Received: by 2002:a05:6358:5282:b0:b5:90e7:25cb with SMTP id g2csp2806847rwa; Mon, 22 Aug 2022 14:19:35 -0700 (PDT) X-Google-Smtp-Source: AA6agR5jl9mMTZDVaveZIAyg6xMTi3EimEwdFDRz4cqId20xePP1mmd4tsqpnXn/T8W8aE7A2LAe X-Received: by 2002:a17:906:8a74:b0:73d:8224:6bb0 with SMTP id hy20-20020a1709068a7400b0073d82246bb0mr4476688ejc.14.1661203175012; Mon, 22 Aug 2022 14:19:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661203175; cv=none; d=google.com; s=arc-20160816; b=NwkhdYsGgpZn2b47ln6vGd+8pb4g0R2mMP5ru9LyPZTmrAbkuvndkMf7yO4+wjA13B 8X37/+/UBy24yzY+SCgG/NBycFQxrdxaYdXhcDNYU/wWZwMG9YUOs3PU0LovxEW24/Qw QhxFd+UnQLeBah5JLeaC1PpDbV7fVa+0BQL42fEFj++Vig23FK08WZRI5EaR7HJ+6xuW Zgc59UJPJxHwEWylD+3BnfHL4FTKOcFaWzxXTlqxj2KeHlIKUAyLW7nN/aoQFIbFw6gl cAwE9HE0EHgslSnR8k5NyvnNKao9q62M1z93KU4fS/Lr+28LZspmJN0XGYuhz7ST16YZ 7/cQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=d7fpYnbv4MIaa6FYIhC4NA6BD+DYO5g24DbvXisNJXI=; b=ckpBY15957BTobBKoWdqfCXsl/4WQH13RPwbB2P+ygtJajT4frQEw960EphhD21O5p s10AvfWTEdDAnlhAAU6kbr0DRohK/qziqp0qdXUzK+sIpgiaF+6497VxOyUPdvTrAIs5 ALfuTwrle9R9A0YjwVcDYBHBhcn39XAiD94fXLr27P8I0oK65eaDyyFqZAlQ2urgfwAQ ifiunT3UBrqc/svjva42jfW7WNl2fKBthyIoSshloh4sTVdm+59KCPDRx0VnUD9msLKJ z0FCvWUeiY/7/D2trUkJ+5m6z1xl+0717t1cGfKWB3wh7XdcLMpEuOR6UUwEWBjfK3W4 Dgpw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=YdHTEHQG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id qf37-20020a1709077f2500b007307c356ccesi12274140ejc.720.2022.08.22.14.19.08; Mon, 22 Aug 2022 14:19:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=YdHTEHQG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237871AbiHVVLN (ORCPT + 99 others); Mon, 22 Aug 2022 17:11:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35834 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237048AbiHVVLL (ORCPT ); Mon, 22 Aug 2022 17:11:11 -0400 Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D47EB47BB2 for ; Mon, 22 Aug 2022 14:11:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1661202669; x=1692738669; h=message-id:date:mime-version:subject:to:cc:references: from:in-reply-to:content-transfer-encoding; bh=9uEjUrx1BvA19/wl9sg2vuY7NmpmeLBmaJAfmOpH5FA=; b=YdHTEHQGtd43Y47TI7lBLHp/BNTvFokUQsntMRG8PBIJfSIrlMiJP4He 6Sr9ucMRFTtqcoN7wVVYfODa2/1mDM+YGT4E4HEYQ1ug8Omo90lR6SQzX M0LSElgyl1KSHguVURzi2fmF0u+xrkuGt6+tCthQecd2Q+51eOUpybRLi xZkr91BlwB9ce+YwSaFONWZjgev7cdfuB1xzDYC9cSfprXDLO0K85thvm q4/lXhgbb7ydP1Z2XIcUZG0Pm9Ox+oDm77YCZCUsVmTQU5g+f3mAdG6Jd AkDk7FAmC2BVd7s1nlJNEug1FNdfQGAOu+7KLjFiiQN73z/pleSBMA/lS g==; X-IronPort-AV: E=McAfee;i="6500,9779,10447"; a="294805221" X-IronPort-AV: E=Sophos;i="5.93,255,1654585200"; d="scan'208";a="294805221" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Aug 2022 14:11:09 -0700 X-IronPort-AV: E=Sophos;i="5.93,255,1654585200"; d="scan'208";a="751434809" Received: from sraksht-mobl.amr.corp.intel.com (HELO [10.212.204.203]) ([10.212.204.203]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Aug 2022 14:11:08 -0700 Message-ID: Date: Mon, 22 Aug 2022 14:11:07 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: PKU usage improvements for threads Content-Language: en-US To: Kees Cook , Dave Hansen Cc: =?UTF-8?Q?Stephen_R=c3=b6ttger?= , x86@kernel.org, linux-kernel@vger.kernel.org, Andy Lutomirski References: <202208221331.71C50A6F@keescook> From: Dave Hansen In-Reply-To: <202208221331.71C50A6F@keescook> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 8/22/22 13:40, Kees Cook wrote: > 1) It appears to be a bug that a thread without the correct PK can make > VMAs covered by a separate PK, out from under other threads. (e.g. mmap > a new mapping to wipe out the defined PK for it.) It seems that PK checks > should be made when modifying VMAs. Hi Kees, Could you give an example of this? Is this something along the lines of a mmap(MAP_FIXED) wiping out an earlier mapping? Or, is it more subtle than that? I'm not sure I know of any bugs in the area. > 2) It would be very helpful to have a mechanism for the signal stack to > be PK aware, in the sense that the kernel would switch to a predefined > PK. i.e. having a new interface to sigaltstack() which includes a PK. Are you thinking that when switching to the sigaltstack that it would also pick up a specific PKRU value? Or, that it would ensure that PKRU allows access to the sigaltstack's pkey? Logically something like this: stack_t sas = { ss_sp = stack_ptr; ss_flags = ... flags; ss_size = ...; ss_pkey = 12; }; Then the kernel would set up RSP to point to ss_sp, and do (logically): pkkru &= ~(3<<(12*2)); // clear Write and Access-disable for pkey-12 before building the signal frame running the signal handler? > Are either of these something the PKU authors have considered? (Or are > there some details we're missing in this area?) We've talked about having signal behavior which might give different PKRU values at signal entry, but nothing too concrete. Something like that wouldn't be *awful* to implement. It would also be nice that it would be confined to folks that set up special signal handlers anyway and that context is already pretty special. I'd love to hear more why this behavior is useful and how it will be used.