Message-ID: <4eaea4b7-c72f-8bd8-ab2b-dc08fc4ad97d@sourceware.org>
Date: Fri, 6 Oct 2023 08:41:23 -0400
Subject: Re: [PATCH 2/2] aarch64: Make glibc.mem.tagging SXID_ERASE
To: Zack Weinberg, Szabolcs Nagy, Adhemerval Zanella, GNU libc development
Cc: Florian Weimer, Carlos O'Donell
References: <1d301638-abaa-4f0b-89a5-7fa75250bf5d@app.fastmail.com>
From: Siddhesh Poyarekar

On 2023-10-06 08:25, Zack Weinberg wrote:
>> I don't completely disagree with the conclusion below, but the CVE
>> that prompted this discussion doesn't say anything about environment
>> inheritance because the vulnerability had nothing to do with
>> environment processing and inheritance.
>
> I may have misunderstood the CVE or mixed it up with another one.
> I thought there was a recent CVE in which a SXID_IGNORE environment
> variable was inherited by a child process, and that child process was
> rendered vulnerable to further exploitation because it honored that
> variable.

Hmm, I don't remember anything like this recently (but my memory is worse than my airplane flying skills), but something like that would be an interesting data point and further confirmation that we need to get rid of SXID_IGNORE and SXID_NONE.

In any case, I can't see a good reason anymore to keep these levels, especially if we drop memory tagging, malloc tuning and malloc debugging tunables from SXID_IGNORE. If memory tagging needs to persist across setxid programs then there needs to be a different way, maybe through systemwide tunables[1] that DJ is working on, or maybe even ELF markup.

Adhemerval has taken this patchset and is going to build on it to rip it all out, so we'll hopefully resolve all of this together.

Thanks,
Sid

[1] https://inbox.sourceware.org/libc-alpha/xn1qeayuo9.fsf@greed.delorie.com/T/#u