From: Ingo Molnar <mingo@kernel.org> To: Linus Torvalds <torvalds@linux-foundation.org> Cc: Dave Hansen <dave@sr71.net>, Kees Cook <keescook@google.com>, "x86@kernel.org" <x86@kernel.org>, LKML <linux-kernel@vger.kernel.org>, Linux-MM <linux-mm@kvack.org>, Andrew Morton <akpm@linux-foundation.org>, Peter Zijlstra <a.p.zijlstra@chello.nl>, Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@alien8.de> Subject: Re: [PATCH 26/26] x86, pkeys: Documentation Date: Fri, 2 Oct 2015 09:09:43 +0200 [thread overview] Message-ID: <20151002070943.GA1623@gmail.com> (raw) In-Reply-To: <CA+55aFwUAY01QC8A3mCOoq5aYjT7Lw-gVx6DvqYBr0UMZ9kZEQ@mail.gmail.com> * Linus Torvalds <torvalds@linux-foundation.org> wrote: > On Thu, Oct 1, 2015 at 6:33 PM, Dave Hansen <dave@sr71.net> wrote: > > > > Here it is in a quite fugly form (well, it's not opt-in). Init crashes if I > > boot with this, though. > > > > I'll see if I can turn it in to a bit more of an opt-in and see what's > > actually going wrong. > > It's quite likely that you will find that compilers put read-only constants in > the text section, knowing that executable means readable. At least with pkeys enabling true --x mappings, that compiler practice becomes a (mild) security problem: it provides a readable and executable return target for stack/buffer overflow attacks - FWIIW. (It's a limited concern because the true code areas are executable already.) I'd expect such readonly data to eventually move out into the regular data sections, the moment the kernel gives a tool to distros to enforce true PROT_EXEC mappings. > So it's entirely possible that it's pretty much all over. I'd expect that too. > That said, I don't understand your patch. Why check PROT_WRITE? We've had > :"execute but not write" forever. It's "execute and not *read*" that is > interesting. Yeah, but almost none of user-space seems to be using it. > So I wonder if your testing is just bogus. But maybe I'm mis-reading this? I don't think you are mis-reading it: my (hacky! bad! not signed off!) debug idea was to fudge PROT_EXEC|PROT_READ bits into pure PROT_EXEC only - at least to get pkeys used in a much more serious fashion than standalone testcases, without having to change the distro itself. You are probably right that true data reads from executable sections are very common, so this might not be a viable technique even for testing purposes. But worth a try. Thanks, Ingo
WARNING: multiple messages have this Message-ID (diff)
From: Ingo Molnar <mingo@kernel.org> To: Linus Torvalds <torvalds@linux-foundation.org> Cc: Dave Hansen <dave@sr71.net>, Kees Cook <keescook@google.com>, "x86@kernel.org" <x86@kernel.org>, LKML <linux-kernel@vger.kernel.org>, Linux-MM <linux-mm@kvack.org>, Andrew Morton <akpm@linux-foundation.org>, Peter Zijlstra <a.p.zijlstra@chello.nl>, Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@alien8.de> Subject: Re: [PATCH 26/26] x86, pkeys: Documentation Date: Fri, 2 Oct 2015 09:09:43 +0200 [thread overview] Message-ID: <20151002070943.GA1623@gmail.com> (raw) In-Reply-To: <CA+55aFwUAY01QC8A3mCOoq5aYjT7Lw-gVx6DvqYBr0UMZ9kZEQ@mail.gmail.com> * Linus Torvalds <torvalds@linux-foundation.org> wrote: > On Thu, Oct 1, 2015 at 6:33 PM, Dave Hansen <dave@sr71.net> wrote: > > > > Here it is in a quite fugly form (well, it's not opt-in). Init crashes if I > > boot with this, though. > > > > I'll see if I can turn it in to a bit more of an opt-in and see what's > > actually going wrong. > > It's quite likely that you will find that compilers put read-only constants in > the text section, knowing that executable means readable. At least with pkeys enabling true --x mappings, that compiler practice becomes a (mild) security problem: it provides a readable and executable return target for stack/buffer overflow attacks - FWIIW. (It's a limited concern because the true code areas are executable already.) I'd expect such readonly data to eventually move out into the regular data sections, the moment the kernel gives a tool to distros to enforce true PROT_EXEC mappings. > So it's entirely possible that it's pretty much all over. I'd expect that too. > That said, I don't understand your patch. Why check PROT_WRITE? We've had > :"execute but not write" forever. It's "execute and not *read*" that is > interesting. Yeah, but almost none of user-space seems to be using it. > So I wonder if your testing is just bogus. But maybe I'm mis-reading this? I don't think you are mis-reading it: my (hacky! bad! not signed off!) debug idea was to fudge PROT_EXEC|PROT_READ bits into pure PROT_EXEC only - at least to get pkeys used in a much more serious fashion than standalone testcases, without having to change the distro itself. You are probably right that true data reads from executable sections are very common, so this might not be a viable technique even for testing purposes. But worth a try. Thanks, Ingo -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2015-10-02 7:09 UTC|newest] Thread overview: 172+ messages / expand[flat|nested] mbox.gz Atom feed top 2015-09-16 17:49 [PATCH 00/26] [RFCv2] x86: Memory Protection Keys Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 04/26] x86, pku: define new CR4 bit Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 03/26] x86, pkeys: cpuid bit definition Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 02/26] x86, pkeys: Add Kconfig option Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 01/26] x86, fpu: add placeholder for Processor Trace XSAVE state Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 07/26] x86, pkeys: new page fault error code bit: PF_PK Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 05/26] x86, pkey: add PKRU xsave fields and data structure(s) Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-22 19:53 ` Thomas Gleixner 2015-09-22 19:53 ` Thomas Gleixner 2015-09-22 19:58 ` Dave Hansen 2015-09-22 19:58 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 06/26] x86, pkeys: PTE bits for storing protection key Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 10/26] x86, pkeys: notify userspace about protection key faults Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-22 20:03 ` Thomas Gleixner 2015-09-22 20:03 ` Thomas Gleixner 2015-09-22 20:21 ` Dave Hansen 2015-09-22 20:21 ` Dave Hansen 2015-09-22 20:27 ` Thomas Gleixner 2015-09-22 20:27 ` Thomas Gleixner 2015-09-22 20:29 ` Dave Hansen 2015-09-22 20:29 ` Dave Hansen 2015-09-23 8:05 ` Ingo Molnar 2015-09-23 8:05 ` Ingo Molnar 2015-09-24 9:23 ` Ingo Molnar 2015-09-24 9:23 ` Ingo Molnar 2015-09-24 9:30 ` Ingo Molnar 2015-09-24 9:30 ` Ingo Molnar 2015-09-24 17:41 ` Dave Hansen 2015-09-24 17:41 ` Dave Hansen 2015-09-25 7:11 ` Ingo Molnar 2015-09-25 7:11 ` Ingo Molnar 2015-09-25 23:18 ` Dave Hansen 2015-09-25 23:18 ` Dave Hansen 2015-09-26 6:20 ` Ingo Molnar 2015-09-26 6:20 ` Ingo Molnar 2015-09-27 22:39 ` Dave Hansen 2015-09-27 22:39 ` Dave Hansen 2015-09-28 5:59 ` Ingo Molnar 2015-09-28 5:59 ` Ingo Molnar 2015-09-24 17:15 ` Dave Hansen 2015-09-24 17:15 ` Dave Hansen 2015-09-28 19:25 ` Christian Borntraeger 2015-09-28 19:25 ` Christian Borntraeger 2015-09-28 19:32 ` Dave Hansen 2015-09-28 19:32 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 09/26] x86, pkeys: arch-specific protection bits Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 08/26] x86, pkeys: store protection in high VMA flags Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 11/26] x86, pkeys: add functions for set/fetch PKRU Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-22 20:05 ` Thomas Gleixner 2015-09-22 20:05 ` Thomas Gleixner 2015-09-22 20:22 ` Dave Hansen 2015-09-22 20:22 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 14/26] x86, pkeys: check VMAs and PTEs for protection keys Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 12/26] mm: factor out VMA fault permission checking Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 13/26] mm: simplify get_user_pages() PTE bit handling Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 15/26] x86, pkeys: optimize fault handling in access_error() Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 16/26] x86, pkeys: dump PKRU with other kernel registers Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 17/26] x86, pkeys: dump PTE pkey in /proc/pid/smaps Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 19/26] [NEWSYSCALL] mm, multi-arch: pass a protection key in to calc_vm_flag_bits() Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 20/26] [NEWSYSCALL] mm: implement new mprotect_pkey() system call Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 18/26] x86, pkeys: add Kconfig prompt to existing config option Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 22/26] [HIJACKPROT] mm: Pass the 4-bit protection key in via PROT_ bits to syscalls Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 21/26] [NEWSYSCALL] x86: wire up mprotect_key() system call Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 24/26] [HIJACKPROT] x86, pkeys: mask off pkeys bits in mprotect() Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 25/26] x86, pkeys: actually enable Memory Protection Keys in CPU Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 23/26] [HIJACKPROT] x86, pkeys: add x86 version of arch_validate_prot() Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-16 17:49 ` [PATCH 26/26] x86, pkeys: Documentation Dave Hansen 2015-09-16 17:49 ` Dave Hansen 2015-09-20 8:55 ` Ingo Molnar 2015-09-20 8:55 ` Ingo Molnar 2015-09-21 4:34 ` Dave Hansen 2015-09-21 4:34 ` Dave Hansen 2015-09-24 9:49 ` Ingo Molnar 2015-09-24 9:49 ` Ingo Molnar 2015-09-24 19:10 ` Dave Hansen 2015-09-24 19:10 ` Dave Hansen 2015-09-24 19:17 ` Andy Lutomirski 2015-09-24 19:17 ` Andy Lutomirski 2015-09-25 7:16 ` Ingo Molnar 2015-09-25 7:16 ` Ingo Molnar 2015-09-25 6:15 ` Ingo Molnar 2015-09-25 6:15 ` Ingo Molnar 2015-10-01 11:17 ` Ingo Molnar 2015-10-01 11:17 ` Ingo Molnar 2015-10-01 20:39 ` Kees Cook 2015-10-01 20:39 ` Kees Cook 2015-10-01 20:45 ` Andy Lutomirski 2015-10-01 20:45 ` Andy Lutomirski 2015-10-02 6:23 ` Ingo Molnar 2015-10-02 6:23 ` Ingo Molnar 2015-10-02 17:50 ` Dave Hansen 2015-10-02 17:50 ` Dave Hansen 2015-10-03 7:27 ` Ingo Molnar 2015-10-03 7:27 ` Ingo Molnar 2015-10-06 23:28 ` Dave Hansen 2015-10-06 23:28 ` Dave Hansen 2015-10-07 7:11 ` Ingo Molnar 2015-10-07 7:11 ` Ingo Molnar 2015-10-16 15:12 ` Dave Hansen 2015-10-16 15:12 ` Dave Hansen 2015-10-21 18:55 ` Andy Lutomirski 2015-10-21 18:55 ` Andy Lutomirski 2015-10-21 19:11 ` Dave Hansen 2015-10-21 19:11 ` Dave Hansen 2015-10-21 23:22 ` Andy Lutomirski 2015-10-21 23:22 ` Andy Lutomirski 2015-10-01 20:58 ` Dave Hansen 2015-10-01 20:58 ` Dave Hansen 2015-10-01 22:33 ` Dave Hansen 2015-10-01 22:35 ` Kees Cook 2015-10-01 22:35 ` Kees Cook 2015-10-01 22:39 ` Dave Hansen 2015-10-01 22:39 ` Dave Hansen 2015-10-01 22:48 ` Linus Torvalds 2015-10-01 22:48 ` Linus Torvalds 2015-10-01 22:56 ` Dave Hansen 2015-10-01 22:56 ` Dave Hansen 2015-10-02 1:38 ` Linus Torvalds 2015-10-02 1:38 ` Linus Torvalds 2015-10-02 18:08 ` Dave Hansen 2015-10-02 18:08 ` Dave Hansen 2015-10-02 7:09 ` Ingo Molnar [this message] 2015-10-02 7:09 ` Ingo Molnar 2015-10-03 6:59 ` Ingo Molnar 2015-10-03 6:59 ` Ingo Molnar 2015-10-02 11:49 ` Paolo Bonzini 2015-10-02 11:49 ` Paolo Bonzini 2015-10-02 11:58 ` Linus Torvalds 2015-10-02 11:58 ` Linus Torvalds 2015-10-02 12:14 ` Paolo Bonzini 2015-10-02 12:14 ` Paolo Bonzini 2015-10-03 6:46 ` Ingo Molnar 2015-10-03 6:46 ` Ingo Molnar 2015-10-01 22:57 ` Andy Lutomirski 2015-10-01 22:57 ` Andy Lutomirski 2015-10-02 6:09 ` Ingo Molnar 2015-10-02 6:09 ` Ingo Molnar 2015-10-03 8:17 ` Ingo Molnar 2015-10-03 8:17 ` Ingo Molnar 2015-10-07 20:24 ` Dave Hansen 2015-10-07 20:24 ` Dave Hansen 2015-10-07 20:39 ` Andy Lutomirski 2015-10-07 20:39 ` Andy Lutomirski 2015-10-07 20:47 ` Dave Hansen 2015-10-07 20:47 ` Dave Hansen 2015-09-16 17:51 ` Fwd: [PATCH 00/26] [RFCv2] x86: Memory Protection Keys Dave Hansen
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20151002070943.GA1623@gmail.com \ --to=mingo@kernel.org \ --cc=a.p.zijlstra@chello.nl \ --cc=akpm@linux-foundation.org \ --cc=bp@alien8.de \ --cc=dave@sr71.net \ --cc=keescook@google.com \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ --cc=luto@kernel.org \ --cc=torvalds@linux-foundation.org \ --cc=x86@kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.