From: "Stephen Röttger" <sroettger@google.com>
To: Dave Hansen <dave.hansen@intel.com>
Cc: Jeff Xu <jeffxu@google.com>,
jeffxu@chromium.org, luto@kernel.org, jorgelo@chromium.org,
keescook@chromium.org, groeck@chromium.org, jannh@google.com,
akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH 2/6] PKEY: Add arch_check_pkey_enforce_api()
Date: Fri, 19 May 2023 13:22:21 +0200 [thread overview]
Message-ID: <CAEAAPHb5wzn6=9sL92-wq7mwT0-iu7NVmzpWM7tSiN85kZYO9w@mail.gmail.com> (raw)
In-Reply-To: <c53c03e8-529f-5b72-42ab-f32f50aaab35@intel.com>
[-- Attachment #1: Type: text/plain, Size: 2067 bytes --]
On Fri, May 19, 2023 at 2:00 AM Dave Hansen <dave.hansen@intel.com> wrote:
>
> On 5/18/23 15:51, Jeff Xu wrote:
> >> Do you have a solid handle on all call paths that will reach
> >> __arch_check_vma_pkey_for_write() and can you ensure they are all
> >> non-remote?
> > Is this about the attack scenario where the attacker uses ptrace()
> > into the chrome process ? if so it is not in our threat model, and
> > that is more related to sandboxing on the host.
>
> The attacker would use *some* remote interface. ptrace() is just one of
> those remote interfaces.
>
> > Or is this about io_uring? Yes, io_uring kernel thread breaks our
> > expectations of PKRU & user space threads, however I thought the break
> > is not just for this - any syscall involved in memory operation will
> > break after into io_uring ?
>
> I'm not quite following.
>
> Please just do me a favor: have the io_uring maintainers look at your
> proposal. Make sure that the defenses you are building can work in a
> process where io_uring is in use by the benign threads.
>
> Those same folks are pretty familiar with the other, more traditional
> I/O syscalls that have in-memory descriptors that control syscall
> behavior like readv/writev. Those also need a close look.
>
> > Other than those, yes, I try to ensure the check is only used at the
> > beginning of syscall entry in all cases, which should be non-remote I
> > hope.
>
> You're right that synchronous, shallow syscall paths are usually
> non-remote. But those aren't the problem. The problem is that there
> *ARE* remote accesses and those are a potential hole for this whole
> mechanism.
>
> Can they be closed? I don't know. I honestly don't have a great grasp
> on how widespread these things are. You'll need a much more complete
> grasp on them than I have before this thing can go forward.
I don't think the remote writes are a problem for us if they're initiated from
the same process. It's a case of syscalls where we need to add special
validation in userspace.
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4005 bytes --]
next prev parent reply other threads:[~2023-05-19 11:22 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-15 13:05 [PATCH 0/6] Memory Mapping (VMA) protection using PKU - set 1 jeffxu
2023-05-15 13:05 ` [PATCH 1/6] PKEY: Introduce PKEY_ENFORCE_API flag jeffxu
2023-05-16 23:14 ` Dave Hansen
2023-05-16 23:55 ` Jeff Xu
2023-05-17 11:07 ` Stephen Röttger
2023-05-15 13:05 ` [PATCH 2/6] PKEY: Add arch_check_pkey_enforce_api() jeffxu
2023-05-18 21:43 ` Dave Hansen
2023-05-18 22:51 ` Jeff Xu
2023-05-19 0:00 ` Dave Hansen
2023-05-19 11:22 ` Stephen Röttger [this message]
2023-05-15 13:05 ` [PATCH 3/6] PKEY: Apply PKEY_ENFORCE_API to mprotect jeffxu
2023-05-16 20:07 ` Kees Cook
2023-05-16 22:23 ` Jeff Xu
2023-05-16 23:18 ` Dave Hansen
2023-05-16 23:36 ` Jeff Xu
2023-05-17 4:50 ` Jeff Xu
2023-05-15 13:05 ` [PATCH 4/6] PKEY:selftest pkey_enforce_api for mprotect jeffxu
2023-05-15 13:05 ` [PATCH 5/6] KEY: Apply PKEY_ENFORCE_API to munmap jeffxu
2023-05-16 20:06 ` Kees Cook
2023-05-16 22:24 ` Jeff Xu
2023-05-16 23:23 ` Dave Hansen
2023-05-17 0:08 ` Jeff Xu
2023-05-15 13:05 ` [PATCH 6/6] PKEY:selftest pkey_enforce_api for munmap jeffxu
2023-05-15 14:28 ` [PATCH 0/6] Memory Mapping (VMA) protection using PKU - set 1 Dave Hansen
2023-05-15 15:03 ` Stephen Röttger
2023-05-16 7:06 ` Stephen Röttger
2023-05-16 22:41 ` Dave Hansen
2023-05-17 10:51 ` Stephen Röttger
2023-05-17 15:07 ` Dave Hansen
2023-05-17 15:21 ` Jeff Xu
2023-05-17 15:29 ` Dave Hansen
2023-05-17 23:48 ` Jeff Xu
2023-05-18 15:37 ` Dave Hansen
2023-05-18 20:20 ` Jeff Xu
2023-05-18 21:04 ` Dave Hansen
2023-05-19 11:13 ` Stephen Röttger
2023-05-24 20:15 ` Jeff Xu
2023-06-01 1:39 ` Jeff Xu
2023-06-01 16:16 ` Dave Hansen
2023-05-31 23:02 ` Jeff Xu
2023-05-16 20:08 ` Kees Cook
2023-05-16 22:17 ` Jeff Xu
2023-05-16 22:30 ` Dave Hansen
2023-05-16 23:39 ` Jeff Xu
2023-05-17 10:49 ` Stephen Röttger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEAAPHb5wzn6=9sL92-wq7mwT0-iu7NVmzpWM7tSiN85kZYO9w@mail.gmail.com' \
--to=sroettger@google.com \
--cc=akpm@linux-foundation.org \
--cc=dave.hansen@intel.com \
--cc=groeck@chromium.org \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=jeffxu@google.com \
--cc=jorgelo@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.