| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 6 Jan 2018 16:42:06 +0800
From: Hanjun Guo <guohanjun@...wei.com>
To: Dave Hansen <dave.hansen@...ux.intel.com>,
Jiri Kosina <jikos@...nel.org>
CC: Yisheng Xie <xieyisheng1@...wei.com>,
<linux-kernel@...r.kernel.org>, <linux-mm@...ck.org>,
<richard.fellner@...dent.tugraz.at>, <moritz.lipp@...k.tugraz.at>,
<daniel.gruss@...k.tugraz.at>, <michael.schwarz@...k.tugraz.at>,
<luto@...nel.org>, Linus Torvalds <torvalds@...ux-foundation.org>,
<keescook@...gle.com>, <hughd@...gle.com>, <x86@...nel.org>,
Andrea Arcangeli <aarcange@...hat.com>
Subject: Re: [PATCH 05/23] x86, kaiser: unmap kernel from userspace page
tables (core patch)
On 2018/1/6 15:55, Dave Hansen wrote:
> On 01/05/2018 10:53 PM, Hanjun Guo wrote:
>>> + /*
>>> + * PTI poisons low addresses in the kernel page tables in the
>>> + * name of making them unusable for userspace. To execute
>>> + * code at such a low address, the poison must be cleared.
>>> + */
>>> + pgd->pgd &= ~_PAGE_NX;
>>>
>>> We will have a try in a minute, and report back later.
>> And it works,we can boot/reboot the system successfully, thank
>> you all the quick response and debug!
> I think I'll just submit the attached patch if there are no objections
> (and if it works, of course!).
We tested that placing the NX clearing after pud_alloc(), and it works,
patch below should work as well.
>
> I just stuck the NX clearing at the bottom.
>
>
> pti-tboot-fix.patch
>
>
> From: Dave Hansen <dave.hansen@...ux.intel.com>
>
> This is another case similar to what EFI does: create a new set of
> page tables, map some code at a low address, and jump to it. PTI
> mistakes this low address for userspace and mistakenly marks it
> non-executable in an effort to make it unusable for userspace. Undo
> the poison to allow execution.
>
> Signed-off-by: Dave Hansen <dave.hansen@...ux.intel.com>
> Cc: Ning Sun <ning.sun@...el.com>
> Cc: Thomas Gleixner <tglx@...utronix.de>
> Cc: Ingo Molnar <mingo@...hat.com>
> Cc: "H. Peter Anvin" <hpa@...or.com>
> Cc: x86@...nel.org
> Cc: tboot-devel@...ts.sourceforge.net
> Cc: linux-kernel@...r.kernel.org
> ---
>
> b/arch/x86/kernel/tboot.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff -puN arch/x86/kernel/tboot.c~pti-tboot-fix arch/x86/kernel/tboot.c
> --- a/arch/x86/kernel/tboot.c~pti-tboot-fix 2018-01-05 21:50:55.755554960 -0800
> +++ b/arch/x86/kernel/tboot.c 2018-01-05 23:51:41.368536890 -0800
> @@ -138,6 +138,17 @@ static int map_tboot_page(unsigned long
> return -1;
> set_pte_at(&tboot_mm, vaddr, pte, pfn_pte(pfn, prot));
> pte_unmap(pte);
> +
> + /*
> + * PTI poisons low addresses in the kernel page tables in the
> + * name of making them unusable for userspace. To execute
> + * code at such a low address, the poison must be cleared.
> + *
> + * Note: 'pgd' actually gets set in p4d_alloc() _or_
> + * pud_alloc() depending on 4/5-level paging.
> + */
> + pgd->pgd &= ~_PAGE_NX;
> +
> return 0;
> }
Thanks
Hanjun
Powered by blists - more mailing lists