lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Sep 2017 19:49:43 +0800 From: gengdongjiu <gengdongjiu@...wei.com> To: Marc Zyngier <marc.zyngier@....com>, James Morse <james.morse@....com> CC: <christoffer.dall@...aro.org>, <vladimir.murzin@....com>, <rkrcmar@...hat.com>, <catalin.marinas@....com>, <shankerd@...eaurora.org>, <linux-arm-kernel@...ts.infradead.org>, <kvmarm@...ts.cs.columbia.edu>, <kvm@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <zhanghaibin7@...wei.com>, <huangshaoyu@...wei.com> Subject: Re: [PATCH] arm64: KVM: VHE: reset PSTATE.UAO when switch to host On 2017/9/7 18:13, Marc Zyngier wrote: > On 07/09/17 11:05, gengdongjiu wrote: >> Hi James, >> >> On 2017/9/7 17:20, James Morse wrote: >>> Hi Dongjiu Geng, >>> >>> On 07/09/17 06:54, Dongjiu Geng wrote: >>>> In VHE mode, host kernel runs in the EL2 and can enable >>>> 'User Access Override' when fs==KERNEL_DS so that it can >>>> access kernel memory. However, PSTATE.UAO is set to 0 on >>>> an exception taken from EL1 to EL2. Thus when VHE is used >>>> and exception taken from a guest UAO will be disabled and >>>> host will use the incorrect PSTATE.UAO. So check and reset >>>> the PSTATE.UAO when switching to host. >>> >>> This would only be a problem if KVM were calling into world-switch with >>> fs==KERNEL_DS. I can't see where this happens. >> Not only KVM, may also kernel sets the fs == KERNEL_DS before calling into world-switch > > How? Please describe the exact sequence of event that lead to this > situation with the current code base. Hi Marc, Different tasks have different fs, such as USER_DS or KERNEL_DS. In the context switch, it will restore the task's fs. Thus, that depends on task itself, as shown below code. UAO is different with PAN, PAN will be always enabled if hardware CPU supports PAN feature, but UAO is dynamical change. /* * Thread switching. */ __notrace_funcgraph struct task_struct *__switch_to(struct task_struct *prev, struct task_struct *next) { struct task_struct *last; fpsimd_thread_switch(next); tls_thread_switch(next); hw_breakpoint_thread_switch(next); contextidr_thread_switch(next); entry_task_switch(next); uao_thread_switch(next); .......... } /* Restore the UAO state depending on next's addr_limit */ void uao_thread_switch(struct task_struct *next) { if (IS_ENABLED(CONFIG_ARM64_UAO)) { if (task_thread_info(next)->addr_limit == KERNEL_DS) asm(ALTERNATIVE("nop", SET_PSTATE_UAO(1), ARM64_HAS_UAO)); else asm(ALTERNATIVE("nop", SET_PSTATE_UAO(0), ARM64_HAS_UAO)); } } > > M. >
Powered by blists - more mailing lists