From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Shakeel Butt, Dave Hansen, Andrew Morton, Dave Hansen, Linus Torvalds, Michael Ellermen, Peter Zijlstra, Ram Pai, Shuah Khan, Thomas Gleixner, linux-mm@kvack.org, Ingo Molnar
Subject: [PATCH 4.14 32/95] x86/pkeys: Override pkey when moving away from PROT_EXEC
Date: Mon, 21 May 2018 23:11:22 +0200
Message-Id: <20180521210454.684335787@linuxfoundation.org>
In-Reply-To: <20180521210447.219380974@linuxfoundation.org>
References: <20180521210447.219380974@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Hansen

commit 0a0b152083cfc44ec1bb599b57b7aab41327f998 upstream.

I got a bug report that the following code (roughly) was causing a
SIGSEGV:

	mprotect(ptr, size, PROT_EXEC);
	mprotect(ptr, size, PROT_NONE);
	mprotect(ptr, size, PROT_READ);
	*ptr = 100;

The problem is hit when the mprotect(PROT_EXEC) is implicitly assigned
a protection key to the VMA, and made that key ACCESS_DENY|WRITE_DENY.
The PROT_NONE mprotect() failed to remove the protection key, and the
PROT_NONE->PROT_READ left the PTE usable, but the pkey still in place
and left the memory inaccessible.

To fix this, we ensure that we always "override" the pkey at mprotect()
if the VMA does not have execute-only permissions, but the VMA has the
execute-only pkey.

We had a check for PROT_READ/WRITE, but it did not work for PROT_NONE.
This entirely removes the PROT_* checks, which ensures that PROT_NONE
now works.

Reported-by: Shakeel Butt
Signed-off-by: Dave Hansen Cc: Andrew Morton Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Cc: stable@vger.kernel.org Fixes: 62b5f7d013f ("mm/core, x86/mm/pkeys: Add execute-only protection keys support") Link: http://lkml.kernel.org/r/20180509171351.084C5A71@viggo.jf.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman --- arch/x86/include/asm/pkeys.h | 12 +++++++++++- arch/x86/mm/pkeys.c | 21 +++++++++++---------- 2 files changed, 22 insertions(+), 11 deletions(-) --- a/arch/x86/include/asm/pkeys.h +++ b/arch/x86/include/asm/pkeys.h @@ -2,6 +2,8 @@ #ifndef _ASM_X86_PKEYS_H #define _ASM_X86_PKEYS_H +#define ARCH_DEFAULT_PKEY 0 + #define arch_max_pkey() (boot_cpu_has(X86_FEATURE_OSPKE) ? 16 : 1) extern int arch_set_user_pkey_access(struct task_struct *tsk, int pkey, @@ -15,7 +17,7 @@ extern int __execute_only_pkey(struct mm static inline int execute_only_pkey(struct mm_struct *mm) { if (!boot_cpu_has(X86_FEATURE_OSPKE)) - return 0; + return ARCH_DEFAULT_PKEY; return __execute_only_pkey(mm); } @@ -56,6 +58,14 @@ bool mm_pkey_is_allocated(struct mm_stru return false; if (pkey >= arch_max_pkey()) return false; + /* + * The exec-only pkey is set in the allocation map, but + * is not available to any of the user interfaces like + * mprotect_pkey(). + */ + if (pkey == mm->context.execute_only_pkey) + return false; + return mm_pkey_allocation_map(mm) & (1U << pkey); } --- a/arch/x86/mm/pkeys.c +++ b/arch/x86/mm/pkeys.c 
@@ -94,26 +94,27 @@ int __arch_override_mprotect_pkey(struct */ if (pkey != -1) return pkey; - /* - * Look for a protection-key-drive execute-only mapping - * which is now being given permissions that are not - * execute-only. Move it back to the default pkey. - */ - if (vma_is_pkey_exec_only(vma) && - (prot & (PROT_READ|PROT_WRITE))) { - return 0; - } + /* * The mapping is execute-only. Go try to get the * execute-only protection key. If we fail to do that, * fall through as if we do not have execute-only - * support. + * support in this mm. */ if (prot == PROT_EXEC) { pkey = execute_only_pkey(vma->vm_mm); if (pkey > 0) return pkey; + } else if (vma_is_pkey_exec_only(vma)) { + /* + * Protections are *not* PROT_EXEC, but the mapping + * is using the exec-only pkey. This mapping was + * PROT_EXEC and will no longer be. Move back to + * the default pkey. + */ + return ARCH_DEFAULT_PKEY; } + /* * This is a vanilla, non-pkey mprotect (or we failed to * setup execute-only), inherit the pkey from the VMA we
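Review bot: the new `pkey == mm->context.execute_only_pkey` test in mm_pkey_is_allocated() (arch/x86/include/asm/pkeys.h, hunk at -56,6 +58,14) depends on what that field holds before an execute-only key has been set up, and neither the hunk nor its comment says what that value is. If the unset value can equal a pkey that passes the range checks just above, that key would be reported as unallocated to the user interfaces. Suggest stating the unset value in the added comment, or making the comparison conditional on an execute-only key actually having been assigned.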
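Review bot: in the arch/x86/mm/pkeys.c hunk, the comment inside the new `else if (vma_is_pkey_exec_only(vma))` branch says the mapping "was PROT_EXEC and will no longer be", but the branch is reached for every prot that is not exactly PROT_EXEC, which includes combinations such as PROT_READ|PROT_EXEC that keep execute permission. Suggest wording it as "was execute-only and will no longer be" so it matches the `prot == PROT_EXEC` test. In the same hunk the PROT_EXEC branch still compares against a literal with `if (pkey > 0)` while the patch introduces ARCH_DEFAULT_PKEY for that value and execute_only_pkey() now returns it; a short comment tying the literal to the default key, or using the macro there, would keep the two in step.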