• Dave Hansen's avatar
    x86/pkeys: Override pkey when moving away from PROT_EXEC · 0a0b1520
    Dave Hansen authored
    I got a bug report that the following code (roughly) was
    causing a SIGSEGV:
    
    	mprotect(ptr, size, PROT_EXEC);
    	mprotect(ptr, size, PROT_NONE);
    	mprotect(ptr, size, PROT_READ);
    	*ptr = 100;
    
    The problem is hit when the mprotect(PROT_EXEC)
    is implicitly assigned a protection key to the VMA, and made
    that key ACCESS_DENY|WRITE_DENY.  The PROT_NONE mprotect()
    failed to remove the protection key, and the PROT_NONE->
    PROT_READ left the PTE usable, but the pkey still in place
    and left the memory inaccessible.
    
    To fix this, we ensure that we always "override" the pkee
    at mprotect() if the VMA does not have execute-only
    permissions, but the VMA has the execute-only pkey.
    
    We had a check for PROT_READ/WRITE, but it did not work
    for PROT_NONE.  This entirely removes the PROT_* checks,
    which ensures that PROT_NONE now works.
    Reported-by: default avatarShakeel Butt <shakeelb@google.com>
    Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Dave Hansen <dave.hansen@intel.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Michael Ellermen <mpe@ellerman.id.au>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Ram Pai <linuxram@us.ibm.com>
    Cc: Shuah Khan <shuah@kernel.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: linux-mm@kvack.org
    Cc: stable@vger.kernel.org
    Fixes: 62b5f7d0 ("mm/core, x86/mm/pkeys: Add execute-only protection keys support")
    Link: http://lkml.kernel.org/r/20180509171351.084C5A71@viggo.jf.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
    0a0b1520
pkeys.h 3 KB