From: Florian Weimer <fweimer@redhat.com>
To: Dave Hansen <dave.hansen@linux.intel.com>,
Vlastimil Babka <vbabka@suse.cz>,
linux-x86_64@vger.kernel.org, linux-arch@vger.kernel.org
Cc: linux-mm <linux-mm@kvack.org>, Linux API <linux-api@vger.kernel.org>
Subject: Re: MPK: removing a pkey
Date: Thu, 23 Nov 2017 13:38:21 +0100 [thread overview]
Message-ID: <28f6e430-293d-4b30-dce6-018a2b3c03e8@redhat.com> (raw)
In-Reply-To: <d98eb4b8-6e59-513d-fdf8-3395485cb851@linux.intel.com>
[-- Attachment #1: Type: text/plain, Size: 1906 bytes --]
On 11/22/2017 05:32 PM, Dave Hansen wrote:
> On 11/22/2017 08:21 AM, Florian Weimer wrote:
>> On 11/22/2017 05:10 PM, Dave Hansen wrote:
>>> On 11/22/2017 04:15 AM, Florian Weimer wrote:
>>>> On 11/22/2017 09:18 AM, Vlastimil Babka wrote:
>>>>> And, was the pkey == -1 internal wiring supposed to be exposed to the
>>>>> pkey_mprotect() signal, or should there have been a pre-check returning
>>>>> EINVAL in SYSCALL_DEFINE4(pkey_mprotect), before calling
>>>>> do_mprotect_pkey())? I assume it's too late to change it now anyway (or
>>>>> not?), so should we also document it?
>>>>
>>>> I think the -1 case to the set the default key is useful because it
>>>> allows you to use a key value of -1 to mean “MPK is not supported”, and
>>>> still call pkey_mprotect.
>>>
>>> The behavior to not allow 0 to be set was unintentional and is a bug.
>>> We should fix that.
>>
>> On the other hand, x86-64 has no single default protection key due to
>> the PROT_EXEC emulation.
>
> No, the default is clearly 0 and documented to be so. The PROT_EXEC
> emulation one should be inaccessible in all the APIs so does not even
> show up as *being* a key in the API.
I see key 1 in /proc for a PROT_EXEC mapping. If I supply an explicit
protection key, that key is used, and the page ends up having read
access enabled.
The key is also visible in the siginfo_t argument on read access to a
PROT_EXEC mapping with the default key, so it's not just /proc:
page 1 (0x7f008242d000): read access denied
SIGSEGV address: 0x7f008242d000
SIGSEGV code: 4
SIGSEGV key: 1
I'm attaching my test.
> The fact that it's implemented
> with pkeys should be pretty immaterial other than the fact that you
> can't touch the high bits in PKRU.
I don't see a restriction for PKRU updates. If I write zero to the PKRU
register, PROT_EXEC implies PROT_READ, as I would expect.
This is with kernel 4.14.
Florian
[-- Attachment #2: mpk-default.c --]
[-- Type: text/x-csrc, Size: 4720 bytes --]
#include <err.h>
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#define PKEY_DISABLE_ACCESS 1
#define PKEY_DISABLE_WRITE 2
__attribute__ ((weak, noinline, noclone)) /* Compiler barrier. */
void
touch (void *buffer)
{
}
__attribute__ ((weak, noinline, noclone)) /* Compiler barrier. */
void
read_page (void *page)
{
char buf[16];
memcpy (buf, page, sizeof (buf));
touch (buf);
}
__attribute__ ((weak, noinline, noclone)) /* Compiler barrier. */
void
write_page (void *page)
{
memset (page, 0, 16);
touch (page);
}
static volatile void *sigsegv_addr;
static volatile int sigsegv_code;
static volatile int sigsegv_pkey;
static sigjmp_buf sigsegv_jmp;
static void
sigsegv_handler (int signo, siginfo_t *info, void *arg)
{
sigsegv_addr = info->si_addr;
sigsegv_code = info->si_code;
if (info->si_code == 4)
{
/* Guess the address of the protection key field. */
int *ppkey = 2 + ((int *)((&info->si_addr) + 1));
sigsegv_pkey = *ppkey;
}
else
sigsegv_pkey = -1;
siglongjmp (sigsegv_jmp, 2);
}
static const struct sigaction sigsegv_sigaction =
{
.sa_flags = SA_RESETHAND | SA_SIGINFO,
.sa_sigaction = &sigsegv_handler,
};
/* Return the value of the PKRU register. */
static inline unsigned int
pkey_read (void)
{
unsigned int result;
__asm__ volatile (".byte 0x0f, 0x01, 0xee"
: "=a" (result) : "c" (0) : "rdx");
return result;
}
/* Overwrite the PKRU register with VALUE. */
static inline void
pkey_write (unsigned int value)
{
__asm__ volatile (".byte 0x0f, 0x01, 0xef"
: : "a" (value), "c" (0), "d" (0));
}
enum { page_count = 7 };
static void *pages[page_count];
static void
check_fault_1 (int page, const char *what, void (*op) (void *))
{
unsigned pkru = pkey_read ();
int result = sigsetjmp (sigsegv_jmp, 1);
if (result == 0)
{
if (sigaction (SIGSEGV, &sigsegv_sigaction, NULL) != 0)
err (1, "sigaction");
op (pages[page]);
printf ("page %d (%p): %s access allowed\n", page, pages[page], what);
return;
}
else
{
if (signal (SIGSEGV, SIG_DFL) == SIG_ERR)
err (1, "signal");
printf ("page %d (%p): %s access denied\n", page, pages[page], what);
printf (" SIGSEGV address: %p\n", sigsegv_addr);
printf (" SIGSEGV code: %d\n", sigsegv_code);
printf (" SIGSEGV key: %d\n", sigsegv_pkey);
}
/* Preserve PKRU register value (clobbered by signal handler). */
pkey_write (pkru);
}
static void
check_fault (int page)
{
check_fault_1 (page, "read", read_page);
check_fault_1 (page, "write", write_page);
}
static void
dump_smaps (const char *what)
{
printf ("info: *** BEGIN %s ***\n", what);
FILE *fp = fopen ("/proc/self/smaps", "r");
if (fp == NULL)
err (1, "fopen");
while (true)
{
int ch = fgetc (fp);
if (ch == EOF)
break;
fputc (ch, stdout);
}
if (ferror (fp))
err (1, "fgetc");
if (fclose (fp) != 0)
err (1, "fclose");
printf ("info: *** END %s ***\n", what);
fflush (stdout);
}
int
main (void)
{
int protections[page_count] =
{ PROT_READ | PROT_WRITE, PROT_EXEC, PROT_READ, PROT_READ,
PROT_EXEC | PROT_WRITE, PROT_EXEC | PROT_WRITE, PROT_EXEC };
for (int i = 0; i < page_count; ++i)
{
pages[i] = mmap (NULL, 1, protections[i],
MAP_ANON | MAP_PRIVATE, -1, 0);
if (pages[i] == MAP_FAILED)
err (1, "mmap");
printf ("page %d: %p\n", i, pages[i]);
}
int key = syscall (SYS_pkey_alloc, 0, 0);
if (key < 0)
err (1, "pkey_alloc");
printf ("key: %d\n", key);
if (syscall (SYS_pkey_mprotect, pages[2], 1, PROT_READ, key) != 0)
err (1, "pkey_mprotected (pages[2])");
if (syscall (SYS_pkey_mprotect, pages[3], 1, PROT_EXEC, key) != 0)
err (1, "pkey_mprotected (pages[3])");
if (syscall (SYS_pkey_mprotect, pages[5], 1, PROT_EXEC | PROT_WRITE, key)
!= 0)
err (1, "pkey_mprotected (pages[5])");
if (syscall (SYS_pkey_mprotect, pages[6], 1, PROT_EXEC, key) != 0)
err (1, "pkey_mprotected (pages[6])");
if (syscall (SYS_pkey_mprotect, pages[6], 1, PROT_EXEC, -1) != 0)
err (1, "pkey_mprotected (pages[6])");
dump_smaps ("dump before faults");
/* This succeeds because the page is mapped readable. */
puts ("info: performing accesses");
fflush (stdout);
for (int i = 0; i < page_count; ++i)
check_fault (i);
/* See what happens if we grant all access rights. */
puts ("info: setting PKRU to zero");
fflush (stdout);
pkey_write (0);
for (int i = 0; i < page_count; ++i)
check_fault (i);
return 0;
}
next prev parent reply other threads:[~2017-11-23 12:38 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-05 10:35 MPK: pkey_free and key reuse Florian Weimer
2017-11-05 10:35 ` Florian Weimer
2017-11-08 20:41 ` Dave Hansen
2017-11-09 14:48 ` Florian Weimer
2017-11-09 14:48 ` Florian Weimer
2017-11-09 16:59 ` Dave Hansen
2017-11-09 16:59 ` Dave Hansen
2017-11-23 12:48 ` Florian Weimer
2017-11-23 13:07 ` Vlastimil Babka
2017-11-23 13:07 ` Vlastimil Babka
2017-11-23 15:25 ` Dave Hansen
2017-11-24 14:55 ` Florian Weimer
2017-11-24 14:55 ` Florian Weimer
[not found] ` <0f006ef4-a7b5-c0cf-5f58-d0fd1f911a54-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-11-22 8:18 ` MPK: removing a pkey (was: pkey_free and key reuse) Vlastimil Babka
2017-11-22 8:18 ` Vlastimil Babka
2017-11-22 12:15 ` MPK: removing a pkey Florian Weimer
2017-11-22 12:15 ` Florian Weimer
2017-11-22 12:46 ` Vlastimil Babka
2017-11-22 12:46 ` Vlastimil Babka
[not found] ` <f0495f01-9821-ec36-56b4-333f109eb761-AlSwsSmVLrQ@public.gmane.org>
2017-11-22 12:49 ` Florian Weimer
2017-11-22 12:49 ` Florian Weimer
2017-11-22 16:10 ` Dave Hansen
2017-11-22 16:21 ` Florian Weimer
2017-11-22 16:21 ` Florian Weimer
[not found] ` <9ec19ff3-86f6-7cfe-1a07-1ab1c5d9882c-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-11-22 16:32 ` Dave Hansen
2017-11-22 16:32 ` Dave Hansen
2017-11-23 8:11 ` Vlastimil Babka
[not found] ` <de93997a-7802-96cf-62e2-e59416e745ca-AlSwsSmVLrQ@public.gmane.org>
2017-11-23 15:00 ` Dave Hansen
2017-11-23 15:00 ` Dave Hansen
2017-11-23 21:42 ` Vlastimil Babka
[not found] ` <2d12777f-615a-8101-2156-cf861ec13aa7-AlSwsSmVLrQ@public.gmane.org>
2017-11-23 23:29 ` Dave Hansen
2017-11-23 23:29 ` Dave Hansen
2017-11-24 8:35 ` Florian Weimer
2017-11-24 8:35 ` Florian Weimer
2017-11-24 8:38 ` Vlastimil Babka
2017-11-23 12:38 ` Florian Weimer [this message]
2017-11-23 15:09 ` Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=28f6e430-293d-4b30-dce6-018a2b3c03e8@redhat.com \
--to=fweimer@redhat.com \
--cc=dave.hansen@linux.intel.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-x86_64@vger.kernel.org \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).