7  *  * how to set/clear bits in pkey registers (the rights register)
8  *  * how to handle SEGV_PKUERR signals and extract pkey-relevant
17  *	look for pkey "leaks" where it is still set on a VMA but "freed" back to the kernel
18  *	do a plain mprotect() to a mprotect_pkey() area and make sure the pkey sticks
49 #include "pkey-helpers.h"
178 static u32 hw_pkey_get(int pkey, unsigned long flags)
182 	dprintf1("%s(pkey=%d, flags=%lx) = %x / %d\n",
183 			__func__, pkey, flags, 0, 0);
186 	return (u32) get_pkey_bits(pkey_reg, pkey);
189 static int hw_pkey_set(int pkey, unsigned long rights, unsigned long flags)
199 	new_pkey_reg = set_pkey_bits(old_pkey_reg, pkey, rights);
203 	dprintf3("%s(pkey=%d, rights=%lx, flags=%lx) = %x"
205 		__func__, pkey, rights, flags, 0, __read_pkey_reg(),
210 void pkey_disable_set(int pkey, int flags)
218 		pkey, flags);
221 	pkey_rights = hw_pkey_get(pkey, syscall_flags);
224 			pkey, pkey, pkey_rights);
230 	ret = hw_pkey_set(pkey, pkey_rights, syscall_flags);
233 	shadow_pkey_reg = set_pkey_bits(shadow_pkey_reg, pkey, pkey_rights);
235 		__func__, pkey, shadow_pkey_reg);
239 	pkey_rights = hw_pkey_get(pkey, syscall_flags);
241 			pkey, pkey, pkey_rights);
244 		__func__, pkey, read_pkey_reg());
248 		pkey, flags);
251 void pkey_disable_clear(int pkey, int flags)
255 	int pkey_rights = hw_pkey_get(pkey, syscall_flags);
261 			pkey, pkey, pkey_rights);
266 	ret = hw_pkey_set(pkey, pkey_rights, 0);
267 	shadow_pkey_reg = set_pkey_bits(shadow_pkey_reg, pkey, pkey_rights);
270 	pkey_rights = hw_pkey_get(pkey, syscall_flags);
272 			pkey, pkey, pkey_rights);
275 			pkey, read_pkey_reg());
280 void pkey_write_allow(int pkey)
282 	pkey_disable_clear(pkey, PKEY_DISABLE_WRITE);
284 void pkey_write_deny(int pkey)
286 	pkey_disable_set(pkey, PKEY_DISABLE_WRITE);
288 void pkey_access_allow(int pkey)
290 	pkey_disable_clear(pkey, PKEY_DISABLE_ACCESS);
292 void pkey_access_deny(int pkey)
294 	pkey_disable_set(pkey, PKEY_DISABLE_ACCESS);
384 	dprintf1("pkey from siginfo: %016llx\n", siginfo_pkey);
462 		unsigned long pkey)
466 	dprintf2("%s(0x%p, %zx, prot=%lx, pkey=%lx)\n", __func__,
467 			ptr, size, orig_prot, pkey);
470 	sret = syscall(__NR_pkey_mprotect, ptr, size, orig_prot, pkey);
535 int sys_pkey_free(unsigned long pkey)
537 	int ret = syscall(SYS_pkey_free, pkey);
538 	dprintf1("%s(pkey=%ld) syscall ret: %d\n", __func__, pkey, ret);
543  * I had a bug where pkey bits could be set by mprotect() but
545  * and clears on the vma and pte pkey bits.
588 		unsigned long pkey)
595 		ret = sys_mprotect_pkey(ptr, size, orig_prot, pkey);
596 		dprintf1("sys_mprotect_pkey(%p, %zx, prot=0x%lx, pkey=%ld) ret: %d\n",
597 				ptr, size, orig_prot, pkey, ret);
611 	pkey_assert(pkey < NR_PKEYS);
613 	ret = sys_mprotect_pkey(ptr, size, orig_prot, pkey);
614 	dprintf1("mprotect_pkey(%p, %zx, prot=0x%lx, pkey=%ld) ret: %d\n",
615 			ptr, size, orig_prot, pkey, ret);
696 void *malloc_pkey_with_mprotect(long size, int prot, u16 pkey)
702 	dprintf1("doing %s(size=%ld, prot=0x%x, pkey=%d)\n", __func__,
703 			size, prot, pkey);
704 	pkey_assert(pkey < NR_PKEYS);
707 	ret = mprotect_pkey((void *)ptr, PAGE_SIZE, prot, pkey);
712 	dprintf1("%s() for pkey %d @ %p\n", __func__, pkey, ptr);
716 void *malloc_pkey_anon_huge(long size, int prot, u16 pkey)
721 	dprintf1("doing %s(size=%ld, prot=0x%x, pkey=%d)\n", __func__,
722 			size, prot, pkey);
731 	mprotect_pkey(ptr, size, prot, pkey);
742 	dprintf1("mmap()'d thp for pkey %d @ %p\n", pkey, ptr);
797 void *malloc_pkey_hugetlb(long size, int prot, u16 pkey)
805 	dprintf1("doing %s(%ld, %x, %x)\n", __func__, size, prot, pkey);
807 	pkey_assert(pkey < NR_PKEYS);
810 	mprotect_pkey(ptr, size, prot, pkey);
814 	dprintf1("mmap()'d hugetlbfs for pkey %d @ %p\n", pkey, ptr);
818 void *malloc_pkey_mmap_dax(long size, int prot, u16 pkey)
823 	dprintf1("doing %s(size=%ld, prot=0x%x, pkey=%d)\n", __func__,
824 			size, prot, pkey);
825 	pkey_assert(pkey < NR_PKEYS);
832 	mprotect_pkey(ptr, size, prot, pkey);
836 	dprintf1("mmap()'d for pkey %d @ %p\n", pkey, ptr);
841 void *(*pkey_malloc[])(long size, int prot, u16 pkey) = {
853 void *malloc_pkey(long size, int prot, u16 pkey)
859 	pkey_assert(pkey < NR_PKEYS);
864 		ret = pkey_malloc[malloc_type](size, prot, pkey);
878 	dprintf3("%s(%ld, prot=%x, pkey=%x) returning: %p\n", __func__,
879 			size, prot, pkey, ret);
885 void expected_pkey_fault(int pkey)
889 	dprintf2("%s(%d): last_si_pkey: %d\n", __func__, pkey, last_si_pkey);
893 	* For exec-only memory, we do not know the pkey in
896 	if (pkey != UNKNOWN_PKEY)
897 		pkey_assert(last_si_pkey == pkey);
963 void test_pkey_alloc_free_attach_pkey0(int *ptr, u16 pkey)
1015 void test_read_of_write_disabled_region(int *ptr, u16 pkey)
1020 	pkey_write_deny(pkey);
1025 void test_read_of_access_disabled_region(int *ptr, u16 pkey)
1029 	dprintf1("disabling access to PKEY[%02d], doing read @ %p\n", pkey, ptr);
1031 	pkey_access_deny(pkey);
1034 	expected_pkey_fault(pkey);
1038 		u16 pkey)
1043 				pkey, ptr);
1048 	pkey_access_deny(pkey);
1051 	expected_pkey_fault(pkey);
1055 		u16 pkey)
1059 		"to PKEY[%02d], doing write\n", pkey);
1060 	pkey_write_deny(pkey);
1062 	expected_pkey_fault(pkey);
1065 void test_write_of_write_disabled_region(int *ptr, u16 pkey)
1067 	dprintf1("disabling write access to PKEY[%02d], doing write\n", pkey);
1068 	pkey_write_deny(pkey);
1070 	expected_pkey_fault(pkey);
1072 void test_write_of_access_disabled_region(int *ptr, u16 pkey)
1074 	dprintf1("disabling access to PKEY[%02d], doing write\n", pkey);
1075 	pkey_access_deny(pkey);
1077 	expected_pkey_fault(pkey);
1081 			u16 pkey)
1085 		" to PKEY[%02d], doing write\n", pkey);
1086 	pkey_access_deny(pkey);
1088 	expected_pkey_fault(pkey);
1091 void test_kernel_write_of_access_disabled_region(int *ptr, u16 pkey)
1097 		 "having kernel read() to buffer\n", pkey);
1098 	pkey_access_deny(pkey);
1103 void test_kernel_write_of_write_disabled_region(int *ptr, u16 pkey)
1108 	pkey_write_deny(pkey);
1116 void test_kernel_gup_of_access_disabled_region(int *ptr, u16 pkey)
1126 		 "having kernel vmsplice from buffer\n", pkey);
1127 	pkey_access_deny(pkey);
1138 void test_kernel_gup_write_to_write_disabled_region(int *ptr, u16 pkey)
1145 		 "doing futex gunk in buffer\n", pkey);
1147 	pkey_write_deny(pkey);
1155 /* Assumes that all pkeys other than 'pkey' are unallocated */
1156 void test_pkey_syscalls_on_non_allocated_pkey(int *ptr, u16 pkey)
1161 	/* Note: 0 is the default pkey, so don't mess with it */
1163 		if (pkey == i)
1166 		dprintf1("trying get/set/free to non-allocated pkey: %2d\n", i);
1178 /* Assumes that all pkeys other than 'pkey' are unallocated */
1179 void test_pkey_syscalls_bad_args(int *ptr, u16 pkey)
1184 	/* pass a known-invalid pkey in: */
1204 /* Assumes that all pkeys other than 'pkey' are unallocated */
1205 void test_pkey_alloc_exhaust(int *ptr, u16 pkey)
1223 			dprintf2("%s() failed to allocate pkey after %d tries\n",
1252 	 *      'pkey' to this function.
1259 	 * the time we get here. These include pkey-0, pkey-1,
1260 	 * exec-only pkey and the one allocated by the test code.
1308  * a long-running test that continually checks the pkey
1311 void test_pkey_init_state(int *ptr, u16 pkey)
1345  * pkey 0 is special.  It is allocated by default, so you do not
1349 void test_mprotect_with_pkey_0(int *ptr, u16 pkey)
1366 	/* Use pkey 0 */
1369 	/* Make sure that we can set it back to the original pkey. */
1370 	mprotect_pkey(ptr, size, prot, pkey);
1373 void test_ptrace_of_child(int *ptr, u16 pkey)
1409 	pkey_access_deny(pkey);
1410 	pkey_write_deny(pkey);
1419 	 * Try to access the pkey-protected "ptr" via ptrace:
1426 	expected_pkey_fault(pkey);
1429 	 * Try to access the NON-pkey-protected "plain_ptr" via ptrace:
1470 void test_executing_on_unreadable_memory(int *ptr, u16 pkey)
1482 	ret = mprotect_pkey(p1, PAGE_SIZE, PROT_EXEC, (u64)pkey);
1484 	pkey_access_deny(pkey);
1494 	expect_fault_on_read_execonly_key(p1, pkey);
1497 void test_implicit_mprotect_exec_only_memory(int *ptr, u16 pkey)
1518 	 * the actual allocated pkey is unknown.
1532 	 * exec-only pkey off the VMA and allow it to be readable
1534 	 * that did not clear the pkey when doing PROT_NONE.
1546 void test_ptrace_modifies_pkru(int *ptr, u16 pkey)
1668 void test_mprotect_pkey_on_unsupported_cpu(int *ptr, u16 pkey)
1678 	sret = syscall(__NR_pkey_mprotect, ptr, size, PROT_READ, pkey);
1682 void (*pkey_tests[])(int *ptr, u16 pkey) = {
1714 		int pkey;
1721 		pkey = alloc_random_pkey();
1722 		dprintf1("test %d starting with pkey: %d\n", test_nr, pkey);
1723 		ptr = malloc_pkey(PAGE_SIZE, prot, pkey);
1725 		pkey_tests[test_nr](ptr, pkey);
1728 		sys_pkey_free(pkey);

Indexes created Wed May 08 10:03:12 MDT 2024