eXecute Only Memory from Intel Labs blackhat.com/docs/asia-18/a
This Tweet was deleted by the Tweet author.
By the way, I checked again and the patch did land for Linux 5.0:
github.com/torvalds/linux
If your use case depends on the key state being present after fork, you'll need to disable that part of the feature (such as dlopen library support) on kernels earlier than Linux 5.0.
This Tweet was deleted by the Tweet author.
I don't think there's a safe in-process way to detect the patch, so unfortunately disabling features depending on it after fork on older kernels or simply not activating them at all seems like the only viable option. Can't work around it since the patch may be backported.
If you assume pkey state is lost on older kernels and set things up again that's going to be broken on kernels with it backported. I asked them to add a no-op flag to pkey_alloc so implementations could tell if pkey state is preserved on fork and handle both but they didn't...
My plan is to check for Linux 5.0+ and disable code turning off the feature after fork. It'd be possible to make a table with stable/longterm branches and enable it on those once they're past the point that it was backported upstream. I wish the fix could just be easily detected.
MAP_FIXED_NOREPLACE has a similar portability issue due to this bug I hit: patchwork.kernel.org/patch/10634763/. On older kernels, it's completely broken and clobbers mappings. Not all distributions backport these fixes. Unlike the pkey issue it's easy to safely detect the bug in-process.
I've also run into some VMA merging bugs which I haven't yet reported since I haven't narrowed it down completely. It's mostly a performance issue rather than a correctness / security issue but it's disconcerting that VMA merging code doesn't work properly in fairly simple cases.
The VMA merging bugs are annoying because mremap doesn't work unless the range being remapped is a single VMA, so the kernel failing to merge VMAs leads to spurious mremap failures. I'm not even doing anything particularly strange, just using randomly sized guard pages in malloc.
You're working on similar things so you might run into those bugs too.
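An added example of the in-process probe the MAP_FIXED_NOREPLACE tweet above refers to (this is illustrative code written for this page, not hardened_malloc's or the thread author's): it reserves a page, then asks for a second mapping at the same address with MAP_FIXED_NOREPLACE and classifies the kernel by what comes back. It assumes Linux; the fallback value 0x100000 for the flag is the Linux constant, used only if the system headers are too old to define it.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000 /* Linux value, assumed when headers predate the flag */
#endif

enum noreplace_status {
    NOREPLACE_PROBE_ERROR = -1, /* could not run the probe (unexpected errno etc.) */
    NOREPLACE_HONOURED    = 0,  /* kernel refused the overlap with EEXIST: safe to rely on */
    NOREPLACE_IGNORED     = 1,  /* kernel predates the flag: address was only a hint */
    NOREPLACE_CLOBBERS    = 2   /* flag accepted but the live mapping was replaced: buggy */
};

/* Probe how the running kernel treats MAP_FIXED_NOREPLACE over an existing mapping.
 * Only private anonymous scratch pages are touched, so the probe is safe to run
 * at allocator start-up before deciding whether to use the flag. */
enum noreplace_status probe_map_fixed_noreplace(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return NOREPLACE_PROBE_ERROR;
    size_t len = (size_t)page;

    /* Reserve a page that a correct kernel must refuse to map over. */
    void *base = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NOREPLACE_PROBE_ERROR;

    void *second = mmap(base, len, PROT_READ,
                        MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    enum noreplace_status st;
    if (second == MAP_FAILED) {
        st = (errno == EEXIST) ? NOREPLACE_HONOURED : NOREPLACE_PROBE_ERROR;
    } else if (second == base) {
        st = NOREPLACE_CLOBBERS;   /* behaved like MAP_FIXED: existing page was replaced */
    } else {
        st = NOREPLACE_IGNORED;    /* different address: flag fell through as a hint */
        munmap(second, len);
    }
    munmap(base, len);
    return st;
}
```

A caller that gets anything other than NOREPLACE_HONOURED should fall back to its non-MAP_FIXED_NOREPLACE path rather than trusting the flag.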

