Re: [PATCH] x86/pkeys: Explicitly treat PK #PF on kernel address as a bad area

[Andy Lutomirski]

> On Aug 30, 2018, at 7:38 PM, Jann Horn <jannh@xxxxxxxxxx> wrote:
> 
>> On Tue, 7 Aug 2018 Dave Hansen <dave.hansen@xxxxxxxxx> wrote:
>> 
>>> On 08/07/2018 10:29 AM, Sean Christopherson wrote:
>>>      if (unlikely(fault_in_kernel_space(address))) {
>>> +             /*
>>> +              * We should never encounter a protection keys fault on a
>>> +              * kernel address as kernel address are always mapped with
>>> +              * _PAGE_USER=0, i.e. PKRU isn't enforced.
>>> +              */
>>> +             if (WARN_ON_ONCE(error_code & X86_PF_PK))
>>> +                     goto bad_kernel_address;
>> 
>> I just realized one more thing: the vsyscall page can bite us here.
>> It's at a fault_in_kernel_space() address and we *can* trigger a pkey
>> fault on it if we jump to an instruction that reads from a
>> pkey-protected area.
>> 
>> We can make a gadget out of unaligned vsyscall instructions that does
>> that.  See:
>> 
>> 0xffffffffff600002:  shlb   $0x0,0x0(%rax)
>> 
>> Then, we turn off access to all pkeys, including pkey-0, then jump to
>> the unaligned vsyscall instruction, which reads %rax, which is a kernel
>> address:
> 
> Andy got rid of the (native) vsyscall page in
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=076ca272a14cea558b1092ec85cea08510283f2a
> ('x86/vsyscall/64: Drop "native" vsyscalls') a few months ago, right?
> At this point, the vsyscall page should never be executable.

Indeed.

Can one of you cc me on the original patch?