Re: [PATCH] x86/pkeys: Explicitly treat PK #PF on kernel address as a bad area

[Thomas Gleixner]

On Tue, 7 Aug 2018, Dave Hansen wrote:
> On 08/07/2018 10:29 AM, Sean Christopherson wrote:
> >  	if (unlikely(fault_in_kernel_space(address))) {
> > +		/*
> > +		 * We should never encounter a protection keys fault on a
> > +		 * kernel address as kernel address are always mapped with
> > +		 * _PAGE_USER=0, i.e. PKRU isn't enforced.
> > +		 */
> > +		if (WARN_ON_ONCE(error_code & X86_PF_PK))
> > +			goto bad_kernel_address;
> 
> I just realized one more thing: the vsyscall page can bite us here.
> It's at a fault_in_kernel_space() address and we *can* trigger a pkey
> fault on it if we jump to an instruction that reads from a
> pkey-protected area.
> 
> We can make a gadget out of unaligned vsyscall instructions that does
> that.  See:
> 
> 0xffffffffff600002:  shlb   $0x0,0x0(%rax)
> 
> Then, we turn off access to all pkeys, including pkey-0, then jump to
> the unaligned vsyscall instruction, which reads %rax, which is a kernel
> address:
> 
>         asm("movl $0xffffffff, %eax;\
>              movl $0x00000000, %ecx;\
>              movl $0x00000000, %edx;\
>              wrpkru;\
>              movq $0xffffffffff600000, %rax;\
>              movq $0xffffffffff600002, %rbx;\
>              jmpq *%rbx;");
> 
> So, my bad.  It was not a good suggestion to do a WARN_ON().  But, the
> other funny thing is I would have expected spurious_fault() to get us
> into a fault loop, which it doesn't.  It's definitely getting *called*
> with my little test program (I see it in ftrace) but it's not quite
> doing what I expect.
> 
> I need to dig a bit more.

Given the time span you should be close to ground water with your digging
by now.

Thanks,

	tglx