Date: Mon, 19 Jun 2023 20:39:49 -0400
From: Kent Overstreet
To: Kees Cook
Cc: Andy Lutomirski, Johannes Thumshirn, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-bcachefs@vger.kernel.org, Kent Overstreet, Andrew Morton, Uladzislau Rezki, hch@infradead.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH 07/32] mm: Bring back vmalloc_exec
Message-ID: <20230620003949.kjs2z524hodwwcnt@moria.home.lan>
In-Reply-To: <202306191228.6A98FD25@keescook>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jun 19, 2023 at 12:45:43PM -0700, Kees Cook wrote:
> I think there's a misunderstanding here about the threat model I'm
> interested in protecting against for JITs. While making sure the VM of a
> JIT is safe in itself, that's separate from what I'm concerned about.
>
> The threat model is about flaws _elsewhere_ in the kernel that can
> leverage the JIT machinery to convert a "write anything anywhere anytime"
> exploit primitive into an "execute anything" primitive. Arguments can
> be made to say "a write anything flaw means the total collapse of the
> security model so there's no point defending against it", but both that
> type of flaw and the slippery slope argument don't stand up well to
> real-world situations.

Hey Kees, thanks for the explanation - I don't think this is a concern
for what bcachefs is doing, since we're not doing a full jit. The unpack
functions we generate only write to the 40 bytes pointed to by rsi; not
terribly useful as an execute anything primitive :)