[RFC PATCH v2 6/8] mseal: Check seal flag for mremap(2)

From: jeffxu@chromium.org
To: akpm@linux-foundation.org, keescook@chromium.org,
	jannh@google.com, sroettger@google.com, willy@infradead.org,
	gregkh@linuxfoundation.org, torvalds@linux-foundation.org
Cc: jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org,
	linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
	linux-mm@kvack.org, surenb@google.com, alex.sierra@amd.com,
	apopple@nvidia.com, aneesh.kumar@linux.ibm.com,
	axelrasmussen@google.com, ben@decadent.org.uk,
	catalin.marinas@arm.com, david@redhat.com, dwmw@amazon.co.uk,
	ying.huang@intel.com, hughd@google.com, joey.gouly@arm.com,
	corbet@lwn.net, wangkefeng.wang@huawei.com,
	Liam.Howlett@oracle.com, lstoakes@gmail.com,
	mawupeng1@huawei.com, linmiaohe@huawei.com, namit@vmware.com,
	peterx@redhat.com, peterz@infradead.org, ryan.roberts@arm.com,
	shr@devkernel.io, vbabka@suse.cz, xiujianfeng@huawei.com,
	yu.ma@intel.com, zhangpeng362@huawei.com, dave.hansen@intel.com,
	luto@kernel.org, linux-hardening@vger.kernel.org
Subject: [RFC PATCH v2 6/8] mseal: Check seal flag for mremap(2)
Date: Tue, 17 Oct 2023 09:08:13 +0000	[thread overview]
Message-ID: <20231017090815.1067790-7-jeffxu@chromium.org> (raw)
In-Reply-To: <20231017090815.1067790-1-jeffxu@chromium.org>

From: Jeff Xu <jeffxu@google.com>

mremap(2) can shrink/expand a VMA, or move a VMA to a fixed
address and overwriting or existing VMA. Sealing will
prevent unintended mremap(2) call.

What this patch does:
When a mremap(2) is invoked, if one of its VMAs has MM_SEAL_MREMAP
set from previous mseal(2) call, this mremap(2) will fail, without
any VMA modified.

This patch is based on following:
1. At syscall entry point: SYSCALL_DEFINE5(mremap,...)
There are two cases:
a. going into mremap_to().
b. not going into mremap_to().

2. For mremap_to() case.
Since mremap_to() is called only from SYSCALL_DEFINE5(mremap,..),
omit changing signature of mremap_to(), i.e. not passing
checkSeals flag.
In mremap_to(), it calls can_modify_mm() for src address and
dst address (when MREMAP_FIXED is used), before any update is
made to the VMAs.

3. For non mremap_to() case.
It is still part of SYSCALL_DEFINE5(mremap,...).
It calls can_modify_mm() to check sealing in the src address,
before any update is made to src VMAs.
Check for dest address is not needed, because dest memory is
allocated in current mremap(2) call.

Signed-off-by: Jeff Xu <jeffxu@google.com>
---
 mm/mremap.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/mm/mremap.c b/mm/mremap.c
index ac363937f8c4..691fc32d37e4 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -836,7 +836,27 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len,
 	if ((mm->map_count + 2) >= sysctl_max_map_count - 3)
 		return -ENOMEM;
 
+	/*
+	 * Check src address for sealing.
+	 *
+	 * Note: mremap_to() currently called from one place:
+	 * SYSCALL_DEFINE4(pkey_mprotect, ...)
+	 * and not in any other places.
+	 * Therefore, omit changing the signature of mremap_to()
+	 * Otherwise, we might need to add checkSeals and pass it
+	 * from all callers of mremap_to().
+	 */
+	if (!can_modify_mm(mm, addr, addr + old_len, MM_SEAL_MREMAP))
+		return -EACCES;
+
 	if (flags & MREMAP_FIXED) {
+		/*
+		 * Check dest address for sealing.
+		 */
+		if (!can_modify_mm(mm, new_addr, new_addr + new_len,
+				   MM_SEAL_MREMAP))
+			return -EACCES;
+
 		ret = do_munmap(mm, new_addr, new_len, uf_unmap_early);
 		if (ret)
 			goto out;
@@ -995,6 +1015,11 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
 		goto out;
 	}
 
+	if (!can_modify_mm(mm, addr, addr + old_len, MM_SEAL_MREMAP)) {
+		ret = -EACCES;
+		goto out;
+	}
+
 	/*
 	 * Always allow a shrinking remap: that just unmaps
 	 * the unnecessary pages..
-- 
2.42.0.655.g421f12c284-goog

