Message-ID: <20151002070943.GA1623@gmail.com>
Date: Fri, 2 Oct 2015 09:09:43 +0200
From: Ingo Molnar <mingo@...nel.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Dave Hansen <dave@...1.net>, Kees Cook <keescook@...gle.com>,
"x86@...nel.org" <x86@...nel.org>,
LKML <linux-kernel@...r.kernel.org>,
Linux-MM <linux-mm@...ck.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Peter Zijlstra <a.p.zijlstra@...llo.nl>,
Andy Lutomirski <luto@...nel.org>,
Borislav Petkov <bp@...en8.de>
Subject: Re: [PATCH 26/26] x86, pkeys: Documentation
* Linus Torvalds <torvalds@...ux-foundation.org> wrote:
> On Thu, Oct 1, 2015 at 6:33 PM, Dave Hansen <dave@...1.net> wrote:
> >
> > Here it is in a quite fugly form (well, it's not opt-in). Init crashes if I
> > boot with this, though.
> >
> > I'll see if I can turn it into a bit more of an opt-in and see what's
> > actually going wrong.
>
> It's quite likely that you will find that compilers put read-only constants in
> the text section, knowing that executable means readable.
At least with pkeys enabling true --x mappings, that compiler practice becomes a
(mild) security problem: it provides a readable and executable return target for
stack/buffer overflow attacks - FWIW. (It's a limited concern because the true
code areas are executable already.)
I'd expect such read-only data to eventually move out into the regular data
sections, the moment the kernel gives a tool to distros to enforce true PROT_EXEC
mappings.
> So it's entirely possible that it's pretty much all over.
I'd expect that too.
> That said, I don't understand your patch. Why check PROT_WRITE? We've had
> "execute but not write" forever. It's "execute and not *read*" that is
> interesting.
Yeah, but almost none of user-space seems to be using it.
> So I wonder if your testing is just bogus. But maybe I'm mis-reading this?
I don't think you are mis-reading it: my (hacky! bad! not signed off!) debug idea
was to fudge PROT_EXEC|PROT_READ bits into pure PROT_EXEC only - at least to get
pkeys used in a much more serious fashion than standalone testcases, without
having to change the distro itself.
You are probably right that true data reads from executable sections are very
common, so this might not be a viable technique even for testing purposes.
But worth a try.
Thanks,
Ingo
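An added example, not from this thread or the kernel tree, that probes the property under discussion: whether a plain load from a PROT_EXEC-only mapping actually faults on the running kernel and CPU (it only does where the kernel backs execute-only mappings with pkeys), using PROT_NONE and PROT_READ as known-answer controls. The helper name, the 0xC3 fill byte and the sigsetjmp-based fault catching are my choices.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_jmp;

static void on_segv(int sig) {
    (void)sig;
    siglongjmp(fault_jmp, 1);   /* unwind out of the faulting load */
}

/* Map one page, protect it with 'prot', and try a single byte load.
 * Returns 1 if the load faulted, 0 if it succeeded, -1 on setup error. */
int read_faults_with_prot(int prot) {
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memset(page, 0xC3, pagesz);             /* x86 'ret'; content is irrelevant here */
    if (mprotect(page, pagesz, prot) != 0) { munmap(page, pagesz); return -1; }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);

    volatile int faulted;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        volatile unsigned char *p = page;   /* volatile: the load must really happen */
        unsigned char v = *p;
        (void)v;
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(page, pagesz);
    return faulted;
}

int main(void) {
    printf("PROT_NONE  read faults: %d (expected 1)\n", read_faults_with_prot(PROT_NONE));
    printf("PROT_READ  read faults: %d (expected 0)\n", read_faults_with_prot(PROT_READ));
    printf("PROT_EXEC  read faults: %d (1 = true --x enforced)\n", read_faults_with_prot(PROT_EXEC));
    return 0;
}
```

On x86 without pkeys-backed execute-only support the last line prints 0, which is exactly the "executable means readable" assumption the compiler practice above relies on.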