From: Jeff Xu <jeffxu@chromium.org>
To: Theo de Raadt <deraadt@openbsd.org>
Cc: Jeff Xu <jeffxu@google.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
Jonathan Corbet <corbet@lwn.net>,
akpm@linux-foundation.org, keescook@chromium.org,
jannh@google.com, sroettger@google.com, willy@infradead.org,
gregkh@linuxfoundation.org, usama.anjum@collabora.com,
rdunlap@infradead.org, jorgelo@chromium.org,
groeck@chromium.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
pedro.falcato@gmail.com, dave.hansen@intel.com,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH v8 0/4] Introduce mseal
Date: Thu, 1 Feb 2024 20:54:28 -0800 [thread overview]
Message-ID: <CABi2SkWSt=UMFWe9n916ZH16wCzaipKXmEJ5VasQHMr1AxerxQ@mail.gmail.com> (raw)
In-Reply-To: <8744.1706846710@cvs.openbsd.org>
On Thu, Feb 1, 2024 at 8:05 PM Theo de Raadt <deraadt@openbsd.org> wrote:
>
> Jeff Xu <jeffxu@google.com> wrote:
>
> > To me, the most important thing is to deliver a feature that's easy to
> > use and works well. I don't want users to mess things up, so if I'm
> > the one giving them the tools, I'm going to make sure they have all
> > the information they need and that there are safeguards in place.
> >
> > e.g. considering the following user case:
> > 1> a security sensitive data is allocated from heap, using malloc,
> > from the software component A, and filled with information.
> > 2> software component B then uses mprotect to change it to RO, and
> > seal it using mseal().
>
> p = malloc(80);
> mprotect(p & ~4095, 4096, PROT_NONE);
> free(p);
>
> Will you save such a developer also? No.
>
> Since the same problem you describe already exists with mprotect() what
> does mseal() even have to do with your proposal?
>
> What about this?
>
> p = malloc(80);
> munmap(p & ~4095, 4096);
> free(p);
>
> And since it is not sealed, how about madvise operations on a proper
> non-malloc memory allocation? Well, the process smashes it's own
> memory. And why is it not sealed? You make it harder to seal memory!
>
> How about this?
>
> p = malloc(80);
> bzero(p, 100000;
>
> Yes it is a buffer overflow. But this is all the same class of software
> problem:
>
> Memory belongs to processes, which belongs to the program, which is coded
> by the programmer, who has to learn to be careful and handle the memory correctly.
>
> mseal() / mimmutable() add *no new expectation* to a careful programmer,
> because they expected to only use it on memory that they *promise will never
> be de-allocated or re-permissioned*.
>
> What you are proposing is not a "mitigation", it entirely cripples the
> proposed subsystem because you are afraid of it; because you have cloned a
> memory subsystem primitive you don't fully understand; and this is because
> you've not seen a complete operating system using it.
>
> When was the last time you developed outside of Chrome?
>
> This is systems programming. The kernel supports all the programs, not
> just the one holy program from god.
>
Even without free.
I personally do not like the heap getting sealed like that.
Component A.
p=malloc(4096);
writing something to p.
Component B:
mprotect(p,4096, RO)
mseal(p,4096)
This will split the heap VMA, and prevent the heap from shrinking, if
this is in a frequent code path, then it might hurt the process's
memory usage.
The existing code is more likely to use malloc than mmap(), so it is
easier for dev to seal a piece of data belonging to another component.
I hope this pattern is not wide-spreading.
The ideal way will be just changing the library A to use mmap.
next prev parent reply other threads:[~2024-02-02 4:54 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-31 17:50 [PATCH v8 0/4] Introduce mseal jeffxu
2024-01-31 17:50 ` [PATCH v8 1/4] mseal: Wire up mseal syscall jeffxu
2024-01-31 17:50 ` [PATCH v8 2/4] mseal: add " jeffxu
2024-02-01 23:11 ` Eric Biggers
2024-02-02 3:30 ` Jeff Xu
2024-02-02 3:54 ` Theo de Raadt
2024-02-02 4:03 ` Jeff Xu
2024-02-02 4:10 ` Theo de Raadt
2024-02-02 4:22 ` Jeff Xu
2024-01-31 17:50 ` [PATCH v8 3/4] selftest mm/mseal memory sealing jeffxu
2024-01-31 17:50 ` [PATCH v8 4/4] mseal:add documentation jeffxu
2024-01-31 19:34 ` [PATCH v8 0/4] Introduce mseal Liam R. Howlett
2024-02-01 1:27 ` Jeff Xu
2024-02-01 1:46 ` Theo de Raadt
2024-02-01 16:56 ` Bird, Tim
2024-02-01 1:55 ` Theo de Raadt
2024-02-01 20:45 ` Liam R. Howlett
2024-02-01 22:24 ` Theo de Raadt
2024-02-02 1:06 ` Greg KH
2024-02-02 3:24 ` Jeff Xu
2024-02-02 3:29 ` Linus Torvalds
2024-02-02 3:46 ` Jeff Xu
2024-02-02 15:18 ` Greg KH
2024-02-01 22:37 ` Jeff Xu
2024-02-01 22:54 ` Theo de Raadt
2024-02-01 23:15 ` Linus Torvalds
2024-02-01 23:43 ` Theo de Raadt
2024-02-02 0:26 ` Theo de Raadt
2024-02-02 3:20 ` Jeff Xu
2024-02-02 4:05 ` Theo de Raadt
2024-02-02 4:54 ` Jeff Xu [this message]
2024-02-02 5:00 ` Theo de Raadt
2024-02-02 17:58 ` Jeff Xu
2024-02-02 18:51 ` Pedro Falcato
2024-02-02 21:20 ` Jeff Xu
2024-02-04 19:39 ` David Laight
2024-02-02 17:05 ` Theo de Raadt
2024-02-02 21:02 ` Jeff Xu
2024-02-02 3:14 ` Jeff Xu
2024-02-02 15:13 ` Liam R. Howlett
2024-02-02 17:24 ` Jeff Xu
2024-02-02 19:21 ` Liam R. Howlett
2024-02-02 19:32 ` Theo de Raadt
2024-02-02 20:36 ` Linus Torvalds
2024-02-02 20:57 ` Jeff Xu
2024-02-02 21:18 ` Liam R. Howlett
2024-02-02 23:36 ` Linus Torvalds
2024-02-03 4:45 ` Liam R. Howlett
2024-02-05 22:13 ` Suren Baghdasaryan
2024-02-02 20:14 ` Jeff Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CABi2SkWSt=UMFWe9n916ZH16wCzaipKXmEJ5VasQHMr1AxerxQ@mail.gmail.com' \
--to=jeffxu@chromium.org \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=corbet@lwn.net \
--cc=dave.hansen@intel.com \
--cc=deraadt@openbsd.org \
--cc=gregkh@linuxfoundation.org \
--cc=groeck@chromium.org \
--cc=jannh@google.com \
--cc=jeffxu@google.com \
--cc=jorgelo@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pedro.falcato@gmail.com \
--cc=rdunlap@infradead.org \
--cc=sroettger@google.com \
--cc=torvalds@linux-foundation.org \
--cc=usama.anjum@collabora.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).