From: Nadav Amit <namit@vmware.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org, Ingo Molnar <mingo@redhat.com>, x86@kernel.org, Arnd Bergmann <arnd@arndb.de>, linux-arch@vger.kernel.org, Dave Hansen <dave.hansen@linux.intel.com>, Nadav Amit <nadav.amit@gmail.com>, Nadav Amit <namit@vmware.com>, Jiri Kosina <jkosina@suse.cz>, Andy Lutomirski <luto@kernel.org>, Masami Hiramatsu <mhiramat@kernel.org>, Kees Cook <keescook@chromium.org>, Peter Zijlstra <peterz@infradead.org>
Subject: [PATCH v2 0/6] x86/alternatives: text_poke() fixes
Date: Sun, 2 Sep 2018 10:32:18 -0700
Message-ID: <20180902173224.30606-1-namit@vmware.com>

This patch-set addresses some issues that were raised in a recent
correspondence and might affect the security and the correctness of code
patching. (Note that patching performance is not addressed by this
patch-set).

The main issue that the patches deal with is the fact that the fixmap PTEs
that are used for patching are available for access from other cores and
might be exploited. They are not even flushed from the TLB in remote cores,
so the risk is even higher. Address this issue by introducing a temporary
mm that is only used during patching. Unfortunately, due to init ordering,
fixmap is still used during boot-time patching. Future patches can
eliminate the need for it.

The second issue is the missing lockdep assertion to ensure text_mutex is
taken. It is actually not always taken, so fix the instances that were
found not to take the lock (although they should be safe even without
taking the lock).

Finally, try to be more conservative and to map a single page, instead of
two, when possible. This helps both security and performance.

In addition, there is some cleanup of the patching code to make it more
readable.

v1->v2:
- Partial revert of 9222f606506c added to 1/6 [masami]
- Added Masami's reviewed-by tag

RFC->v1:
- Added handling of error in get_locked_pte()
- Remove lockdep assertion, clarify text_mutex use instead [masami]
- Comment fix [peterz]
- Removed remainders of text_poke return value [masami]
- Use __weak for poking_init instead of macros [masami]
- Simplify error handling in poking_init [masami]

Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lkml.org/lkml/2018/8/24/586

Andy Lutomirski (1):
  x86/mm: temporary mm struct

Nadav Amit (5):
  Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()"
  fork: provide a function for copying init_mm
  x86/alternatives: initializing temporary mm for patching
  x86/alternatives: use temporary mm for text poking
  x86/alternatives: remove text_poke() return value

 arch/x86/include/asm/mmu_context.h   |  20 +++
 arch/x86/include/asm/pgtable.h       |   3 +
 arch/x86/include/asm/text-patching.h |   4 +-
 arch/x86/kernel/alternative.c        | 175 +++++++++++++++++++++++----
 arch/x86/mm/init_64.c                |  29 +++++
 include/linux/sched/task.h           |   1 +
 init/main.c                          |   3 +
 kernel/fork.c                        |  24 +++-
 8 files changed, 227 insertions(+), 32 deletions(-)

-- 
2.17.1
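As an added illustration (not part of the patch series or the kernel's code), the following userspace C model reproduces two ideas from the cover letter: the writable alias used for patching exists only for the duration of the write and is torn down afterwards, and it covers a single page unless the write crosses a page boundary. A regular file plus mmap stands in for the kernel's temporary mm and page tables; the names text_init, pages_to_map and text_poke_sim are the example's own, and the NOP bytes and text size are constructed.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define TEXT_PAGES 4            /* size of the constructed "kernel text" region */

static int text_fd = -1;
unsigned char *text;            /* read-only view standing in for kernel text */
static unsigned long page_sz;

static unsigned long page_mask(void) { return ~(page_sz - 1); }

/* A len-byte write at off needs one page unless it crosses a page boundary. */
int pages_to_map(unsigned long off, size_t len)
{
    return ((off & ~page_mask()) + len > page_sz) ? 2 : 1;
}

/* Back the text with an unlinked temp file and map it read-only. */
int text_init(void)
{
    char path[] = "/tmp/text_poke_XXXXXX";
    page_sz = (unsigned long)sysconf(_SC_PAGESIZE);
    text_fd = mkstemp(path);
    if (text_fd < 0) return -1;
    unlink(path);
    if (ftruncate(text_fd, (off_t)(TEXT_PAGES * page_sz)) < 0) return -1;
    text = mmap(NULL, TEXT_PAGES * page_sz, PROT_READ, MAP_SHARED, text_fd, 0);
    return text == MAP_FAILED ? -1 : 0;
}

/* Write len bytes at addr through a writable alias that covers only the page(s)
 * the write touches and is torn down as soon as the write is done. */
int text_poke_sim(void *addr, const void *opcode, size_t len)
{
    unsigned long off = (unsigned long)((unsigned char *)addr - text);
    if ((unsigned char *)addr < text || off + len > TEXT_PAGES * page_sz) return -1;
    size_t map_len = (size_t)pages_to_map(off, len) * page_sz;
    unsigned char *alias = mmap(NULL, map_len, PROT_READ | PROT_WRITE, MAP_SHARED,
                                text_fd, (off_t)(off & page_mask()));
    if (alias == MAP_FAILED) return -1;
    memcpy(alias + (off & ~page_mask()), opcode, len);
    munmap(alias, map_len);                         /* writable alias is gone */
    return memcmp(addr, opcode, len) == 0 ? 0 : -1; /* result visible via RO view */
}
```

After text_poke_sim returns, the only mapping of the text left in the process is the read-only view, which is the property the series restores for the kernel's fixmap-based poking.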