| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 6 Jan 2018 14:28:52 +0800
From: Hanjun Guo <guohanjun@...wei.com>
To: Dave Hansen <dave.hansen@...ux.intel.com>,
Jiri Kosina <jikos@...nel.org>
CC: Yisheng Xie <xieyisheng1@...wei.com>,
<linux-kernel@...r.kernel.org>, <linux-mm@...ck.org>,
<richard.fellner@...dent.tugraz.at>, <moritz.lipp@...k.tugraz.at>,
<daniel.gruss@...k.tugraz.at>, <michael.schwarz@...k.tugraz.at>,
<luto@...nel.org>, Linus Torvalds <torvalds@...ux-foundation.org>,
<keescook@...gle.com>, <hughd@...gle.com>, <x86@...nel.org>,
Andrea Arcangeli <aarcange@...hat.com>
Subject: Re: [PATCH 05/23] x86, kaiser: unmap kernel from userspace page
tables (core patch)
Hi Dave,
Thank you very much for the quick response! Minor comments inline.
On 2018/1/6 14:06, Dave Hansen wrote:
> On 01/05/2018 08:54 PM, Hanjun Guo wrote:
>> Do you mean NX bit will be brought back later? I'm asking this because
>> I tested this patch which it fixed the boot panic issue but the system
>> will hang when rebooting the system, because rebooting will also call efi
>> then panic as NS bit is set.
> Wow, you're running a lot of very lighly-used code paths! You actually
> found a similar but totally separate issue from what I gather. Thank
> you immensely for the quick testing and bug reports!
>
> Could you test the attached fix?
>
> For those playing along at home, I think this will end up being needed
> for 4.15 and probably all the backports. I want to see if it works
> before I submit it for real, though.
>
>
> pti-tboot-fix.patch
>
>
> From: Dave Hansen <dave.hansen@...ux.intel.com>
>
> This is another case similar to what EFI does: create a new set of
> page tables, map some code at a low address, and jump to it. PTI
> mistakes this low address for userspace and mistakenly marks it
> non-executable in an effort to make it unusable for userspace. Undo
> the poison to allow execution.
>
> Signed-off-by: Dave Hansen <dave.hansen@...ux.intel.com>
> Cc: Ning Sun <ning.sun@...el.com>
> Cc: Thomas Gleixner <tglx@...utronix.de>
> Cc: Ingo Molnar <mingo@...hat.com>
> Cc: "H. Peter Anvin" <hpa@...or.com>
> Cc: x86@...nel.org
> Cc: tboot-devel@...ts.sourceforge.net
> Cc: linux-kernel@...r.kernel.org
> ---
>
> b/arch/x86/kernel/tboot.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff -puN arch/x86/kernel/tboot.c~pti-tboot-fix arch/x86/kernel/tboot.c
> --- a/arch/x86/kernel/tboot.c~pti-tboot-fix 2018-01-05 21:50:55.755554960 -0800
> +++ b/arch/x86/kernel/tboot.c 2018-01-05 22:01:51.393553325 -0800
> @@ -124,6 +124,13 @@ static int map_tboot_page(unsigned long
> pte_t *pte;
>
> pgd = pgd_offset(&tboot_mm, vaddr);
> + /*
> + * PTI poisons low addresses in the kernel page tables in the
> + * name of making them unusable for userspace. To execute
> + * code at such a low address, the poison must be cleared.
> + */
> + pgd->pgd &= ~_PAGE_NX;
...
> +
> p4d = p4d_alloc(&tboot_mm, pgd, vaddr);
Seems pgd will be re-set after p4d_alloc(), so should
we put the code behind (or after pud_alloc())?
> if (!p4d)
> return -1;
+ /*
+ * PTI poisons low addresses in the kernel page tables in the
+ * name of making them unusable for userspace. To execute
+ * code at such a low address, the poison must be cleared.
+ */
+ pgd->pgd &= ~_PAGE_NX;
We will have a try in a minute, and report back later.
Thanks
Hanjun
Powered by blists - more mailing lists