From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
To: Dave Hansen <dave@sr71.net>
Cc: mtk.manpages@gmail.com, Jonathan Corbet <corbet@lwn.net>,
lkml <linux-kernel@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
Linux API <linux-api@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Dave Hansen <dave.hansen@linux.intel.com>
Subject: Re: [PATCH 5/8] x86, pkeys: allocation/free syscalls
Date: Fri, 3 Jun 2016 14:27:01 -0500 [thread overview]
Message-ID: <d4f9b224-2ce2-8e45-516c-5dddcfd95724@gmail.com> (raw)
In-Reply-To: <5751BE37.1060704@sr71.net>
On 06/03/2016 12:28 PM, Dave Hansen wrote:
> On 06/02/2016 05:26 PM, Michael Kerrisk (man-pages) wrote:
>> On 06/01/2016 07:17 PM, Dave Hansen wrote:
>>> On 06/01/2016 05:11 PM, Michael Kerrisk (man-pages) wrote:
>>>>>>>>
>>>>>>>> If I read this right, it doesn't actually remove any pkey restrictions
>>>>>>>> that may have been applied while the key was allocated. So there could be
>>>>>>>> pages with that key assigned that might do surprising things if the key is
>>>>>>>> reallocated for another use later, right? Is that how the API is intended
>>>>>>>> to work?
>>>>>>
>>>>>> Yeah, that's how it works.
>>>>>>
>>>>>> It's not ideal. It would be _best_ if we during mm_pkey_free(), we
>>>>>> ensured that no VMAs under that mm have that vma_pkey() set. But, that
>>>>>> search would be potentially expensive (a walk over all VMAs), or would
>>>>>> force us to keep a data structure with a count of all the VMAs with a
>>>>>> given key.
>>>>>>
>>>>>> I should probably discuss this behavior in the manpages and address it
>>>> s/probably//
>>>>
>>>> And, did I miss it. Was there an updated man-pages patch in the latest
>>>> series? I did not notice it.
>>>
>>> There have been to changes to the patches that warranted updating the
>>> manpages until now. I'll send the update immediately.
>>
>> Do those updated pages include discussion of the point noted above?
>> I could not see it mentioned there.
>
> I added the following text to pkey_alloc.2. I somehow neglected to send
> it out in the v3 update of the manpages RFC:
>
> An application should not call
> .BR pkey_free ()
> on any protection key which has been assigned to an address
> range by
> .BR pkey_mprotect ()
> and which is still in use. The behavior in this case is
> undefined and may result in an error.
>
> I'll add that in the version (v4) I send out shortly.
>
>> Just by the way, the above behavior seems to offer possibilities
>> for users to shoot themselves in the foot, in a way that has security
>> implications. (Or do I misunderstand?)
>
> Protection keys has the potential to add a layer of security and
> reliability to applications. But, it has not been primarily designed as
> a security feature. For instance, WRPKRU is a completely unprivileged
> instruction, so pkeys are useless in any case that an attacker controls
> the PKRU register or can execute arbitrary instructions.
>
> That said, this mechanism does, indeed, allow a user to shoot themselves
> in the foot and in a way that could have security implications.
>
> For instance, say the following happened:
> 1. A sensitive bit of data in memory was marked with a pkey
> 2. That pkey was set as PKEY_DISABLE_ACCESS
> 3. The application called pkey_free() on the pkey, without freeing
> the sensitive data
> 4. Application calls pkey_alloc() and then clears PKEY_DISABLE_ACCESS
> 5. Applocation can now read the sensitive data
>
> The application has to have basically "leaked" a reference to the pkey.
> It forgot that it had sensitive data marked with that key.
>
> The kernel _could_ enforce that no in-use pkey may have pkey_free()
> called on it. But, doing that has tradeoffs which could make
> pkey_free() extremely slow:
>
>> It's not ideal. It would be _best_ if we during mm_pkey_free(), we
>> ensured that no VMAs under that mm have that vma_pkey() set. But, that
>> search would be potentially expensive (a walk over all VMAs), or would
>> force us to keep a data structure with a count of all the VMAs with a
>> given key.
>
> In addition, that checking _could_ be implemented in an application by
> inspecting /proc/$pid/smaps for "ProtectionKey: $foo" before calling
> pkey_free($foo).
So, I think all of the above needs to be made abundantly clear in
pkeys(7).
Thanks,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2016-06-03 19:27 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-31 15:28 [PATCH 0/8] System Calls for Memory Protection Keys Dave Hansen
2016-05-31 15:28 ` [PATCH 1/8] x86, pkeys: add fault handling for PF_PK page fault bit Dave Hansen
2016-05-31 15:28 ` [PATCH 2/8] mm: implement new pkey_mprotect() system call Dave Hansen
2016-05-31 15:28 ` [PATCH 3/8] x86, pkeys: make mprotect_key() mask off additional vm_flags Dave Hansen
2016-05-31 15:28 ` [PATCH 4/8] x86: wire up mprotect_key() system call Dave Hansen
2016-05-31 15:28 ` [PATCH 5/8] x86, pkeys: allocation/free syscalls Dave Hansen
2016-06-01 18:37 ` Jonathan Corbet
2016-06-01 19:32 ` Dave Hansen
2016-06-02 0:11 ` Michael Kerrisk (man-pages)
2016-06-02 0:17 ` Dave Hansen
2016-06-03 0:26 ` Michael Kerrisk (man-pages)
2016-06-03 17:28 ` Dave Hansen
2016-06-03 19:27 ` Michael Kerrisk (man-pages) [this message]
2016-06-01 20:48 ` Arnd Bergmann
2016-06-02 21:10 ` Dave Hansen
2016-05-31 15:28 ` [PATCH 6/8] x86, pkeys: add pkey set/get syscalls Dave Hansen
2016-05-31 15:28 ` [PATCH 7/8] pkeys: add details of system call use to Documentation/ Dave Hansen
2016-06-01 16:43 ` Jonathan Corbet
2016-06-01 16:46 ` Dave Hansen
2016-06-01 16:49 ` Jonathan Corbet
2016-06-01 17:10 ` Dave Hansen
2016-05-31 15:28 ` [PATCH 8/8] x86, pkeys: add self-tests Dave Hansen
-- strict thread matches above, loose matches on Subject: below --
2016-04-11 15:54 [PATCH 0/8] System Calls for Memory Protection Keys Dave Hansen
2016-04-11 15:54 ` [PATCH 5/8] x86, pkeys: allocation/free syscalls Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d4f9b224-2ce2-8e45-516c-5dddcfd95724@gmail.com \
--to=mtk.manpages@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=dave@sr71.net \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).