From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Sean Christopherson <sean.j.christopherson@intel.com>
Cc: linux-sgx@vger.kernel.org,
Shay Katz-zamir <shay.katz-zamir@intel.com>,
Serge Ayoun <serge.ayoun@intel.com>
Subject: Re: [PATCH for_v22 10/11] x86/sgx: Call sgx_encl_grow() with the enclave's lock held
Date: Thu, 8 Aug 2019 18:52:29 +0300 [thread overview]
Message-ID: <20190808155217.r5seneo3px3kzjmd@linux.intel.com> (raw)
In-Reply-To: <20190808001254.11926-11-sean.j.christopherson@intel.com>
On Wed, Aug 07, 2019 at 05:12:53PM -0700, Sean Christopherson wrote:
> Move the taking of the enclave's lock outside of sgx_encl_grow() in
> preparation for adding sgx_encl_shrink(), which will decrement the
> number of enclave pages and free any allocated VA page. When freeing
> a VA page, the enclave's lock needs to be held for the entire time
> between adding the VA page to the enclave's list and freeing the VA
> page so as to prevent it from being used by reclaim, e.g. to avoid a
> use-after-free scenario.
>
> Because sgx_encl_grow() can temporarily drop encl->lock, calling it
> with encl->lock held adds a subtle dependency on the ordering of
> checks against encl->flags, e.g. checking for SGX_ENCL_CREATED prior
> to calling sgx_encl_grow() could lead to a TOCTOU on ECREATE. Avoid
> this by passing in the disallowed flags to sgx_encl_grow() so that the
> the dependency is clear.
>
> Retaking encl->lock in the failure paths is a bit ugly, but the
> alternative is to have sgx_encl_grow() drop encl->lock in all failure
> paths, which is arguably worse since the caller has to know which
> paths do/don't drop the lock.
>
> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Would be cleaner to check the flags just before the call. Otherwise,
no problems with this.
/Jarkko
next prev parent reply other threads:[~2019-08-08 15:52 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-08 0:12 [PATCH for_v22 00/11] x86/sgx: Bug fixes for v22 Sean Christopherson
2019-08-08 0:12 ` [PATCH for_v22 01/11] x86/sgx: Fix an SECS collision with enclave page at VA=0 Sean Christopherson
2019-08-08 15:34 ` Jarkko Sakkinen
2019-08-08 15:44 ` Sean Christopherson
2019-08-09 15:13 ` Jarkko Sakkinen
2019-08-09 20:44 ` Jarkko Sakkinen
2019-08-09 20:59 ` Jarkko Sakkinen
2019-08-08 0:12 ` [PATCH for_v22 02/11] x86/sgx: Fix incorrect NULL pointer check Sean Christopherson
2019-08-08 15:36 ` Jarkko Sakkinen
2019-08-09 21:16 ` Jarkko Sakkinen
2019-08-08 0:12 ` [PATCH for_v22 03/11] x86/sgx: Return '0' when sgx_ioc_enclave_set_attribute() succeeds Sean Christopherson
2019-08-08 15:37 ` Jarkko Sakkinen
2019-08-08 0:12 ` [PATCH for_v22 04/11] x86/sgx: x86/sgx: Require EADD destination to be page aligned Sean Christopherson
2019-08-08 15:38 ` Jarkko Sakkinen
2019-08-08 0:12 ` [PATCH for_v22 05/11] x86/sgx: Require EADD source " Sean Christopherson
2019-08-08 15:44 ` Jarkko Sakkinen
2019-08-08 0:12 ` [PATCH for_v22 06/11] x86/sgx: Check the bounds of the enclave address against ELRANGE Sean Christopherson
2019-08-08 15:45 ` Jarkko Sakkinen
2019-08-09 21:21 ` Jarkko Sakkinen
2019-08-08 0:12 ` [PATCH for_v22 07/11] x86/sgx: Check that enclave is created at beginning of EADD/EINIT ioctl Sean Christopherson
2019-08-08 15:47 ` Jarkko Sakkinen
2019-08-09 23:40 ` Jarkko Sakkinen
2019-08-10 0:03 ` Sean Christopherson
2019-08-10 0:10 ` Sean Christopherson
2019-08-08 0:12 ` [PATCH for_v22 08/11] x86/sgx: Do not free enclave resources on redundant ECREATE Sean Christopherson
2019-08-08 15:48 ` Jarkko Sakkinen
2019-08-08 0:12 ` [PATCH for_v22 09/11] x86/sgx: Refactor error handling for user of sgx_encl_grow() Sean Christopherson
2019-08-08 15:49 ` Jarkko Sakkinen
2019-08-08 0:12 ` [PATCH for_v22 10/11] x86/sgx: Call sgx_encl_grow() with the enclave's lock held Sean Christopherson
2019-08-08 15:52 ` Jarkko Sakkinen [this message]
2019-08-08 15:55 ` Sean Christopherson
2019-08-09 16:12 ` Jarkko Sakkinen
2019-08-10 11:32 ` Jarkko Sakkinen
2019-08-08 0:12 ` [PATCH for_v22 11/11] x86/sgx: Shrink the enclave if ECREATE/EADD fails Sean Christopherson
2019-08-08 15:50 ` Jarkko Sakkinen
2019-08-08 18:03 ` Sean Christopherson
2019-08-09 16:13 ` Jarkko Sakkinen
2019-08-10 11:37 ` Jarkko Sakkinen
2019-08-08 15:18 ` [PATCH for_v22 00/11] x86/sgx: Bug fixes for v22 Jarkko Sakkinen
2019-08-08 15:57 ` Jarkko Sakkinen
2019-08-10 11:44 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190808155217.r5seneo3px3kzjmd@linux.intel.com \
--to=jarkko.sakkinen@linux.intel.com \
--cc=linux-sgx@vger.kernel.org \
--cc=sean.j.christopherson@intel.com \
--cc=serge.ayoun@intel.com \
--cc=shay.katz-zamir@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).