From: Dave Hansen <dave.hansen@intel.com>
To: Kees Cook <keescook@chromium.org>,
Dave Hansen <dave.hansen@linux.intel.com>
Cc: "Stephen Röttger" <sroettger@google.com>,
x86@kernel.org, linux-kernel@vger.kernel.org,
"Andy Lutomirski" <luto@kernel.org>
Subject: Re: PKU usage improvements for threads
Date: Mon, 22 Aug 2022 14:11:07 -0700 [thread overview]
Message-ID: <a5df4929-24aa-79bf-c5d0-98efbf323132@intel.com> (raw)
In-Reply-To: <202208221331.71C50A6F@keescook>
On 8/22/22 13:40, Kees Cook wrote:
> 1) It appears to be a bug that a thread without the correct PK can make
> VMAs covered by a separate PK, out from under other threads. (e.g. mmap
> a new mapping to wipe out the defined PK for it.) It seems that PK checks
> should be made when modifying VMAs.
Hi Kees,
Could you give an example of this? Is this something along the lines of
a mmap(MAP_FIXED) wiping out an earlier mapping? Or, is it more subtle
than that?
I'm not sure I know of any bugs in the area.
> 2) It would be very helpful to have a mechanism for the signal stack to
> be PK aware, in the sense that the kernel would switch to a predefined
> PK. i.e. having a new interface to sigaltstack() which includes a PK.
Are you thinking that when switching to the sigaltstack that it would
also pick up a specific PKRU value? Or, that it would ensure that PKRU
allows access to the sigaltstack's pkey? Logically something like this:
stack_t sas = {
ss_sp = stack_ptr;
ss_flags = ... flags;
ss_size = ...;
ss_pkey = 12;
};
Then the kernel would set up RSP to point to ss_sp, and do (logically):
pkkru &= ~(3<<(12*2)); // clear Write and Access-disable for pkey-12
before building the signal frame running the signal handler?
> Are either of these something the PKU authors have considered? (Or are
> there some details we're missing in this area?)
We've talked about having signal behavior which might give different
PKRU values at signal entry, but nothing too concrete. Something like
that wouldn't be *awful* to implement. It would also be nice that it
would be confined to folks that set up special signal handlers anyway
and that context is already pretty special.
I'd love to hear more why this behavior is useful and how it will be used.
next prev parent reply other threads:[~2022-08-22 21:11 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-22 20:40 PKU usage improvements for threads Kees Cook
2022-08-22 21:11 ` Dave Hansen [this message]
2022-08-23 11:08 ` Stephen Röttger
2022-08-23 18:12 ` Dave Hansen
2022-08-23 18:24 ` Andy Lutomirski
2022-08-24 8:51 ` Stephen Röttger
2022-08-24 16:28 ` Dave Hansen
2022-08-24 16:45 ` Andy Lutomirski
2022-08-25 12:30 ` Stephen Röttger
2022-08-25 14:36 ` Dave Hansen
2022-09-02 17:18 ` Andy Lutomirski
2022-09-03 0:16 ` Fangfei Yang
2022-09-03 0:14 ` Fangfei Yang
2022-09-06 4:34 ` Andy Lutomirski
2022-09-06 5:58 ` Fangfei Yang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a5df4929-24aa-79bf-c5d0-98efbf323132@intel.com \
--to=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=sroettger@google.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox