Received: by 2002:ab2:6857:0:b0:1ef:ffd0:ce49 with SMTP id l23csp1007942lqp; Fri, 22 Mar 2024 02:46:22 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCW1WDvwwt6/JWYJYkoxEwfVANMU9GE+Zc7rpmqDvogYG9SvOy4wS2mJDOuXdn/PbSjV/f60A+C5N2dQoxGQHZOKb7vKHkEUVF4tGfeepg== X-Google-Smtp-Source: AGHT+IExtfhZy76d/maI9SDktIQ2IIIeXPhu8dI0vj/og0KXZG5C6dSi/HX5c6w+DoCO0cmqk/G6 X-Received: by 2002:a05:620a:461f:b0:78a:3f06:f273 with SMTP id br31-20020a05620a461f00b0078a3f06f273mr714229qkb.13.1711100782139; Fri, 22 Mar 2024 02:46:22 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711100782; cv=pass; d=google.com; s=arc-20160816; b=d0JeLSjHH22ilkNNsMeGo7FZ1/714T+0E9ZILbwYzTZptLx/blil7DlYkUk3q4QI9x CWP2Cc4C8BalGQtgSwZihDJsp1GBTeFU55s2RY5WDwJhtP6vh6qjPA/EZS2tW5FlMBl4 kRfHyC0DSvV4dNVQre6i3R7ktaUmJP9AU8yqea90bynWMEGuSwGRClf7Y88P2uX6LZFM baQhVNsMdV2T8JtIYfqF6zzGOph0s6f5LjCsXoyR1fesam9tSlKU25it40u7DZvPNIf5 T9bBNaZpLEPNbrFp7zXL00L2ulkoPOC7dogHGa4Dxxpmr1wNuKHwhRsEZB+RXVkPQMkx Z64A== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:sender:dkim-signature; bh=zCMdhgrdVKnqO69mGNK3lDO/Xxw/v0OhHwhqHjbo2/o=; fh=PCF6eUb3lyQDvqlU7V0pjE8CrOfhYLJCbw8v5r7tAkQ=; b=DvAXQetjcMcaab2XnNmKXzkiudvL0+BzEymEkumXShK7CYOOnp8QTGVC1TqlJo4ry3 dIqxBnbdBF3YtcJAjtRzLHXIahPDWN3f8UOLmk3xch4/QgByJOo7+8W/1imKGRe1mlJv cwwiRN96AvDwmuunr6+fod4x9M7pe62ecv5pOQkne7ZVg+XkDDf/JevBjgV0RXWUjm0m kA6tz8eAqxzFTcvaML2+n6kqkn5juXr9k9HTQe7hjQYpCx4U+h8h3K9L2M5Nu/mo/ysy p0YhMtj5Tx2CxnWoTrcJCUHc5cpg7+DWBavy7xoyjrYNdRAmL9QtJauo12rRO2uoYXmT fG/g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=lbx74dXZ; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-111243-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-111243-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id l22-20020a05620a0c1600b00789e6f7f6d6si1561529qki.745.2024.03.22.02.46.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 Mar 2024 02:46:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-111243-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=lbx74dXZ; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-111243-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-111243-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 92F921C2173F for ; Fri, 22 Mar 2024 09:46:21 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 3A9DC210EE; Fri, 22 Mar 2024 09:46:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="lbx74dXZ" Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 77023199AD for ; Fri, 22 Mar 2024 09:46:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.49 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711100774; cv=none; b=jHaVqsK3zYjkJh5SuHSG4llnHwJHo34LIxK2v+fCxLMlsEYtt3x/ktCdGfiHoXHLkCbfGTR/M162RqOo8lYP84yxiXtzGs80FUCUhx2Q3rFWuzYHpEuCsYf2wRWclZJbQNI/nNj/B0/Bg9Mi0Ns6eKgQS++6l5CwT8b+9kBpoNk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711100774; c=relaxed/simple; bh=0HGFpWXgAxv11aew5mHIdUlJBH2vlMWPrdJhbQSPObo=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=mbbxAjA+Jpojm6Yn9RbDCthNlZ/3wVQU2y6UKFymEzLtEpy0bRKhW3Jxknutm+i+gJTT3w/5NVEWwxW3LqCUVVFP2I4ZZ8oB7+4fgQ1ay1nbUIsdYj69hSzFpEbDNUfyf8TXP2bZUVcX7c3GgUpLw3PNP1AsEAEU3YKZpdygEik= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=lbx74dXZ; arc=none smtp.client-ip=209.85.221.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-wr1-f49.google.com with SMTP id ffacd0b85a97d-33ec8f13c62so1339793f8f.0 for ; Fri, 22 Mar 2024 02:46:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711100771; x=1711705571; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:sender:from:to:cc:subject:date:message-id :reply-to; bh=zCMdhgrdVKnqO69mGNK3lDO/Xxw/v0OhHwhqHjbo2/o=; b=lbx74dXZyIE6zJ5EY9rUXBZp8xJPAPRa/mfsto/Bhod19XfKc9Tt5BOo7rYhLOAgWK RKtA/XQ2vGbokChSD57YdtBikNIEB9u0h7bHeMui/aRKmOLC1nx0DxPsqFv8uSeryEbS Q6E3ck8uSunNaO38dWRTBAMimrPv9wF+y/he4bfO7MRg3qrjEGm7oVygJ9rcjC3yDr3G sNV/7gGqFyDrLJCTMMP2J4M6k0iEXvfcoG6BS7AG384XazjB3bn+dkKlLKQkpNdrwvN3 TthhCMgLeAZAxXYmFau2arvk1Yj5SsYTFXgy9scXXvpPQohIvnZl++WUiPPVzaDZ3OZL bBOw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711100771; x=1711705571; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:sender:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=zCMdhgrdVKnqO69mGNK3lDO/Xxw/v0OhHwhqHjbo2/o=; b=mm49XOYcOrAAxDn8bp+4lonRzjyZm+E/AVC+eIGCyUu+6Pha9Dt2vJBGN4i6CbC4vB 35mklcko6GHQMJd5RKEc7hiWlVfKVw9jp/MGHLIDfTly5PJrVFJHJ61YX58/KmrrfmUm 1Puyxv2qQafQ45sgTtyO0ePSdL1G6wuWeRuxHc+1xv9zt02gxIcFdkMxS6rMMZ1fLjGs X3FmeIHoCQG100c5v6QDigyjCcIdpoIJsQq6RsCIWA/kh24CRk+RbhlzLiteFZi1cuBT mqIBh3LFIdytj+GFgYPUEgmdEEViAnCOt84G64INuw5T98xAnbaYK52LiteocoPtvlty aXuQ== X-Gm-Message-State: AOJu0YwYwLH+dcP93fmk1gCNjDVvv297ZfTQI2X/AK398iK9Ec93wNid J3PtNIFGBC3VzXzTsEJ1zjmjxPsAe7SPBWrYpuRYRYbkSq909N6F X-Received: by 2002:a5d:4250:0:b0:33e:77e6:40bf with SMTP id s16-20020a5d4250000000b0033e77e640bfmr1113151wrr.37.1711100770237; Fri, 22 Mar 2024 02:46:10 -0700 (PDT) Received: from gmail.com (1F2EF04C.nat.pool.telekom.hu. [31.46.240.76]) by smtp.gmail.com with ESMTPSA id i5-20020a5d5585000000b0033ed7181fd1sm1671644wrv.62.2024.03.22.02.46.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 Mar 2024 02:46:09 -0700 (PDT) Sender: Ingo Molnar Date: Fri, 22 Mar 2024 10:46:07 +0100 From: Ingo Molnar To: Aruna Ramakrishna Cc: linux-kernel@vger.kernel.org, x86@kernel.org, dave.hansen@linux.intel.com, tglx@linutronix.de, matthias.neugschwandtner@oracle.com, andrew.brownsword@oracle.com Subject: Re: [RFC PATCH v2 1/1] x86/pkeys: update PKRU to enable pkey 0 before XSAVE Message-ID: References: <20240321215622.3396410-1-aruna.ramakrishna@oracle.com> <20240321215622.3396410-2-aruna.ramakrishna@oracle.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240321215622.3396410-2-aruna.ramakrishna@oracle.com> * Aruna Ramakrishna wrote: > This patch is a workaround for a bug where the PKRU value is not > restored to the init value before the signal handler is invoked. > > Problem description: > Let's assume there's a multithreaded application that runs untrusted > user code. Each thread has its stack/code protected by a non-zero pkey, > and the PKRU register is set up such that only that particular non-zero > pkey is enabled. Each thread also sets up an alternate signal stack to > handle signals, which is protected by pkey zero. The pkeys man page > documents that the PKRU will be reset to init_pkru when the signal > handler is invoked, which means that pkey zero access will be enabled. > But this reset happens after the kernel attempts to push fpu state > to the alternate stack, which is not (yet) accessible by the kernel, > which leads to a new SIGSEGV being sent to the application, terminating > it. > > Enabling both the non-zero pkey (for the thread) and pkey zero (in > userspace) will not work for us. We cannot have the alt stack writeable > by all - the rationale here is that the code running in that thread > (using a non-zero pkey) is untrusted and should not have access to the > alternate signal stack (that uses pkey zero), to prevent the return > address of a function from being changed. The expectation is that kernel > should be able to set up the alternate signal stack and deliver the > signal to the application even if pkey zero is explicitly disabled by > the application. The signal handler accessibility should not be dictated > by the PKRU value that the thread sets up. > > Solution: > The PKRU register is managed by XSAVE, which means the sigframe contents > must match the register contents - which is not the case here. We want > the sigframe to contain the user-defined PKRU value (so that it is > restored correctly from sigcontext) but the actual register must be > reset to init_pkru so that the alt stack is accessible and the signal > can be delivered to the application. It seems that the proper fix here > would be to remove PKRU from the XSAVE framework and manage it > separately, which is quite complicated. As a workaround, this patch does > something like this: > > orig_pkru = rdpkru(); > wrpkru(init_pkru & orig_pkru); > xsave_to_user_sigframe(); > put_user(pkru_sigframe_addr, orig_pkru) > > Signed-off-by: Aruna Ramakrishna > Helped-by: Dave Kleikamp > Helped-by: Prakash Sangappa > --- > arch/x86/include/asm/fpu/signal.h | 3 +- > arch/x86/include/asm/sighandling.h | 10 +++---- > arch/x86/kernel/fpu/signal.c | 44 ++++++++++++++++++++++++++---- > arch/x86/kernel/fpu/xstate.c | 13 +++++++++ > arch/x86/kernel/fpu/xstate.h | 1 + > arch/x86/kernel/signal.c | 40 +++++++++++++++++++++------ > arch/x86/kernel/signal_32.c | 8 +++--- > arch/x86/kernel/signal_64.c | 9 +++--- > 8 files changed, 101 insertions(+), 27 deletions(-) Ok, this looks a lot saner than the first patch. A couple of requests: 1) Please split out all the PKRU parameter passing interface changes into a separate patch. Ie. split out patches that don't change any behavior, and try to make the final feature-enabling (bug-fixing) patch as small and easy to read as possible. Maybe even have 3 patches: - function interface changes - helper function additions - behavioral changes to signal handler pkru context 2) I do agree that isolation of sandboxed execution into a non-zero pkey might make sense. But this really needs an actual testcase. 3) The semantics you've implemented for sigaltstacks are not the only possible ones. In principle, a signal handler with its own stack might want to have its own key(s) enabled. In a way a Linux signal handler is a mini-thread created on the fly, with its own stack and its own attributes. Some thought & analysis should go into which way to go here, and the best path should be chosen. Fixing the SIGSEGV you observed should be a happy side effect of other worthwile improvements. Thanks, Ingo