Re: [PATCH] x86/pkeys: Explicitly treat PK #PF on kernel address as a bad area

From: Dave Hansen
Date: Tue Aug 07 2018 - 14:29:03 EST


On 08/07/2018 10:29 AM, Sean Christopherson wrote:
> if (unlikely(fault_in_kernel_space(address))) {
> + /*
> + * We should never encounter a protection keys fault on a
> + * kernel address as kernel address are always mapped with
> + * _PAGE_USER=0, i.e. PKRU isn't enforced.
> + */
> + if (WARN_ON_ONCE(error_code & X86_PF_PK))
> + goto bad_kernel_address;

I just realized one more thing: the vsyscall page can bite us here.
It's at a fault_in_kernel_space() address and we *can* trigger a pkey
fault on it if we jump to an instruction that reads from a
pkey-protected area.

We can make a gadget out of unaligned vsyscall instructions that does
that. See:

0xffffffffff600002: shlb $0x0,0x0(%rax)

Then, we turn off access to all pkeys, including pkey-0, then jump to
the unaligned vsyscall instruction, which reads %rax, which is a kernel
address:

asm("movl $0xffffffff, %eax;\
movl $0x00000000, %ecx;\
movl $0x00000000, %edx;\
wrpkru;\
movq $0xffffffffff600000, %rax;\
movq $0xffffffffff600002, %rbx;\
jmpq *%rbx;");

So, my bad. It was not a good suggestion to do a WARN_ON(). But, the
other funny thing is I would have expected spurious_fault() to get us
into a fault loop, which it doesn't. It's definitely getting *called*
with my little test program (I see it in ftrace) but it's not quite
doing what I expect.

I need to dig a bit more.