From: Andy Lutomirski <luto@amacapital.net>
To: Dave Hansen <dave.hansen@intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Khalid Aziz <khalid.aziz@oracle.com>,
Andy Lutomirski <luto@kernel.org>,
Juerg Haefliger <juergh@gmail.com>,
Tycho Andersen <tycho@tycho.ws>,
jsteckli@amazon.de, Andi Kleen <ak@linux.intel.com>,
liran.alon@oracle.com, Kees Cook <keescook@google.com>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
deepa.srinivasan@oracle.com, chris hyser <chris.hyser@oracle.com>,
Tyler Hicks <tyhicks@canonical.com>,
"Woodhouse, David" <dwmw@amazon.co.uk>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Jon Masters <jcm@redhat.com>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
kanth.ghatraju@oracle.com,
Joao Martins <joao.m.martins@oracle.com>,
Jim Mattson <jmattson@google.com>,
pradeep.vincent@oracle.com, John Haxby <john.haxby@oracle.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Christoph Hellwig <hch@lst.de>,
steven.sistare@oracle.com, Laura Abbott <labbott@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Aaron Lu <aaron.lu@intel.com>,
Andrew Morton <akpm@linux-foundation.org>,
alexander.h.duyck@linux.intel.com,
Amir Goldstein <amir73il@gmail.com>,
Andrey Konovalov <andreyknvl@google.com>,
aneesh.kumar@linux.ibm.com, anthony.yznaga@oracle.com,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Arnd Bergmann <arnd@arndb.de>,
arunks@codeaurora.org, Ben Hutchings <ben@decadent.org.uk>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Borislav Petkov <bp@alien8.de>,
brgl@bgdev.pl, Catalin Marinas <catalin.marinas@arm.com>,
Jonathan Corbet <corbet@lwn.net>,
cpandya@codeaurora.org, Daniel Vetter <daniel.vetter@ffwll.ch>,
Dan Williams <dan.j.williams@intel.com>,
Greg KH <gregkh@linuxfoundation.org>,
Roman Gushchin <guro@fb.com>,
Johannes Weiner <hannes@cmpxchg.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
James Morse <james.morse@arm.com>, Jann Horn <jannh@google.com>,
Juergen Gross <jgross@suse.com>, Jiri Kosina <jkosina@suse.cz>,
James Morris <jmorris@namei.org>, Joe Perches <joe@perches.com>,
Souptick Joarder <jrdr.linux@gmail.com>,
Joerg Roedel <jroedel@suse.de>,
Keith Busch <keith.busch@intel.com>,
Konstantin Khlebnikov <khlebnikov@yandex-team.ru>,
Logan Gunthorpe <logang@deltatee.com>,
marco.antonio.780@gmail.com, Mark Rutland <mark.rutland@arm.com>,
Mel Gorman <mgorman@techsingularity.net>,
Michal Hocko <mhocko@suse.com>, Michal Hocko <mhocko@suse.cz>,
Mike Kravetz <mike.kravetz@oracle.com>,
Ingo Molnar <mingo@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
Marek Szyprowski <m.szyprowski@samsung.com>,
Nicholas Piggin <npiggin@gmail.com>,
osalvador@suse.de,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
pavel.tatashin@microsoft.com,
Randy Dunlap <rdunlap@infradead.org>,
richard.weiyang@gmail.com, Rik van Riel <riel@surriel.com>,
David Rientjes <rientjes@google.com>,
Robin Murphy <robin.murphy@arm.com>,
Steven Rostedt <rostedt@goodmis.org>,
Mike Rapoport <rppt@linux.vnet.ibm.com>,
Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Steve Capper <steve.capper@arm.com>,
thymovanbeers@gmail.com, Vlastimil Babka <vbabka@suse.cz>,
Will Deacon <will.deacon@arm.com>,
Matthew Wilcox <willy@infradead.org>,
yaojun8558363@gmail.com, Huang Ying <ying.huang@intel.com>,
zhangshaokun@hisilicon.com, iommu@lists.linux-foundation.org,
X86 ML <x86@kernel.org>,
linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
LKML <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
LSM List <linux-security-module@vger.kernel.org>,
Khalid Aziz <khalid@gonehiking.org>
Subject: Re: [RFC PATCH v9 12/13] xpfo, mm: Defer TLB flushes for non-current CPUs (x86 only)
Date: Fri, 5 Apr 2019 09:24:50 -0600 [thread overview]
Message-ID: <DFA69954-3F0F-4B79-A9B5-893D33D87E51@amacapital.net> (raw)
In-Reply-To: <26b00051-b03c-9fce-1446-52f0d6ed52f8@intel.com>
> On Apr 5, 2019, at 8:44 AM, Dave Hansen <dave.hansen@intel.com> wrote:
>
> On 4/5/19 12:17 AM, Thomas Gleixner wrote:
>>> process. Is that an acceptable trade-off?
>> You are not seriously asking whether creating a user controllable ret2dir
>> attack window is a acceptable trade-off? April 1st was a few days ago.
>
> Well, let's not forget that this set at least takes us from "always
> vulnerable to ret2dir" to a choice between:
>
> 1. fast-ish and "vulnerable to ret2dir for a user-controllable window"
> 2. slow and "mitigated against ret2dir"
>
> Sounds like we need a mechanism that will do the deferred XPFO TLB
> flushes whenever the kernel is entered, and not _just_ at context switch
> time. This permits an app to run in userspace with stale kernel TLB
> entries as long as it wants... that's harmless.
I don’t think this is good enough. The bad guys can enter the kernel and arrange for the kernel to wait, *in kernel*, for long enough to set up the attack. userfaultfd is the most obvious way, but there are plenty. I suppose we could do the flush at context switch *and* entry. I bet that performance still utterly sucks, though — on many workloads, this turns every entry into a full flush, and we already know exactly how much that sucks — it’s identical to KPTI without PCID. (And yes, if we go this route, we need to merge this logic together — we shouldn’t write CR3 twice on entry).
I feel like this whole approach is misguided. ret2dir is not such a game changer that fixing it is worth huge slowdowns. I think all this effort should be spent on some kind of sensible CFI. For example, we should be able to mostly squash ret2anything by inserting a check that the high bits of RSP match the value on the top of the stack before any code that pops RSP. On an FPO build, there aren’t all that many hot POP RSP instructions, I think.
(Actually, checking the bits is suboptimal. Do:
unsigned long offset = *rsp - rsp;
offset >>= THREAD_SHIFT;
if (unlikely(offset))
BUG();
POP RSP;
This means that it’s also impossible to trick a function to return into a buffer that is on that function’s stack.)
In other words, I think that ret2dir is an insufficient justification for XPFO.
next prev parent reply other threads:[~2019-04-05 15:24 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-03 17:34 [RFC PATCH v9 00/13] Add support for eXclusive Page Frame Ownership Khalid Aziz
2019-04-03 17:34 ` [RFC PATCH v9 01/13] mm: add MAP_HUGETLB support to vm_mmap Khalid Aziz
2019-04-03 17:34 ` [RFC PATCH v9 02/13] x86: always set IF before oopsing from page fault Khalid Aziz
2019-04-04 0:12 ` Andy Lutomirski
2019-04-04 1:42 ` Tycho Andersen
2019-04-04 4:12 ` Andy Lutomirski
2019-04-04 15:47 ` Tycho Andersen
2019-04-04 16:23 ` Sebastian Andrzej Siewior
2019-04-04 16:28 ` Thomas Gleixner
2019-04-04 17:11 ` Andy Lutomirski
2019-04-03 17:34 ` [RFC PATCH v9 03/13] mm: Add support for eXclusive Page Frame Ownership (XPFO) Khalid Aziz
2019-04-04 7:21 ` Peter Zijlstra
2019-04-04 9:25 ` Peter Zijlstra
2019-04-04 14:48 ` Tycho Andersen
2019-04-04 7:43 ` Peter Zijlstra
2019-04-04 15:15 ` Khalid Aziz
2019-04-04 17:01 ` Peter Zijlstra
2019-04-17 16:15 ` Ingo Molnar
2019-04-17 16:49 ` Khalid Aziz
2019-04-17 17:09 ` Ingo Molnar
2019-04-17 17:19 ` Nadav Amit
2019-04-17 17:26 ` Ingo Molnar
2019-04-17 17:44 ` Nadav Amit
2019-04-17 21:19 ` Thomas Gleixner
2019-04-17 23:18 ` Linus Torvalds
2019-04-17 23:42 ` Thomas Gleixner
2019-04-17 23:52 ` Linus Torvalds
2019-04-18 4:41 ` Andy Lutomirski
2019-04-18 5:41 ` Kees Cook
2019-04-18 14:34 ` Khalid Aziz
2019-04-22 19:30 ` Khalid Aziz
2019-04-22 22:23 ` Kees Cook
2019-04-18 6:14 ` Thomas Gleixner
2019-04-17 17:33 ` Khalid Aziz
2019-04-17 19:49 ` Andy Lutomirski
2019-04-17 19:52 ` Tycho Andersen
2019-04-17 20:12 ` Khalid Aziz
2019-05-01 14:49 ` Waiman Long
2019-05-01 15:18 ` Khalid Aziz
2019-04-03 17:34 ` [RFC PATCH v9 04/13] xpfo, x86: Add support for XPFO for x86-64 Khalid Aziz
2019-04-04 7:52 ` Peter Zijlstra
2019-04-04 15:40 ` Khalid Aziz
2019-04-03 17:34 ` [RFC PATCH v9 05/13] mm: add a user_virt_to_phys symbol Khalid Aziz
2019-04-03 17:34 ` [RFC PATCH v9 06/13] lkdtm: Add test for XPFO Khalid Aziz
2019-04-03 17:34 ` [RFC PATCH v9 07/13] arm64/mm: Add support " Khalid Aziz
2019-04-03 17:34 ` [RFC PATCH v9 08/13] swiotlb: Map the buffer if it was unmapped by XPFO Khalid Aziz
2019-04-03 17:34 ` [RFC PATCH v9 09/13] xpfo: add primitives for mapping underlying memory Khalid Aziz
2019-04-03 17:34 ` [RFC PATCH v9 10/13] arm64/mm, xpfo: temporarily map dcache regions Khalid Aziz
2019-04-03 17:34 ` [RFC PATCH v9 11/13] xpfo, mm: optimize spinlock usage in xpfo_kunmap Khalid Aziz
2019-04-04 7:56 ` Peter Zijlstra
2019-04-04 16:06 ` Khalid Aziz
2019-04-03 17:34 ` [RFC PATCH v9 12/13] xpfo, mm: Defer TLB flushes for non-current CPUs (x86 only) Khalid Aziz
2019-04-04 4:10 ` Andy Lutomirski
[not found] ` <91f1dbce-332e-25d1-15f6-0e9cfc8b797b@oracle.com>
2019-04-05 7:17 ` Thomas Gleixner
2019-04-05 14:44 ` Dave Hansen
2019-04-05 15:24 ` Andy Lutomirski [this message]
2019-04-05 15:56 ` Tycho Andersen
2019-04-05 16:32 ` Andy Lutomirski
2019-04-05 15:56 ` Khalid Aziz
2019-04-05 16:01 ` Dave Hansen
2019-04-05 16:27 ` Andy Lutomirski
2019-04-05 16:41 ` Peter Zijlstra
2019-04-05 17:35 ` Khalid Aziz
2019-04-05 15:44 ` Khalid Aziz
2019-04-05 15:24 ` Andy Lutomirski
2019-04-04 8:18 ` Peter Zijlstra
2019-04-03 17:34 ` [RFC PATCH v9 13/13] xpfo, mm: Optimize XPFO TLB flushes by batching them together Khalid Aziz
2019-04-04 16:44 ` [RFC PATCH v9 00/13] Add support for eXclusive Page Frame Ownership Nadav Amit
2019-04-04 17:18 ` Khalid Aziz
2019-04-06 6:40 ` Jon Masters
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DFA69954-3F0F-4B79-A9B5-893D33D87E51@amacapital.net \
--to=luto@amacapital.net \
--cc=aaron.lu@intel.com \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=alexander.h.duyck@linux.intel.com \
--cc=amir73il@gmail.com \
--cc=andrew.cooper3@citrix.com \
--cc=andreyknvl@google.com \
--cc=aneesh.kumar@linux.ibm.com \
--cc=anthony.yznaga@oracle.com \
--cc=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=arunks@codeaurora.org \
--cc=ben@decadent.org.uk \
--cc=bigeasy@linutronix.de \
--cc=boris.ostrovsky@oracle.com \
--cc=bp@alien8.de \
--cc=brgl@bgdev.pl \
--cc=catalin.marinas@arm.com \
--cc=chris.hyser@oracle.com \
--cc=corbet@lwn.net \
--cc=cpandya@codeaurora.org \
--cc=dan.j.williams@intel.com \
--cc=daniel.vetter@ffwll.ch \
--cc=dave.hansen@intel.com \
--cc=deepa.srinivasan@oracle.com \
--cc=dwmw@amazon.co.uk \
--cc=gregkh@linuxfoundation.org \
--cc=guro@fb.com \
--cc=hannes@cmpxchg.org \
--cc=hch@lst.de \
--cc=hpa@zytor.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=iommu@lists.linux-foundation.org \
--cc=james.morse@arm.com \
--cc=jannh@google.com \
--cc=jcm@redhat.com \
--cc=jgross@suse.com \
--cc=jkosina@suse.cz \
--cc=jmattson@google.com \
--cc=jmorris@namei.org \
--cc=joao.m.martins@oracle.com \
--cc=joe@perches.com \
--cc=john.haxby@oracle.com \
--cc=jrdr.linux@gmail.com \
--cc=jroedel@suse.de \
--cc=jsteckli@amazon.de \
--cc=juergh@gmail.com \
--cc=kanth.ghatraju@oracle.com \
--cc=keescook@google.com \
--cc=keith.busch@intel.com \
--cc=khalid.aziz@oracle.com \
--cc=khalid@gonehiking.org \
--cc=khlebnikov@yandex-team.ru \
--cc=kirill.shutemov@linux.intel.com \
--cc=konrad.wilk@oracle.com \
--cc=labbott@redhat.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=liran.alon@oracle.com \
--cc=logang@deltatee.com \
--cc=luto@kernel.org \
--cc=m.szyprowski@samsung.com \
--cc=marco.antonio.780@gmail.com \
--cc=mark.rutland@arm.com \
--cc=mgorman@techsingularity.net \
--cc=mhocko@suse.com \
--cc=mhocko@suse.cz \
--cc=mike.kravetz@oracle.com \
--cc=mingo@redhat.com \
--cc=mst@redhat.com \
--cc=npiggin@gmail.com \
--cc=osalvador@suse.de \
--cc=paulmck@linux.vnet.ibm.com \
--cc=pavel.tatashin@microsoft.com \
--cc=peterz@infradead.org \
--cc=pradeep.vincent@oracle.com \
--cc=rdunlap@infradead.org \
--cc=richard.weiyang@gmail.com \
--cc=riel@surriel.com \
--cc=rientjes@google.com \
--cc=robin.murphy@arm.com \
--cc=rostedt@goodmis.org \
--cc=rppt@linux.vnet.ibm.com \
--cc=sai.praneeth.prakhya@intel.com \
--cc=serge@hallyn.com \
--cc=steve.capper@arm.com \
--cc=steven.sistare@oracle.com \
--cc=tglx@linutronix.de \
--cc=thymovanbeers@gmail.com \
--cc=tycho@tycho.ws \
--cc=tyhicks@canonical.com \
--cc=vbabka@suse.cz \
--cc=will.deacon@arm.com \
--cc=willy@infradead.org \
--cc=x86@kernel.org \
--cc=yaojun8558363@gmail.com \
--cc=ying.huang@intel.com \
--cc=zhangshaokun@hisilicon.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).