mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-11-01 08:58:07 +00:00
0a0b152083
I got a bug report that the following code (roughly) was
causing a SIGSEGV:
mprotect(ptr, size, PROT_EXEC);
mprotect(ptr, size, PROT_NONE);
mprotect(ptr, size, PROT_READ);
*ptr = 100;
The problem is hit when the mprotect(PROT_EXEC)
is implicitly assigned a protection key to the VMA, and made
that key ACCESS_DENY|WRITE_DENY. The PROT_NONE mprotect()
failed to remove the protection key, and the PROT_NONE->
PROT_READ left the PTE usable, but the pkey still in place
and left the memory inaccessible.
To fix this, we ensure that we always "override" the pkee
at mprotect() if the VMA does not have execute-only
permissions, but the VMA has the execute-only pkey.
We had a check for PROT_READ/WRITE, but it did not work
for PROT_NONE. This entirely removes the PROT_* checks,
which ensures that PROT_NONE now works.
Reported-by: Shakeel Butt <shakeelb@google.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michael Ellermen <mpe@ellerman.id.au>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ram Pai <linuxram@us.ibm.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-mm@kvack.org
Cc: stable@vger.kernel.org
Fixes: 62b5f7d013 ("mm/core, x86/mm/pkeys: Add execute-only protection keys support")
Link: http://lkml.kernel.org/r/20180509171351.084C5A71@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
119 lines
3 KiB
C
119 lines
3 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _ASM_X86_PKEYS_H
|
|
#define _ASM_X86_PKEYS_H
|
|
|
|
#define ARCH_DEFAULT_PKEY 0
|
|
|
|
#define arch_max_pkey() (boot_cpu_has(X86_FEATURE_OSPKE) ? 16 : 1)
|
|
|
|
extern int arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
|
|
unsigned long init_val);
|
|
|
|
/*
|
|
* Try to dedicate one of the protection keys to be used as an
|
|
* execute-only protection key.
|
|
*/
|
|
extern int __execute_only_pkey(struct mm_struct *mm);
|
|
static inline int execute_only_pkey(struct mm_struct *mm)
|
|
{
|
|
if (!boot_cpu_has(X86_FEATURE_OSPKE))
|
|
return ARCH_DEFAULT_PKEY;
|
|
|
|
return __execute_only_pkey(mm);
|
|
}
|
|
|
|
extern int __arch_override_mprotect_pkey(struct vm_area_struct *vma,
|
|
int prot, int pkey);
|
|
static inline int arch_override_mprotect_pkey(struct vm_area_struct *vma,
|
|
int prot, int pkey)
|
|
{
|
|
if (!boot_cpu_has(X86_FEATURE_OSPKE))
|
|
return 0;
|
|
|
|
return __arch_override_mprotect_pkey(vma, prot, pkey);
|
|
}
|
|
|
|
extern int __arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
|
|
unsigned long init_val);
|
|
|
|
#define ARCH_VM_PKEY_FLAGS (VM_PKEY_BIT0 | VM_PKEY_BIT1 | VM_PKEY_BIT2 | VM_PKEY_BIT3)
|
|
|
|
#define mm_pkey_allocation_map(mm) (mm->context.pkey_allocation_map)
|
|
#define mm_set_pkey_allocated(mm, pkey) do { \
|
|
mm_pkey_allocation_map(mm) |= (1U << pkey); \
|
|
} while (0)
|
|
#define mm_set_pkey_free(mm, pkey) do { \
|
|
mm_pkey_allocation_map(mm) &= ~(1U << pkey); \
|
|
} while (0)
|
|
|
|
static inline
|
|
bool mm_pkey_is_allocated(struct mm_struct *mm, int pkey)
|
|
{
|
|
/*
|
|
* "Allocated" pkeys are those that have been returned
|
|
* from pkey_alloc(). pkey 0 is special, and never
|
|
* returned from pkey_alloc().
|
|
*/
|
|
if (pkey <= 0)
|
|
return false;
|
|
if (pkey >= arch_max_pkey())
|
|
return false;
|
|
/*
|
|
* The exec-only pkey is set in the allocation map, but
|
|
* is not available to any of the user interfaces like
|
|
* mprotect_pkey().
|
|
*/
|
|
if (pkey == mm->context.execute_only_pkey)
|
|
return false;
|
|
|
|
return mm_pkey_allocation_map(mm) & (1U << pkey);
|
|
}
|
|
|
|
/*
|
|
* Returns a positive, 4-bit key on success, or -1 on failure.
|
|
*/
|
|
static inline
|
|
int mm_pkey_alloc(struct mm_struct *mm)
|
|
{
|
|
/*
|
|
* Note: this is the one and only place we make sure
|
|
* that the pkey is valid as far as the hardware is
|
|
* concerned. The rest of the kernel trusts that
|
|
* only good, valid pkeys come out of here.
|
|
*/
|
|
u16 all_pkeys_mask = ((1U << arch_max_pkey()) - 1);
|
|
int ret;
|
|
|
|
/*
|
|
* Are we out of pkeys? We must handle this specially
|
|
* because ffz() behavior is undefined if there are no
|
|
* zeros.
|
|
*/
|
|
if (mm_pkey_allocation_map(mm) == all_pkeys_mask)
|
|
return -1;
|
|
|
|
ret = ffz(mm_pkey_allocation_map(mm));
|
|
|
|
mm_set_pkey_allocated(mm, ret);
|
|
|
|
return ret;
|
|
}
|
|
|
|
static inline
|
|
int mm_pkey_free(struct mm_struct *mm, int pkey)
|
|
{
|
|
if (!mm_pkey_is_allocated(mm, pkey))
|
|
return -EINVAL;
|
|
|
|
mm_set_pkey_free(mm, pkey);
|
|
|
|
return 0;
|
|
}
|
|
|
|
extern int arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
|
|
unsigned long init_val);
|
|
extern int __arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
|
|
unsigned long init_val);
|
|
extern void copy_init_pkru_to_fpregs(void);
|
|
|
|
#endif /*_ASM_X86_PKEYS_H */
|