Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp3864607rdg; Wed, 18 Oct 2023 08:09:43 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGfd+yieiS8u7d1EfyW9WwfojP+ZE5J+n9QKy2CZ3Rb7BlAL5N2SZHWB5Xk7gdhm4JwsMzo X-Received: by 2002:a17:90a:fd84:b0:27d:c36:e134 with SMTP id cx4-20020a17090afd8400b0027d0c36e134mr4781905pjb.42.1697641783219; Wed, 18 Oct 2023 08:09:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697641783; cv=none; d=google.com; s=arc-20160816; b=gK2UEwFEwNwUWw8s0gjBcjlAZc3mF7i2ieG8HI1VUCClmqVAtO2gdiBNc8znd9PQN6 HLp+L6S5cUgRTRurmu4KZRyktHkWCZWm5A40lZ5zqKirLRBxJvE9axka+RM7/u8dgXar oZRfrFxBAJjc9YvuYitR7+8Irch8EI2IPNyIqa4PDZADOHSAI5Q+GwaSzUhB+zA7XCef wexKVCyTzNOrkszuyaEkoiLifbXiUjChCTcciZRTGnYofYLi64+rGh301E+w+3KefNiT MBNSH0Hd7ydIU/lF2RQcbwD+sGMFNmv0NuGHxBhC9N3F8zt6pu1pPwFlSoMomk3Pc7Ar fZTA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=PvfWp1C5xv3xuTQ6WUqjUh4zSLJkkTSPfVE2loOXpbY=; fh=A5tR/fPg4W5/UY+St1h4u8Kg+luuf+U9l8bopJi0YzI=; b=rs9ALlmPhjJc9DEIJWebrWX68o/3tFEV+3D7V/rkb9H0A5qmrgkY1Oh5OfXrRbiz5W vPLzOKQOFnzgdNBNhANyhaZPHKMNDxrcHh3LrLvhy+CRiwynZTVNw8Sz7Fh6SIeBzf07 WiRh2djOaEkibu57rNvrBk71hUBQ7LUMQyrTZaSjHJoDnfqNbfTzeqXF0Z7H7Yvl9LzC TG6Z99MIP91ug3ntnTyt0wtYJi9KSKB/dMNskYdTVd8o2HcYQb89PN6dWcHYrisqV1dU 8e/tHKbrNeKYjzW1iELlbI3qV5AzwcpiO7uM7h2KyP6/Girtnq5Ebo0wizY6TMxy0qKA P4ig== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=0jEu3mNa; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from groat.vger.email (groat.vger.email. [23.128.96.35]) by mx.google.com with ESMTPS id c15-20020a17090abf0f00b0026ce877b4cbsi44824pjs.151.2023.10.18.08.09.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 18 Oct 2023 08:09:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=0jEu3mNa; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id 871F28029231; Wed, 18 Oct 2023 08:09:40 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345047AbjJRPJb (ORCPT + 99 others); Wed, 18 Oct 2023 11:09:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46974 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230228AbjJRPJa (ORCPT ); Wed, 18 Oct 2023 11:09:30 -0400 Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DE6FBAB for ; Wed, 18 Oct 2023 08:09:27 -0700 (PDT) Received: by mail-qt1-x82f.google.com with SMTP id d75a77b69052e-41b19dda4c6so254341cf.1 for ; Wed, 18 Oct 2023 08:09:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1697641767; x=1698246567; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=PvfWp1C5xv3xuTQ6WUqjUh4zSLJkkTSPfVE2loOXpbY=; b=0jEu3mNalZW4sYjmW1SzcVilxuXEYHji310yhmvuXE7NXtCoNiXXrZBkyN11XwBp95 xef5o23/l9dw2F19XFwatSK6tyykDsd+ZBv2cc80OQQqqVIrosuIujuo/s/4FTzzA+P4 klXTf4U5Xn2F08Tqfy8ay/AVMdx/c4xgaiqF5qb7D53fjINkmLT9dYPXnHwdp4aXPcgA nYQwvAqMrjEnWLBpXCUvunD64YfG3N0yPfz3neRg2060IUhGDXsg9djK50ix4yZcu89G +Hyi38JTvsKkX6LPRi2widzY76CcSpTiDTDvFMvSd1C8OfruQ23WsucLw5eyyIWEyJpL DnYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697641767; x=1698246567; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PvfWp1C5xv3xuTQ6WUqjUh4zSLJkkTSPfVE2loOXpbY=; b=UEwLcxPPlP4yfTC+KJqKIjuBKPY7Jy1mBuFDGVaRw2Twip/SGzkNBcZxfTOf3rzfkx CbgrnFTyYDIBkRwgyPlV5SCeGkR9BJUU2lQLSfvhF4xbF39w4pLcGapmA3JZJW8wCHbh oHBpE2ehxRLUycZt4aBkPxMpC4htu6BvIrs64ehLQb1j002ykgBML1lMIPrLWAv9uBaK wPu0ujboilgUOcgFAC7O57u26lSonJLm0A36Oqv15I9/HSWRV9F0broQjpXNH7QmMahE iS/eYW9eLxeeaOhyjYgAhHlZj8N9PPl2p9PpAoz62G0YoFDv9fe3rSmP7bpBS6oZeaXp JQkA== X-Gm-Message-State: AOJu0YyiYLOTcdf8qbbFM/dIyNT7rbNqJdLcy998t4OVdYgQ/5mxVpKU GikMWN467R0MpD5j8GEtbh+PHWnii5KE2TeOiPaihA== X-Received: by 2002:ac8:4b75:0:b0:410:9d31:68cd with SMTP id g21-20020ac84b75000000b004109d3168cdmr221871qts.27.1697641766704; Wed, 18 Oct 2023 08:09:26 -0700 (PDT) MIME-Version: 1.0 References: <20231017090815.1067790-1-jeffxu@chromium.org> <20231017090815.1067790-6-jeffxu@chromium.org> In-Reply-To: From: Jeff Xu Date: Wed, 18 Oct 2023 08:08:49 -0700 Message-ID: Subject: Re: [RFC PATCH v2 5/8] mseal: Check seal flag for munmap(2) To: Linus Torvalds Cc: jeffxu@chromium.org, akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, willy@infradead.org, gregkh@linuxfoundation.org, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, surenb@google.com, alex.sierra@amd.com, apopple@nvidia.com, aneesh.kumar@linux.ibm.com, axelrasmussen@google.com, ben@decadent.org.uk, catalin.marinas@arm.com, david@redhat.com, dwmw@amazon.co.uk, ying.huang@intel.com, hughd@google.com, joey.gouly@arm.com, corbet@lwn.net, wangkefeng.wang@huawei.com, Liam.Howlett@oracle.com, lstoakes@gmail.com, mawupeng1@huawei.com, linmiaohe@huawei.com, namit@vmware.com, peterx@redhat.com, peterz@infradead.org, ryan.roberts@arm.com, shr@devkernel.io, vbabka@suse.cz, xiujianfeng@huawei.com, yu.ma@intel.com, zhangpeng362@huawei.com, dave.hansen@intel.com, luto@kernel.org, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-8.4 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Wed, 18 Oct 2023 08:09:40 -0700 (PDT) On Tue, Oct 17, 2023 at 9:54=E2=80=AFAM Linus Torvalds wrote: > > On Tue, 17 Oct 2023 at 02:08, wrote: > > > > Of all the call paths that call into do_vmi_munmap(), > > this is the only place where checkSeals =3D MM_SEAL_MUNMAP. > > The rest has checkSeals =3D 0. > > Why? > > None of this makes sense. > > So you say "we can't munmap in this *one* place, but all others ignore > the sealing". > I apologize that previously, I described what this code does, and not reaso= ning. In our threat model, as Stephen R=C3=B6ttger point out in [1], and I quote: V8 exploits typically follow a similar pattern: an initial bug leads to memory corruption but often the initial corruption is limited and the attacker has to find a way to arbitrarily read/write in the whole address space. The memory correction is in the user space process, e.g. Chrome. Attackers will try to modify permission of the memory, by calling mprotect, or munmap then mmap to the same address but with different permission, etc. Sealing blocks mprotect/munmap/mremap/mmap call from the user space process, e.g. Chrome. At time of handling those 4 syscalls, we need to check the seal ( can_modify_mm), this requires locking the VMA ( mmap_write_lock_killable), and ideally, after validating the syscall input. The reasonable place for can_modify_mm() is from utility functions, such as do_mmap(), do_vmi_munmap(), etc. However, there is no guarantee that do_mmap() and do_vmi_munmap() are only reachable from mprotect/munmap/mremap/mmap syscall entry point (SYSCALL_DEFINE_XX). In theory, the kernel can call those in other scenarios, and some of them can be perfectly legit. Those other scenarios are not covered by our threat model at this time. Therefore, we need a flag, passed from the SYSCALL_DEFINE_XX entry , down to can_modify_mm(), to differentiate those other scenarios. Now, back to code, it did some optimization, i.e. doesn't pass the flag from SYSCALL_DEFINE_XX in all cases. If SYSCALL_DEFINE_XX calls do_a, and do_a has only one caller, I will set the flag in do_a, instead of SYSCALL_DEFINE_XX. Doing this reduces the size of the patchset, but it also makes the code less readable indeed. I could remove this optimization in V3. I welcome suggestions to improve readability on this. When handing the mmap/munmap/mremap/mmap, once the code passed can_modify_mm(), it means the memory area is not sealed, if the code continues to call the other utility functions, we don't need to check the seal again. This is the case for mremap(), the seal of src address and dest address (when applicable) are checked first, later when the code calls do_vmi_munmap(), it no longer needs to check the seal again. [1] https://v8.dev/blog/control-flow-integrity -Jeff