Re: [patch 05/16] mm: Allow special mappings with user access cleared

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Dec 13, 2017 at 07:47:46AM -0800, Dave Hansen wrote:
> On 12/13/2017 07:32 AM, Peter Zijlstra wrote:
> >> This will fault writing a byte to 'addr':
> >>
> >> 	char *addr = malloc(PAGE_SIZE);
> >> 	pkey_mprotect(addr, PAGE_SIZE, 13);
> >> 	pkey_deny_access(13);
> >> 	*addr[0] = 'f';
> >>
> >> But this will write one byte to addr successfully (if it uses the kernel
> >> mapping of the physical page backing 'addr'):
> >>
> >> 	char *addr = malloc(PAGE_SIZE);
> >> 	pkey_mprotect(addr, PAGE_SIZE, 13);
> >> 	pkey_deny_access(13);
> >> 	read(fd, addr, 1);
> >>
> > This seems confused to me; why are these two cases different?
> 
> Protection keys doesn't work in the kernel direct map, so if the read()
> was implemented by writing to the direct map alias of 'addr' then this
> would bypass protection keys.

Which is why get_user_pages() _should_ enforce this.

What use are protection keys if you can trivially circumvent them?

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]
  Powered by Linux