[RFC,v2,6/8] mseal: Check seal flag for mremap(2)

Message ID	20231017090815.1067790-7-jeffxu@chromium.org (mailing list archive)
State	New
Headers	show Return-Path: <linux-kselftest-owner@vger.kernel.org> From: jeffxu@chromium.org To: akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, willy@infradead.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org Cc: jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, surenb@google.com, alex.sierra@amd.com, apopple@nvidia.com, aneesh.kumar@linux.ibm.com, axelrasmussen@google.com, ben@decadent.org.uk, catalin.marinas@arm.com, david@redhat.com, dwmw@amazon.co.uk, ying.huang@intel.com, hughd@google.com, joey.gouly@arm.com, corbet@lwn.net, wangkefeng.wang@huawei.com, Liam.Howlett@oracle.com, lstoakes@gmail.com, mawupeng1@huawei.com, linmiaohe@huawei.com, namit@vmware.com, peterx@redhat.com, peterz@infradead.org, ryan.roberts@arm.com, shr@devkernel.io, vbabka@suse.cz, xiujianfeng@huawei.com, yu.ma@intel.com, zhangpeng362@huawei.com, dave.hansen@intel.com, luto@kernel.org, linux-hardening@vger.kernel.org Subject: [RFC PATCH v2 6/8] mseal: Check seal flag for mremap(2) Date: Tue, 17 Oct 2023 09:08:13 +0000 Message-ID: <20231017090815.1067790-7-jeffxu@chromium.org> In-Reply-To: <20231017090815.1067790-1-jeffxu@chromium.org> References: <20231017090815.1067790-1-jeffxu@chromium.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Introduce mseal() syscall \| expand [RFC,v2,0/8] Introduce mseal() syscall [RFC,v2,1/8] mseal: Add mseal(2) syscall. [RFC,v2,2/8] mseal: Wire up mseal syscall [RFC,v2,3/8] mseal: add can_modify_mm and can_modify_vma [RFC,v2,4/8] mseal: Check seal flag for mprotect(2) [RFC,v2,5/8] mseal: Check seal flag for munmap(2) [RFC,v2,6/8] mseal: Check seal flag for mremap(2) [RFC,v2,7/8] mseal:Check seal flag for mmap(2) [RFC,v2,8/8] selftest mm/mseal mprotect/munmap/mremap/mmap

Message ID

20231017090815.1067790-7-jeffxu@chromium.org (mailing list archive)

State

New

Headers

From: jeffxu@chromium.org
To: akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com,
        sroettger@google.com, willy@infradead.org,
        gregkh@linuxfoundation.org, torvalds@linux-foundation.org
Cc: jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org,
        linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
        linux-mm@kvack.org, surenb@google.com, alex.sierra@amd.com,
        apopple@nvidia.com, aneesh.kumar@linux.ibm.com,
        axelrasmussen@google.com, ben@decadent.org.uk,
        catalin.marinas@arm.com, david@redhat.com, dwmw@amazon.co.uk,
        ying.huang@intel.com, hughd@google.com, joey.gouly@arm.com,
        corbet@lwn.net, wangkefeng.wang@huawei.com,
        Liam.Howlett@oracle.com, lstoakes@gmail.com, mawupeng1@huawei.com,
        linmiaohe@huawei.com, namit@vmware.com, peterx@redhat.com,
        peterz@infradead.org, ryan.roberts@arm.com, shr@devkernel.io,
        vbabka@suse.cz, xiujianfeng@huawei.com, yu.ma@intel.com,
        zhangpeng362@huawei.com, dave.hansen@intel.com, luto@kernel.org,
        linux-hardening@vger.kernel.org
Subject: [RFC PATCH v2 6/8] mseal: Check seal flag for mremap(2)
Date: Tue, 17 Oct 2023 09:08:13 +0000
Message-ID: <20231017090815.1067790-7-jeffxu@chromium.org>
In-Reply-To: <20231017090815.1067790-1-jeffxu@chromium.org>
References: <20231017090815.1067790-1-jeffxu@chromium.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Introduce mseal() syscall | expand

Commit Message

Jeff Xu Oct. 17, 2023, 9:08 a.m. UTC

From: Jeff Xu <jeffxu@google.com>

mremap(2) can shrink/expand a VMA, or move a VMA to a fixed
address and overwriting or existing VMA. Sealing will
prevent unintended mremap(2) call.

What this patch does:
When a mremap(2) is invoked, if one of its VMAs has MM_SEAL_MREMAP
set from previous mseal(2) call, this mremap(2) will fail, without
any VMA modified.

This patch is based on following:
1. At syscall entry point: SYSCALL_DEFINE5(mremap,...)
There are two cases:
a. going into mremap_to().
b. not going into mremap_to().

2. For mremap_to() case.
Since mremap_to() is called only from SYSCALL_DEFINE5(mremap,..),
omit changing signature of mremap_to(), i.e. not passing
checkSeals flag.
In mremap_to(), it calls can_modify_mm() for src address and
dst address (when MREMAP_FIXED is used), before any update is
made to the VMAs.

3. For non mremap_to() case.
It is still part of SYSCALL_DEFINE5(mremap,...).
It calls can_modify_mm() to check sealing in the src address,
before any update is made to src VMAs.
Check for dest address is not needed, because dest memory is
allocated in current mremap(2) call.

Signed-off-by: Jeff Xu <jeffxu@google.com>
---
 mm/mremap.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

Comments

Muhammad Usama Anjum Oct. 20, 2023, 1:56 p.m. UTC | #1

On 10/17/23 2:08 PM, jeffxu@chromium.org wrote:
> From: Jeff Xu <jeffxu@google.com>
> 
> mremap(2) can shrink/expand a VMA, or move a VMA to a fixed
> address and overwriting or existing VMA. Sealing will
> prevent unintended mremap(2) call.
> 
> What this patch does:
> When a mremap(2) is invoked, if one of its VMAs has MM_SEAL_MREMAP
> set from previous mseal(2) call, this mremap(2) will fail, without
> any VMA modified.
> 
> This patch is based on following:
> 1. At syscall entry point: SYSCALL_DEFINE5(mremap,...)
> There are two cases:
Maybe we can reduce the code duplication by bringing the check if memory is
sealed before call to mremap_to().

> a. going into mremap_to().
> b. not going into mremap_to().
> 
> 2. For mremap_to() case.
> Since mremap_to() is called only from SYSCALL_DEFINE5(mremap,..),
> omit changing signature of mremap_to(), i.e. not passing
> checkSeals flag.
> In mremap_to(), it calls can_modify_mm() for src address and
> dst address (when MREMAP_FIXED is used), before any update is
> made to the VMAs.
> 
> 3. For non mremap_to() case.
> It is still part of SYSCALL_DEFINE5(mremap,...).
> It calls can_modify_mm() to check sealing in the src address,
> before any update is made to src VMAs.
> Check for dest address is not needed, because dest memory is
> allocated in current mremap(2) call.
> 
> Signed-off-by: Jeff Xu <jeffxu@google.com>
> ---
>  mm/mremap.c | 25 +++++++++++++++++++++++++
>  1 file changed, 25 insertions(+)
> 
> diff --git a/mm/mremap.c b/mm/mremap.c
> index ac363937f8c4..691fc32d37e4 100644
> --- a/mm/mremap.c
> +++ b/mm/mremap.c
> @@ -836,7 +836,27 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len,
>  	if ((mm->map_count + 2) >= sysctl_max_map_count - 3)
>  		return -ENOMEM;
>  
> +	/*
> +	 * Check src address for sealing.
> +	 *
> +	 * Note: mremap_to() currently called from one place:
> +	 * SYSCALL_DEFINE4(pkey_mprotect, ...)
> +	 * and not in any other places.
> +	 * Therefore, omit changing the signature of mremap_to()
> +	 * Otherwise, we might need to add checkSeals and pass it
> +	 * from all callers of mremap_to().
> +	 */
> +	if (!can_modify_mm(mm, addr, addr + old_len, MM_SEAL_MREMAP))
> +		return -EACCES;
> +
>  	if (flags & MREMAP_FIXED) {
> +		/*
> +		 * Check dest address for sealing.
> +		 */
> +		if (!can_modify_mm(mm, new_addr, new_addr + new_len,
> +				   MM_SEAL_MREMAP))
> +			return -EACCES;
> +
Move these two checks to just before call to mremap_to() in sys_mremap() or
even earlier. Or even better move the first condition before mremap_to()
and second condition can be checked before call to mremap_to().

>  		ret = do_munmap(mm, new_addr, new_len, uf_unmap_early);
>  		if (ret)
>  			goto out;
> @@ -995,6 +1015,11 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
>  		goto out;
>  	}
>  
> +	if (!can_modify_mm(mm, addr, addr + old_len, MM_SEAL_MREMAP)) {
> +		ret = -EACCES;
> +		goto out;
> +	}
> +
>  	/*
>  	 * Always allow a shrinking remap: that just unmaps
>  	 * the unnecessary pages..

diff --git a/mm/mremap.c b/mm/mremap.c
index ac363937f8c4..691fc32d37e4 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -836,7 +836,27 @@  static unsigned long mremap_to(unsigned long addr, unsigned long old_len,
 	if ((mm->map_count + 2) >= sysctl_max_map_count - 3)
 		return -ENOMEM;
 
+	/*
+	 * Check src address for sealing.
+	 *
+	 * Note: mremap_to() currently called from one place:
+	 * SYSCALL_DEFINE4(pkey_mprotect, ...)
+	 * and not in any other places.
+	 * Therefore, omit changing the signature of mremap_to()
+	 * Otherwise, we might need to add checkSeals and pass it
+	 * from all callers of mremap_to().
+	 */
+	if (!can_modify_mm(mm, addr, addr + old_len, MM_SEAL_MREMAP))
+		return -EACCES;
+
 	if (flags & MREMAP_FIXED) {
+		/*
+		 * Check dest address for sealing.
+		 */
+		if (!can_modify_mm(mm, new_addr, new_addr + new_len,
+				   MM_SEAL_MREMAP))
+			return -EACCES;
+
 		ret = do_munmap(mm, new_addr, new_len, uf_unmap_early);
 		if (ret)
 			goto out;
@@ -995,6 +1015,11 @@  SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
 		goto out;
 	}
 
+	if (!can_modify_mm(mm, addr, addr + old_len, MM_SEAL_MREMAP)) {
+		ret = -EACCES;
+		goto out;
+	}
+
 	/*
 	 * Always allow a shrinking remap: that just unmaps
 	 * the unnecessary pages..

[RFC,v2,6/8] mseal: Check seal flag for mremap(2)

Commit Message

Comments

Patch