Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp803518imm; Mon, 21 May 2018 14:47:43 -0700 (PDT) X-Google-Smtp-Source: AB8JxZrYCInQb8SuI9afgQ0IHGkQyjSieJAxqDEeQYHEn8UQ8nXv1b2msX5dewq6uwK4xE/dS87w X-Received: by 2002:a17:902:a702:: with SMTP id w2-v6mr21647282plq.8.1526939263159; Mon, 21 May 2018 14:47:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526939263; cv=none; d=google.com; s=arc-20160816; b=SYuexakmiz+ELPm+y0icX/s/yqpSsOxzW4OtUJHEKKlfI0qK++sCWx/jfuWkMBiln/ dVw3na1pYM6E4k+Pvr6kYlhsEtXxpugXAXwbUY8cF5sN+tlebWr8u3dSm2n/Riz5UN59 cQjvGAdo9EM2L7XKw4MgHG6v4iCmGl1XmX1E5fK0xu+0LLaLWPE5F8lZFd0JMnU6uMuw dLXCMFXg7LmqhXaaLfkCvat37uDh9uUCGQVPpMrAf+4o37mJrnPw5SGLRG5Ka87M5GuY ZQnPWdjCG2EdIk47ZZKkT3AmnR8Ldy3YEaJKu/qvRfwlbtdUQ13TgPQYhYxn/WG1kDC7 VYhg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=EGInxhD3xoKJlwfaqME8D6p9ximRCfAjN1Dr6z8VUGE=; b=LRycp91HdsZ0uDpLRaUUPEhDz7EPKGjc4O4Z5T49SUQLP6u1QHFQ5XRpotmDv3hqaz 7LBGxSDLbC4sIPEjSOTisHbU62AkPgun9ZNOoFgqyzazE4iH85l210wG37/1Qpj4A8S1 HLM2aTdWkbpobkVxF9GyETG30z2Fv2mPLk9CmaMwu50OWWZlPhVJc6yNejQLFWtAYMko etf7nSQJw+qvTv1/jCwEMT3R6CcP+laDmhs1Pu83IPJLUtrRxrpujueOL7A6gY991+3U NHbH8BQTu8TtnHQvFnvmuxbYuD1RilzcUoTTYU7FNvfW6e5p3FariyxZBlb3sOp9R+CM PNBA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=LFBbdm5V; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p8-v6si11700570pgs.441.2018.05.21.14.47.28; Mon, 21 May 2018 14:47:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=LFBbdm5V; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932405AbeEUVqD (ORCPT + 99 others); Mon, 21 May 2018 17:46:03 -0400 Received: from mail.kernel.org ([198.145.29.99]:38852 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754056AbeEUVYA (ORCPT ); Mon, 21 May 2018 17:24:00 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E878D20853; Mon, 21 May 2018 21:23:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1526937839; bh=8LGl64XpZKwKbTCbl4hl3AQ3loXtr7eO8CDkjMdvdgM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LFBbdm5VvUMbGUzlkniIcvyOWWfEDK1TgOnPxUCF8Mb5X31Hwygr3VZ6A14eBhXYe OSTcgBEO1szX2ppO7V+BGlTNhF7YMHBW2WI7ZdDVh2P7YPDCfizN4VwYkoPoBS7chy CDdMle/z6dacY+zcidJHiIUfQ5FG3cchrB+XG7p0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Shakeel Butt , Dave Hansen , Andrew Morton , Dave Hansen , Linus Torvalds , Michael Ellermen , Peter Zijlstra , Ram Pai , Shuah Khan , Thomas Gleixner , linux-mm@kvack.org, Ingo Molnar Subject: [PATCH 4.16 045/110] x86/pkeys: Override pkey when moving away from PROT_EXEC Date: Mon, 21 May 2018 23:11:42 +0200 Message-Id: <20180521210508.147986510@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180521210503.823249477@linuxfoundation.org> References: <20180521210503.823249477@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.16-stable review patch. If anyone has any objections, please let me know. ------------------ From: Dave Hansen commit 0a0b152083cfc44ec1bb599b57b7aab41327f998 upstream. I got a bug report that the following code (roughly) was causing a SIGSEGV: mprotect(ptr, size, PROT_EXEC); mprotect(ptr, size, PROT_NONE); mprotect(ptr, size, PROT_READ); *ptr = 100; The problem is hit when the mprotect(PROT_EXEC) is implicitly assigned a protection key to the VMA, and made that key ACCESS_DENY|WRITE_DENY. The PROT_NONE mprotect() failed to remove the protection key, and the PROT_NONE-> PROT_READ left the PTE usable, but the pkey still in place and left the memory inaccessible. To fix this, we ensure that we always "override" the pkee at mprotect() if the VMA does not have execute-only permissions, but the VMA has the execute-only pkey. We had a check for PROT_READ/WRITE, but it did not work for PROT_NONE. This entirely removes the PROT_* checks, which ensures that PROT_NONE now works. Reported-by: Shakeel Butt Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Cc: stable@vger.kernel.org Fixes: 62b5f7d013f ("mm/core, x86/mm/pkeys: Add execute-only protection keys support") Link: http://lkml.kernel.org/r/20180509171351.084C5A71@viggo.jf.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman --- arch/x86/include/asm/pkeys.h | 12 +++++++++++- arch/x86/mm/pkeys.c | 21 +++++++++++---------- 2 files changed, 22 insertions(+), 11 deletions(-) --- a/arch/x86/include/asm/pkeys.h +++ b/arch/x86/include/asm/pkeys.h @@ -2,6 +2,8 @@ #ifndef _ASM_X86_PKEYS_H #define _ASM_X86_PKEYS_H +#define ARCH_DEFAULT_PKEY 0 + #define arch_max_pkey() (boot_cpu_has(X86_FEATURE_OSPKE) ? 16 : 1) extern int arch_set_user_pkey_access(struct task_struct *tsk, int pkey, @@ -15,7 +17,7 @@ extern int __execute_only_pkey(struct mm static inline int execute_only_pkey(struct mm_struct *mm) { if (!boot_cpu_has(X86_FEATURE_OSPKE)) - return 0; + return ARCH_DEFAULT_PKEY; return __execute_only_pkey(mm); } @@ -56,6 +58,14 @@ bool mm_pkey_is_allocated(struct mm_stru return false; if (pkey >= arch_max_pkey()) return false; + /* + * The exec-only pkey is set in the allocation map, but + * is not available to any of the user interfaces like + * mprotect_pkey(). + */ + if (pkey == mm->context.execute_only_pkey) + return false; + return mm_pkey_allocation_map(mm) & (1U << pkey); } --- a/arch/x86/mm/pkeys.c +++ b/arch/x86/mm/pkeys.c @@ -94,26 +94,27 @@ int __arch_override_mprotect_pkey(struct */ if (pkey != -1) return pkey; - /* - * Look for a protection-key-drive execute-only mapping - * which is now being given permissions that are not - * execute-only. Move it back to the default pkey. - */ - if (vma_is_pkey_exec_only(vma) && - (prot & (PROT_READ|PROT_WRITE))) { - return 0; - } + /* * The mapping is execute-only. Go try to get the * execute-only protection key. If we fail to do that, * fall through as if we do not have execute-only - * support. + * support in this mm. */ if (prot == PROT_EXEC) { pkey = execute_only_pkey(vma->vm_mm); if (pkey > 0) return pkey; + } else if (vma_is_pkey_exec_only(vma)) { + /* + * Protections are *not* PROT_EXEC, but the mapping + * is using the exec-only pkey. This mapping was + * PROT_EXEC and will no longer be. Move back to + * the default pkey. + */ + return ARCH_DEFAULT_PKEY; } + /* * This is a vanilla, non-pkey mprotect (or we failed to * setup execute-only), inherit the pkey from the VMA we