lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <342e6924-cc3f-4877-96e4-ee8936ab644f@lucifer.local>
Date: Tue, 20 May 2025 10:16:42 +0100
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: David Hildenbrand <david@...hat.com>
Cc: Jann Horn <jannh@...gle.com>, Usama Arif <usamaarif642@...il.com>,
        Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org,
        hannes@...xchg.org, shakeel.butt@...ux.dev, riel@...riel.com,
        ziy@...dia.com, laoar.shao@...il.com, baolin.wang@...ux.alibaba.com,
        Liam.Howlett@...cle.com, npache@...hat.com, ryan.roberts@....com,
        vbabka@...e.cz, Arnd Bergmann <arnd@...db.de>,
        linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org,
        kernel-team@...a.com
Subject: Re: [PATCH v3 2/7] prctl: introduce PR_DEFAULT_MADV_HUGEPAGE for the
 process

On Tue, May 20, 2025 at 11:09:05AM +0200, David Hildenbrand wrote:
> On 20.05.25 07:23, Lorenzo Stoakes wrote:
> > On Tue, May 20, 2025 at 01:01:38AM +0200, Jann Horn wrote:
> > > On Tue, May 20, 2025 at 12:33 AM Usama Arif <usamaarif642@...il.com> wrote:
> > > > This is set via the new PR_SET_THP_POLICY prctl. It has 2 affects:
> > > > - It sets VM_HUGEPAGE and clears VM_NOHUGEPAGE on the default VMA flags
> > > >    (def_flags). This means that every new VMA will be considered for
> > > >    hugepage.
> > > > - Iterate through every VMA in the process and call hugepage_madvise
> > > >    on it, with MADV_HUGEPAGE policy.
> > > > The policy is inherited during fork+exec.
> > >
> > > As I replied to Lorenzo's series
> > > (https://lore.kernel.org/all/CAG48ez3-7EnBVEjpdoW7z5K0hX41nLQN5Wb65Vg-1p8DdXRnjg@mail.gmail.com/),
> > > it would be nice if you could avoid introducing new flags that have
> > > the combination of all the following properties:
> > >
> > > 1. persists across exec
> > > 2. not cleared on secureexec execution
> > > 3. settable without ns_capable(CAP_SYS_ADMIN)
> > > 4. settable without NO_NEW_PRIVS
> > >
> > > Flags that have all of these properties need to be reviewed extra
> > > carefully to see if there is any way they could impact the security of
> > > setuid binaries, for example by changing mmap() behavior in a way that
> > > makes addresses significantly more predictable.
> >
> > Indeed, this series was meant to be as RFC as mine while we still figured this
> > out :) grr. Well, with the NACK it is - in effect - now an RFC.
> >
> > Yes having something persistent like this is not great, the idea of
> > introducing this in my series was to provide an alternative generic version
> > of this approach that can be better controlled and isn't just a 'tacked on'
> > change specific to one company's needs but rather a more general idea of
> > 'madvise() by default'.
> >
> > I do wonder in this case, whether we need be so cautious however given the
> > _relatively_ safe nature of these flags?
>
> Yes. Changing VM_HUGEPAGE / VM_NOHUGEPAGE defaults should have little
> impact, but we better be careful.
>
> setuid execution is certainly an interesting point. Maybe the general rule
> should be, that it is not inherited over secureexec unless CAP_SYS_ADMIN?

I think probably we should just restrict this operation to system admins
anyway. This will be the most cautious option, and simplifies things as we
then don't have to especially check for things at certain points?

>
> --
> Cheers,
>
> David / dhildenb
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ