lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <87h7xyjbob.fsf@linux.ibm.com>
Date:   Sun, 05 Apr 2020 19:07:40 +0530
From:   "Aneesh Kumar K.V" <aneesh.kumar@...ux.ibm.com>
To:     Ram Pai <linuxram@...ibm.com>
Cc:     linuxppc-dev@...ts.ozlabs.org, mpe@...erman.id.au,
        linux-mm@...ck.org, linux-kernel@...r.kernel.org,
        kvm-ppc@...r.kernel.org, npiggin@...il.com, paulus@...abs.org,
        leonardo@...ux.ibm.com, kirill@...temov.name,
        Ram Pai <linuxram@...ux.ibm.com>
Subject: Re: [PATCH v2 01/22] powerpc/pkeys: Avoid using lockless page table
 walk

Ram Pai <linuxram@...ibm.com> writes:

> On Thu, Mar 19, 2020 at 09:25:48AM +0530, Aneesh Kumar K.V wrote:
>> Fetch pkey from vma instead of linux page table. Also document the fact that in
>> some cases the pkey returned in siginfo won't be the same as the one we took
>> keyfault on. Even with linux page table walk, we can end up in a similar scenario.
>
> There is no way to correctly ensure that the key returned through
> siginfo is actually the key that took the fault.  Either get it
> from page table or get it from the corresponding vma.

That is correct.

>
> So we had to choose the lesser evil. Getting it from the page table was
> faster, and did not involve taking any locks.

That is because you are locks which need to be held on page table walk.

>Getting it from the vma
> was slower, since it needed locks.  Also I faintly recall, there
> is a scenario where the address that gets a key fault, has no
> corresponding VMA associated with it yet.

I would be interested in this. For now IIUC even x86 fetch the key from
VMA.

>
> Hence the logic used was --
> 	if it is key-fault, than procure the key quickly
> 	from the page table.  In the unlikely event that the fault is
> 	something else, but still has a non-permissive key associated
> 	with it, get the key from the vma.


I am fixing that logic further in the next patch. I do have a test case
attached for that. We always check for the key in the vma and if it
allows access, then we retry.


>
> A well written application should avoid changing the key of an address
> space without synchronizing the corresponding threads that operate in
> that address range.  However, if the application ignores to do so, than
> it is vulnerable to a undefined behavior. There is no way to prove that
> the reported key is correct or incorrect, since there is no provable
> order between the two events; the key-fault event and the key-change
> event.
>
> Hence I think the change proposed in this patch may not be necessary.
> RP

The change is needed so that we can make the page table walk safer.


-aneesh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ