From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755405AbdDGUpC (ORCPT ); Fri, 7 Apr 2017 16:45:02 -0400 Received: from Galois.linutronix.de ([146.0.238.70]:44695 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751690AbdDGUo4 (ORCPT ); Fri, 7 Apr 2017 16:44:56 -0400 Date: Fri, 7 Apr 2017 22:44:39 +0200 (CEST) From: Thomas Gleixner To: Andy Lutomirski cc: Mathias Krause , Kees Cook , "kernel-hardening@lists.openwall.com" , Mark Rutland , Hoeun Ryu , PaX Team , Emese Revfy , Russell King , X86 ML , "linux-kernel@vger.kernel.org" , "linux-arm-kernel@lists.infradead.org" , Peter Zijlstra Subject: Re: [kernel-hardening] Re: [RFC v2][PATCH 04/11] x86: Implement __arch_rare_write_begin/unmap() In-Reply-To: Message-ID: References: <1490811363-93944-1-git-send-email-keescook@chromium.org> <1490811363-93944-5-git-send-email-keescook@chromium.org> User-Agent: Alpine 2.20 (DEB 67 2015-01-07) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 7 Apr 2017, Andy Lutomirski wrote: > On Fri, Apr 7, 2017 at 6:30 AM, Mathias Krause wrote: > > On 7 April 2017 at 15:14, Thomas Gleixner wrote: > >> I really do not care whether PaX wants to chase and verify that over and > >> over. I certainly don't want to take the chance to leak CR0.WP ever and I > >> very much care about extra stuff to check in the entry/exit path. > > > > Fair enough. However, placing a BUG_ON(!(read_cr0() & X86_CR0_WP)) > > somewhere sensible should make those "leaks" visible fast -- and their > > exploitation impossible, i.e. fail hard. > > The leaks surely exist and now we'll just add an exploitable BUG. :) > I think we're approaching this all wrong, actually. The fact that x86 > has this CR0.WP thing is arguably a historical accident, and the fact > that PaX uses it doesn't mean that PaX is doing it the best way for > upstream Linux. As I said before. It should be fused to 1. > Why don't we start at the other end and do a generic non-arch-specific > implementation: set up an mm_struct that contains an RW alias of the > relevant parts of rodata and use use_mm to access it. (That is, > get_fs() to back up the old fs, set_fs(USER_DS), > use_mm(&rare_write_mm), do the write using copy_to_user, undo > everything.) That works too, though I'm not sure that it's more efficient than temporarily creating and undoing a single cpu local alias mapping similar to the kmap_atomic mechanism in the highmem case. Aside of that the alias mapping requires a full PGDIR entry unless you want to get into the mess of keeping yet another identity mapping up to date. Thanks, tglx From mboxrd@z Thu Jan 1 00:00:00 1970 From: tglx@linutronix.de (Thomas Gleixner) Date: Fri, 7 Apr 2017 22:44:39 +0200 (CEST) Subject: [kernel-hardening] Re: [RFC v2][PATCH 04/11] x86: Implement __arch_rare_write_begin/unmap() In-Reply-To: References: <1490811363-93944-1-git-send-email-keescook@chromium.org> <1490811363-93944-5-git-send-email-keescook@chromium.org> Message-ID: To: linux-arm-kernel@lists.infradead.org List-Id: linux-arm-kernel.lists.infradead.org On Fri, 7 Apr 2017, Andy Lutomirski wrote: > On Fri, Apr 7, 2017 at 6:30 AM, Mathias Krause wrote: > > On 7 April 2017 at 15:14, Thomas Gleixner wrote: > >> I really do not care whether PaX wants to chase and verify that over and > >> over. I certainly don't want to take the chance to leak CR0.WP ever and I > >> very much care about extra stuff to check in the entry/exit path. > > > > Fair enough. However, placing a BUG_ON(!(read_cr0() & X86_CR0_WP)) > > somewhere sensible should make those "leaks" visible fast -- and their > > exploitation impossible, i.e. fail hard. > > The leaks surely exist and now we'll just add an exploitable BUG. :) > I think we're approaching this all wrong, actually. The fact that x86 > has this CR0.WP thing is arguably a historical accident, and the fact > that PaX uses it doesn't mean that PaX is doing it the best way for > upstream Linux. As I said before. It should be fused to 1. > Why don't we start at the other end and do a generic non-arch-specific > implementation: set up an mm_struct that contains an RW alias of the > relevant parts of rodata and use use_mm to access it. (That is, > get_fs() to back up the old fs, set_fs(USER_DS), > use_mm(&rare_write_mm), do the write using copy_to_user, undo > everything.) That works too, though I'm not sure that it's more efficient than temporarily creating and undoing a single cpu local alias mapping similar to the kmap_atomic mechanism in the highmem case. Aside of that the alias mapping requires a full PGDIR entry unless you want to get into the mess of keeping yet another identity mapping up to date. Thanks, tglx From mboxrd@z Thu Jan 1 00:00:00 1970 Date: Fri, 7 Apr 2017 22:44:39 +0200 (CEST) From: Thomas Gleixner In-Reply-To: Message-ID: References: <1490811363-93944-1-git-send-email-keescook@chromium.org> <1490811363-93944-5-git-send-email-keescook@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Subject: Re: [kernel-hardening] Re: [RFC v2][PATCH 04/11] x86: Implement __arch_rare_write_begin/unmap() To: Andy Lutomirski Cc: Mathias Krause , Kees Cook , "kernel-hardening@lists.openwall.com" , Mark Rutland , Hoeun Ryu , PaX Team , Emese Revfy , Russell King , X86 ML , "linux-kernel@vger.kernel.org" , "linux-arm-kernel@lists.infradead.org" , Peter Zijlstra List-ID: On Fri, 7 Apr 2017, Andy Lutomirski wrote: > On Fri, Apr 7, 2017 at 6:30 AM, Mathias Krause wrote: > > On 7 April 2017 at 15:14, Thomas Gleixner wrote: > >> I really do not care whether PaX wants to chase and verify that over and > >> over. I certainly don't want to take the chance to leak CR0.WP ever and I > >> very much care about extra stuff to check in the entry/exit path. > > > > Fair enough. However, placing a BUG_ON(!(read_cr0() & X86_CR0_WP)) > > somewhere sensible should make those "leaks" visible fast -- and their > > exploitation impossible, i.e. fail hard. > > The leaks surely exist and now we'll just add an exploitable BUG. :) > I think we're approaching this all wrong, actually. The fact that x86 > has this CR0.WP thing is arguably a historical accident, and the fact > that PaX uses it doesn't mean that PaX is doing it the best way for > upstream Linux. As I said before. It should be fused to 1. > Why don't we start at the other end and do a generic non-arch-specific > implementation: set up an mm_struct that contains an RW alias of the > relevant parts of rodata and use use_mm to access it. (That is, > get_fs() to back up the old fs, set_fs(USER_DS), > use_mm(&rare_write_mm), do the write using copy_to_user, undo > everything.) That works too, though I'm not sure that it's more efficient than temporarily creating and undoing a single cpu local alias mapping similar to the kmap_atomic mechanism in the highmem case. Aside of that the alias mapping requires a full PGDIR entry unless you want to get into the mess of keeping yet another identity mapping up to date. Thanks, tglx