From: Florian Weimer <fweimer@redhat.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Hansen <dave.hansen@intel.com>,
linux-mm@kvack.org, linux-api@vger.kernel.org,
linux-x86_64@vger.kernel.org, linux-arch@vger.kernel.org,
x86@kernel.org, linuxram@us.ibm.com
Subject: Re: [PATCH] pkeys: Introduce PKEY_ALLOC_SIGNALINHERIT and change signal semantics
Date: Wed, 2 May 2018 19:17:21 +0200 [thread overview]
Message-ID: <6286ba0a-7e09-b4ec-e31f-bd091f5940ff@redhat.com> (raw)
In-Reply-To: <57459C6F-C8BA-4E2D-99BA-64F35C11FC05@amacapital.net>
On 05/02/2018 07:09 PM, Andy Lutomirski wrote:
>> Nick Clifton wrote a binutils patch which puts the .got.plt section on separate pages. We allocate a protection key for it, assign it to all such sections in the process image, and change the access rights of the main thread to disallow writes via that key during process startup. In _dl_fixup, we enable write access to the GOT, update the GOT entry, and then disable it again.
>>
>> This way, we have a pretty safe form of lazy binding, without having to resort to BIND_NOW.
>>
>> With the current kernel behavior on x86, we cannot do that because signal handlers revert to the default (deny) access rights, so the GOT turns inaccessible.
> Dave is right: the current behavior was my request, and I still think ita??s correct. The whole point is that, even if something nasty happens like a SIGALRM handler hitting in the middle of _dl_fixup, the SIGALRM handler is preventing from accidentally writing to the protected memory. When SIGALRM returns, PKRU should get restored
>
> Another way of looking at this is that the kernel would like to approximate what the ISA behavior*should* have been: the whole sequence a??modify PKRU; access memory; restore PKRUa?? should be as atomic as possible.
>
> Florian, what is the actual problematic sequence of events?
See above. The signal handler will crash if it calls any non-local
function through the GOT because with the default access rights, it's
not readable in the signal handler.
Any use of memory protection keys for basic infrastructure will run into
this problem, so I think the current kernel behavior is not very useful.
It's also x86-specific.
From a security perspective, the atomic behavior is not very useful
because you generally want to modify PKRU *before* computing the details
of the memory access, so that you don't have a general a??poke anywhere
with this access righta?? primitive in the text segment. (I called this
the a??suffix problema?? in another context.)
For this reason, I plan to add the PKRU modification to the beginning of
_dl_fixup.
CET will offer a different trade-off here, but we haven't that yet.
Thanks,
Florian
next prev parent reply other threads:[~2018-05-02 17:17 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-02 13:26 [PATCH] pkeys: Introduce PKEY_ALLOC_SIGNALINHERIT and change signal semantics Florian Weimer
2018-05-02 14:30 ` Dave Hansen
2018-05-02 15:12 ` Florian Weimer
2018-05-02 15:28 ` Dave Hansen
2018-05-02 21:08 ` Florian Weimer
2018-05-02 22:03 ` Dave Hansen
2018-05-07 9:47 ` Florian Weimer
2018-05-02 17:09 ` Andy Lutomirski
2018-05-02 17:17 ` Florian Weimer [this message]
2018-05-02 20:41 ` Andy Lutomirski
2018-05-02 21:06 ` Florian Weimer
2018-05-02 21:23 ` Andy Lutomirski
2018-05-02 22:08 ` Dave Hansen
2018-05-02 22:22 ` Andy Lutomirski
2018-05-02 22:32 ` Dave Hansen
2018-05-02 23:32 ` Andy Lutomirski
2018-05-02 23:58 ` Dave Hansen
2018-05-03 1:14 ` Andy Lutomirski
2018-05-03 14:42 ` Dave Hansen
2018-05-03 14:42 ` Florian Weimer
2018-05-03 2:10 ` Ram Pai
2018-05-03 4:05 ` Andy Lutomirski
2018-05-07 9:48 ` Florian Weimer
2018-05-08 2:49 ` Andy Lutomirski
2018-05-08 12:40 ` Florian Weimer
2018-05-09 14:41 ` Andy Lutomirski
2018-05-14 12:01 ` Florian Weimer
2018-05-14 15:32 ` Andy Lutomirski
2018-05-14 15:34 ` Florian Weimer
2018-05-16 17:01 ` Dave Hansen
2018-05-16 20:52 ` Ram Pai
2018-05-16 20:54 ` Andy Lutomirski
2018-05-16 20:35 ` Ram Pai
2018-05-16 20:37 ` Andy Lutomirski
2018-05-16 21:07 ` Ram Pai
2018-05-17 10:09 ` Florian Weimer
2018-05-17 10:11 ` Florian Weimer
2018-05-03 14:37 ` Florian Weimer
2018-05-02 21:12 ` Ram Pai
2018-05-02 21:18 ` Andy Lutomirski
2018-05-02 23:38 ` Ram Pai
2018-05-07 9:47 ` Florian Weimer
2018-05-07 9:43 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6286ba0a-7e09-b4ec-e31f-bd091f5940ff@redhat.com \
--to=fweimer@redhat.com \
--cc=dave.hansen@intel.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-x86_64@vger.kernel.org \
--cc=linuxram@us.ibm.com \
--cc=luto@amacapital.net \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).