| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Dec 2015 12:49:02 -0800 From: Andy Lutomirski <luto@...capital.net> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Dave Hansen <dave.hansen@...ux.intel.com>, "H. Peter Anvin" <hpa@...or.com>, Oleg Nesterov <oleg@...hat.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...nel.org>, Borislav Petkov <bp@...en8.de>, Brian Gerst <brgerst@...il.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Christoph Hellwig <hch@....de> Subject: Re: Rethinking sigcontext's xfeatures slightly for PKRU's benefit? On Fri, Dec 18, 2015 at 12:37 PM, Linus Torvalds <torvalds@...ux-foundation.org> wrote: > On Fri, Dec 18, 2015 at 12:07 PM, Dave Hansen > <dave.hansen@...ux.intel.com> wrote: >> >> But, I think it's a small one. Basically, RSP would have to pointing at >> a place which was allowed by protection keys for all of the sigframe >> setup. > > Note that the whole "stack is special" is not at all a new issue. > > It's the main reason why sigaltstack() and SS_ONSTACK exists. This is > in no way new to PKRU, people have had to handle the issue of > stack-related SIGSEGV faults for a long time. > > So any application that uses PKRU and may play games that affects the > stack, will always have to have a separate "safe stack" that it uses > for signal handling. But that is in no way PKRU-specific, it's been > the case for a lot of other memory management faults. > The trouble is that this isn't just limited to special "safe stack" SA_ONSTACK aware code. It even affects normally innocuous things. The thing that's new is that, before PKRU, the HW stack might have been unsafe in the sense that accessing it would fault and we need a different backup stack for some signals. With PKRU, we might be in a transient extra-privileged (permissive PKRU) state, and we want to tighten permissions for *all* signal deliveries so that, in case the current stack is erroneous, we don't corrupt it. Admittedly, ending up with permissive PKRU in some short sequence and corrupt RSP is likely to corrupt things no matter what the kernel does. But I don't think we want to deliver SIGALRM to a library while the main program is in a specially permissive PKRU region. IOW, I like my idea in which signal delivery always sets PKRU to the application-requested-by-syscall values and sigreturn restores it. Kinda like sigaltstack, but applies to all signals and affects PKRU instead of RSP. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists