On Tue, 14 May 2024 at 18:47, Theo de Raadt deraadt@openbsd.org wrote:
Linus Torvalds torvalds@linux-foundation.org wrote:
Regarding mprotect(), POSIX also says:
An implementation may permit accesses other than those specified by prot; however, no implementation shall permit a write to succeed where PROT_WRITE has not been set or shall permit any access where PROT_NONE alone has been set.
Why do you quote entirely irrelevant issues?
If the mprotect didn't succeed, then clearly the above is irrelevant.
When sealed memory is encountered in the middle of a range, an error will be returned (which almost noone looks at). Memory after the sealed region will not be fixed to follow this rule.
It may retain higher permission.
This is not in any way specific to mseal().
Theo, you're making shit up.
You claim that this is somehow new behavior:
The other previous errors have been transient system effects, like ENOMEM.
but that's simply NOT TRUE. Try this:
#include <stdio.h> #include <sys/mman.h>
int main(int argc, char **argv) { /* Just three pages for VM space allocation */ void *a = mmap(NULL, 3*4096, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
/* Make the second page a shared read mapping of stdin */ mmap(a+4096, 4096, PROT_READ, MAP_FIXED | MAP_SHARED, 0, 0);
/* Turn them all PROT_WRITE */ mprotect(a, 3*4096, PROT_WRITE);
fprintf(stderr, "Write to first page\n"); *(int *) (a+0) = 0;
fprintf(stderr, "Write to second page\n"); *(int *) (a+4096) = 0;
fprintf(stderr, "Write to third page\n"); *(int *) (a+2*4096) = 0; }
and what you will get (under Linux) is
$ ./a.out < ./a.out Write to first page Write to second page Segmentation fault (core dumped)
because that mprotect() will have returned EACCES on the shared mapping, but will have successfully made the first one writable.
End result: this whole "transient system effects" is just not true. And "mseal()" isn't somethign new.
If somebody makes random mprotect() calls, and doesn't check the result, they get exactly what they deserve. And mseal() isn't the issue - bad programming is.
Anyway, you're just making things up for your nonexistent arguments. I'm done.
Linus