From: Borislav Petkov <bp@alien8.de>
To: Rick Edgecombe <rick.p.edgecombe@intel.com>
Cc: Andy Lutomirski <luto@kernel.org>, Ingo Molnar <mingo@redhat.com>,
linux-kernel@vger.kernel.org, x86@kernel.org, hpa@zytor.com,
Thomas Gleixner <tglx@linutronix.de>,
Nadav Amit <nadav.amit@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>,
linux_dti@icloud.com, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, akpm@linux-foundation.org,
kernel-hardening@lists.openwall.com, linux-mm@kvack.org,
will.deacon@arm.com, ard.biesheuvel@linaro.org,
kristen@linux.intel.com, deneen.t.dock@intel.com,
Nadav Amit <namit@vmware.com>, Kees Cook <keescook@chromium.org>,
Dave Hansen <dave.hansen@intel.com>,
Masami Hiramatsu <mhiramat@kernel.org>
Subject: Re: [PATCH v2 06/20] x86/alternative: use temporary mm for text poking
Date: Tue, 5 Feb 2019 10:58:53 +0100 [thread overview]
Message-ID: <20190205095853.GJ21801@zn.tnic> (raw)
In-Reply-To: <20190129003422.9328-7-rick.p.edgecombe@intel.com>
On Mon, Jan 28, 2019 at 04:34:08PM -0800, Rick Edgecombe wrote:
> From: Nadav Amit <namit@vmware.com>
>
> text_poke() can potentially compromise the security as it sets temporary
s/the //
> PTEs in the fixmap. These PTEs might be used to rewrite the kernel code
> from other cores accidentally or maliciously, if an attacker gains the
> ability to write onto kernel memory.
Eww, sneaky. That would be a really nasty attack.
> Moreover, since remote TLBs are not flushed after the temporary PTEs are
> removed, the time-window in which the code is writable is not limited if
> the fixmap PTEs - maliciously or accidentally - are cached in the TLB.
> To address these potential security hazards, we use a temporary mm for
> patching the code.
>
> Finally, text_poke() is also not conservative enough when mapping pages,
> as it always tries to map 2 pages, even when a single one is sufficient.
> So try to be more conservative, and do not map more than needed.
>
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Dave Hansen <dave.hansen@intel.com>
> Cc: Masami Hiramatsu <mhiramat@kernel.org>
> Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> Signed-off-by: Nadav Amit <namit@vmware.com>
> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
> ---
> arch/x86/include/asm/fixmap.h | 2 -
> arch/x86/kernel/alternative.c | 106 +++++++++++++++++++++++++++-------
> arch/x86/xen/mmu_pv.c | 2 -
> 3 files changed, 84 insertions(+), 26 deletions(-)
>
> diff --git a/arch/x86/include/asm/fixmap.h b/arch/x86/include/asm/fixmap.h
> index 50ba74a34a37..9da8cccdf3fb 100644
> --- a/arch/x86/include/asm/fixmap.h
> +++ b/arch/x86/include/asm/fixmap.h
> @@ -103,8 +103,6 @@ enum fixed_addresses {
> #ifdef CONFIG_PARAVIRT
> FIX_PARAVIRT_BOOTMAP,
> #endif
> - FIX_TEXT_POKE1, /* reserve 2 pages for text_poke() */
> - FIX_TEXT_POKE0, /* first page is last, because allocation is backward */
Two fixmap slots less - good riddance. :)
> #ifdef CONFIG_X86_INTEL_MID
> FIX_LNW_VRTC,
> #endif
> diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
> index ae05fbb50171..76d482a2b716 100644
> --- a/arch/x86/kernel/alternative.c
> +++ b/arch/x86/kernel/alternative.c
> @@ -11,6 +11,7 @@
> #include <linux/stop_machine.h>
> #include <linux/slab.h>
> #include <linux/kdebug.h>
> +#include <linux/mmu_context.h>
> #include <asm/text-patching.h>
> #include <asm/alternative.h>
> #include <asm/sections.h>
> @@ -683,41 +684,102 @@ __ro_after_init unsigned long poking_addr;
>
> static void *__text_poke(void *addr, const void *opcode, size_t len)
> {
> + bool cross_page_boundary = offset_in_page(addr) + len > PAGE_SIZE;
> + temporary_mm_state_t prev;
> + struct page *pages[2] = {NULL};
> unsigned long flags;
> - char *vaddr;
> - struct page *pages[2];
> - int i;
> + pte_t pte, *ptep;
> + spinlock_t *ptl;
> + pgprot_t prot;
>
> /*
> - * While boot memory allocator is runnig we cannot use struct
> - * pages as they are not yet initialized.
> + * While boot memory allocator is running we cannot use struct pages as
> + * they are not yet initialized.
> */
> BUG_ON(!after_bootmem);
>
> if (!core_kernel_text((unsigned long)addr)) {
> pages[0] = vmalloc_to_page(addr);
> - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
> + if (cross_page_boundary)
> + pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
> } else {
> pages[0] = virt_to_page(addr);
> WARN_ON(!PageReserved(pages[0]));
> - pages[1] = virt_to_page(addr + PAGE_SIZE);
> + if (cross_page_boundary)
> + pages[1] = virt_to_page(addr + PAGE_SIZE);
> }
> - BUG_ON(!pages[0]);
> + BUG_ON(!pages[0] || (cross_page_boundary && !pages[1]));
checkpatch fires a lot for this patchset and I think we should tone down
the BUG_ON() use.
WARNING: Avoid crashing the kernel - try using WARN_ON & recovery code rather than BUG() or BUG_ON()
#116: FILE: arch/x86/kernel/alternative.c:711:
+ BUG_ON(!pages[0] || (cross_page_boundary && !pages[1]));
While the below BUG_ON makes sense, this here could be a WARN_ON or so.
Which begs the next question: AFAICT, nothing looks at text_poke*()'s
retval. So why are we even bothering returning something?
> +
> local_irq_save(flags);
> - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
> - if (pages[1])
> - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
> - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
> - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
> - clear_fixmap(FIX_TEXT_POKE0);
> - if (pages[1])
> - clear_fixmap(FIX_TEXT_POKE1);
> - local_flush_tlb();
> - sync_core();
> - /* Could also do a CLFLUSH here to speed up CPU recovery; but
> - that causes hangs on some VIA CPUs. */
> - for (i = 0; i < len; i++)
> - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
> +
> + /*
> + * The lock is not really needed, but this allows to avoid open-coding.
> + */
> + ptep = get_locked_pte(poking_mm, poking_addr, &ptl);
> +
> + /*
> + * This must not fail; preallocated in poking_init().
> + */
> + VM_BUG_ON(!ptep);
> +
> + /*
> + * flush_tlb_mm_range() would be called when the poking_mm is not
> + * loaded. When PCID is in use, the flush would be deferred to the time
> + * the poking_mm is loaded again. Set the PTE as non-global to prevent
> + * it from being used when we are done.
> + */
> + prot = __pgprot(pgprot_val(PAGE_KERNEL) & ~_PAGE_GLOBAL);
So
_KERNPG_TABLE | _PAGE_NX
as this is pagetable page, AFAICT.
--
Regards/Gruss,
Boris.
Good mailing practices for 400: avoid top-posting and trim the reply.
next prev parent reply other threads:[~2019-02-05 9:59 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-29 0:34 [PATCH v2 00/20] Merge text_poke fixes and executable lockdowns Rick Edgecombe
2019-01-29 0:34 ` [PATCH v2 01/20] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" Rick Edgecombe
2019-01-29 0:34 ` [PATCH v2 02/20] x86/jump_label: Use text_poke_early() during early init Rick Edgecombe
2019-01-29 0:34 ` [PATCH v2 03/20] x86/mm: temporary mm struct Rick Edgecombe
2019-01-31 11:29 ` Borislav Petkov
2019-01-31 22:19 ` Nadav Amit
2019-02-01 0:08 ` Borislav Petkov
2019-02-01 0:25 ` Nadav Amit
2019-02-04 14:28 ` Borislav Petkov
2019-01-29 0:34 ` [PATCH v2 04/20] fork: provide a function for copying init_mm Rick Edgecombe
2019-02-05 8:53 ` Borislav Petkov
2019-02-05 9:03 ` Nadav Amit
2019-01-29 0:34 ` [PATCH v2 05/20] x86/alternative: initializing temporary mm for patching Rick Edgecombe
2019-02-05 9:18 ` Borislav Petkov
2019-02-11 0:39 ` Nadav Amit
2019-02-11 5:18 ` Andy Lutomirski
2019-02-11 18:04 ` Nadav Amit
2019-02-11 19:07 ` Andy Lutomirski
2019-02-11 19:18 ` Nadav Amit
2019-02-11 22:47 ` Andy Lutomirski
2019-02-12 18:23 ` Nadav Amit
2019-01-29 0:34 ` [PATCH v2 06/20] x86/alternative: use temporary mm for text poking Rick Edgecombe
2019-02-05 9:58 ` Borislav Petkov [this message]
2019-02-05 11:31 ` Peter Zijlstra
2019-02-05 12:35 ` Borislav Petkov
2019-02-05 13:25 ` Peter Zijlstra
2019-02-05 17:54 ` Nadav Amit
2019-02-05 13:29 ` Peter Zijlstra
2019-01-29 0:34 ` [PATCH v2 07/20] x86/kgdb: avoid redundant comparison of patched code Rick Edgecombe
2019-01-29 0:34 ` [PATCH v2 08/20] x86/ftrace: set trampoline pages as executable Rick Edgecombe
2019-01-29 0:34 ` [PATCH v2 09/20] x86/kprobes: instruction pages initialization enhancements Rick Edgecombe
2019-02-11 18:22 ` Borislav Petkov
2019-02-11 19:36 ` Nadav Amit
2019-01-29 0:34 ` [PATCH v2 10/20] x86: avoid W^X being broken during modules loading Rick Edgecombe
2019-02-11 18:29 ` Borislav Petkov
2019-02-11 18:45 ` Nadav Amit
2019-02-11 19:01 ` Borislav Petkov
2019-02-11 19:09 ` Nadav Amit
2019-02-11 19:10 ` Borislav Petkov
2019-02-11 19:27 ` Nadav Amit
2019-02-11 19:42 ` Borislav Petkov
2019-02-11 20:32 ` Nadav Amit
2019-03-07 15:10 ` [PATCH] x86/cpufeature: Remove __pure attribute to _static_cpu_has() Borislav Petkov
2019-03-07 16:43 ` hpa
2019-03-07 17:02 ` Borislav Petkov
2019-03-07 7:29 ` [PATCH v2 10/20] x86: avoid W^X being broken during modules loading Borislav Petkov
2019-03-07 16:53 ` hpa
2019-03-07 17:06 ` Borislav Petkov
2019-03-07 20:02 ` Andy Lutomirski
2019-03-07 20:25 ` Borislav Petkov
2019-01-29 0:34 ` [PATCH v2 11/20] x86/jump-label: remove support for custom poker Rick Edgecombe
2019-02-11 18:37 ` Borislav Petkov
2019-01-29 0:34 ` [PATCH v2 12/20] x86/alternative: Remove the return value of text_poke_*() Rick Edgecombe
2019-01-29 0:34 ` [PATCH v2 13/20] Add set_alias_ function and x86 implementation Rick Edgecombe
2019-02-11 19:09 ` Borislav Petkov
2019-02-11 19:27 ` Edgecombe, Rick P
2019-02-11 22:59 ` Andy Lutomirski
2019-02-12 0:01 ` Edgecombe, Rick P
2019-01-29 0:34 ` [PATCH v2 14/20] mm: Make hibernate handle unmapped pages Rick Edgecombe
2019-02-19 11:04 ` Borislav Petkov
2019-02-19 21:28 ` Edgecombe, Rick P
2019-02-20 16:07 ` Borislav Petkov
2019-01-29 0:34 ` [PATCH v2 15/20] vmalloc: New flags for safe vfree on special perms Rick Edgecombe
2019-02-19 12:48 ` Borislav Petkov
2019-02-19 19:42 ` Edgecombe, Rick P
2019-02-20 16:14 ` Borislav Petkov
2019-01-29 0:34 ` [PATCH v2 16/20] modules: Use vmalloc special flag Rick Edgecombe
2019-01-29 0:34 ` [PATCH v2 17/20] bpf: " Rick Edgecombe
2019-01-29 0:34 ` [PATCH v2 18/20] x86/ftrace: " Rick Edgecombe
2019-01-29 0:34 ` [PATCH v2 19/20] x86/kprobes: " Rick Edgecombe
2019-01-29 0:34 ` [PATCH v2 20/20] x86/alternative: comment about module removal races Rick Edgecombe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190205095853.GJ21801@zn.tnic \
--to=bp@alien8.de \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=deneen.t.dock@intel.com \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kristen@linux.intel.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux_dti@icloud.com \
--cc=luto@kernel.org \
--cc=mhiramat@kernel.org \
--cc=mingo@redhat.com \
--cc=nadav.amit@gmail.com \
--cc=namit@vmware.com \
--cc=peterz@infradead.org \
--cc=rick.p.edgecombe@intel.com \
--cc=tglx@linutronix.de \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).