On Mon, Dec 14, 2015 at 3:39 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote: > On Mon, Dec 14, 2015 at 3:37 PM, Dave Hansen <dave@xxxxxxxx> wrote: >> On 12/14/2015 12:05 PM, Kees Cook wrote: >>> On Mon, Dec 14, 2015 at 11:06 AM, Dave Hansen <dave@xxxxxxxx> wrote: >>>> > From: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx> >>>> > Protection keys provide new page-based protection in hardware. >>>> > But, they have an interesting attribute: they only affect data >>>> > accesses and never affect instruction fetches. That means that >>>> > if we set up some memory which is set as "access-disabled" via >>>> > protection keys, we can still execute from it. >> ... >>>> > I haven't found any userspace that does this today. >>> To realistically take advantage of this, it sounds like the linker >>> would need to know to keep bss and data page-aligned away from text, >>> and then set text to PROT_EXEC only? >>> >>> Do you have any example linker scripts for this? >> >> Nope. My linker-fu is weak. >> >> Can we even depend on the linker by itself? Even if the sections were >> marked --x, we can't actually use them with those permissions unless we >> have protection keys. >> >> Do we need some special tag on the section to tell the linker to map it >> as --x under some conditions and r-x for others? >> > > Why? Wouldn't --x just end up acting like r-x if PKRU is absent? Good point! What was the mixed section problem that came up before? I realize I said "bss/data" before, but that's not right: those are already page-aligned since they're writable, and rodata would be too, only non-executable. What was the case of memory that needed to be readable? ENEEDCOFFEE. -Kees -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>