Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp3061482lqo; Tue, 14 May 2024 20:14:53 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVr71xCy2nu3N0M1FouUk9IPW6BJrUAeBvoXuOVbof3C7g1Uj0UfrKhow93TXqnHPhoYgj67KyF0juYQ0qt0mwSAv6bGAuKLiLwCAH7dQ== X-Google-Smtp-Source: AGHT+IGjp4jPqN2lFO2VCWsZsz2JzZruzYaE9BKTZltHk6P8NgW5z12Y8oobp84K7eKn/wvMSKwF X-Received: by 2002:a05:6e02:1d92:b0:36d:b660:76ca with SMTP id e9e14a558f8ab-36db6608105mr14568465ab.14.1715742892958; Tue, 14 May 2024 20:14:52 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715742892; cv=pass; d=google.com; s=arc-20160816; b=s28NgxlywOrP9sgM+8gE5Z1Ll3kGK62FHp6YN+V1C/jshD+fxzxLs6G0MCQYv05PmU /kCiSmQegx3aCTWjD7ariy6/YsP7QjphQ+JU+AkZyjvk5WPYbVjUR+4Fs/PGcU2Shmqm vktWvI9NBnp2rs7XLQbdGuXNFYXAKGz10jBj58Pq92u5O8hu3Lee6UTlAE5L/Px43s9J pSLhEJTT0syNNp633mCFOUK33ffShezXcK9LgxjQDNf9JyAFFtiGs+Z974AQUCTO5aSm KDsYW7rAVPm8Z/rlH9fh/ojt/jLiTY4sI7C7FqaIKNqHNnt3ewg80qGgFdU5MIkf88fA RwOg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=user-agent:in-reply-to:content-disposition:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:references :message-id:subject:cc:to:from:date; bh=1DYSGIEVFDiRjWKV8Bo36Ee7DbDPljLKB+uhL4xgVv0=; fh=BLdbyq5M3ZLLjhrDg1gC19Vbiq/dbhCdukONWrMoJGs=; b=Fffx7avMgbJo11J2Bxbe/YYE0TWT6BMde5VfSunhNYaE2ItE1dBL/D6oLjuLVxJ/7Z 71zXsUjWxDIgxee64o1Id0UgOX2sHnYve6A+k1YOB/PI/CVZoRpWSJug5ME3AImrmCZB ilgIgNk0nxpFC4QnMPmBEQrySpysE77loX1zNPnCU2cexqeTBm+iAJsDTwsaeerj0zt+ fNWNn4E0G4O6VLwCXAN0xFXP2ieQFVHv7Keoy9fhXv/6IScvMwwC+DUmf+CcMhtVHXop U64djqg2Mdl1NdkqWv4xR7j37LMCTHLTX6A+Z00ZWn2QhSV5NlN6wpHsdHm4/sqhmR1A Lfqw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=1wt.eu); spf=pass (google.com: domain of linux-kernel+bounces-179369-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-179369-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id 41be03b00d2f7-634103f69e3si12612761a12.403.2024.05.14.20.14.52 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 May 2024 20:14:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-179369-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=1wt.eu); spf=pass (google.com: domain of linux-kernel+bounces-179369-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-179369-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 5B72CB21E3C for ; Wed, 15 May 2024 03:14:16 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 7DA6A37708; Wed, 15 May 2024 03:14:08 +0000 (UTC) Received: from 1wt.eu (ded1.1wt.eu [163.172.96.212]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 66EBC38385; Wed, 15 May 2024 03:14:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=163.172.96.212 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715742848; cv=none; b=ULx1r9RpVRm2lDYhoLZu3c3eijKn7ECF9JLKo6XLbDbzakkewPsW8IedOTRUxaNNbOAvZOd3QqjRcBNnPk+KhwTBJuZCoLqUPpRMVNqJLlWJvUyTUKrYWLCNXohlJcl+owyH83PJYdOIguGLfsjEq90hcxzJOKxvK8cDdQ1fyo4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715742848; c=relaxed/simple; bh=nB1m7j2Q3vEqktywIoGVfNTqMXYMw9gbBScV7i4x0AE=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=K5IWINe3Bvxy+8GeP5La3r1srhnFtBODgDit+jlRdpk7XAiTa4muAuiQ9iLny1R7YM77Pejh50IQO+4gtP96kFEFwPtKF0uhdGmMBw4GjUwFq86UD1728ydU1EX3BaM3mByps/HHPFVchln3847CsilYzBs9AboKP0dw4HCvGuE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=1wt.eu; spf=pass smtp.mailfrom=1wt.eu; arc=none smtp.client-ip=163.172.96.212 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=1wt.eu Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=1wt.eu Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id 44F2wB5O001379; Wed, 15 May 2024 04:58:11 +0200 Date: Wed, 15 May 2024 04:58:11 +0200 From: Willy Tarreau To: Theo de Raadt Cc: Andrew Morton , Matthew Wilcox , Jonathan Corbet , jeffxu@chromium.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, usama.anjum@collabora.com, Liam.Howlett@oracle.com, surenb@google.com, merimus@google.com, rdunlap@infradead.org, jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com, linux-hardening@vger.kernel.org Subject: Re: [PATCH v10 0/5] Introduce mseal Message-ID: <20240515025811.GA1232@1wt.eu> References: <20240415163527.626541-1-jeffxu@chromium.org> <20240514104646.e6af4292f19b834777ec1e32@linux-foundation.org> <871q646rea.fsf@meer.lwn.net> <56001.1715726927@cvs.openbsd.org> <20240514160150.3ed0fda8af5cbd2f17c625e6@linux-foundation.org> <92453.1715730450@cvs.openbsd.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <92453.1715730450@cvs.openbsd.org> User-Agent: Mutt/1.10.1 (2018-07-13) On Tue, May 14, 2024 at 05:47:30PM -0600, Theo de Raadt wrote: > Andrew Morton wrote: > > > > I worry that the non-atomicity will one day be used by an attacker. > > > > How might an attacker exploit this? > > Various ways which are going to be very application specific. Most ways > will depend on munmap / mprotect arguments being incorrect for some > reason, and callers not checking the return values. > > After the system call, the memory is in a very surprising configuration. > > Consider a larger memory region containing the following sections: > > [regular memory] [sealed memory] [regular memory containing a secret] > > unmap() gets called on the whole region, for some reason. The first > section is removed. It hits the sealed memory, and returns EPERM. It does > not unmap the sealed reason, not the memory containing the secret. If we consider that the attack consists, for an attacker, in mseal()ing the beginning of an area to make sure to pin the whole area by making a future munmap() fail, maybe we could make munmap() not stop anymore on such errors and continue to unmap the rest of the area, for the purpose of not leaving such a theoretical attack vector work ? After all, munmap() currently skips wholes and continues to unmap the area. But then what would prevent the attacker from doing mseal() on the whole area in this case, to prevent it from being unmapped ? Wouldn't it be more effective to have a non-resettable prctl() allowing the application to prefer to be killed upon such an munmap() failure in order to stay consistent and more robust against such class of attacks? Willy