On Wed, Dec 13, 2017 at 07:47:46AM -0800, Dave Hansen wrote: > On 12/13/2017 07:32 AM, Peter Zijlstra wrote: > >> This will fault writing a byte to 'addr': > >> > >> char *addr = malloc(PAGE_SIZE); > >> pkey_mprotect(addr, PAGE_SIZE, 13); > >> pkey_deny_access(13); > >> *addr[0] = 'f'; > >> > >> But this will write one byte to addr successfully (if it uses the kernel > >> mapping of the physical page backing 'addr'): > >> > >> char *addr = malloc(PAGE_SIZE); > >> pkey_mprotect(addr, PAGE_SIZE, 13); > >> pkey_deny_access(13); > >> read(fd, addr, 1); > >> > > This seems confused to me; why are these two cases different? > > Protection keys doesn't work in the kernel direct map, so if the read() > was implemented by writing to the direct map alias of 'addr' then this > would bypass protection keys.
Which is why get_user_pages() _should_ enforce this. What use are protection keys if you can trivially circumvent them?
