| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 10 Nov 2017 14:03:46 -0800
From: Andy Lutomirski <luto@...nel.org>
To: Dave Hansen <dave.hansen@...ux.intel.com>
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
moritz.lipp@...k.tugraz.at,
Daniel Gruss <daniel.gruss@...k.tugraz.at>,
michael.schwarz@...k.tugraz.at, richard.fellner@...dent.tugraz.at,
Andrew Lutomirski <luto@...nel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Kees Cook <keescook@...gle.com>,
Hugh Dickins <hughd@...gle.com>, X86 ML <x86@...nel.org>
Subject: Re: [PATCH 21/30] x86, mm: put mmu-to-h/w ASID translation in one place
On Fri, Nov 10, 2017 at 11:31 AM, Dave Hansen
<dave.hansen@...ux.intel.com> wrote:
>
> From: Dave Hansen <dave.hansen@...ux.intel.com>
>
> There are effectively two ASID types:
> 1. The one stored in the mmu_context that goes from 0->5
> 2. The one programmed into the hardware that goes from 1->6
>
> This consolidates the locations where converting beween the two
> (by doing +1) to a single place which gives us a nice place to
> comment. KAISER will also need to, given an ASID, know which
> hardware ASID to flush for the userspace mapping.
>
> Signed-off-by: Dave Hansen <dave.hansen@...ux.intel.com>
> Cc: Moritz Lipp <moritz.lipp@...k.tugraz.at>
> Cc: Daniel Gruss <daniel.gruss@...k.tugraz.at>
> Cc: Michael Schwarz <michael.schwarz@...k.tugraz.at>
> Cc: Richard Fellner <richard.fellner@...dent.tugraz.at>
> Cc: Andy Lutomirski <luto@...nel.org>
> Cc: Linus Torvalds <torvalds@...ux-foundation.org>
> Cc: Kees Cook <keescook@...gle.com>
> Cc: Hugh Dickins <hughd@...gle.com>
> Cc: x86@...nel.org
> ---
>
> b/arch/x86/include/asm/tlbflush.h | 30 ++++++++++++++++++------------
> 1 file changed, 18 insertions(+), 12 deletions(-)
>
> diff -puN arch/x86/include/asm/tlbflush.h~kaiser-pcid-pre-build-kern arch/x86/include/asm/tlbflush.h
> --- a/arch/x86/include/asm/tlbflush.h~kaiser-pcid-pre-build-kern 2017-11-10 11:22:16.521244931 -0800
> +++ b/arch/x86/include/asm/tlbflush.h 2017-11-10 11:22:16.525244931 -0800
> @@ -87,21 +87,26 @@ static inline u64 inc_mm_tlb_gen(struct
> */
> #define MAX_ASID_AVAILABLE ((1<<CR3_AVAIL_ASID_BITS) - 2)
>
> -/*
> - * If PCID is on, ASID-aware code paths put the ASID+1 into the PCID
> - * bits. This serves two purposes. It prevents a nasty situation in
> - * which PCID-unaware code saves CR3, loads some other value (with PCID
> - * == 0), and then restores CR3, thus corrupting the TLB for ASID 0 if
> - * the saved ASID was nonzero. It also means that any bugs involving
> - * loading a PCID-enabled CR3 with CR4.PCIDE off will trigger
> - * deterministically.
> - */
> +static inline u16 kern_asid(u16 asid)
> +{
> + VM_WARN_ON_ONCE(asid > MAX_ASID_AVAILABLE);
> + /*
> + * If PCID is on, ASID-aware code paths put the ASID+1 into the PCID
> + * bits. This serves two purposes. It prevents a nasty situation in
> + * which PCID-unaware code saves CR3, loads some other value (with PCID
> + * == 0), and then restores CR3, thus corrupting the TLB for ASID 0 if
> + * the saved ASID was nonzero. It also means that any bugs involving
> + * loading a PCID-enabled CR3 with CR4.PCIDE off will trigger
> + * deterministically.
> + */
> + return asid + 1;
> +}
This seems really error-prone. Maybe we should have a pcid_t type and
make all the interfaces that want a h/w PCID take pcid_t.
--Andy
Powered by blists - more mailing lists