lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CC80AED2-E5A5-4E09-BCBB-4F9EAD0AD0AC@oracle.com>
Date: Fri, 22 Mar 2024 18:28:24 +0000
From: Aruna Ramakrishna <aruna.ramakrishna@...cle.com>
To: Dave Hansen <dave.hansen@...el.com>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "x86@...nel.org" <x86@...nel.org>,
        "dave.hansen@...ux.intel.com"
	<dave.hansen@...ux.intel.com>,
        "tglx@...utronix.de" <tglx@...utronix.de>,
        Matthias Neugschwandtner <matthias.neugschwandtner@...cle.com>,
        Andrew
 Brownsword <andrew.brownsword@...cle.com>
Subject: Re: [RFC PATCH v2 1/1] x86/pkeys: update PKRU to enable pkey 0 before
 XSAVE


> On Mar 22, 2024, at 8:40 AM, Dave Hansen <dave.hansen@...el.com> wrote:
> 
> On 3/21/24 14:56, Aruna Ramakrishna wrote:
>> +/*
>> + * Ensure that the both the current stack and the alternate signal
>> + * stack is writeable. The alternate stack must be accessible by the
>> + * init PKRU value.
>> + */
>> +static inline u32 sig_prepare_pkru(void)
>> +{
>> + u32 current_pkru = read_pkru();
>> + u32 init_pkru_snapshot = pkru_get_init_value();
>> +
>> + write_pkru(current_pkru & init_pkru_snapshot);
>> + return current_pkru;
>> +}
> 
> That comment is quite misleading.  This code has *ZERO* knowledge of the
> permissions on either the current or alternate stack.  It _assumes_ that
> the current PKRU permissions allow writes to the current stack and
> _assumes_ that the init PKRU value can write to the alternative stack.
> 
> Those aren't bad assumptions, but they _are_ assumptions and need to be
> clearly called out as such.
> 
> The '&' operation looks rather random and needs an explanation.  What is
> that logically trying to do?  It's trying to clear bits in the old
> (pre-signal) PKRU value so that it gains write access to the alt stack.
> Please say that.
> 
> Which leads me to ask: Why bother with the '&'?  It would be simpler to,
> for instance, just wrpkru(0).  What is being written to the old stack at
> this point?

Right. This works only for the very specific use case where the alt stack
is protected by init_pkru and the current execution stack is protected by
the thread’s PKRU. If those assumptions do not hold for an application,
then it would still run into the same issue. 

I wasn’t sure if enabling all pkeys before XSAVE - i.e. wrpkru(0) - will be
acceptable from a security standpoint. If it is, that seems like a more
generic solution than what’s in this patch. 

> 
> I also dislike something being called 'current_pkru' when it's clearly
> the old value by the time it is returned.
> 
>> +static inline void sig_restore_pkru(u32 pkru)
>> +{
>> + write_pkru(pkru);
>> +}
> 
> This seems like unnecessary abstraction.

Yeah. Just trying to be consistent with the prep/restore…

I can remove this.

Thanks,
Aruna

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ