From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5B5ADC43387 for ; Thu, 17 Jan 2019 22:32:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 304EC20851 for ; Thu, 17 Jan 2019 22:32:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726398AbfAQWcn convert rfc822-to-8bit (ORCPT ); Thu, 17 Jan 2019 17:32:43 -0500 Received: from terminus.zytor.com ([198.137.202.136]:45339 "EHLO mail.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726091AbfAQWcn (ORCPT ); Thu, 17 Jan 2019 17:32:43 -0500 Received: from wld62.hos.anvin.org (c-24-5-245-234.hsd1.ca.comcast.net [24.5.245.234] (may be forged)) (authenticated bits=0) by mail.zytor.com (8.15.2/8.15.2) with ESMTPSA id x0HMW1mP924604 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 17 Jan 2019 14:32:01 -0800 Date: Thu, 17 Jan 2019 14:31:53 -0800 User-Agent: K-9 Mail for Android In-Reply-To: References: <20190117003259.23141-1-rick.p.edgecombe@intel.com> <20190117003259.23141-7-rick.p.edgecombe@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT Subject: Re: [PATCH 06/17] x86/alternative: use temporary mm for text poking To: Nadav Amit , Andy Lutomirski CC: Rick Edgecombe , Ingo Molnar , LKML , X86 ML , Thomas Gleixner , Borislav Petkov , Dave Hansen , Peter Zijlstra , linux_dti@icloud.com, linux-integrity , LSM List , Andrew Morton , Kernel Hardening , Linux-MM , Will Deacon , Ard Biesheuvel , Kristen Carlson Accardi , "Dock, Deneen T" , Kees Cook , Dave Hansen , Masami Hiramatsu From: hpa@zytor.com Message-ID: <7E4A4400-0A2E-4393-B22C-DBD708610BB5@zytor.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: On January 17, 2019 1:43:54 PM PST, Nadav Amit wrote: >> On Jan 17, 2019, at 12:47 PM, Andy Lutomirski >wrote: >> >> On Thu, Jan 17, 2019 at 12:27 PM Andy Lutomirski >wrote: >>> On Wed, Jan 16, 2019 at 4:33 PM Rick Edgecombe >>> wrote: >>>> From: Nadav Amit >>>> >>>> text_poke() can potentially compromise the security as it sets >temporary >>>> PTEs in the fixmap. These PTEs might be used to rewrite the kernel >code >>>> from other cores accidentally or maliciously, if an attacker gains >the >>>> ability to write onto kernel memory. >>> >>> i think this may be sufficient, but barely. >>> >>>> + pte_clear(poking_mm, poking_addr, ptep); >>>> + >>>> + /* >>>> + * __flush_tlb_one_user() performs a redundant TLB flush >when PTI is on, >>>> + * as it also flushes the corresponding "user" address >spaces, which >>>> + * does not exist. >>>> + * >>>> + * Poking, however, is already very inefficient since it >does not try to >>>> + * batch updates, so we ignore this problem for the time >being. >>>> + * >>>> + * Since the PTEs do not exist in other kernel >address-spaces, we do >>>> + * not use __flush_tlb_one_kernel(), which when PTI is on >would cause >>>> + * more unwarranted TLB flushes. >>>> + * >>>> + * There is a slight anomaly here: the PTE is a >supervisor-only and >>>> + * (potentially) global and we use __flush_tlb_one_user() >but this >>>> + * should be fine. >>>> + */ >>>> + __flush_tlb_one_user(poking_addr); >>>> + if (cross_page_boundary) { >>>> + pte_clear(poking_mm, poking_addr + PAGE_SIZE, ptep >+ 1); >>>> + __flush_tlb_one_user(poking_addr + PAGE_SIZE); >>>> + } >>> >>> In principle, another CPU could still have the old translation. >Your >>> mutex probably makes this impossible, but it makes me nervous. >>> Ideally you'd use flush_tlb_mm_range(), but I guess you can't do >that >>> with IRQs off. Hmm. I think you should add an inc_mm_tlb_gen() >here. >>> Arguably, if you did that, you could omit the flushes, but maybe >>> that's silly. >>> >>> If we start getting new users of use_temporary_mm(), we should give >>> some serious thought to the SMP semantics. >>> >>> Also, you're using PAGE_KERNEL. Please tell me that the global bit >>> isn't set in there. >> >> Much better solution: do unuse_temporary_mm() and *then* >> flush_tlb_mm_range(). This is entirely non-sketchy and should be >just >> about optimal, too. > >This solution sounds nice and clean. The fact the global-bit was set >didn’t >matter before (since __flush_tlb_one_user would get rid of it no matter >what), but would matter now, so I’ll change it too. > >Thanks! > >Nadav You can just disable the global bit at the top level, obviously. This approach also should make it far easier to do batching if desired. -- Sent from my Android device with K-9 Mail. Please excuse my brevity.