| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <DF353FDA-4A57-4F5E-A403-531DDA0DBC25@amacapital.net>
Date: Sun, 26 Aug 2018 10:25:11 -0700
From: Andy Lutomirski <luto@...capital.net>
To: Kees Cook <keescook@...omium.org>
Cc: Andy Lutomirski <luto@...nel.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
Nadav Amit <nadav.amit@...il.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Paolo Bonzini <pbonzini@...hat.com>,
Jiri Kosina <jkosina@...e.cz>,
Peter Zijlstra <peterz@...radead.org>,
Will Deacon <will.deacon@....com>,
Benjamin Herrenschmidt <benh@....ibm.com>,
Nick Piggin <npiggin@...il.com>,
the arch/x86 maintainers <x86@...nel.org>,
Borislav Petkov <bp@...en8.de>,
Rik van Riel <riel@...riel.com>,
Jann Horn <jannh@...gle.com>,
Adin Scannell <ascannell@...gle.com>,
Dave Hansen <dave.hansen@...el.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
linux-mm <linux-mm@...ck.org>,
David Miller <davem@...emloft.net>,
Martin Schwidefsky <schwidefsky@...ibm.com>,
Michael Ellerman <mpe@...erman.id.au>
Subject: Re: TLB flushes on fixmap changes
> On Aug 26, 2018, at 9:47 AM, Kees Cook <keescook@...omium.org> wrote:
>
>> On Sun, Aug 26, 2018 at 7:20 AM, Andy Lutomirski <luto@...capital.net> wrote:
>>
>>
>>>> On Aug 25, 2018, at 9:43 PM, Kees Cook <keescook@...omium.org> wrote:
>>>>
>>>>> On Sat, Aug 25, 2018 at 9:21 PM, Andy Lutomirski <luto@...nel.org> wrote:
>>>>> On Sat, Aug 25, 2018 at 7:23 PM, Masami Hiramatsu <mhiramat@...nel.org> wrote:
>>>>> On Fri, 24 Aug 2018 21:23:26 -0700
>>>>> Andy Lutomirski <luto@...nel.org> wrote:
>>>>>> Couldn't text_poke() use kmap_atomic()? Or, even better, just change CR3?
>>>>>
>>>>> No, since kmap_atomic() is only for x86_32 and highmem support kernel.
>>>>> In x86-64, it seems that returns just a page address. That is not
>>>>> good for text_poke, since it needs to make a writable alias for RO
>>>>> code page. Hmm, maybe, can we mimic copy_oldmem_page(), it uses ioremap_cache?
>>>>>
>>>>
>>>> I just re-read text_poke(). It's, um, horrible. Not only is the
>>>> implementation overcomplicated and probably buggy, but it's SLOOOOOW.
>>>> It's totally the wrong API -- poking one instruction at a time
>>>> basically can't be efficient on x86. The API should either poke lots
>>>> of instructions at once or should be text_poke_begin(); ...;
>>>> text_poke_end();.
>>>>
>>>> Anyway, the attached patch seems to boot. Linus, Kees, etc: is this
>>>> too scary of an approach? With the patch applied, text_poke() is a
>>>> fantastic exploit target. On the other hand, even without the patch
>>>> applied, text_poke() is every bit as juicy.
>>>
>>> I tried to convince Ingo to use this method for doing "write rarely"
>>> and he soundly rejected it. :) I've always liked this because AFAICT,
>>> it's local to the CPU. I had proposed it in
>>> https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=kspp/write-rarely&id=9ab0cb2618ebbc51f830ceaa06b7d2182fe1a52d
>>
>> Ingo, can you clarify why you hate it? I personally would rather use CR3, but CR0 seems like a fine first step, at least for text_poke.
>
> Sorry, it looks like it was tglx, not Ingo:
>
> https://lkml.kernel.org/r/alpine.DEB.2.20.1704071048360.1716@nanos
>
> This thread is long, and one thing that I think went unanswered was
> "why do we want this to be fast?" the answer is: for doing page table
> updates. Page tables are becoming a bigger target for attacks now, and
> it's be nice if they could stay read-only unless they're getting
> updated (with something like this).
>
>
It kind of sounds like tglx would prefer the CR3 approach. And indeed my patch has a serious problem wrt the NMI code.
Powered by blists - more mailing lists