lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 28 Jun 2021 18:01:43 -0700
From:   Andrei Vagin <avagin@...il.com>
To:     "Eric W. Biederman" <ebiederm@...ssion.com>
Cc:     Jann Horn <jannh@...gle.com>, Andy Lutomirski <luto@...nel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Linux API <linux-api@...r.kernel.org>,
        linux-um@...ts.infradead.org, criu@...nvz.org, avagin@...gle.com,
        Andrew Morton <akpm@...ux-foundation.org>,
        Anton Ivanov <anton.ivanov@...bridgegreys.com>,
        Christian Brauner <christian.brauner@...ntu.com>,
        Dmitry Safonov <0x7f454c46@...il.com>,
        Ingo Molnar <mingo@...hat.com>, Jeff Dike <jdike@...toit.com>,
        Mike Rapoport <rppt@...ux.ibm.com>,
        Michael Kerrisk <mtk.manpages@...il.com>,
        Oleg Nesterov <oleg@...hat.com>,
        "Peter Zijlstra (Intel)" <peterz@...radead.org>,
        Richard Weinberger <richard@....at>,
        Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [PATCH 2/4] arch/x86: implement the process_vm_exec syscall

On Mon, Jun 28, 2021 at 01:18:07PM -0500, Eric W. Biederman wrote:
> Jann Horn <jannh@...gle.com> writes:
> 
> > On Mon, Jun 28, 2021 at 6:30 PM Andy Lutomirski <luto@...nel.org> wrote:
> >> On Mon, Jun 28, 2021, at 9:13 AM, Jann Horn wrote:
> >> > On Wed, Apr 14, 2021 at 7:59 AM Andrei Vagin <avagin@...il.com> wrote:
> >> > > This change introduces the new system call:
> >> > > process_vm_exec(pid_t pid, struct sigcontext *uctx, unsigned long flags,
> >> > >                 siginfo_t * uinfo, sigset_t *sigmask, size_t sizemask)
> >> > >
> >> > > process_vm_exec allows to execute the current process in an address
> >> > > space of another process.
> >> > [...]
> >> >
> >> > I still think that this whole API is fundamentally the wrong approach
> >> > because it tries to shoehorn multiple usecases with different
> >> > requirements into a single API. But that aside:
> >> >
> >> > > +static void swap_mm(struct mm_struct *prev_mm, struct mm_struct *target_mm)
> >> > > +{
> >> > > +       struct task_struct *tsk = current;
> >> > > +       struct mm_struct *active_mm;
> >> > > +
> >> > > +       task_lock(tsk);
> >> > > +       /* Hold off tlb flush IPIs while switching mm's */
> >> > > +       local_irq_disable();
> >> > > +
> >> > > +       sync_mm_rss(prev_mm);
> >> > > +
> >> > > +       vmacache_flush(tsk);
> >> > > +
> >> > > +       active_mm = tsk->active_mm;
> >> > > +       if (active_mm != target_mm) {
> >> > > +               mmgrab(target_mm);
> >> > > +               tsk->active_mm = target_mm;
> >> > > +       }
> >> > > +       tsk->mm = target_mm;
> >> >
> >> > I'm pretty sure you're not currently allowed to overwrite the ->mm
> >> > pointer of a userspace thread. For example, zap_threads() assumes that
> >> > all threads running under a process have the same ->mm. (And if you're
> >> > fiddling with ->mm stuff, you should probably CC linux-mm@.)
> >>
> >> exec_mmap() does it, so it can’t be entirely impossible.
> >
> > Yeah, true, execve can do it - I guess the thing that makes that
> > special is that it's running after de_thread(), so it's guaranteed to
> > be single-threaded?
> 
> Even the implementation detail of swapping the mm aside.  Even the idea
> of swaping the mm is completely broken, as an endless system calls
> depend upon the state held in task_struct.  io_uring just tried running
> system calls of a process in a different context and we ultimately had
> to make the threads part of the original process to make enough things
> work to keep the problem tractable.
> 
> System calls deeply and fundamentally depend on task_struct and
> signal_struct.

In opposite to io_uring, process_vm_exec doesn't intend to run system
calls in the context of the target process. We initially declare that
system calls are executed in the context of the current process with
just another mm. If we are talking about user-mode kernels, they will
need just two system calls: mmap and munmap. In case of CRIU, vmsplice
will be used too.

> 
> I can think of two possibilities.
> 1) Hijack and existing process thread.
> 2) Inject a new thread into an existing process.

I am not sure that I understand what you mean here, but it sounds like
we will need to do a context switch to execute anything in a context
of a hijacked thread. If I am right, it kills the main idea of
process_vm_exec. If I misunderstand your idea, maybe you can describe it
with more details.

Thanks,
Andrei

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ