Re: [patch 05/16] mm: Allow special mappings with user access cleared

From: Peter Zijlstra
Date: Wed Dec 13 2017 - 10:55:10 EST


On Wed, Dec 13, 2017 at 07:47:46AM -0800, Dave Hansen wrote:
> On 12/13/2017 07:32 AM, Peter Zijlstra wrote:
> >> This will fault writing a byte to 'addr':
> >>
> >> char *addr = malloc(PAGE_SIZE);
> >> pkey_mprotect(addr, PAGE_SIZE, 13);
> >> pkey_deny_access(13);
> >> *addr[0] = 'f';
> >>
> >> But this will write one byte to addr successfully (if it uses the kernel
> >> mapping of the physical page backing 'addr'):
> >>
> >> char *addr = malloc(PAGE_SIZE);
> >> pkey_mprotect(addr, PAGE_SIZE, 13);
> >> pkey_deny_access(13);
> >> read(fd, addr, 1);
> >>
> > This seems confused to me; why are these two cases different?
>
> Protection keys doesn't work in the kernel direct map, so if the read()
> was implemented by writing to the direct map alias of 'addr' then this
> would bypass protection keys.

Which is why get_user_pages() _should_ enforce this.

What use are protection keys if you can trivially circumvent them?