lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20181206190115.GC10086@cisco>
Date:   Thu, 6 Dec 2018 12:01:15 -0700
From:   Tycho Andersen <tycho@...ho.ws>
To:     Andy Lutomirski <luto@...nel.org>
Cc:     Ard Biesheuvel <ard.biesheuvel@...aro.org>,
        Will Deacon <will.deacon@....com>,
        Rick Edgecombe <rick.p.edgecombe@...el.com>,
        Nadav Amit <nadav.amit@...il.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Jessica Yu <jeyu@...nel.org>,
        Steven Rostedt <rostedt@...dmis.org>,
        Alexei Starovoitov <ast@...nel.org>,
        Linux-MM <linux-mm@...ck.org>, Jann Horn <jannh@...gle.com>,
        "Dock, Deneen T" <deneen.t.dock@...el.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Kristen Carlson Accardi <kristen@...ux.intel.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Ingo Molnar <mingo@...hat.com>,
        Anil S Keshavamurthy <anil.s.keshavamurthy@...el.com>,
        Kernel Hardening <kernel-hardening@...ts.openwall.com>,
        Masami Hiramatsu <mhiramat@...nel.org>,
        "Naveen N . Rao" <naveen.n.rao@...ux.vnet.ibm.com>,
        "David S. Miller" <davem@...emloft.net>,
        Network Development <netdev@...r.kernel.org>,
        Dave Hansen <dave.hansen@...el.com>
Subject: Re: [PATCH 1/2] vmalloc: New flag for flush before releasing pages

On Thu, Dec 06, 2018 at 10:53:50AM -0800, Andy Lutomirski wrote:
> > On Dec 5, 2018, at 11:29 PM, Ard Biesheuvel <ard.biesheuvel@...aro.org> wrote:
> >
> >> On Thu, 6 Dec 2018 at 00:16, Andy Lutomirski <luto@...nel.org> wrote:
> >>
> >>> On Wed, Dec 5, 2018 at 3:41 AM Will Deacon <will.deacon@....com> wrote:
> >>>
> >>>> On Tue, Dec 04, 2018 at 12:09:49PM -0800, Andy Lutomirski wrote:
> >>>> On Tue, Dec 4, 2018 at 12:02 PM Edgecombe, Rick P
> >>>> <rick.p.edgecombe@...el.com> wrote:
> >>>>>
> >>>>>> On Tue, 2018-12-04 at 16:03 +0000, Will Deacon wrote:
> >>>>>> On Mon, Dec 03, 2018 at 05:43:11PM -0800, Nadav Amit wrote:
> >>>>>>>> On Nov 27, 2018, at 4:07 PM, Rick Edgecombe <rick.p.edgecombe@...el.com>
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>> Since vfree will lazily flush the TLB, but not lazily free the underlying
> >>>>>>>> pages,
> >>>>>>>> it often leaves stale TLB entries to freed pages that could get re-used.
> >>>>>>>> This is
> >>>>>>>> undesirable for cases where the memory being freed has special permissions
> >>>>>>>> such
> >>>>>>>> as executable.
> >>>>>>>
> >>>>>>> So I am trying to finish my patch-set for preventing transient W+X mappings
> >>>>>>> from taking space, by handling kprobes & ftrace that I missed (thanks again
> >>>>>>> for
> >>>>>>> pointing it out).
> >>>>>>>
> >>>>>>> But all of the sudden, I don’t understand why we have the problem that this
> >>>>>>> (your) patch-set deals with at all. We already change the mappings to make
> >>>>>>> the memory wrAcked-by: Ard Biesheuvel <ard.biesheuvel@...aro.org>
> > itable before freeing the memory, so why can’t we make it
> >>>>>>> non-executable at the same time? Actually, why do we make the module memory,
> >>>>>>> including its data executable before freeing it???
> >>>>>>
> >>>>>> Yeah, this is really confusing, but I have a suspicion it's a combination
> >>>>>> of the various different configurations and hysterical raisins. We can't
> >>>>>> rely on module_alloc() allocating from the vmalloc area (see nios2) nor
> >>>>>> can we rely on disable_ro_nx() being available at build time.
> >>>>>>
> >>>>>> If we *could* rely on module allocations always using vmalloc(), then
> >>>>>> we could pass in Rick's new flag and drop disable_ro_nx() altogether
> >>>>>> afaict -- who cares about the memory attributes of a mapping that's about
> >>>>>> to disappear anyway?
> >>>>>>
> >>>>>> Is it just nios2 that does something different?
> >>>>>>
> >>>>> Yea it is really intertwined. I think for x86, set_memory_nx everywhere would
> >>>>> solve it as well, in fact that was what I first thought the solution should be
> >>>>> until this was suggested. It's interesting that from the other thread Masami
> >>>>> Hiramatsu referenced, set_memory_nx was suggested last year and would have
> >>>>> inadvertently blocked this on x86. But, on the other architectures I have since
> >>>>> learned it is a bit different.
> >>>>>
> >>>>> It looks like actually most arch's don't re-define set_memory_*, and so all of
> >>>>> the frob_* functions are actually just noops. In which case allocating RWX is
> >>>>> needed to make it work at all, because that is what the allocation is going to
> >>>>> stay at. So in these archs, set_memory_nx won't solve it because it will do
> >>>>> nothing.
> >>>>>
> >>>>> On x86 I think you cannot get rid of disable_ro_nx fully because there is the
> >>>>> changing of the permissions on the directmap as well. You don't want some other
> >>>>> caller getting a page that was left RO when freed and then trying to write to
> >>>>> it, if I understand this.
> >>>>>
> >>>>
> >>>> Exactly.
> >>>
> >>> Of course, I forgot about the linear mapping. On arm64, we've just queued
> >>> support for reflecting changes to read-only permissions in the linear map
> >>> [1]. So, whilst the linear map is always non-executable, we will need to
> >>> make parts of it writable again when freeing the module.
> >>>
> >>>> After slightly more thought, I suggest renaming VM_IMMEDIATE_UNMAP to
> >>>> VM_MAY_ADJUST_PERMS or similar.  It would have the semantics you want,
> >>>> but it would also call some arch hooks to put back the direct map
> >>>> permissions before the flush.  Does that seem reasonable?  It would
> >>>> need to be hooked up that implement set_memory_ro(), but that should
> >>>> be quite easy.  If nothing else, it could fall back to set_memory_ro()
> >>>> in the absence of a better implementation.
> >>>
> >>> You mean set_memory_rw() here, right? Although, eliding the TLB invalidation
> >>> would open up a window where the vmap mapping is executable and the linear
> >>> mapping is writable, which is a bit rubbish.
> >>>
> >>
> >> Right, and Rick pointed out the same issue.  Instead, we should set
> >> the direct map not-present or its ARM equivalent, then do the flush,
> >> then make it RW.  I assume this also works on arm and arm64, although
> >> I don't know for sure.  On x86, the CPU won't cache not-present PTEs.
> >
> > If we are going to unmap the linear alias, why not do it at vmalloc()
> > time rather than vfree() time?
> 
> That’s not totally nuts. Do we ever have code that expects __va() to
> work on module data?  Perhaps crypto code trying to encrypt static
> data because our APIs don’t understand virtual addresses.  I guess if
> highmem is ever used for modules, then we should be fine.
> 
> RO instead of not present might be safer.  But I do like the idea of
> renaming Rick's flag to something like VM_XPFO or VM_NO_DIRECT_MAP and
> making it do all of this.

Yeah, doing it for everything automatically seemed like it was/is
going to be a lot of work to debug all the corner cases where things
expect memory to be mapped but don't explicitly say it. And in
particular, the XPFO series only does it for user memory, whereas an
additional flag like this would work for extra paranoid allocations
of kernel memory too.

Seems like maybe we should do this for rodata today?

> (It seems like some people call it the linear map and some people call
> it the direct map.  Is there any preference?)

...and some people call it the physmap :)

Tycho

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ