From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Pavel Tatashin <pasha.tatashin@oracle.com>,
Steven Sistare <steven.sistare@oracle.com>
Subject: [PATCH 4.4 47/87] x86/pti/efi: broken conversion from efi to kernel page table
Date: Mon, 15 Jan 2018 13:34:46 +0100 [thread overview]
Message-ID: <20180115123354.171649681@linuxfoundation.org> (raw)
In-Reply-To: <20180115123349.252309699@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Tatashin <pasha.tatashin@oracle.com>
In entry_64.S we have code like this:
/* Unconditionally use kernel CR3 for do_nmi() */
/* %rax is saved above, so OK to clobber here */
ALTERNATIVE "jmp 2f", "movq %cr3, %rax", X86_FEATURE_KAISER
/* If PCID enabled, NOFLUSH now and NOFLUSH on return */
ALTERNATIVE "", "bts $63, %rax", X86_FEATURE_PCID
pushq %rax
/* mask off "user" bit of pgd address and 12 PCID bits: */
andq $(~(X86_CR3_PCID_ASID_MASK | KAISER_SHADOW_PGD_OFFSET)), %rax
movq %rax, %cr3
2:
/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
call do_nmi
With this instruction:
andq $(~(X86_CR3_PCID_ASID_MASK | KAISER_SHADOW_PGD_OFFSET)), %rax
We unconditionally switch from whatever our CR3 was to kernel page table.
But, in arch/x86/platform/efi/efi_64.c We temporarily set a different page
table, that does not have the kernel page table with 0x1000 offset from it.
Look in efi_thunk() and efi_thunk_set_virtual_address_map().
So, while CR3 points to the other page table, we get an NMI interrupt,
and clear 0x1000 from CR3, resulting in a bogus CR3 if the 0x1000 bit was
set.
The efi page table comes from realmode/rm/trampoline_64.S:
arch/x86/realmode/rm/trampoline_64.S
141 .bss
142 .balign PAGE_SIZE
143 GLOBAL(trampoline_pgd) .space PAGE_SIZE
Notice: alignment is PAGE_SIZE, so after applying KAISER_SHADOW_PGD_OFFSET
which equal to PAGE_SIZE, we can get a different page table.
But, even if we fix alignment, here the trampoline binary is later copied
into dynamically allocated memory in reserve_real_mode(), so we need to
fix that place as well.
Fixes: 8a43ddfb93a0 ("KAISER: Kernel Address Isolation")
Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
Reviewed-by: Steven Sistare <steven.sistare@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/kaiser.h | 10 ++++++++++
arch/x86/realmode/init.c | 4 +++-
arch/x86/realmode/rm/trampoline_64.S | 3 ++-
3 files changed, 15 insertions(+), 2 deletions(-)
--- a/arch/x86/include/asm/kaiser.h
+++ b/arch/x86/include/asm/kaiser.h
@@ -19,6 +19,16 @@
#define KAISER_SHADOW_PGD_OFFSET 0x1000
+#ifdef CONFIG_PAGE_TABLE_ISOLATION
+/*
+ * A page table address must have this alignment to stay the same when
+ * KAISER_SHADOW_PGD_OFFSET mask is applied
+ */
+#define KAISER_KERNEL_PGD_ALIGNMENT (KAISER_SHADOW_PGD_OFFSET << 1)
+#else
+#define KAISER_KERNEL_PGD_ALIGNMENT PAGE_SIZE
+#endif
+
#ifdef __ASSEMBLY__
#ifdef CONFIG_PAGE_TABLE_ISOLATION
--- a/arch/x86/realmode/init.c
+++ b/arch/x86/realmode/init.c
@@ -4,6 +4,7 @@
#include <asm/cacheflush.h>
#include <asm/pgtable.h>
#include <asm/realmode.h>
+#include <asm/kaiser.h>
struct real_mode_header *real_mode_header;
u32 *trampoline_cr4_features;
@@ -15,7 +16,8 @@ void __init reserve_real_mode(void)
size_t size = PAGE_ALIGN(real_mode_blob_end - real_mode_blob);
/* Has to be under 1M so we can execute real-mode AP code. */
- mem = memblock_find_in_range(0, 1<<20, size, PAGE_SIZE);
+ mem = memblock_find_in_range(0, 1 << 20, size,
+ KAISER_KERNEL_PGD_ALIGNMENT);
if (!mem)
panic("Cannot allocate trampoline\n");
--- a/arch/x86/realmode/rm/trampoline_64.S
+++ b/arch/x86/realmode/rm/trampoline_64.S
@@ -30,6 +30,7 @@
#include <asm/msr.h>
#include <asm/segment.h>
#include <asm/processor-flags.h>
+#include <asm/kaiser.h>
#include "realmode.h"
.text
@@ -139,7 +140,7 @@ tr_gdt:
tr_gdt_end:
.bss
- .balign PAGE_SIZE
+ .balign KAISER_KERNEL_PGD_ALIGNMENT
GLOBAL(trampoline_pgd) .space PAGE_SIZE
.balign 8
next prev parent reply other threads:[~2018-01-15 12:40 UTC|newest]
Thread overview: 103+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-15 12:33 [PATCH 4.4 00/87] 4.4.112-stable review Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 01/87] dm bufio: fix shrinker scans when (nr_to_scan < retain_target) Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 02/87] KVM: Fix stack-out-of-bounds read in write_mmio Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 03/87] can: gs_usb: fix return value of the "set_bittiming" callback Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 04/87] IB/srpt: Disable RDMA access by the initiator Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 05/87] MIPS: Validate PR_SET_FP_MODE prctl(2) requests against the ABI of the task Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 06/87] MIPS: Factor out NT_PRFPREG regset access helpers Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 07/87] MIPS: Guard against any partial write attempt with PTRACE_SETREGSET Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 08/87] MIPS: Consistently handle buffer counter " Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 09/87] MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 10/87] MIPS: Also verify sizeof `elf_fpreg_t with PTRACE_SETREGSET Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 11/87] MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 12/87] net/mac80211/debugfs.c: prevent build failure with CONFIG_UBSAN=y Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 13/87] kvm: vmx: Scrub hardware GPRs at VM-exit Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 14/87] x86/vsdo: Fix build on PARAVIRT_CLOCK=y, KVM_GUEST=n Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 15/87] x86/acpi: Handle SCI interrupts above legacy space gracefully Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 16/87] iommu/arm-smmu-v3: Dont free page table ops twice Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 17/87] ALSA: pcm: Remove incorrect snd_BUG_ON() usages Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 18/87] ALSA: pcm: Add missing error checks in OSS emulation plugin builder Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 19/87] ALSA: pcm: Abort properly at pending signal in OSS read/write loops Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 20/87] ALSA: pcm: Allow aborting mutex lock at " Greg Kroah-Hartman
2018-01-23 23:35 ` Ben Hutchings
2018-02-12 8:34 ` Takashi Iwai
2018-02-14 16:20 ` Ben Hutchings
2018-02-14 16:43 ` Takashi Iwai
2018-01-15 12:34 ` [PATCH 4.4 21/87] ALSA: aloop: Release cable upon open error path Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 22/87] ALSA: aloop: Fix inconsistent format due to incomplete rule Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 23/87] ALSA: aloop: Fix racy hw constraints adjustment Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 24/87] x86/acpi: Reduce code duplication in mp_override_legacy_irq() Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 25/87] mm/compaction: fix invalid free_pfn and compact_cached_free_pfn Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 26/87] mm/compaction: pass only pageblock aligned range to pageblock_pfn_to_page Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 27/87] mm/page-writeback: fix dirty_ratelimit calculation Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 28/87] mm/zswap: use workqueue to destroy pool Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 29/87] zswap: dont param_set_charp while holding spinlock Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 30/87] locks: dont check for race with close when setting OFD lock Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 31/87] futex: Replace barrier() in unqueue_me() with READ_ONCE() Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 32/87] locking/mutex: Allow next waiter lockless wakeup Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 33/87] [media] usbvision fix overflow of interfaces array Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 34/87] usb: musb: ux500: Fix NULL pointer dereference at system PM Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 35/87] r8152: fix the wake event Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 36/87] r8152: use test_and_clear_bit Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 37/87] r8152: adjust ALDPS function Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 38/87] lan78xx: use skb_cow_head() to deal with cloned skbs Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 39/87] sr9700: " Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 40/87] smsc75xx: " Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 41/87] cx82310_eth: " Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 42/87] x86/mm/pat, /dev/mem: Remove superfluous error message Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 43/87] hwrng: core - sleep interruptible in read Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 44/87] sysrq: Fix warning in sysrq generated crash Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 45/87] xhci: Fix ring leak in failure path of xhci_alloc_virt_device() Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 46/87] Revert "userfaultfd: selftest: vm: allow to build in vm/ directory" Greg Kroah-Hartman
2018-01-15 12:34 ` Greg Kroah-Hartman [this message]
2018-01-15 12:34 ` [PATCH 4.4 48/87] 8021q: fix a memory leak for VLAN 0 device Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 49/87] ip6_tunnel: disable dst caching if tunnel is dual-stack Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 50/87] net: core: fix module type in sock_diag_bind Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 51/87] RDS: Heap OOB write in rds_message_alloc_sgs() Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 52/87] RDS: null pointer dereference in rds_atomic_free_op Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 53/87] sh_eth: fix TSU resource handling Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 54/87] sh_eth: fix SH7757 GEther initialization Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 55/87] net: stmmac: enable EEE in MII, GMII or RGMII only Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 56/87] ipv6: fix possible mem leaks in ipv6_make_skb() Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 57/87] crypto: algapi - fix NULL dereference in crypto_remove_spawns() Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 58/87] rbd: set max_segments to USHRT_MAX Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 59/87] x86/microcode/intel: Extend BDW late-loading with a revision check Greg Kroah-Hartman
2018-01-15 12:34 ` [PATCH 4.4 60/87] KVM: x86: Add memory barrier on vmcs field lookup Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 61/87] drm/vmwgfx: Potential off by one in vmw_view_add() Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 62/87] kaiser: Set _PAGE_NX only if supported Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 63/87] bpf: add bpf_patch_insn_single helper Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 64/87] bpf: dont (ab)use instructions to store state Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 65/87] bpf: move fixup_bpf_calls() function Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 66/87] bpf: refactor fixup_bpf_calls() Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 67/87] bpf: adjust insn_aux_data when patching insns Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 68/87] bpf: prevent out-of-bounds speculation Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 69/87] bpf, array: fix overflow in max_entries and undefined behavior in index_mask Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 70/87] iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 71/87] target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 72/87] USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 73/87] USB: serial: cp210x: add new device ID ELV ALC 8xxx Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 74/87] usb: misc: usb3503: make sure reset is low for at least 100us Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 75/87] USB: fix usbmon BUG trigger Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 76/87] usbip: remove kernel addresses from usb device and urb debug msgs Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 77/87] staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 78/87] Bluetooth: Prevent stack info leak from the EFS element Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 79/87] uas: ignore UAS for Norelsys NS1068(X) chips Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 80/87] e1000e: Fix e1000_check_for_copper_link_ich8lan return value Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 81/87] x86/Documentation: Add PTI description Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 82/87] sysfs/cpu: Add vulnerability folder Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 83/87] x86/cpu: Implement CPU vulnerabilites sysfs functions Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 84/87] sysfs/cpu: Fix typos in vulnerability documentation Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 85/87] x86/alternatives: Fix optimize_nops() checking Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 86/87] x86/alternatives: Add missing \n at end of ALTERNATIVE inline asm Greg Kroah-Hartman
2018-01-15 12:35 ` [PATCH 4.4 87/87] selftests/x86: Add test_vsyscall Greg Kroah-Hartman
2018-01-15 13:01 ` [PATCH 4.4 00/87] 4.4.112-stable review Greg Kroah-Hartman
2018-01-15 13:47 ` Greg Kroah-Hartman
2018-01-15 16:28 ` kernelci.org bot
2018-01-15 16:39 ` Nathan Chancellor
2018-01-15 18:02 ` Greg Kroah-Hartman
2018-01-15 21:59 ` Dan Rue
2018-01-16 5:53 ` Greg Kroah-Hartman
2018-01-16 11:22 ` Naresh Kamboju
2018-01-16 12:15 ` Greg Kroah-Hartman
2018-01-16 14:29 ` Guenter Roeck
2018-01-16 20:24 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180115123354.171649681@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pasha.tatashin@oracle.com \
--cc=stable@vger.kernel.org \
--cc=steven.sistare@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).