Subject: Re: [PATCH] x86/pkeys: Explicitly treat PK #PF on kernel address as a bad area
From: Andy Lutomirski
Date: Thu, 30 Aug 2018 20:08:10 -0700
To: Jann Horn
Cc: Dave Hansen, Andy Lutomirski, sean.j.christopherson@intel.com, kernel list, Thomas Gleixner, Ingo Molnar, "H. Peter Anvin", the arch/x86 maintainers
Message-Id: <22539689-D7E6-4780-9600-CC05B853EC41@amacapital.net>
References: <20180807172920.8766-1-sean.j.christopherson@intel.com>
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

> On Aug 30, 2018, at 7:38 PM, Jann Horn wrote:
>
>> On Tue, 7 Aug 2018 Dave Hansen wrote:
>>
>>> On 08/07/2018 10:29 AM, Sean Christopherson wrote:
>>> if (unlikely(fault_in_kernel_space(address))) {
>>> + /*
>>> + * We should never encounter a protection keys fault on a
>>> + * kernel address as kernel address are always mapped with
>>> + * _PAGE_USER=0, i.e. PKRU isn't enforced.
>>> + */
>>> + if (WARN_ON_ONCE(error_code & X86_PF_PK))
>>> + goto bad_kernel_address;
>>
>> I just realized one more thing: the vsyscall page can bite us here.
>> It's at a fault_in_kernel_space() address and we *can* trigger a pkey
>> fault on it if we jump to an instruction that reads from a
>> pkey-protected area.
>>
>> We can make a gadget out of unaligned vsyscall instructions that does
>> that. See:
>>
>> 0xffffffffff600002: shlb $0x0,0x0(%rax)
>>
>> Then, we turn off access to all pkeys, including pkey-0, then jump to
>> the unaligned vsyscall instruction, which reads %rax, which is a kernel
>> address:
>
> Andy got rid of the (native) vsyscall page in
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=076ca272a14cea558b1092ec85cea08510283f2a
> ('x86/vsyscall/64: Drop "native" vsyscalls') a few months ago, right?
> At this point, the vsyscall page should never be executable.

Indeed. Can one of you cc me on the original patch?
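Review bot: the invariant stated in the new comment ("kernel address are always mapped with _PAGE_USER=0, i.e. PKRU isn't enforced") has the one exception Dave raises in the thread, the vsyscall page, which sits at a fault_in_kernel_space() address and can take a pkey fault when user code executes from it, so the WARN_ON_ONCE would be reachable from userspace on a kernel where that page is executable. Since Jann points out that native vsyscalls were dropped in 076ca272a14cea558b1092ec85cea08510283f2a, suggest the comment state explicitly that the assumption depends on the vsyscall page not being executable, so the dependency stays visible if that mapping ever changes.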