From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933185AbbLRTWS (ORCPT <rfc822;w@1wt.eu>);
	Fri, 18 Dec 2015 14:22:18 -0500
Received: from mail-ob0-f177.google.com ([209.85.214.177]:33226 "EHLO
	mail-ob0-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S932736AbbLRTWR (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Fri, 18 Dec 2015 14:22:17 -0500
MIME-Version: 1.0
In-Reply-To: <567453AF.5060808@linux.intel.com>
References: <CALCETrVw2V+Ny7=D=_E2m0Qa_v7Bp8GUjhyDXx_bWC35R2ohjg@mail.gmail.com>
 <56736BD1.5080700@linux.intel.com> <CALCETrWBjvTiVBPc098cGSH2vdezvdg-i6N4kZjgdcPT7uXoiQ@mail.gmail.com>
 <5673750B.606@linux.intel.com> <CALCETrWMofAX8TbZNyPaCWUHqcE85wpehDR05irEPtTYiVMXRA@mail.gmail.com>
 <FEA53E3B-6AE2-4305-82B1-C57451B6E33E@zytor.com> <CALCETrU28FoOwR+n8U0Qtt20=ZW6rgc3=M8X4G0QMt1_ZVHY7Q@mail.gmail.com>
 <567453AF.5060808@linux.intel.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Fri, 18 Dec 2015 11:21:56 -0800
Message-ID: <CALCETrU7TnbLSzOuGNmh=xDpa5W729RJSPdap2izXxagfg-biQ@mail.gmail.com>
Subject: Re: Rethinking sigcontext's xfeatures slightly for PKRU's benefit?
To: Dave Hansen <dave.hansen@linux.intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>, Oleg Nesterov <oleg@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@kernel.org>,
        Borislav Petkov <bp@alien8.de>, Brian Gerst <brgerst@gmail.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Christoph Hellwig <hch@lst.de>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Dec 18, 2015 at 10:42 AM, Dave Hansen
<dave.hansen@linux.intel.com> wrote:
> On 12/18/2015 08:04 AM, Andy Lutomirski wrote:
>> 1b. If the app malfunctions such that RSP points to pmem, the kernel
>> MUST NOT clobber the pmem space.  I think that this basically mandates
>> that PKRU needs to have some safe state (i.e. definitely not the init
>> state) on signal delivery: the kernel is going to write a signal frame
>> at the address identified by RSP, and that address is in pmem, so
>> those writes need to fail.
>
> The kernel is writing the signal frame using normal old copy_to_user().
>  Those are writing through mappings with _PAGE_USER set and should be
> subject to the PKRU state of the thread before the signal started to be
> delivered.
>
> We don't do the fpu__clear() until after this copy, so I think pkeys
> enforcement is being done properly for this today.

True, but I think only in a very limited sense.  Your average signal
handler is reasonably like to execute "push $rbp" as its very first
instruction, at which point we're immediately screwed with the current
arrangement.

--Andy

-- 
Andy Lutomirski
AMA Capital Management, LLC