From: Andy Lutomirski
Date: Tue, 12 Jul 2016 11:03:02 -0700
Subject: Re: [kernel-hardening] [PATCH v5 13/32] x86/mm/64: In vmalloc_fault(), use CR3 instead of current->active_mm
To: Dave Hansen
Cc: kernel-hardening@lists.openwall.com, X86 ML, linux-kernel@vger.kernel.org, linux-arch, Borislav Petkov, Nadav Amit, Kees Cook, Brian Gerst, Linus Torvalds, Josh Poimboeuf, Jann Horn, Heiko Carstens, Andy Lutomirski
In-Reply-To: <57852E3D.6010107@intel.com>
References: <3213d3f31959a6467b1feb80a384c1e11341b2be.1468270393.git.luto@kernel.org> <57852E3D.6010107@intel.com>

On Tue, Jul 12, 2016 at 10:51 AM, Dave Hansen wrote:
> On 07/11/2016 01:53 PM, Andy Lutomirski wrote:
>> If we get a vmalloc fault while current->active_mm->pgd doesn't
>> match CR3, we'll crash without this change. I've seen this failure
>> mode on heavily instrumented kernels with virtually mapped stacks.
>
> When does this happen, btw? Crossing page boundaries on the stack
> between the time we swap mm's and the time we switch stacks?

This can happen for any vmalloc fault between the mm swap and writing
to current or current->active_mm. I hit it when playing with KASAN
during the first clone. (KASAN has other issues, but this was one of
them AFAICT.)

--Andy
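The window Andy describes, replayed as a small userspace model. This is an added example written for this page, not kernel code and not part of the patch: the pgd_t, mm_struct, task_struct, cr3 and current names are constructed stand-ins for the real kernel objects, a "pgd" is an eight-entry array with the vmalloc region at one fixed index, and the two handlers model only the "which pgd do I repair" decision, i.e. the old current->active_mm choice against the CR3 choice the patch makes. The scenario is: switch_mm() has loaded the next mm's page tables into CR3, current has not yet been updated, and a vmalloc fault (a virtually mapped stack page, or a KASAN shadow page) arrives in between.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the race discussed in the thread; not kernel code.
 * A "pgd" is a small array of top-level entries and the vmalloc region
 * lives at one fixed index, VMALLOC_IDX.
 */
#define PGD_ENTRIES 8
#define VMALLOC_IDX 5

typedef struct { uintptr_t entries[PGD_ENTRIES]; } pgd_t;
struct mm_struct { pgd_t pgd; };
struct task_struct { struct mm_struct *active_mm; };

/* Machine and kernel state (modelled names, not the real globals). */
static struct mm_struct init_mm;        /* reference tables, like pgd_offset_k() */
static pgd_t *cr3;                      /* the table the MMU actually walks */
static struct task_struct *current;     /* the task the kernel believes is running */

/* A vmalloc access faults when the table in CR3 lacks the vmalloc entry. */
static bool vmalloc_access_faults(void)
{
	return cr3->entries[VMALLOC_IDX] == 0;
}

/* Shared body: copy the init_mm entry into the chosen pgd if it is empty. */
static int sync_vmalloc_pgd(pgd_t *pgd)
{
	uintptr_t ref = init_mm.pgd.entries[VMALLOC_IDX];
	if (ref == 0)
		return -1;              /* not mapped in init_mm either: a real bad fault */
	if (pgd->entries[VMALLOC_IDX] == 0)
		pgd->entries[VMALLOC_IDX] = ref;
	return 0;
}

/* Pre-patch choice: trust current->active_mm to name the faulting table. */
static int vmalloc_fault_via_active_mm(void)
{
	return sync_vmalloc_pgd(&current->active_mm->pgd);
}

/* Post-patch choice: trust CR3, the table the fault actually occurred in. */
static int vmalloc_fault_via_cr3(void)
{
	return sync_vmalloc_pgd(cr3);
}

/*
 * Replay the window: CR3 already holds next's pgd, current still names prev,
 * and a vmalloc fault hits. Returns true if the access succeeds after one
 * trip through the handler, false if it would fault again (what the real
 * kernel reports as a crash).
 */
static bool run_switch_window(int (*handler)(void))
{
	struct mm_struct prev_mm = {{{0}}}, next_mm = {{{0}}};
	struct task_struct prev = { &prev_mm };

	init_mm.pgd.entries[VMALLOC_IDX] = 0x1000; /* constructed: vmalloc mapped in init_mm */
	cr3 = &prev_mm.pgd;
	current = &prev;

	cr3 = &next_mm.pgd;             /* mm swap: CR3 now points at next's tables ... */
	                                /* ... but current->active_mm still names prev */
	if (!vmalloc_access_faults())
		return true;
	if (handler() != 0)
		return false;
	return !vmalloc_access_faults(); /* retry the access: does it still fault? */
}

int main(void)
{
	printf("active_mm-based handler survives the window: %s\n",
	       run_switch_window(vmalloc_fault_via_active_mm) ? "yes" : "no");
	printf("CR3-based handler survives the window:       %s\n",
	       run_switch_window(vmalloc_fault_via_cr3) ? "yes" : "no");
	return 0;
}
```

With the active_mm-based handler the fix lands in prev's page tables, the table the MMU is no longer using, so the retried access faults again; the CR3-based handler repairs the table the fault actually came from and the retry succeeds. The same reasoning applies to any vmalloc fault taken in that window, which is why the thread talks about the mm swap rather than specifically about the stack switch.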