From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dave Hansen, Dave Hansen, Linus Torvalds, Michael Ellermen, Peter Zijlstra, Ram Pai, Shuah Khan, Thomas Gleixner, linux-mm@kvack.org, Ingo Molnar, Andrew Morton
Subject: [PATCH 4.16 046/110] x86/pkeys: Do not special case protection key 0
Date: Mon, 21 May 2018 23:11:43 +0200
Message-Id: <20180521210508.373502928@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180521210503.823249477@linuxfoundation.org>
References: <20180521210503.823249477@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.16-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dave Hansen

commit 2fa9d1cfaf0e02f8abef0757002bff12dfcfa4e6 upstream.

mm_pkey_is_allocated() treats pkey 0 as unallocated. That is inconsistent with the manpages, and also inconsistent with mm->context.pkey_allocation_map. Stop special casing it and only disallow values that are actually bad (< 0).

The end-user visible effect of this is that you can now use mprotect_pkey() to set pkey=0.

This is a bit nicer than what Ram proposed[1] because it is simpler and removes special-casing for pkey 0. On the other hand, it does allow applications to pkey_free() pkey-0, but that's just a silly thing to do, so we are not going to protect against it.

The scenario that could happen is similar to what happens if you free any other pkey that is in use: it might get reallocated later and used to protect some other data. The most likely scenario is that pkey-0 comes back from pkey_alloc(), an access-disable or write-disable bit is set in PKRU for it, and the next stack access will SIGSEGV. It's not horribly different from if you mprotect()'d your stack or heap to be unreadable or unwritable, which is generally very foolish, but also not explicitly prevented by the kernel.

1. http://lkml.kernel.org/r/1522112702-27853-1-git-send-email-linuxram@us.ibm.com

Signed-off-by: Dave Hansen
Cc: Andrew Morton p
Cc: Dave Hansen
Cc: Linus Torvalds
Cc: Michael Ellermen
Cc: Peter Zijlstra
Cc: Ram Pai
Cc: Shuah Khan
Cc: Thomas Gleixner
Cc: linux-mm@kvack.org
Cc: stable@vger.kernel.org
Fixes: 58ab9a088dda ("x86/pkeys: Check against max pkey to avoid overflows")
Link: http://lkml.kernel.org/r/20180509171358.47FD785E@viggo.jf.intel.com
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/include/asm/mmu_context.h | 2 +-
 arch/x86/include/asm/pkeys.h | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/arch/x86/include/asm/mmu_context.h +++ b/arch/x86/include/asm/mmu_context.h 
@@ -192,7 +192,7 @@ static inline int init_new_context(struc #ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS if (cpu_feature_enabled(X86_FEATURE_OSPKE)) { - /* pkey 0 is the default and always allocated */ + /* pkey 0 is the default and allocated implicitly */ mm->context.pkey_allocation_map = 0x1; /* -1 means unallocated or invalid */ mm->context.execute_only_pkey = -1; --- a/arch/x86/include/asm/pkeys.h +++ b/arch/x86/include/asm/pkeys.h @@ -51,10 +51,10 @@ bool mm_pkey_is_allocated(struct mm_stru { /* * "Allocated" pkeys are those that have been returned - * from pkey_alloc(). pkey 0 is special, and never - * returned from pkey_alloc(). + * from pkey_alloc() or pkey 0 which is allocated + * implicitly when the mm is created. */ - if (pkey <= 0) + if (pkey < 0) return false; if (pkey >= arch_max_pkey()) return false;
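
Review bot: In the init_new_context() hunk of mmu_context.h, the reworded comment "allocated implicitly" drops the old guarantee ("always allocated") without saying what replaces it. Per the commit message, bit 0 of pkey_allocation_map can now be cleared by pkey_free(), so the comment next to `mm->context.pkey_allocation_map = 0x1;` should say so, for example "pkey 0 is the default, allocated implicitly at mm creation, and can be freed like any other key". Otherwise a reader of this file alone will still assume pkey 0 stays allocated for the life of the mm.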
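
Review bot: In the mm_pkey_is_allocated() hunk of pkeys.h, relaxing `if (pkey <= 0)` to `if (pkey < 0)` changes the answer for every caller of this helper, not only the mprotect path, and the one consequence that matters for robustness (pkey_free() of pkey 0 now succeeds, and a later pkey_alloc() can hand pkey 0 back with PKRU disable bits set) is recorded only in the commit message. Please add a sentence to the comment block stating that pkey 0 is deliberately not protected against being freed, and consider a selftest that covers pkey 0 for both the mprotect and the free path so the intended behaviour is pinned down for the stable trees.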
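
The behaviour the commit message describes, as an added userspace model (not kernel code and not part of the original patch): it compares the check before and after the change against the allocation bitmap, and follows the free-then-reallocate case for pkey 0. The names `mm_model`, `is_allocated`, `model_pkey_alloc`, `model_pkey_free`, the value of `MAX_PKEY` and the final bitmap test are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PKEY 16 /* assumed stand-in for arch_max_pkey() */

/* Hypothetical model of mm->context.pkey_allocation_map. */
struct mm_model { uint16_t pkey_allocation_map; };

/* As in init_new_context(): bit 0 is set when the mm is created. */
static void mm_model_init(struct mm_model *mm) { mm->pkey_allocation_map = 0x1; }

/* Bounds checks from the hunk; the final bitmap test is assumed. */
static bool is_allocated(const struct mm_model *mm, int pkey, bool patched)
{
    if (patched ? pkey < 0 : pkey <= 0)
        return false;
    if (pkey >= MAX_PKEY)
        return false;
    return (mm->pkey_allocation_map & (1U << pkey)) != 0;
}

/* Model allocator: hand out the lowest clear bit, -1 when full. */
static int model_pkey_alloc(struct mm_model *mm)
{
    for (int k = 0; k < MAX_PKEY; k++) {
        if (!(mm->pkey_allocation_map & (1U << k))) {
            mm->pkey_allocation_map |= (uint16_t)(1U << k);
            return k;
        }
    }
    return -1;
}

/* Model free: only keys the allocation check accepts can be freed. */
static int model_pkey_free(struct mm_model *mm, int pkey, bool patched)
{
    if (!is_allocated(mm, pkey, patched))
        return -1;
    mm->pkey_allocation_map &= (uint16_t)~(1U << pkey);
    return 0;
}

int main(void)
{
    struct mm_model mm;
    mm_model_init(&mm);
    printf("old check, pkey 0: %d\n", is_allocated(&mm, 0, false));
    printf("new check, pkey 0: %d\n", is_allocated(&mm, 0, true));
    printf("free(0) patched:   %d\n", model_pkey_free(&mm, 0, true));
    printf("next alloc:        %d\n", model_pkey_alloc(&mm));
    return 0;
}
```
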