[PATCH v3 1/2] arm64: Support execute-only permissions with Enhanced PAN
Catalin Marinas
catalin.marinas at arm.com
Fri Mar 12 12:23:34 GMT 2021
On Fri, Mar 12, 2021 at 11:19:02AM +0000, Vladimir Murzin wrote:
> On 1/26/21 12:23 PM, Will Deacon wrote:
> > On Tue, Jan 26, 2021 at 12:05:42PM +0000, Catalin Marinas wrote:
> >> On Tue, Jan 26, 2021 at 11:03:06AM +0000, Will Deacon wrote:
> >>> On Tue, Jan 19, 2021 at 04:07:22PM +0000, Vladimir Murzin wrote:
> >>>> #define pte_valid_not_user(pte) \
> >>>> - ((pte_val(pte) & (PTE_VALID | PTE_USER)) == PTE_VALID)
> >>>> + ((pte_val(pte) & (PTE_VALID | PTE_USER | PTE_UXN)) == (PTE_VALID | PTE_UXN))
> >>>> #define pte_valid_user(pte) \
> >>>> ((pte_val(pte) & (PTE_VALID | PTE_USER)) == (PTE_VALID | PTE_USER))
> >>>
> >>> Won't pte_valid_user() go wrong for exec-only mappings now?
> >>
> >> I wondered about the same in November (and reproducing my comment
> >> below):
> >>
> >> https://lore.kernel.org/linux-arm-kernel/20201119182236.GN4376@gaia/
> >>
> >> pte_valid_user() checks for both PTE_VALID and PTE_USER. In theory, a
> >> !PTE_UXN is also user-accessible but it's only used in gup_pte_range()
> >> via pte_access_permitted(). If "access" in the latter means only
> >> read/write, we should be ok. If we keep it as is, a comment would
> >> be useful.
> >
> > I think we should ensure that:
> >
> > pte_valid(pte) && (pte_valid_not_user(pte) || pte_valid_user(pte))
> >
> > is always true, but I don't think it is after this patch. It reminds me
> > of some of the tests that Anshuman wrote.
>
> Something like
>
> /*
> * Most of user mappings would have PTE_USER bit set except Execute-only
> * where both PTE_USER and PTE_UXN bits not set
> */
> #define pte_valid_user(pte) \
> (((pte_val(pte) & (PTE_VALID | PTE_USER)) == (PTE_VALID | PTE_USER)) || \
> ((pte_val(pte) & (PTE_VALID | PTE_UXN)) == PTE_VALID))
This is equivalent to (valid && (user || !uxn)) which matches how the
EPAN is now specified.
However, I think this change breaks pte_access_permitted() which would
now return true even for execute-only mappings. Since such pages are not
readable, nor writable by user, get_user_pages_fast() should fail. For
example, if we have a futex in such execute-only mapping,
get_futex_key() succeeds with the above. Similarly for the
iov_iter_get_pages().
The slow-path get_user_pages() does the checks on the vma flags and this
can be overridden with FOLL_FORCE (it doesn't use
pte_access_permitted()). I haven't seen any get_user_pages_fast() called
with FOLL_FORCE but even if it does, it looks like it's ignored as the
code relies on pte_access_permitted() only.
I'd say lets scrap pte_valid_user() altogether and move the original
logic to pte_access_permitted() with a comment that it must return false
for execute-only user mappings.
--
Catalin
More information about the linux-arm-kernel
mailing list