From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754408AbbIYGP3 (ORCPT ); Fri, 25 Sep 2015 02:15:29 -0400 Received: from mail-wi0-f181.google.com ([209.85.212.181]:37944 "EHLO mail-wi0-f181.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751237AbbIYGP2 (ORCPT ); Fri, 25 Sep 2015 02:15:28 -0400 Date: Fri, 25 Sep 2015 08:15:23 +0200 From: Ingo Molnar To: Dave Hansen Cc: x86@kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Linus Torvalds , Andrew Morton , Peter Zijlstra , Andy Lutomirski , Borislav Petkov , Kees Cook Subject: Re: [PATCH 26/26] x86, pkeys: Documentation Message-ID: <20150925061523.GA15753@gmail.com> References: <20150916174903.E112E464@viggo.jf.intel.com> <20150916174913.AF5FEA6D@viggo.jf.intel.com> <20150920085554.GA21906@gmail.com> <55FF88BA.6080006@sr71.net> <20150924094956.GA30349@gmail.com> <56044A88.7030203@sr71.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <56044A88.7030203@sr71.net> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org * Dave Hansen wrote: > > I.e. AFAICS pkeys could be used to create true '--x' permissions for executable > > (user-space) pages. > > Just remember that all of the protections are dependent on the contents of PKRU. > If an attacker controls the Access-Disable bit in PKRU for the executable-only > region, you're sunk. The same is true if the attacker can execute mprotect() calls. > But, that either requires being able to construct and execute arbitrary code > *or* call existing code that sets PKRU to the desired values. Which, I guess, > gets harder to do if all of the the wrpkru's are *in* the execute-only area. Exactly. True --x executable regions makes it harder to 'upgrade' limited attacks. Thanks, Ingo