[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20190129003422.9328-1-rick.p.edgecombe@intel.com>
Date: Mon, 28 Jan 2019 16:34:02 -0800
From: Rick Edgecombe <rick.p.edgecombe@...el.com>
To: Andy Lutomirski <luto@...nel.org>, Ingo Molnar <mingo@...hat.com>
Cc: linux-kernel@...r.kernel.org, x86@...nel.org, hpa@...or.com,
Thomas Gleixner <tglx@...utronix.de>,
Borislav Petkov <bp@...en8.de>,
Nadav Amit <nadav.amit@...il.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Peter Zijlstra <peterz@...radead.org>, linux_dti@...oud.com,
linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, akpm@...ux-foundation.org,
kernel-hardening@...ts.openwall.com, linux-mm@...ck.org,
will.deacon@....com, ard.biesheuvel@...aro.org,
kristen@...ux.intel.com, deneen.t.dock@...el.com,
Rick Edgecombe <rick.p.edgecombe@...el.com>
Subject: [PATCH v2 00/20] Merge text_poke fixes and executable lockdowns
This patchset improves several overlapping issues around stale TLB
entries and W^X violations. It is combined from a slightly tweaked
"x86/alternative: text_poke() enhancements v7" [1] and a next version of
the "Don’t leave executable TLB entries to freed pages v2" [2]
patchsets that were conflicting.
The related issues that this fixes:
1. Fixmap PTEs that are used for patching are available for access from
other cores and might be exploited. They are not even flushed from
the TLB in remote cores, so the risk is even higher. Address this
issue by introducing a temporary mm that is only used during
patching. Unfortunately, due to init ordering, fixmap is still used
during boot-time patching. Future patches can eliminate the need for
it.
2. Missing lockdep assertion to ensure text_mutex is taken. It is
actually not always taken, so fix the instances that were found not
to take the lock (although they should be safe even without taking
the lock).
3. Module_alloc returning memory that is RWX until a module is finished
loading.
4. Sometimes when memory is freed via the module subsystem, an
executable permissioned TLB entry can remain to a freed page. If the
page is re-used to back an address that will receive data from
userspace, it can result in user data being mapped as executable in
the kernel. The root of this behavior is vfree lazily flushing the
TLB, but not lazily freeing the underlying pages.
Changes for v2:
- Adding “Reviewed-by tag” [Masami]
- Comment instead of code to warn against module removal while patching [Masami]
- Avoiding open-coded TLB flush [Andy]
- Remove "This patch" [Borislav Petkov]
- Not set global bit during text poking [Andy, hpa]
- Add Ack from [Pavel Machek]
- Split patch 16 "Plug in new special vfree flag" into 4 patches (16-19)
to make it easier to review. There were no code changes.
The changes from "Don’t leave executable TLB entries to freed pages
v2" to v1:
- Add support for case of hibernate trying to save an unmapped page
on the directmap. (Ard Biesheuvel)
- No week arch breakout for vfree-ing special memory (Andy Lutomirski)
- Avoid changing deferred free code by moving modules init free to work
queue (Andy Lutomirski)
- Plug in new flag for kprobes and ftrace
- More arch generic names for set_pages functions (Ard Biesheuvel)
- Fix for TLB not always flushing the directmap (Nadav Amit)
Changes from "x86/alternative: text_poke() enhancements v7" to v1
- Fix build failure on CONFIG_RANDOMIZE_BASE=n (Rick)
- Remove text_poke usage from ftrace (Nadav)
[1] https://lkml.org/lkml/2018/12/5/200
[2] https://lkml.org/lkml/2018/12/11/1571
Andy Lutomirski (1):
x86/mm: temporary mm struct
Nadav Amit (12):
Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()"
x86/jump_label: Use text_poke_early() during early init
fork: provide a function for copying init_mm
x86/alternative: initializing temporary mm for patching
x86/alternative: use temporary mm for text poking
x86/kgdb: avoid redundant comparison of patched code
x86/ftrace: set trampoline pages as executable
x86/kprobes: instruction pages initialization enhancements
x86: avoid W^X being broken during modules loading
x86/jump-label: remove support for custom poker
x86/alternative: Remove the return value of text_poke_*()
x86/alternative: comment about module removal races
Rick Edgecombe (7):
Add set_alias_ function and x86 implementation
mm: Make hibernate handle unmapped pages
vmalloc: New flags for safe vfree on special perms
modules: Use vmalloc special flag
bpf: Use vmalloc special flag
x86/ftrace: Use vmalloc special flag
x86/kprobes: Use vmalloc special flag
arch/Kconfig | 4 +
arch/x86/Kconfig | 1 +
arch/x86/include/asm/fixmap.h | 2 -
arch/x86/include/asm/mmu_context.h | 32 +++++
arch/x86/include/asm/pgtable.h | 3 +
arch/x86/include/asm/set_memory.h | 3 +
arch/x86/include/asm/text-patching.h | 7 +-
arch/x86/kernel/alternative.c | 199 ++++++++++++++++++++-------
arch/x86/kernel/ftrace.c | 14 +-
arch/x86/kernel/jump_label.c | 19 ++-
arch/x86/kernel/kgdb.c | 25 +---
arch/x86/kernel/kprobes/core.c | 19 ++-
arch/x86/kernel/module.c | 2 +-
arch/x86/mm/init_64.c | 36 +++++
arch/x86/mm/pageattr.c | 16 ++-
arch/x86/xen/mmu_pv.c | 2 -
include/linux/filter.h | 18 +--
include/linux/mm.h | 18 +--
include/linux/sched/task.h | 1 +
include/linux/set_memory.h | 10 ++
include/linux/vmalloc.h | 13 ++
init/main.c | 3 +
kernel/bpf/core.c | 1 -
kernel/fork.c | 24 +++-
kernel/module.c | 82 ++++++-----
mm/page_alloc.c | 7 +-
mm/vmalloc.c | 122 +++++++++++++---
27 files changed, 494 insertions(+), 189 deletions(-)
--
2.17.1
Powered by blists - more mailing lists