Received: by 2002:a05:6500:1b45:b0:1f5:f2ab:c469 with SMTP id cz5csp100175lqb; Tue, 16 Apr 2024 09:49:39 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCW6K8u3MuAn/MBy+8bWF4TiBrsfEjJXnFgq3/KblT/+8ZzH3eGeOyg0F8xXgVDSza5o9wyZq0pkR4+eIKG5MFDx0Kp2Ebmv+hfF6WBaLA== X-Google-Smtp-Source: AGHT+IHPE/XW2duu5+RJGCMNhV1zcu+vv+KvnWX2QtfyN2q1k/ilc9zDbN5bjhegp6YgK+UXdsLK X-Received: by 2002:a05:6a00:acb:b0:6ed:332:ffbc with SMTP id c11-20020a056a000acb00b006ed0332ffbcmr14327928pfl.20.1713286178694; Tue, 16 Apr 2024 09:49:38 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1713286178; cv=pass; d=google.com; s=arc-20160816; b=gsZflTMHCP03NmgJQIr1cf3/veBuNc1H56DI3jpIeOSkvx+XHcSj1Vd9/ERouYQdo6 wlc1wZLWe0WQ92nFMBGzvcjBOsSjeoCe7QZU2+W/xQEn6IA07yt2gDWDtTsfqAMPy1sS 1mBe8m8Hrh4kZo9THjUyQLYuVs1etYjnUPl2ldtG1PocVWWa4Bfnmi2exBjYyoVEqop6 hpFlnkWIP6sMtL7efy8w+AMAafNJFF0FqPjYswQ0+115FU2q/mDa/1DsQU/xjb1oIgLX y2dhBjOOA4+Fpqz/hhZNsoOsLaGCIRpgSuP11wTY0MKKjfagwuG8Rzn6swB3n2x9SuC+ H0DQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=message-id:date:content-id:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:comments:references:in-reply-to :subject:mail-followup-to:to:from:dkim-signature; bh=PsbOK7NqlD2eJxMmhAgdQY9VBEXxyqleO+55ToWP6iE=; fh=s166/C30wjRUkkWhohkGK5r4zkpI7n6bWCpW76Ewc6U=; b=o6xcWr/0VHZdxgLjXhiHhH2KW6sEVTqP+Kbt9nJR3jJXXcRMy2XsyEi9xWCliL7r+X 0hqJZH0WbbHQeouFfuNBPpuXAJ8HXWxdAKMY1xCbXdrCBI8/QB86HNppt4ZAXCjnCFVH 5nThp8gYPb2XdVjawL51qCEIsLw46spU6J2fF0RMyi9OlVQc6WTV5u5V8FKe3vaW1pbT mI9OwE119HDc7t/3lqt2uz4N5o/CrhrN1H9FqktxV2lsd+hBVGUrJADH1R6cUgY8HpxI h3km5NVpscK549a+KcOjSLjwh7I7lorTUe3M9pgkZrdfo0f4VPhfB91z9k4piBLUqgCc HmDQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@openbsd.org header.s=selector1 header.b=OZgRk9jl; arc=pass (i=1 spf=pass spfdomain=openbsd.org dkim=pass dkdomain=openbsd.org); spf=pass (google.com: domain of linux-kernel+bounces-147262-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-147262-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id b185-20020a6334c2000000b005f0565df1c5si9864540pga.441.2024.04.16.09.49.38 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 16 Apr 2024 09:49:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-147262-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@openbsd.org header.s=selector1 header.b=OZgRk9jl; arc=pass (i=1 spf=pass spfdomain=openbsd.org dkim=pass dkdomain=openbsd.org); spf=pass (google.com: domain of linux-kernel+bounces-147262-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-147262-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id E1034B21066 for ; Tue, 16 Apr 2024 16:49:31 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 7DF96132C1F; Tue, 16 Apr 2024 16:49:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=openbsd.org header.i=@openbsd.org header.b="OZgRk9jl" Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 41CA7FC1F; Tue, 16 Apr 2024 16:49:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=199.185.137.3 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713286153; cv=none; b=lfgGVNEz71VqFFSw5Td0aZFkvvrL23YwcczD4A/O/ngCRFiVzClFeBrhhnODliP5XMLvAR1/ROVTJD5Lyb77dZhl0sN6YgxEv2O3M7xBlv5Xly3hU7XNpQKXnhSzRw2HZGdAECH7TTNYLuU4bGot/FgWRsww6v/7X2ZP33hSE28= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713286153; c=relaxed/simple; bh=pU0D7p6Mrsm9UDb/aQ2TM6OzvMKuAB+Zxp5mgw2XPKU=; h=From:To:Subject:In-reply-to:References:MIME-Version:Content-Type: Date:Message-ID; b=kcnrGc03xxOxa9wSS7IjoPopez72K6hYATCDYKUBXQKy9bIex4sWND53KrgFk4mFy5MIQznNj+c+HKQMzR1OfdEhhNpAlnUzKT+X+YrieIlTNzwoTtQylvc3whSP+wX08Sxl2ZIA6lWYTFnWSUfn6NHnoMfNAagGu0kEtYDbUdU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=openbsd.org; spf=pass smtp.mailfrom=openbsd.org; dkim=pass (2048-bit key) header.d=openbsd.org header.i=@openbsd.org header.b=OZgRk9jl; arc=none smtp.client-ip=199.185.137.3 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=openbsd.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=openbsd.org DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=selector1; bh=pU0D7p6Mrs m9UDb/aQ2TM6OzvMKuAB+Zxp5mgw2XPKU=; h=date:references:in-reply-to: subject:to:from; d=openbsd.org; b=OZgRk9jlk6HVVL1liuGCuPFJ2Wd/cE3AWIUi 1dKj9S2eim+/p7/MEBIVLGnjDzmNcJk3SrhXvjCzQOoINFz8z7XieiAjr7JwyKSuds0gRv NLx/0obXLezhwQ2dW1pjWUTMqgg6JizhtP8r3Bs2z0l9RBpLPrDGSyIZOazHXibDrD+N9l 9fK2g1F/yNU0kgZlVOaVwSQQ34BqYf47mc8L5V/+WvP3gcDClX9TOPTHv1YJYT2Rz5jwKq 2gmFwm9bqhkpm5QOvXdLUqnW2kw5jlFLScyDbCrEEIg8iPV/YNBuYKastWGrKwTp1eC3Vn +qPMY7t2TzUNv+PW0NBHj/bTAw== Received: from cvs.openbsd.org (localhost [127.0.0.1]) by cvs.openbsd.org (OpenSMTPD) with ESMTP id a4496a3c; Tue, 16 Apr 2024 10:42:30 -0600 (MDT) From: "Theo de Raadt" To: "Liam R. Howlett" , akpm@linux-foundation.org, torvalds@linux-foundation.org, jeffxu@chromium.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, willy@infradead.org, gregkh@linuxfoundation.org, usama.anjum@collabora.com, corbet@lwn.net, surenb@google.com, merimus@google.com, rdunlap@infradead.org, jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com, linux-hardening@vger.kernel.org Mail-Followup-To: "Liam R. Howlett" , akpm@linux-foundation.org, torvalds@linux-foundation.org, jeffxu@chromium.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, willy@infradead.org, gregkh@linuxfoundation.org, usama.anjum@collabora.com, corbet@lwn.net, surenb@google.com, merimus@google.com, rdunlap@infradead.org, jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com, linux-hardening@vger.kernel.org Subject: Re: [PATCH v10 2/5] mseal: add mseal syscall In-reply-to: References: <20240415163527.626541-1-jeffxu@chromium.org> <20240415163527.626541-3-jeffxu@chromium.org> Comments: In-reply-to "Liam R. Howlett" message dated "Tue, 16 Apr 2024 10:59:34 -0400." Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <43378.1713285750.1@cvs.openbsd.org> Date: Tue, 16 Apr 2024 10:42:30 -0600 Message-ID: <58783.1713285750@cvs.openbsd.org> Liam R. Howlett wrote: > No per-vma change is checked prior to entering a per-vma modification > loop today. This means that mseal() differs in behaviour in "up-front > failure" vs "partial change failure" that exists in every other > function. I discussed this with Liam and Jeff a while ago (seperate conversations). A bunch of linux m*() syscalls have weaker atomicity gaurantees than the other systems I looked into. Linux is an outlier here. Other systems do two passes over the "entries in the range", before commiting to success or failure. When success is returned, it means the whole range has been changed. When an error is identified in the first pass, then no changes are applied, and error is returned. I found no partial results in my limited reading of various VM systems. Actually the gaurantee of having done nothing upon error, is very common system call behaviour. POSIX and defacto standards don't seem to specify by specific wording as far as I can see, but majority of systems seem to do so because it matches expectations. Considering all the system calls, I can't think of any examples. There are a few specific ioctl which were designed wrong. I suspect, for performance reasons, there will be little appetite to repair the m*() syscalls in Linux. (I would appreciate if they were brought up to standard, so I guess that starts the 20 year counter :) > I think we can all agree that having some up-front and some later > without any reason will lead to a higher probability of things getting > missed. Also as attack surface. I spent some time thinking about circumstances where this might help an attack. The risk is that mprotect() return value is very rarely checked, yet parts of objects will change. mprotect() is probably the least checked system call, since people assume it will always succeed entirely; not the case on Linux. Even more so not the case once immutable memory ranges come into play, it's an even more likely error condition now. I didn't find a particular piece of software (or an old attack) which would help an attack with the sloppy permission handling aspects, but I only thought about it for a couple days... there are people with more time on their hands.