From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756398AbdDGUAF (ORCPT ); Fri, 7 Apr 2017 16:00:05 -0400 Received: from r00tworld.com ([212.85.137.150]:55809 "EHLO r00tworld.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751131AbdDGT74 (ORCPT ); Fri, 7 Apr 2017 15:59:56 -0400 X-Greylist: delayed 325 seconds by postgrey-1.27 at vger.kernel.org; Fri, 07 Apr 2017 15:59:56 EDT From: "PaX Team" To: Mathias Krause , Andy Lutomirski Date: Fri, 07 Apr 2017 21:58:40 +0200 MIME-Version: 1.0 Subject: Re: [kernel-hardening] Re: [RFC v2][PATCH 04/11] x86: Implement __arch_rare_write_begin/unmap() Reply-to: pageexec@freemail.hu CC: Thomas Gleixner , Kees Cook , Andy Lutomirski , "kernel-hardening@lists.openwall.com" , Mark Rutland , Hoeun Ryu , Emese Revfy , Russell King , X86 ML , "linux-kernel@vger.kernel.org" , "linux-arm-kernel@lists.infradead.org" , Peter Zijlstra Message-ID: <58E7EF70.30766.621C4F44@pageexec.freemail.hu> In-reply-to: References: <1490811363-93944-1-git-send-email-keescook@chromium.org>, , X-mailer: Pegasus Mail for Windows (4.72.572) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.1.12 (r00tworld.com [212.85.137.150]); Fri, 07 Apr 2017 21:58:40 +0200 (CEST) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 7 Apr 2017 at 9:14, Andy Lutomirski wrote: > On Fri, Apr 7, 2017 at 6:30 AM, Mathias Krause wrote: > > On 7 April 2017 at 15:14, Thomas Gleixner wrote: > >> On Fri, 7 Apr 2017, Mathias Krause wrote: > > Fair enough. However, placing a BUG_ON(!(read_cr0() & X86_CR0_WP)) > > somewhere sensible should make those "leaks" visible fast -- and their > > exploitation impossible, i.e. fail hard. > > The leaks surely exist and now we'll just add an exploitable BUG. can you please share those leaks that 'surely exist' and CC oss-security while at it? > I think we're approaching this all wrong, actually. The fact that x86 > has this CR0.WP thing is arguably a historical accident, and the fact > that PaX uses it doesn't mean that PaX is doing it the best way for > upstream Linux. > > Why don't we start at the other end and do a generic non-arch-specific > implementation: set up an mm_struct that contains an RW alias of the > relevant parts of rodata and use use_mm to access it. (That is, > get_fs() to back up the old fs, set_fs(USER_DS), > use_mm(&rare_write_mm), do the write using copy_to_user, undo > everything.) > > Then someone who cares about performance can benchmark the CR0.WP > approach against it and try to argue that it's a good idea. This > benchmark should wait until I'm done with my PCID work, because PCID > is going to make use_mm() a whole heck of a lot faster. in my measurements switching PCID is hovers around 230 cycles for snb-ivb and 200-220 for hsw-skl whereas cr0 writes are around 230-240 cycles. there's of course a whole lot more impact for switching address spaces so it'll never be fast enough to beat cr0.wp. From mboxrd@z Thu Jan 1 00:00:00 1970 From: pageexec@freemail.hu (PaX Team) Date: Fri, 07 Apr 2017 21:58:40 +0200 Subject: [kernel-hardening] Re: [RFC v2][PATCH 04/11] x86: Implement __arch_rare_write_begin/unmap() In-Reply-To: References: <1490811363-93944-1-git-send-email-keescook@chromium.org>, , Message-ID: <58E7EF70.30766.621C4F44@pageexec.freemail.hu> To: linux-arm-kernel@lists.infradead.org List-Id: linux-arm-kernel.lists.infradead.org On 7 Apr 2017 at 9:14, Andy Lutomirski wrote: > On Fri, Apr 7, 2017 at 6:30 AM, Mathias Krause wrote: > > On 7 April 2017 at 15:14, Thomas Gleixner wrote: > >> On Fri, 7 Apr 2017, Mathias Krause wrote: > > Fair enough. However, placing a BUG_ON(!(read_cr0() & X86_CR0_WP)) > > somewhere sensible should make those "leaks" visible fast -- and their > > exploitation impossible, i.e. fail hard. > > The leaks surely exist and now we'll just add an exploitable BUG. can you please share those leaks that 'surely exist' and CC oss-security while at it? > I think we're approaching this all wrong, actually. The fact that x86 > has this CR0.WP thing is arguably a historical accident, and the fact > that PaX uses it doesn't mean that PaX is doing it the best way for > upstream Linux. > > Why don't we start at the other end and do a generic non-arch-specific > implementation: set up an mm_struct that contains an RW alias of the > relevant parts of rodata and use use_mm to access it. (That is, > get_fs() to back up the old fs, set_fs(USER_DS), > use_mm(&rare_write_mm), do the write using copy_to_user, undo > everything.) > > Then someone who cares about performance can benchmark the CR0.WP > approach against it and try to argue that it's a good idea. This > benchmark should wait until I'm done with my PCID work, because PCID > is going to make use_mm() a whole heck of a lot faster. in my measurements switching PCID is hovers around 230 cycles for snb-ivb and 200-220 for hsw-skl whereas cr0 writes are around 230-240 cycles. there's of course a whole lot more impact for switching address spaces so it'll never be fast enough to beat cr0.wp. From mboxrd@z Thu Jan 1 00:00:00 1970 From: "PaX Team" Date: Fri, 07 Apr 2017 21:58:40 +0200 MIME-Version: 1.0 Message-ID: <58E7EF70.30766.621C4F44@pageexec.freemail.hu> In-reply-to: References: <1490811363-93944-1-git-send-email-keescook@chromium.org>, , Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body Subject: Re: [kernel-hardening] Re: [RFC v2][PATCH 04/11] x86: Implement __arch_rare_write_begin/unmap() To: Mathias Krause , Andy Lutomirski Cc: Thomas Gleixner , Kees Cook , "kernel-hardening@lists.openwall.com" , Mark Rutland , Hoeun Ryu , Emese Revfy , Russell King , X86 ML , "linux-kernel@vger.kernel.org" , "linux-arm-kernel@lists.infradead.org" , Peter Zijlstra List-ID: On 7 Apr 2017 at 9:14, Andy Lutomirski wrote: > On Fri, Apr 7, 2017 at 6:30 AM, Mathias Krause wrote: > > On 7 April 2017 at 15:14, Thomas Gleixner wrote: > >> On Fri, 7 Apr 2017, Mathias Krause wrote: > > Fair enough. However, placing a BUG_ON(!(read_cr0() & X86_CR0_WP)) > > somewhere sensible should make those "leaks" visible fast -- and their > > exploitation impossible, i.e. fail hard. > > The leaks surely exist and now we'll just add an exploitable BUG. can you please share those leaks that 'surely exist' and CC oss-security while at it? > I think we're approaching this all wrong, actually. The fact that x86 > has this CR0.WP thing is arguably a historical accident, and the fact > that PaX uses it doesn't mean that PaX is doing it the best way for > upstream Linux. > > Why don't we start at the other end and do a generic non-arch-specific > implementation: set up an mm_struct that contains an RW alias of the > relevant parts of rodata and use use_mm to access it. (That is, > get_fs() to back up the old fs, set_fs(USER_DS), > use_mm(&rare_write_mm), do the write using copy_to_user, undo > everything.) > > Then someone who cares about performance can benchmark the CR0.WP > approach against it and try to argue that it's a good idea. This > benchmark should wait until I'm done with my PCID work, because PCID > is going to make use_mm() a whole heck of a lot faster. in my measurements switching PCID is hovers around 230 cycles for snb-ivb and 200-220 for hsw-skl whereas cr0 writes are around 230-240 cycles. there's of course a whole lot more impact for switching address spaces so it'll never be fast enough to beat cr0.wp.