| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 May 2024 00:53:47 -0400
From: "Liam R. Howlett" <Liam.Howlett@...cle.com>
To: Theo de Raadt <deraadt@...nbsd.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Matthew Wilcox <willy@...radead.org>, Jonathan Corbet <corbet@....net>,
Andrew Morton <akpm@...ux-foundation.org>, jeffxu@...omium.org,
keescook@...omium.org, jannh@...gle.com, sroettger@...gle.com,
gregkh@...uxfoundation.org, usama.anjum@...labora.com,
surenb@...gle.com, merimus@...gle.com, rdunlap@...radead.org,
jeffxu@...gle.com, jorgelo@...omium.org, groeck@...omium.org,
linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
linux-mm@...ck.org, pedro.falcato@...il.com, dave.hansen@...el.com,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH v10 0/5] Introduce mseal
* Theo de Raadt <deraadt@...nbsd.org> [240514 22:42]:
> Linus Torvalds <torvalds@...ux-foundation.org> wrote:
>
> > On Tue, 14 May 2024 at 18:47, Theo de Raadt <deraadt@...nbsd.org> wrote:
> > >
> > > Linus Torvalds <torvalds@...ux-foundation.org> wrote:
> > >
> > > Regarding mprotect(), POSIX also says:
> > >
> > > An implementation may permit accesses other than those specified by
> > > prot; however, no implementation shall permit a write to succeed where
> > > PROT_WRITE has not been set or shall permit any access where PROT_NONE
> > > alone has been set.
> >
> > Why do you quote entirely irrelevant issues?
> >
> > If the mprotect didn't succeed, then clearly the above is irrelevant.
>
> Imagine the following region:
>
>
> <--------------------------------------------- len
> [region PROT_READ] [region PROT_READ + sealed]
> addr ^
>
> then perform
> mprotect(addr, len, PROT_WRITE | PROT_READ);
>
> This will return -1, with EPERM, when it encounters the sealed region.
>
> I believe in Linux, since it has not checked for errors as a first
> phase, this changes the first region of memory to PROT_READ |
> PROT_WRITE. Liam, is that correct?
I really don't want to fight about this - I just want to have reliable
code that is maintainable. I think the correctness argument is always
going to be unclear because we're all going to interpret the
documentation from our point of view - which is probably how we got here
in the first place. My opinion of the matter of correctness is,
obviously, the least important.
My problem right now is that we're changing it so that we are not
consistent in when we should check. I'm not sure how doing both fits
into either model, but it increases the next change going to the 'wrong'
side of the argument (whatever side that happens to be from your view).
If there isn't a technical reason to keep the check before, then we
should treat mseal the same as all other checks.
If we are going to have an up-front check, then it makes sense to keep
the checks that we can (reasonably) do at the same time together.
Linus, you said up front checks is a good thing to aim for.
That said, I don't think the example above will allow the madvise to
succeed at all. mseal checks the entire region up front while most
other checks occur during the loop across vmas.
Thanks,
Liam
Powered by blists - more mailing lists