Re: [PATCH 2/9] mm: implement new pkey_mprotect() system call

From: Dave Hansen
Date: Thu Jul 07 2016 - 12:52:12 EST


On 07/07/2016 07:40 AM, Mel Gorman wrote:
> On Thu, Jul 07, 2016 at 05:47:22AM -0700, Dave Hansen wrote:
>> +#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
>> static inline int vma_pkey(struct vm_area_struct *vma)
>> {
>> - u16 pkey = 0;
>> -#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
>> unsigned long vma_pkey_mask = VM_PKEY_BIT0 | VM_PKEY_BIT1 |
>> VM_PKEY_BIT2 | VM_PKEY_BIT3;
>> - pkey = (vma->vm_flags & vma_pkey_mask) >> VM_PKEY_SHIFT;
>> -#endif
>> - return pkey;
>> +
>> + return (vma->vm_flags & vma_pkey_mask) >> VM_PKEY_SHIFT;
>> +}
>> +#else
>> +static inline int vma_pkey(struct vm_area_struct *vma)
>> +{
>> + return 0;
>> }
>> +#endif
>>
>> static inline bool __pkru_allows_pkey(u16 pkey, bool write)
>> {
>
> Looks like MASK could have been statically defined and be a simple shift
> and mask known at compile time. Minor though.

The VM_PKEY_BIT*'s are only ever defined as masks and not bit numbers.
So, if you want to use a mask, you end up doing something like:

unsigned long mask = (NR_PKEYS-1) << ffz(~VM_PKEY_BIT0);

Which ends up with the same thing, but I think ends up being pretty on
par for ugliness.

...
>> +/*
>> + * When setting a userspace-provided value, we need to ensure
>> + * that it is valid. The __ version can get used by
>> + * kernel-internal uses like the execute-only support.
>> + */
>> +int arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
>> + unsigned long init_val)
>> +{
>> + if (!validate_pkey(pkey))
>> + return -EINVAL;
>> + return __arch_set_user_pkey_access(tsk, pkey, init_val);
>> +}
>
> There appears to be a subtle bug fixed for validate_key. It appears
> there wasn't protection of the dedicated key before but nothing could
> reach it.

Right. There was no user interface that took a key and we trusted that
the kernel knew what it was doing.

> The arch_max_pkey and PKEY_DEDICATE_EXECUTE_ONLY interaction is subtle
> but I can't find a problem with it either.
>
> That aside, the validate_pkey check looks weak. It might be a number
> that works but no guarantee it's an allocated key or initialised
> properly. At this point, garbage can be handed into the system call
> potentially but maybe that gets fixed later.

It's called in three paths:
1. by the kernel when setting up execute-only support
2. by pkey_alloc() on the pkey we just allocated
3. by pkey_set() on a pkey we just checked was allocated

So, it isn't broken, but it's also not clear at all why it is safe and
what validate_pkey() is actually validating.

But, that said, this does make me realize that with
pkey_alloc()/pkey_free(), this is probably redundant. We verify that
the key is allocated, and we only allow valid keys to be allocated.

IOW, I think I can remove validate_pkey(), but only if we keep pkey_alloc().

...
>> - newflags = calc_vm_prot_bits(prot, pkey);
>> + new_vma_pkey = arch_override_mprotect_pkey(vma, prot, pkey);
>> + newflags = calc_vm_prot_bits(prot, new_vma_pkey);
>> newflags |= (vma->vm_flags & ~(VM_READ | VM_WRITE | VM_EXEC));
>>
>
> On CPUs that do not support the feature, arch_override_mprotect_pkey
> returns 0 and the normal protections are used. It's not clear how an
> application is meant to detect if the operation succeeded or not. What
> if the application relies on pkeys to be working?

It actually shows up as -ENOSPC from pkey_alloc(). This sounds goofy,
but it teaches programs something very important: they always have to
look for ENOSPC, and must always be prepared to function without
protection keys. A library might have stolen all the keys, or an
LD_PRELOAD, so an app can never be sure what is available.

If we teach them to check for ENOSPC from day one, they'll never be
surprised.

I've tried to spell this out a bit more clearly in the manpages. I'll
also add it to the changelog.