| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.DEB.2.21.1811270809450.1682@nanos.tec.linutronix.de>
Date: Tue, 27 Nov 2018 08:13:48 +0100 (CET)
From: Thomas Gleixner <tglx@...utronix.de>
To: Jiri Kosina <jikos@...nel.org>
cc: Tim Chen <tim.c.chen@...ux.intel.com>,
Ingo Molnar <mingo@...nel.org>,
LKML <linux-kernel@...r.kernel.org>, x86@...nel.org,
Peter Zijlstra <peterz@...radead.org>,
Andy Lutomirski <luto@...nel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Tom Lendacky <thomas.lendacky@....com>,
Josh Poimboeuf <jpoimboe@...hat.com>,
Andrea Arcangeli <aarcange@...hat.com>,
David Woodhouse <dwmw@...zon.co.uk>,
Andi Kleen <ak@...ux.intel.com>,
Dave Hansen <dave.hansen@...el.com>,
Casey Schaufler <casey.schaufler@...el.com>,
Asit Mallick <asit.k.mallick@...el.com>,
Arjan van de Ven <arjan@...ux.intel.com>,
Jon Masters <jcm@...hat.com>,
Waiman Long <longman9394@...il.com>,
Greg KH <gregkh@...uxfoundation.org>,
Dave Stewart <david.c.stewart@...el.com>,
Kees Cook <keescook@...omium.org>
Subject: Re: [patch 20/24] x86/speculation: Split out TIF update
On Tue, 27 Nov 2018, Jiri Kosina wrote:
> On Mon, 26 Nov 2018, Thomas Gleixner wrote:
>
> How about the minimalistic aproach below? (only compile tested so far,
> applies on top of your latest WIP.x86/pti branch). The downside of course
> is wasting another TIF bit.
We need to waste another TIF bit in any case.
> *
> * This can only happen for SECCOMP mitigation. For PRCTL it's
> * always the current task.
> + *
> + * If we are updating non-current task, set a flag for it to always
> + * perform the MSR sync on a first context switch, to make sure
> + * the TIF_SPEC_IB above is not out of sync with the MSR value during
> + * task's runtime.
> */
> if (tsk == current && update)
> speculation_ctrl_update_current();
> + else
> + set_tsk_thread_flag(tsk, TIF_SPEC_UPDATE);
> +
> }
>
> static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
> diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
> index 3f5e351bdd37..78208234e63e 100644
> --- a/arch/x86/kernel/process.c
> +++ b/arch/x86/kernel/process.c
> @@ -449,8 +449,20 @@ static __always_inline void __speculation_ctrl_update(unsigned long tifp,
> * otherwise avoid the MSR write.
> */
> if (IS_ENABLED(CONFIG_SMP) &&
> - static_branch_unlikely(&switch_to_cond_stibp))
> + static_branch_unlikely(&switch_to_cond_stibp)) {
> updmsr |= !!(tif_diff & _TIF_SPEC_IB);
> + /*
> + * We need to update the MSR if remote task did set
> + * TIF_SPEC_UPDATE on us, and therefore MSR value and
> + * the TIF_SPEC_IB values might be out of sync.
> + *
> + * This can only happen if seccomp task has updated
> + * one of its remote threads.
> + */
> + if (IS_ENABLED(CONFIG_SECCOMP) && !updmsr &&
> + (tifn & TIF_SPEC_UPDATE))
> + updmsr = true;
> + }
>
> if (updmsr)
> spec_ctrl_update_msr(tifn);
> @@ -496,6 +508,8 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p)
> set_cpuid_faulting(!!(tifn & _TIF_NOCPUID));
>
> __speculation_ctrl_update(tifp, tifn);
> + if (IS_ENABLED(CONFIG_SECCOMP))
> + clear_tsk_thread_flag(next_p, TIF_SPEC_UPDATE);
That's racy and does not prevent the situation because the TIF flags are
updated befor the UPDATE bit is set. So __speculation_ctrl_update() might
see the new bits, but not TIF_SPEC_UPDATE. You really need shadow storage
to avoid that.
Thanks,
tglx
Powered by blists - more mailing lists