From: Florian Weimer <fweimer@redhat.com>
To: Dave Hansen <dave.hansen@linux.intel.com>,
linux-x86_64@vger.kernel.org, linux-arch@vger.kernel.org
Cc: linux-mm <linux-mm@kvack.org>, Linux API <linux-api@vger.kernel.org>
Subject: Re: MPK: pkey_free and key reuse
Date: Thu, 23 Nov 2017 13:48:57 +0100 [thread overview]
Message-ID: <068b89c7-4303-88a7-540a-1491dc8a292d@redhat.com> (raw)
In-Reply-To: <633b5b03-3481-0da2-9d6c-f5298902e36a@linux.intel.com>
On 11/09/2017 05:59 PM, Dave Hansen wrote:
> On 11/09/2017 06:48 AM, Florian Weimer wrote:
>> On 11/08/2017 09:41 PM, Dave Hansen wrote:
>>>> (B) If a key is reused, existing threads retain their access rights,
>>>> while there is an expectation that pkey_alloc denies access for the
>>>> threads except the current one.
>>> Where does this expectation come from?
>>
>> For me, it was the access_rights argument to pkey_alloc. What else
>> would it do? For the current thread, I can already set the rights with
>> a PKRU write, so the existence of the syscall argument is puzzling.
>
> The manpage is pretty bare here. But the thought was that, in most
> cases, you will want to allocate a key and start using it immediately.
> This was in response to some feedback on one of the earlier reviews of
> the patch set.
Okay. In the future, may want to use this access rights to specify the
default for the signal handler (with a new pkey_alloc flag). If I can
the default access rights, that would pretty much solve the sigsetjmp
problem for me, too, and I can start using protection keys in low-level
glibc code.
>>> Using the malloc() analogy, we
>>> don't expect that free() in one thread actively takes away references to
>>> the memory held by other threads.
>>
>> But malloc/free isn't expected to be a partial antidote to random
>> pointer scribbling.
>
> Nor is protection keys intended to be an antidote for use-after-free.
I'm comparing this to munmap, which is actually such an antidote
(because it involves an IPI to flush all CPUs which could have seen the
mapping before).
I'm surprised that pkey_free doesn't perform a similar broadcast.
>> I think we should either implement revoke on pkey_alloc, with a
>> broadcast to all threads (the pkey_set race can be closed by having a
>> vDSO for that an the revocation code can check %rip to see if the old
>> PKRU value needs to be fixed up). Or we add the two pkey_alloc flags I
>> mentioned earlier.
>
> That sounds awfully complicated to put in-kernel. I'd be happy to
> review the patches after you put them together once we see how it looks.
TLB flushes are complicated, too, and very costly, but we still do them
on unmap, even in cases where they are not required for security reasons.
> You basically want threads to broadcast their PKRU values at pkey_free()
> time. That's totally doable... in userspace. You just need a mechanism
> for each thread to periodically check if they need an update.
No, we want to the revocation to be immediate, so we'd have to use
something like the setxid broadcast, and we have to make sure that we
aren't in a pkey_set, and if we are, adjust register contents besides
PKRU. Not pretty at all. I really don't want to implement that.
If the broadcast is lazy, I think it defeats its purpose because you
don't know what kind of access privileges other threads in the system have.
Your solution to all MPK problems seems to be to say that it's undefined
and applications shouldn't do that. But if applications only used
well-defined memory accesses, why would we need MPK?
Thanks,
Florian
next prev parent reply other threads:[~2017-11-23 12:48 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-05 10:35 MPK: pkey_free and key reuse Florian Weimer
2017-11-08 20:41 ` Dave Hansen
2017-11-09 14:48 ` Florian Weimer
2017-11-09 16:59 ` Dave Hansen
2017-11-23 12:48 ` Florian Weimer [this message]
2017-11-23 13:07 ` Vlastimil Babka
2017-11-23 15:25 ` Dave Hansen
2017-11-24 14:55 ` Florian Weimer
[not found] ` <0f006ef4-a7b5-c0cf-5f58-d0fd1f911a54-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-11-22 8:18 ` MPK: removing a pkey (was: pkey_free and key reuse) Vlastimil Babka
2017-11-22 12:15 ` MPK: removing a pkey Florian Weimer
2017-11-22 12:46 ` Vlastimil Babka
[not found] ` <f0495f01-9821-ec36-56b4-333f109eb761-AlSwsSmVLrQ@public.gmane.org>
2017-11-22 12:49 ` Florian Weimer
2017-11-22 16:10 ` Dave Hansen
2017-11-22 16:21 ` Florian Weimer
[not found] ` <9ec19ff3-86f6-7cfe-1a07-1ab1c5d9882c-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-11-22 16:32 ` Dave Hansen
2017-11-23 8:11 ` Vlastimil Babka
[not found] ` <de93997a-7802-96cf-62e2-e59416e745ca-AlSwsSmVLrQ@public.gmane.org>
2017-11-23 15:00 ` Dave Hansen
2017-11-23 21:42 ` Vlastimil Babka
[not found] ` <2d12777f-615a-8101-2156-cf861ec13aa7-AlSwsSmVLrQ@public.gmane.org>
2017-11-23 23:29 ` Dave Hansen
2017-11-24 8:35 ` Florian Weimer
2017-11-24 8:38 ` Vlastimil Babka
2017-11-23 12:38 ` Florian Weimer
2017-11-23 15:09 ` Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=068b89c7-4303-88a7-540a-1491dc8a292d@redhat.com \
--to=fweimer@redhat.com \
--cc=dave.hansen@linux.intel.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-x86_64@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).