Date: Mon, 19 Jun 2023 20:39:49 -0400
From: Kent Overstreet
To: Kees Cook
Cc: Andy Lutomirski, Johannes Thumshirn, "linux-kernel@vger.kernel.org", "linux-fsdevel@vger.kernel.org", "linux-bcachefs@vger.kernel.org", Kent Overstreet, Andrew Morton, Uladzislau Rezki, "hch@infradead.org", "linux-mm@kvack.org", "linux-hardening@vger.kernel.org"
Subject: Re: [PATCH 07/32] mm: Bring back vmalloc_exec
Message-ID: <20230620003949.kjs2z524hodwwcnt@moria.home.lan>

On Mon, Jun 19, 2023 at 12:45:43PM -0700, Kees Cook wrote:
> I think there's a misunderstanding here about the threat model I'm
> interested in protecting against for JITs. While making sure the VM of a
> JIT is safe in itself, that's separate from what I'm concerned about.
>
> The threat model is about flaws _elsewhere_ in the kernel that can
> leverage the JIT machinery to convert a "write anything anywhere anytime"
> exploit primitive into an "execute anything" primitive. Arguments can
> be made to say "a write anything flaw means the total collapse of the
> security model so there's no point defending against it", but both that
> type of flaw and the slippery slope argument don't stand up well to
> real-world situations.

Hey Kees, thanks for the explanation - I don't think this is a concern
for what bcachefs is doing, since we're not doing a full jit. The unpack
functions we generate only write to the 40 bytes pointed to by rsi; not
terribly useful as an execute anything primitive :)