References: <20240131175027.3287009-1-jeffxu@chromium.org> <20240131193411.opisg5yoyxkwoyil@revolver> <20240201204512.ht3e33yj77kkxi4q@revolver> <58408.1706828083@cvs.openbsd.org> <66496.1706893543@cvs.openbsd.org>
In-Reply-To: <66496.1706893543@cvs.openbsd.org>
From: Jeff Xu
Date: Fri, 2 Feb 2024 13:02:38 -0800
Subject: Re: [PATCH v8 0/4] Introduce mseal
To: Theo de Raadt
Cc: Linus Torvalds, "Liam R. Howlett", Jonathan Corbet, akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, willy@infradead.org, gregkh@linuxfoundation.org, usama.anjum@collabora.com, rdunlap@infradead.org, jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com, linux-hardening@vger.kernel.org

On Fri, Feb 2, 2024 at 9:05 AM Theo de Raadt wrote:
>
> Another interaction to consider is sigaltstack().
>
> In OpenBSD, sigaltstack() forces MAP_STACK onto the specified
> (pre-allocated) region, because on kernel-entry we require the "sp"
> register to point to a MAP_STACK region (this severely damages ROP pivot
> methods). Linux does not have MAP_STACK enforcement (yet), but one day
> someone may try to do that work.
>
> This interacted poorly with mimmutable() because some applications
> allocate the memory being provided poorly. I won't get into the details
> unless pushed, because what we found makes me upset. Over the years,
> we've upstreamed diffs to applications to resolve all the nasty
> allocation patterns. I think the software ecosystem is now mostly
> clean.
>
> I suggest someone in Linux look into whether sigaltstack() is a mseal()
> bypass, perhaps somewhat similar to madvise MADV_FREE, and consider the
> correct strategy.
>
Thanks for bringing this up. I will follow up on sigaltstack() in Linux.

> This is our documented strategy:
>
>     On OpenBSD some additional restrictions prevent dangerous address space
>     modifications. The proposed space at ss_sp is verified to be
>     contiguously mapped for read-write permissions (no execute) and incapable
>     of syscall entry (see msyscall(2)). If those conditions are met, a page-aligned
>     inner region will be freshly mapped (all zero) with MAP_STACK
>     (see mmap(2)), destroying the pre-existing data in the region. Once the
>     sigaltstack is disabled, the MAP_STACK attribute remains on the memory,
>     so it is best to deallocate the memory via a method that results in
>     munmap(2).
>
> OK, I better provide the details of what people were doing.
> sigaltstacks() in .data, in .bss, using malloc(), on a buffer on the
> stack, we even found one creating a sigaltstack inside a buffer on a
> pthread stack. We told everyone to use mmap() and munmap(), with MAP_STACK
> if #ifdef MAP_STACK finds a definition.
>
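As an added illustration (not code from this thread or from either kernel), here is the allocation pattern the quoted OpenBSD guidance asks applications to follow: the alternate signal stack comes from mmap(), with MAP_STACK requested when the header defines it, and is released with munmap() rather than living in .data, .bss, malloc() or a thread stack. The helper names alt_stack_install, alt_stack_release and alt_stack_selftest are hypothetical; the self-test also confirms that a SA_ONSTACK handler really runs inside the mapped region.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <sys/mman.h>
/* Hypothetical helpers (not from the thread): back the alternate signal stack
 * with a dedicated mmap() region, asking for MAP_STACK where it is defined. */
static int alt_stack_install(stack_t *out, size_t size)
{
    int flags = MAP_PRIVATE | MAP_ANONYMOUS;
#ifdef MAP_STACK
    flags |= MAP_STACK;          /* the #ifdef the quoted advice refers to */
#endif
    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE, flags, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    stack_t ss = { .ss_sp = mem, .ss_size = size, .ss_flags = 0 };
    if (sigaltstack(&ss, NULL) != 0) {
        munmap(mem, size);
        return -1;
    }
    *out = ss;
    return 0;
}

/* Disable the alternate stack, then give the whole region back via munmap(). */
static int alt_stack_release(stack_t *ss)
{
    stack_t off = { .ss_flags = SS_DISABLE };
    if (sigaltstack(&off, NULL) != 0)
        return -1;
    return munmap(ss->ss_sp, ss->ss_size);  /* full unmap, never free() */
}

static volatile uintptr_t handler_sp;       /* where the handler's frame landed */
static void on_sigusr1(int sig) { int probe; (void)sig; handler_sp = (uintptr_t)&probe; }

/* Self-test: handler frame must lie inside the mapping; SS_DISABLE after release. */
int alt_stack_selftest(void)
{
    stack_t ss, cur;
    if (alt_stack_install(&ss, 64 * 1024) != 0) return -1;
    struct sigaction sa = { .sa_handler = on_sigusr1, .sa_flags = SA_ONSTACK };
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) != 0) return -2;
    raise(SIGUSR1);                          /* synchronous in a single thread */
    uintptr_t lo = (uintptr_t)ss.ss_sp, hi = lo + ss.ss_size;
    if (handler_sp < lo || handler_sp >= hi) return -3;
    if (alt_stack_release(&ss) != 0) return -4;
    if (sigaltstack(NULL, &cur) != 0 || !(cur.ss_flags & SS_DISABLE)) return -5;
    return 0;
}
```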