lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 10 Nov 2017 20:11:11 -0800
From:   Andy Lutomirski <luto@...nel.org>
To:     Andy Lutomirski <luto@...nel.org>
Cc:     X86 ML <x86@...nel.org>, Borislav Petkov <bpetkov@...e.de>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Brian Gerst <brgerst@...il.com>,
        Dave Hansen <dave.hansen@...el.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [RFC 5/7] x86/asm: Rearrange struct cpu_tss to enlarge
 SYSENTER_stack and fix alignment

On Fri, Nov 10, 2017 at 8:05 PM, Andy Lutomirski <luto@...nel.org> wrote:
> The Intel SDM says (Volume 3, 7.2.1):
>
>    Avoid placing a page boundary in the part of the TSS that the
>    processor reads during a task switch (the first 104 bytes). The
>    processor may not correctly perform address translations if a
>    boundary occurs in this area. During a task switch, the processor
>    reads and writes into the first 104 bytes of each TSS (using
>    contiguous physical addresses beginning with the physical address
>    of the first byte of the TSS). So, after TSS access begins, if
>    part of the 104 bytes is not physically contiguous, the processor
>    will access incorrect information without generating a page-fault
>    exception.

Hmm.  I should add that I suspect we rarely if ever hit this problem
in practice because (a) we only ever task switch on 32-bit
doublefaults, (b) if the old register state gets corrupted by this
issue during a doublefault, we might not notice, and (c) there is
probably rarely a page boundary in the wrong place.  I suspect that
regular kernel entries have the same issue but that esp0 and ss0 were
always in the same page due to cacheline alignment.

FWIW, we really do virtually map the percpu section AFAICT.  The code
does not appear to guarantee that percpu variables are physically
contiguous.

I'd love to make this mapping RO, but the SDM advises against that.  I
don't know whether there's a real concern (on 64-bit) or whether it's
just being overly cautious.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ