From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0C5F6C43387 for ; Thu, 10 Jan 2019 17:32:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id DB297208E3 for ; Thu, 10 Jan 2019 17:32:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730383AbfAJRcr (ORCPT ); Thu, 10 Jan 2019 12:32:47 -0500 Received: from mail.kernel.org ([198.145.29.99]:46774 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730023AbfAJRcr (ORCPT ); Thu, 10 Jan 2019 12:32:47 -0500 Received: from gandalf.local.home (cpe-66-24-56-78.stny.res.rr.com [66.24.56.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E8FC220675; Thu, 10 Jan 2019 17:32:44 +0000 (UTC) Date: Thu, 10 Jan 2019 12:32:43 -0500 From: Steven Rostedt To: Josh Poimboeuf Cc: Nadav Amit , X86 ML , LKML , Ard Biesheuvel , Andy Lutomirski , Peter Zijlstra , Ingo Molnar , Thomas Gleixner , Linus Torvalds , Masami Hiramatsu , Jason Baron , Jiri Kosina , David Laight , Borislav Petkov , Julia Cartwright , Jessica Yu , "H. Peter Anvin" , Rasmus Villemoes , Edward Cree , Daniel Bristot de Oliveira Subject: Re: [PATCH v3 5/6] x86/alternative: Use a single access in text_poke() where possible Message-ID: <20190110123243.3b9e0856@gandalf.local.home> In-Reply-To: <20190110172004.wuh45xoafynfm2df@treble> References: <279b8003f7f0a6831d090ab822d37bc958f974de.1547073843.git.jpoimboe@redhat.com> <8138A1EE-359D-4CD2-8E96-5BF00313AB3B@vmware.com> <20190110172004.wuh45xoafynfm2df@treble> X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 10 Jan 2019 11:20:04 -0600 Josh Poimboeuf wrote: > > While I can't find a reason for hypervisors to emulate this instruction, > > smarter people might find ways to turn it into a security exploit. > > Interesting point... but I wonder if it's a realistic concern. BTW, > text_poke_bp() also relies on undocumented behavior. But we did get an official OK from Intel that it will work. Took a bit of arm twisting to get them to do so, but they did. And it really is pretty robust. I would really like an acknowledgment from the HW vendors before we do go this route. -- Steve > > The entire instruction doesn't need to be read atomically; just the > 32-bit call destination. Assuming the hypervisor is x86-64, and it uses > a 32-bit access to read the call destination (which seems logical), the > intra-cacheline reads will be atomic, as stated in the SDM. > > If the above assumptions are not true, and the hypervisor reads the call > destination non-atomically (which seems unlikely IMO), even then I don't > see how it could be realistically exploitable. It would just oops from > calling a corrupt address. >