All of lore.kernel.org
 help / color / mirror / Atom feed
From: Thomas Gleixner <tglx@linutronix.de>
To: Ingo Molnar <mingo@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>,
	Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@alien8.de>,
	X86 ML <x86@kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Brian Gerst <brgerst@gmail.com>,
	David Laight <David.Laight@aculab.com>,
	Kees Cook <keescook@chromium.org>,
	Peter Zijlstra <peterz@infradead.org>
Subject: Re: [PATCH] LDT improvements
Date: Fri, 8 Dec 2017 10:55:36 +0100 (CET)	[thread overview]
Message-ID: <alpine.DEB.2.20.1712081051060.1840@nanos> (raw)
In-Reply-To: <20171208094400.wqnezwukq5yx4mgq@gmail.com>

On Fri, 8 Dec 2017, Ingo Molnar wrote:
> * Thomas Gleixner <tglx@linutronix.de> wrote:
> 
> > On Fri, 8 Dec 2017, Ingo Molnar wrote:
> > > * Andy Lutomirski <luto@amacapital.net> wrote:
> > > > I don't love mucking with user address space.  I'm also quite nervous about 
> > > > putting it in our near anything that could pass an access_ok check, since we're 
> > > > totally screwed if the bad guys can figure out how to write to it.
> > > 
> > > Hm, robustness of the LDT address wrt. access_ok() is a valid concern.
> > > 
> > > Can we have vmas with high addresses, in the vmalloc space for example?
> > > IIRC the GPU code has precedents in that area.
> > > 
> > > Since this is x86-64, limitation of the vmalloc() space is not an issue.
> > > 
> > > I like Thomas's solution:
> > > 
> > >  - have the LDT in a regular mmap space vma (hence per process ASLR randomized), 
> > >    but with the system bit set.
> > > 
> > >  - That would be an advantage even for non-PTI kernels, because mmap() is probably 
> > >    more randomized than kmalloc().
> > 
> > Randomization is pointless as long as you can get the LDT address in user
> > space, i.e. w/o UMIP.
> 
> But with UMIP unprivileged user-space won't be able to get the linear address of 
> the LDT. Now it's written out in /proc/self/maps.

We can expose it nameless like other VMAs, but then it's 128k sized so it
can be figured out. But when it's RO then it's not really a problem, even
the kernel can't write to it.

> > >  - It would also be a cleaner approach all around, and would avoid the fixmap
> > >    complications and the scheduler muckery.
> > 
> > The error code of such an access is always 0x03. So I added a special
> > handler, which checks whether the address is in the LDT map range and
> > verifies that the access bit in the descriptor is 0. If that's the case it
> > sets it and returns. If not, the thing dies. That works.
> 
> Are SMP races possible? For example two threads both triggering the accessed bit 
> fault, but only one of them succeeding in setting it. The other thread should not 
> die in this case, right?

Right. I'm trying to figure out whether there is a way to reliably detect
that write access bit mode.

Thanks,

	tglx

  reply	other threads:[~2017-12-08  9:58 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-12-07  7:22 [PATCH] LDT improvements Andy Lutomirski
2017-12-07 12:43 ` Borislav Petkov
2017-12-07 17:08   ` Andy Lutomirski
2017-12-07 17:23     ` Thomas Gleixner
2017-12-07 18:21       ` Andy Lutomirski
2017-12-08  7:34         ` Ingo Molnar
2017-12-08  9:34           ` Thomas Gleixner
2017-12-08  9:44             ` Ingo Molnar
2017-12-08  9:55               ` Thomas Gleixner [this message]
2017-12-08 11:31                 ` Ingo Molnar
2017-12-08 16:38                   ` Andy Lutomirski
2017-12-08 17:37                     ` Thomas Gleixner
2017-12-08 17:42                       ` Andy Lutomirski
2017-12-08 17:48                     ` Peter Zijlstra
2017-12-08 13:20             ` Andy Lutomirski
2017-12-08 13:55               ` David Laight
2017-12-08 14:06               ` Peter Zijlstra
2017-12-08 16:20                 ` Peter Zijlstra
2017-12-08 16:33                 ` Andy Lutomirski
2017-12-08 16:46                   ` David Laight
2017-12-08 16:47                     ` Andy Lutomirski
2017-12-08 17:29                       ` David Laight

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.DEB.2.20.1712081051060.1840@nanos \
    --to=tglx@linutronix.de \
    --cc=David.Laight@aculab.com \
    --cc=bp@alien8.de \
    --cc=brgerst@gmail.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=luto@kernel.org \
    --cc=mingo@kernel.org \
    --cc=peterz@infradead.org \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.