| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 29 Jan 2016 09:49:09 -0500 From: Matthew Wilcox <willy@...ux.intel.com> To: Andy Lutomirski <luto@...capital.net> Cc: Matthew Wilcox <matthew.r.wilcox@...el.com>, Ingo Molnar <mingo@...hat.com>, Kees Cook <keescook@...omium.org>, Andrew Morton <akpm@...ux-foundation.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "linux-mm@...ck.org" <linux-mm@...ck.org> Subject: Re: [PATCH 1/3] x86: Honour passed pgprot in track_pfn_insert() and track_pfn_remap() On Tue, Jan 26, 2016 at 09:44:24PM -0800, Andy Lutomirski wrote: > On Tue, Jan 26, 2016 at 8:40 PM, Matthew Wilcox <willy@...ux.intel.com> wrote: > > On Mon, Jan 25, 2016 at 09:33:35AM -0800, Andy Lutomirski wrote: > >> On Mon, Jan 25, 2016 at 9:25 AM, Matthew Wilcox > >> <matthew.r.wilcox@...el.com> wrote: > >> > From: Matthew Wilcox <willy@...ux.intel.com> > >> > > >> > track_pfn_insert() overwrites the pgprot that is passed in with a value > >> > based on the VMA's page_prot. This is a problem for people trying to > >> > do clever things with the new vm_insert_pfn_prot() as it will simply > >> > overwrite the passed protection flags. If we use the current value of > >> > the pgprot as the base, then it will behave as people are expecting. > >> > > >> > Also fix track_pfn_remap() in the same way. > >> > >> Well that's embarrassing. Presumably it worked for me because I only > >> overrode the cacheability bits and lookup_memtype did the right thing. > >> > >> But shouldn't the PAT code change the memtype if vm_insert_pfn_prot > >> requests it? Or are there no callers that actually need that? (HPET > >> doesn't, because there's a plain old ioremapped mapping.) > > > > I'm confused. Here's what I understand: > > > > - on x86, the bits in pgprot can be considered as two sets of bits; > > the 'cacheability bits' -- those in _PAGE_CACHE_MASK and the > > 'protection bits' -- PRESENT, RW, USER, ACCESSED, NX > > - The purpose of track_pfn_insert() is to ensure that the cacheability bits > > are the same on all mappings of a given page, as strongly advised by the > > Intel manuals [1]. So track_pfn_insert() is really only supposed to > > modify _PAGE_CACHE_MASK of the passed pgprot, but in fact it ends up > > modifying the protection bits as well, due to the bug. > > > > I don't think you overrode the cacheability bits at all. It looks to > > me like your patch ends up mapping the HPET into userspace writable. > > I sure hope not. If vm_page_prot was writable, something was already > broken, because this is the vvar mapping, and the vvar mapping is > VM_READ (and not even VM_MAYREAD). I do beg yor pardon. I thought you were inserting a readonly page into the middle of a writable mapping. Instead you're inserting a non-executable page into the middle of a VM_READ | VM_EXEC mapping. Sorry for the confusion. I should have written: "like your patch ends up mapping the HPET into userspace executable" which is far less exciting. > > I don't think the vm_insert_pfn_prot() call gets to change the memtype. > > For one, that page may already be mapped into a differet userspace using > > the pre-existing memtype, and [1] continues to bite you. Then there > > may be outstanding kernel users of the page that's being mapped in. > > So why was remap_pfn_range different? I'm sure there was a reason. Yeah, doesn't make sense to me either.
Powered by blists - more mailing lists