Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <32219CAE-7D49-4848-9497-A17E0D809B3E@gmail.com>
Date: Thu, 17 Jan 2019 14:29:36 -0800
From: Nadav Amit <nadav.amit@...il.com>
To: Andy Lutomirski <luto@...nel.org>
Cc: Rick Edgecombe <rick.p.edgecombe@...el.com>,
 Ingo Molnar <mingo@...hat.com>,
 LKML <linux-kernel@...r.kernel.org>,
 X86 ML <x86@...nel.org>,
 "H. Peter Anvin" <hpa@...or.com>,
 Thomas Gleixner <tglx@...utronix.de>,
 Borislav Petkov <bp@...en8.de>,
 Dave Hansen <dave.hansen@...ux.intel.com>,
 Peter Zijlstra <peterz@...radead.org>,
 Damian Tometzki <linux_dti@...oud.com>,
 linux-integrity <linux-integrity@...r.kernel.org>,
 LSM List <linux-security-module@...r.kernel.org>,
 Andrew Morton <akpm@...ux-foundation.org>,
 Kernel Hardening <kernel-hardening@...ts.openwall.com>,
 Linux-MM <linux-mm@...ck.org>,
 Will Deacon <will.deacon@....com>,
 Ard Biesheuvel <ard.biesheuvel@...aro.org>,
 Kristen Carlson Accardi <kristen@...ux.intel.com>,
 "Dock, Deneen T" <deneen.t.dock@...el.com>,
 Kees Cook <keescook@...omium.org>,
 Dave Hansen <dave.hansen@...el.com>,
 Masami Hiramatsu <mhiramat@...nel.org>
Subject: Re: [PATCH 06/17] x86/alternative: use temporary mm for text poking

> On Jan 17, 2019, at 1:43 PM, Nadav Amit <nadav.amit@...il.com> wrote:
> 
>> On Jan 17, 2019, at 12:47 PM, Andy Lutomirski <luto@...nel.org> wrote:
>> 
>> On Thu, Jan 17, 2019 at 12:27 PM Andy Lutomirski <luto@...nel.org> wrote:
>>> On Wed, Jan 16, 2019 at 4:33 PM Rick Edgecombe
>>> <rick.p.edgecombe@...el.com> wrote:
>>>> From: Nadav Amit <namit@...are.com>
>>>> 
>>>> text_poke() can potentially compromise the security as it sets temporary
>>>> PTEs in the fixmap. These PTEs might be used to rewrite the kernel code
>>>> from other cores accidentally or maliciously, if an attacker gains the
>>>> ability to write onto kernel memory.
>>> 
>>> i think this may be sufficient, but barely.
>>> 
>>>> +       pte_clear(poking_mm, poking_addr, ptep);
>>>> +
>>>> +       /*
>>>> +        * __flush_tlb_one_user() performs a redundant TLB flush when PTI is on,
>>>> +        * as it also flushes the corresponding "user" address spaces, which
>>>> +        * does not exist.
>>>> +        *
>>>> +        * Poking, however, is already very inefficient since it does not try to
>>>> +        * batch updates, so we ignore this problem for the time being.
>>>> +        *
>>>> +        * Since the PTEs do not exist in other kernel address-spaces, we do
>>>> +        * not use __flush_tlb_one_kernel(), which when PTI is on would cause
>>>> +        * more unwarranted TLB flushes.
>>>> +        *
>>>> +        * There is a slight anomaly here: the PTE is a supervisor-only and
>>>> +        * (potentially) global and we use __flush_tlb_one_user() but this
>>>> +        * should be fine.
>>>> +        */
>>>> +       __flush_tlb_one_user(poking_addr);
>>>> +       if (cross_page_boundary) {
>>>> +               pte_clear(poking_mm, poking_addr + PAGE_SIZE, ptep + 1);
>>>> +               __flush_tlb_one_user(poking_addr + PAGE_SIZE);
>>>> +       }
>>> 
>>> In principle, another CPU could still have the old translation.  Your
>>> mutex probably makes this impossible, but it makes me nervous.
>>> Ideally you'd use flush_tlb_mm_range(), but I guess you can't do that
>>> with IRQs off.  Hmm.  I think you should add an inc_mm_tlb_gen() here.
>>> Arguably, if you did that, you could omit the flushes, but maybe
>>> that's silly.
>>> 
>>> If we start getting new users of use_temporary_mm(), we should give
>>> some serious thought to the SMP semantics.
>>> 
>>> Also, you're using PAGE_KERNEL.  Please tell me that the global bit
>>> isn't set in there.
>> 
>> Much better solution: do unuse_temporary_mm() and *then*
>> flush_tlb_mm_range().  This is entirely non-sketchy and should be just
>> about optimal, too.
> 
> This solution sounds nice and clean. The fact the global-bit was set didn’t
> matter before (since __flush_tlb_one_user would get rid of it no matter
> what), but would matter now, so I’ll change it too.

Err.. so actually text_poke() might be called with disabled IRQs (by kgdb).
flush_tlb_mm_range() should still work fine even with disabled IRQs since no
core would use poking_mm at this point. I can add a comment to
flush_tlb_mm_range(), but all in all it is actually not very pretty.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.