On Mon, Jun 19, 2023 at 12:45:43PM -0700, Kees Cook wrote: > I think there's a misunderstanding here about the threat model I'm > interested in protecting against for JITs. While making sure the VM of a > JIT is safe in itself, that's separate from what I'm concerned about. > > The threat model is about flaws _elsewhere_ in the kernel that can > leverage the JIT machinery to convert a "write anything anywhere anytime" > exploit primitive into an "execute anything" primitive. Arguments can > be made to say "a write anything flaw means the total collapse of the > security model so there's no point defending against it", but both that > type of flaw and the slippery slope argument don't stand up well to > real-world situations. Hey Kees, thanks for the explanation - I don't think this is a concern for what bcachefs is doing, since we're not doing a full jit. The unpack functions we generate only write to the 40 bytes pointed to by rsi; not terribly useful as an execute anything primitive :)
