lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20180316213604.167305-1-shakeelb@google.com>
Date:   Fri, 16 Mar 2018 14:36:04 -0700
From:   Shakeel Butt <shakeelb@...gle.com>
To:     Thomas Gleixner <tglx@...utronix.de>,
        Greg Thelen <gthelen@...gle.com>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        John Sperbeck <jsperbeck@...gle.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Cc:     linux-mm@...ck.org, linux-kernel@...r.kernel.org, x86@...nel.org,
        Shakeel Butt <shakeelb@...gle.com>
Subject: SIGSEGV on OSPKE machine

Hi all,

The following simple program is producing SIGSEGV on machines which have
X86_FEATURE_OSPKE feature on 4.15 kernel.

#include <sys/mman.h>

int main(int argc, char *argv[])
{
	void *p = mmap(0, 4096, PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE,
		       -1, 0);
	mprotect(p, 4096, PROT_NONE);
	mprotect(p, 4096, PROT_READ);
	(void)*(volatile unsigned char *)p;
}

On further inspection it seems like transition from PROT_EXEC to
PROT_NONE leaves the exec-only pkey lingering in the vma flags.  That
is, new_vma_pkey is non-zero in do_mprotect_pkey().  Later, then
enabling PROT_READ, the pkey remains and overrides the normal page
protections.

This change seems to help but is this the right way to solve it?

---
 arch/x86/mm/pkeys.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/mm/pkeys.c b/arch/x86/mm/pkeys.c
index d7bc0eea20a5..4a837a220516 100644
--- a/arch/x86/mm/pkeys.c
+++ b/arch/x86/mm/pkeys.c
@@ -94,6 +94,10 @@ int __arch_override_mprotect_pkey(struct vm_area_struct *vma, int prot, int pkey
 	 */
 	if (pkey != -1)
 		return pkey;
+
+	if ((prot & (PROT_READ|PROT_WRITE|PROT_EXEC)) == 0)
+		return 0;
+
 	/*
 	 * Look for a protection-key-drive execute-only mapping
 	 * which is now being given permissions that are not
-- 
2.16.2.804.g6dcf76e118-goog

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ