| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAG48ez1cYsa+5Grbzp0oGTFyjqE4pR-Qe9gb=0TKc9Q5HuOpmA@mail.gmail.com>
Date: Mon, 27 Aug 2018 00:48:13 +0200
From: Jann Horn <jannh@...gle.com>
To: Andy Lutomirski <luto@...nel.org>,
Kees Cook <keescook@...omium.org>
Cc: mhiramat@...nel.org, Nadav Amit <nadav.amit@...il.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Paolo Bonzini <pbonzini@...hat.com>, jkosina@...e.cz,
Peter Zijlstra <peterz@...radead.org>,
Will Deacon <will.deacon@....com>, benh@....ibm.com,
npiggin@...il.com, "the arch/x86 maintainers" <x86@...nel.org>,
Borislav Petkov <bp@...en8.de>,
Rik van Riel <riel@...riel.com>,
Adin Scannell <ascannell@...gle.com>,
Dave Hansen <dave.hansen@...el.com>,
kernel list <linux-kernel@...r.kernel.org>,
Linux-MM <linux-mm@...ck.org>,
"David S. Miller" <davem@...emloft.net>,
Martin Schwidefsky <schwidefsky@...ibm.com>,
Michael Ellerman <mpe@...erman.id.au>
Subject: Re: TLB flushes on fixmap changes
On Sun, Aug 26, 2018 at 6:21 AM Andy Lutomirski <luto@...nel.org> wrote:
>
> On Sat, Aug 25, 2018 at 7:23 PM, Masami Hiramatsu <mhiramat@...nel.org> wrote:
> > On Fri, 24 Aug 2018 21:23:26 -0700
> > Andy Lutomirski <luto@...nel.org> wrote:
> >> Couldn't text_poke() use kmap_atomic()? Or, even better, just change CR3?
> >
> > No, since kmap_atomic() is only for x86_32 and highmem support kernel.
> > In x86-64, it seems that returns just a page address. That is not
> > good for text_poke, since it needs to make a writable alias for RO
> > code page. Hmm, maybe, can we mimic copy_oldmem_page(), it uses ioremap_cache?
> >
>
> I just re-read text_poke(). It's, um, horrible. Not only is the
> implementation overcomplicated and probably buggy, but it's SLOOOOOW.
> It's totally the wrong API -- poking one instruction at a time
> basically can't be efficient on x86. The API should either poke lots
> of instructions at once or should be text_poke_begin(); ...;
> text_poke_end();.
>
> Anyway, the attached patch seems to boot. Linus, Kees, etc: is this
> too scary of an approach? With the patch applied, text_poke() is a
> fantastic exploit target. On the other hand, even without the patch
> applied, text_poke() is every bit as juicy.
Twiddling CR0.WP is incompatible with Xen PV, right? It can't let you
do it because you're not actually running in ring 0 (but in ring 1 or
3), so CR0.WP has no influence on what you can access; and it must not
let you bypass write protection because you have read-only access to
host page tables. I think this code has to be compatible with Xen PV,
right?
In theory Xen PV could support this by emulating X86 instructions, but
I don't see anything related to CR0.WP in their emulation code. From
xen/arch/x86/pv/emul-priv-op.c:
case 0: /* Write CR0 */
if ( (val ^ read_cr0()) & ~X86_CR0_TS )
{
gdprintk(XENLOG_WARNING,
"Attempt to change unmodifiable CR0 flags\n");
break;
}
do_fpu_taskswitch(!!(val & X86_CR0_TS));
return X86EMUL_OKAY;
Having a special fallback path for "patch kernel code while running
under Xen PV" would be kinda ugly.
Powered by blists - more mailing lists