Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) client-ip=23.128.96.34;
Date:   Fri, 1 Dec 2023 17:31:20 +0100
From:   Joel Granados <j.granados@samsung.com>
To:     Thomas =?utf-8?Q?Wei=C3=9Fschuh?= <linux@weissschuh.net>
CC:     Kees Cook <keescook@chromium.org>,
        "Gustavo A. R. Silva" <gustavoars@kernel.org>,
        Luis Chamberlain <mcgrof@kernel.org>,
        Iurii Zaikin <yzaikin@google.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        <linux-hardening@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
        <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH RFC 0/7] sysctl: constify sysctl ctl_tables
Message-ID: <20231201163120.depfyngsxdiuchvc@localhost>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512";
        protocol="application/pgp-signature"; boundary="62vksxdeaplkstjx"
Content-Disposition: inline
In-Reply-To: <475cd5fa-f0cc-4b8b-9e04-458f6d143178@t-8ch.de>
CMS-TYPE: 201P
References: <CGME20231125125305eucas1p2ebdf870dd8ef46ea9d346f727b832439@eucas1p2.samsung.com>
        <20231125-const-sysctl-v1-0-5e881b0e0290@weissschuh.net>
        <20231127101323.sdnibmf7c3d5ovye@localhost>
        <475cd5fa-f0cc-4b8b-9e04-458f6d143178@t-8ch.de>
Precedence: bulk

--62vksxdeaplkstjx
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hey Thomas.

Thx for the clarifications. I did more of a deep dive into your set and
have additional comments (in line). I think const-ing all this is a good
approach. The way forward is to be able to see the entire patch set of
changes in a V1 or a shared repo somewhere to have a better picture of
what is going on. By the "entire patchset" I mean all the changes that
you described in the "full process".

On Tue, Nov 28, 2023 at 09:18:30AM +0100, Thomas Wei=DFschuh wrote:
> Hi Joel,
>=20
> On 2023-11-27 11:13:23+0100, Joel Granados wrote:
> > In general I would like to see more clarity with the motivation and I
> > would also expect some system testing. My comments inline:
>=20
> Thanks for your feedback, response are below.
>=20
> > On Sat, Nov 25, 2023 at 01:52:49PM +0100, Thomas Wei=DFschuh wrote:
> > > Problem description:
> > >=20
> > > The kernel contains a lot of struct ctl_table throught the tree.
> > > These are very often 'static' definitions.
> > > It would be good to mark these tables const to avoid accidental or
> > > malicious modifications.
>=20
> > It is unclear to me what you mean here with accidental or malicious
> > modifications. Do you have a specific attack vector in mind? Do you
> > have an example of how this could happen maliciously? With
> > accidental, do you mean in proc/sysctl.c? Can you expand more on the
> > accidental part?
>=20
> There is no specific attack vector I have in mind. The goal is to remove
> mutable data, especially if it contains pointers, that could be used by
> an attacker as a step in an exploit. See for example [0], [1].
I think you should work "remove mutable data" as part of you main
motivation when you send the non-RFC patch. I would also including [0]
and [1] (and any other previous work) to help contextualize.

>=20
> Accidental can be any out-of-bounds write throughout the kernel.
>=20
> > What happens with the code that modifies these outside the sysctl core?
> > Like for example in sysctl_route_net_init where the table is modified
> > depending on the net->user_ns? Would these non-const ctl_table pointers
> > be ok? would they be handled differently?
>=20
> It is still completely fine to modify the tables before registering,
> like sysctl_route_net_init is doing. That code should not need any
> changes.
>=20
> Modifying the table inside the handler function would bypass the
> validation done when registering so sounds like a bad idea in general.
This is done before registering. So the approach *is* sound.

> It would still be possible however for a subsystem to do so by just not
> making their sysctl table const and then modifying the table directly.
Indeed. Which might be intended or migth be someone that just forgets to
put const. I think you mentioned that there would be some sort of static
check for this (coccinelle or smach, or something else)?=20

> =20
> > > Unfortunately the tables can not be made const because the core
> > > registration functions expect mutable tables.
> > >=20
> > > This is for two reasons:
> > >=20
> > > 1) sysctl_{set,clear}_perm_empty_ctl_header in the sysctl core modify
> > >    the table. This should be fixable by only modifying the header
> > >    instead of the table itself.
> > > 2) The table is passed to the handler function as a non-const pointer.
> > >=20
> > > This series is an aproach on fixing reason 2).
>=20
> > So number 2 will be sent in another set?
Sorry, this was supposed to be "number 1", but you got my meaning :)

>=20
> If the initial feedback to the RFC and general process is positive, yes.
Off the top of my head, putting  that type in the header instead of the
ctl_table seems ok. I would include it in non-RFC version together with
2.

>=20
> > >=20
> > > Full process:
> > >=20
> > > * Introduce field proc_handler_new for const handlers (this series)
I don't understand why we need a new handler. Couldn't we just change
the existing handler to receive `const struct ctl_table` and change all
the `proc_do*` handlers?
I'm guessing its because you want to do this in steps? if that is the
case, it would be very helpfull to see (in some repo or V1) the steps
to change all the handlers in the non-RFC version=20

> > > * Migrate all core handlers to proc_handler_new (this series, partial)
> > >   This can hopefully be done in a big switch, as it only involves
> > >   functions and structures owned by the core sysctl code.
It would be helpful to see what the "big switch" would look like. If it
is all sysctl code and cannot be chunked up because of dependencies,
then it should be ok to do it in one go.

> > > * Migrate all other sysctl handlers to proc_handler_new.
> > > * Drop the old proc_handler_field.
> > > * Fix the sysctl core to not modify the tables anymore.
> > > * Adapt public sysctl APIs to take "const struct ctl_table *".
> > > * Teach checkpatch.pl to warn on non-const "struct ctl_table"
> > >   definitions.
Have you considered how to ignore the cases where the ctl_tables are
supposed to be non-const when they are defined (like in the network
code that we were discussing earlier)

> > > * Migrate definitions of "struct ctl_table" to "const" where applicab=
le.
These migrations are treewide and are usually reviewed by a wider
audience. You might need to chunk it up to make the review more palpable
for the other maintainers.

> > > =20
> > >=20
> > > Notes:
> > >=20
> > > Just casting the function pointers around would trigger
> > > CFI (control flow integrity) warnings.
> > >=20
> > > The name of the new handler "proc_handler_new" is a bit too long mess=
ing
> > > up the alignment of the table definitions.
> > > Maybe "proc_handler2" or "proc_handler_c" for (const) would be better.
>=20
> > indeed the name does not say much. "_new" looses its meaning quite fast
> > :)
>=20
> Hopefully somebody comes up with a better name!
I would like to avoid this all together and just do add the const to the
existing "proc_handler"

>=20
> > In my experience these tree wide modifications are quite tricky. Have y=
ou
> > run any tests to see that everything is as it was? sysctl selftests and
> > 0-day come to mind.
>=20
> I managed to miss one change in my initial submission:
> With the hunk below selftests and typing emails work.
>=20
> --- a/fs/proc/proc_sysctl.c
> +++ b/fs/proc/proc_sysctl.c
> @@ -1151,7 +1151,7 @@ static int sysctl_check_table(const char *path, str=
uct ctl_table_header *header)
>                         else
>                                 err |=3D sysctl_check_table_array(path, e=
ntry);
>                 }
> -               if (!entry->proc_handler)
> +               if (!entry->proc_handler && !entry->proc_handler_new)
>                         err |=3D sysctl_err(path, entry, "No proc_handler=
");
> =20
>                 if ((entry->mode & (S_IRUGO|S_IWUGO)) !=3D entry->mode)
>=20
> > [..]
>=20
> [0] 43a7206b0963 ("driver core: class: make class_register() take a const=
 *")
> [1] https://lore.kernel.org/lkml/20230930050033.41174-1-wedsonaf@gmail.co=
m/
>=20
>=20
> Thomas

--=20

Best
Joel Granados

--62vksxdeaplkstjx
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQGzBAABCgAdFiEErkcJVyXmMSXOyyeQupfNUreWQU8FAmVqClcACgkQupfNUreW
QU8bjAv/XDH1QrpOnyw0p5Ef1/EuNDqDCpf//956rA9GC1T48F2ovsuVAtFR7Vht
vrYW3bE4eJlV2IjwDXoLldcVeJoKJPvQXzbX4ALXjnF3FREfaMHz8lU4YuLDhwE4
yaclYTzU8T4YTSTH827E4r0I4qYi+7Vysx0Nj1Lu4OQ4cXmxLwefPrC3BrXpW5Pe
B3nccgjbGdy9ho20n8hWXLlJn114RVPgUxlqX5SbuH2EoPsBCVpfXzHETcOPOFXw
O5IGLleLH+1/A9JI5woGx+WQmGETev2/2Cc9V2hYGU+6kE4LFBbfN4IPYshvAx5z
kQx+3AJluJQXeQ0hCBR0CvSTRPaAKnoLkt5/P+8omwZFUunkyk5iL1o0i0UkxaVT
GHVqtd7gYXUJGr5WSt7brMhUOxhYYrsWl9PKgmqgrhmANVwGxKGfwu0Y3BjzZC47
WCqLSphlvAg6/hKdgAw1iBVixcxOPJK8Ujx7/gafCHmXp/onZmB6egXAG/pYtEhe
9nIBsKx8
=SQPW
-----END PGP SIGNATURE-----

--62vksxdeaplkstjx--