lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 26 Nov 2017 23:41:26 +0100 (CET)
From:   Thomas Gleixner <tglx@...utronix.de>
To:     Borislav Petkov <bp@...en8.de>
cc:     Ingo Molnar <mingo@...nel.org>, linux-kernel@...r.kernel.org,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Andy Lutomirski <luto@...capital.net>,
        "H . Peter Anvin" <hpa@...or.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH 25/43] x86/mm/kaiser: Unmap kernel from userspace page
 tables (core patch), noexec=off

On Sun, 26 Nov 2017, Borislav Petkov wrote:
> On Fri, Nov 24, 2017 at 06:23:53PM +0100, Ingo Molnar wrote:
> > + * Take a PGD location (pgdp) and a pgd value that needs
> > + * to be set there.  Populates the shadow and returns
> > + * the resulting PGD that must be set in the kernel copy
> > + * of the page tables.
> > + */
> > +static inline pgd_t kaiser_set_shadow_pgd(pgd_t *pgdp, pgd_t pgd)
> > +{
> > +#ifdef CONFIG_KAISER
> > +	if (pgd_userspace_access(pgd)) {
> > +		if (pgdp_maps_userspace(pgdp)) {
> > +			/*
> > +			 * The user/shadow page tables get the full
> > +			 * PGD, accessible from userspace:
> > +			 */
> > +			kernel_to_shadow_pgdp(pgdp)->pgd = pgd.pgd;
> > +			/*
> > +			 * For the copy of the pgd that the kernel
> > +			 * uses, make it unusable to userspace.  This
> > +			 * ensures if we get out to userspace with the
> > +			 * wrong CR3 value, userspace will crash
> > +			 * instead of running.
> > +			 */
> > +			pgd.pgd |= _PAGE_NX;
> 
> Lemme hold this down here so that we don't forget (and tglx is working on it
> already... ):

A worse problem exists vs. PAGE_GLOBAL. Its enforced by KAISER
unconditionally... Fixes are posted soon as an update to the series I sent
earlier today.

> So we need to handle the case where we boot with "noexec=off" and thus
> clear _PAGE_NX from __supported_pte_mask. I'd vouch for a conservative
> solution where we warn if _PAGE_NX is not set in __supported_pte_mask
> and thus at least tell the user that she shouldn't do noexec kernels and
> expect kaiser protection...

Let me add that.

Thanks,

	tglx

Powered by blists - more mailing lists