| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190205113146.GP17528@hirez.programming.kicks-ass.net>
Date: Tue, 5 Feb 2019 12:31:46 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: Borislav Petkov <bp@...en8.de>
Cc: Rick Edgecombe <rick.p.edgecombe@...el.com>,
Andy Lutomirski <luto@...nel.org>,
Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org,
x86@...nel.org, hpa@...or.com,
Thomas Gleixner <tglx@...utronix.de>,
Nadav Amit <nadav.amit@...il.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
linux_dti@...oud.com, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, akpm@...ux-foundation.org,
kernel-hardening@...ts.openwall.com, linux-mm@...ck.org,
will.deacon@....com, ard.biesheuvel@...aro.org,
kristen@...ux.intel.com, deneen.t.dock@...el.com,
Nadav Amit <namit@...are.com>,
Kees Cook <keescook@...omium.org>,
Dave Hansen <dave.hansen@...el.com>,
Masami Hiramatsu <mhiramat@...nel.org>
Subject: Re: [PATCH v2 06/20] x86/alternative: use temporary mm for text
poking
On Tue, Feb 05, 2019 at 10:58:53AM +0100, Borislav Petkov wrote:
> > @@ -683,41 +684,102 @@ __ro_after_init unsigned long poking_addr;
> >
> > static void *__text_poke(void *addr, const void *opcode, size_t len)
> > {
> > + bool cross_page_boundary = offset_in_page(addr) + len > PAGE_SIZE;
> > + temporary_mm_state_t prev;
> > + struct page *pages[2] = {NULL};
> > unsigned long flags;
> > - char *vaddr;
> > - struct page *pages[2];
> > - int i;
> > + pte_t pte, *ptep;
> > + spinlock_t *ptl;
> > + pgprot_t prot;
> >
> > /*
> > - * While boot memory allocator is runnig we cannot use struct
> > - * pages as they are not yet initialized.
> > + * While boot memory allocator is running we cannot use struct pages as
> > + * they are not yet initialized.
> > */
> > BUG_ON(!after_bootmem);
> >
> > if (!core_kernel_text((unsigned long)addr)) {
> > pages[0] = vmalloc_to_page(addr);
> > - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
> > + if (cross_page_boundary)
> > + pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
> > } else {
> > pages[0] = virt_to_page(addr);
> > WARN_ON(!PageReserved(pages[0]));
> > - pages[1] = virt_to_page(addr + PAGE_SIZE);
> > + if (cross_page_boundary)
> > + pages[1] = virt_to_page(addr + PAGE_SIZE);
> > }
> > - BUG_ON(!pages[0]);
> > + BUG_ON(!pages[0] || (cross_page_boundary && !pages[1]));
>
> checkpatch fires a lot for this patchset and I think we should tone down
> the BUG_ON() use.
I've been pushing for BUG_ON() in this patch set; sod checkpatch.
Maybe not this BUG_ON in particular, but a number of them introduced
here are really situations where we can't do anything sane.
This BUG_ON() in particular is the choice between corrupted text or an
instantly dead machine; what would you do?
In general, text_poke() cannot fail:
- suppose changing a single jump label requires poking multiple sites
(not uncommon), we fail halfway through and then have to undo the
first pokes, but those pokes fail again.
- this then leaves us no way forward and no way back, we've got
inconsistent text state -> FAIL.
So even an 'early' fail (like here) doesn't work in the rollback
scenario if you combine them.
So while in general I agree with BUG_ON() being undesirable, I think
liberal sprinking in text_poke() is fine; you really _REALLY_ want this
to work or fail loudly. Text corruption is just painful.
Powered by blists - more mailing lists