| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 Jan 2023 16:03:42 +0000
From: Joey Gouly <joey.gouly@....com>
To: Catalin Marinas <catalin.marinas@....com>,
Andrew Morton <akpm@...ux-foundation.org>,
Lennart Poettering <lennart@...ttering.net>,
Zbigniew Jędrzejewski-Szmek <zbyszek@...waw.pl>
CC: Alexander Viro <viro@...iv.linux.org.uk>,
Kees Cook <keescook@...omium.org>,
Szabolcs Nagy <szabolcs.nagy@....com>,
Mark Brown <broonie@...nel.org>,
Jeremy Linton <jeremy.linton@....com>,
Topi Miettinen <toiwoton@...il.com>, <linux-mm@...ck.org>,
<linux-arm-kernel@...ts.infradead.org>,
<linux-kernel@...r.kernel.org>,
<linux-abi-devel@...ts.sourceforge.net>, <nd@....com>,
<joey.gouly@....com>, <shuah@...nel.org>
Subject: [PATCH v2 0/2] mm: In-kernel support for memory-deny-write-execute (MDWE)
Hi all,
This is v2 of the MDWE patchset.
Changes since v1:
- Rewritten test - thanks Kees!
- Added comment to `map_deny_write_exec`
- Moved flag check into mmap_region, should be no functional change
- Rebased onto v6.2-rc4
The background to this is that systemd has a configuration option called
MemoryDenyWriteExecute [2], implemented as a SECCOMP BPF filter. Its aim
is to prevent a user task from inadvertently creating an executable
mapping that is (or was) writeable. Since such BPF filter is stateless,
it cannot detect mappings that were previously writeable but
subsequently changed to read-only. Therefore the filter simply rejects
any mprotect(PROT_EXEC). The side-effect is that on arm64 with BTI
support (Branch Target Identification), the dynamic loader cannot change
an ELF section from PROT_EXEC to PROT_EXEC|PROT_BTI using mprotect().
For libraries, it can resort to unmapping and re-mapping but for the
main executable it does not have a file descriptor. The original bug
report in the Red Hat bugzilla - [3] - and subsequent glibc workaround
for libraries - [4].
This series adds in-kernel support for this feature as a prctl PR_SET_MDWE,
that is inherited on fork(). The prctl denies PROT_WRITE | PROT_EXEC mappings.
Like the systemd BPF filter it also denies adding PROT_EXEC to mappings.
However unlike the BPF filter it only denies it if the mapping didn't previous
have PROT_EXEC. This allows to PROT_EXEC -> PROT_EXEC | PROT_BTI with mprotect(),
which is a problem with the BPF filter.
Thanks,
Joey
[1] https://lore.kernel.org/linux-arm-kernel/20221026150457.36957-1-joey.gouly@arm.com/
[2] https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute=
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1888842
[4] https://sourceware.org/bugzilla/show_bug.cgi?id=26831
Joey Gouly (1):
mm: Implement memory-deny-write-execute as a prctl
Kees Cook (1):
kselftest: vm: add tests for memory-deny-write-execute
include/linux/mman.h | 34 +++++
include/linux/sched/coredump.h | 6 +-
include/uapi/linux/prctl.h | 6 +
kernel/sys.c | 33 +++++
mm/mmap.c | 10 ++
mm/mprotect.c | 5 +
tools/testing/selftests/vm/Makefile | 1 +
tools/testing/selftests/vm/mdwe_test.c | 197 +++++++++++++++++++++++++
8 files changed, 291 insertions(+), 1 deletion(-)
create mode 100644 tools/testing/selftests/vm/mdwe_test.c
--
2.17.1
Powered by blists - more mailing lists