| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 9 Feb 2018 14:38:45 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Dave Hansen <dave.hansen@...ux.intel.com>,
Thomas Gleixner <tglx@...utronix.de>,
Andrea Arcangeli <aarcange@...hat.com>,
Jon Masters <jcm@...hat.com>,
Tim Chen <tim.c.chen@...ux.intel.com>,
gnomes@...rguk.ukuu.org.uk, peterz@...radead.org,
ning.sun@...el.com, tboot-devel@...ts.sourceforge.net,
andi@...stfloor.org, luto@...nel.org, law@...hat.com,
pbonzini@...hat.com, torvalds@...ux-foundation.org,
dwmw@...zon.co.uk, nickc@...hat.com, Jiri Kosina <jkosina@...e.cz>,
Hugh Dickins <hughd@...gle.com>, gregkh@...ux-foundation.org
Subject: [PATCH 4.9 16/92] x86/pti: Make unpoison of pgd for trusted boot work for real
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Hansen <dave.hansen@...ux.intel.com>
commit 445b69e3b75e42362a5bdc13c8b8f61599e2228a upstream
The inital fix for trusted boot and PTI potentially misses the pgd clearing
if pud_alloc() sets a PGD. It probably works in *practice* because for two
adjacent calls to map_tboot_page() that share a PGD entry, the first will
clear NX, *then* allocate and set the PGD (without NX clear). The second
call will *not* allocate but will clear the NX bit.
Defer the NX clearing to a point after it is known that all top-level
allocations have occurred. Add a comment to clarify why.
[ tglx: Massaged changelog ]
[ hughd notes: I have not tested tboot, but this looks to me as necessary
and as safe in old-Kaiser backports as it is upstream; I'm not submitting
the commit-to-be-fixed 262b6b30087, since it was undone by 445b69e3b75e,
and makes conflict trouble because of 5-level's p4d versus 4-level's pgd.]
Fixes: 262b6b30087 ("x86/tboot: Unbreak tboot with PTI enabled")
Signed-off-by: Dave Hansen <dave.hansen@...ux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@...utronix.de>
Reviewed-by: Andrea Arcangeli <aarcange@...hat.com>
Cc: Jon Masters <jcm@...hat.com>
Cc: Tim Chen <tim.c.chen@...ux.intel.com>
Cc: gnomes@...rguk.ukuu.org.uk
Cc: peterz@...radead.org
Cc: ning.sun@...el.com
Cc: tboot-devel@...ts.sourceforge.net
Cc: andi@...stfloor.org
Cc: luto@...nel.org
Cc: law@...hat.com
Cc: pbonzini@...hat.com
Cc: torvalds@...ux-foundation.org
Cc: gregkh@...ux-foundation.org
Cc: dwmw@...zon.co.uk
Cc: nickc@...hat.com
Link: https://lkml.kernel.org/r/20180110224939.2695CD47@viggo.jf.intel.com
Cc: Jiri Kosina <jkosina@...e.cz>
Signed-off-by: Hugh Dickins <hughd@...gle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
arch/x86/kernel/tboot.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/arch/x86/kernel/tboot.c
+++ b/arch/x86/kernel/tboot.c
@@ -134,6 +134,16 @@ static int map_tboot_page(unsigned long
return -1;
set_pte_at(&tboot_mm, vaddr, pte, pfn_pte(pfn, prot));
pte_unmap(pte);
+
+ /*
+ * PTI poisons low addresses in the kernel page tables in the
+ * name of making them unusable for userspace. To execute
+ * code at such a low address, the poison must be cleared.
+ *
+ * Note: 'pgd' actually gets set in pud_alloc().
+ */
+ pgd->pgd &= ~_PAGE_NX;
+
return 0;
}
Powered by blists - more mailing lists