| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 Jun 2019 09:35:27 -0700
From: Andy Lutomirski <luto@...capital.net>
To: Yu-cheng Yu <yu-cheng.yu@...el.com>
Cc: Peter Zijlstra <peterz@...radead.org>, x86@...nel.org,
"H. Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org,
linux-doc@...r.kernel.org, linux-mm@...ck.org,
linux-arch@...r.kernel.org, linux-api@...r.kernel.org,
Arnd Bergmann <arnd@...db.de>,
Balbir Singh <bsingharora@...il.com>,
Borislav Petkov <bp@...en8.de>,
Cyrill Gorcunov <gorcunov@...il.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Eugene Syromiatnikov <esyr@...hat.com>,
Florian Weimer <fweimer@...hat.com>,
"H.J. Lu" <hjl.tools@...il.com>, Jann Horn <jannh@...gle.com>,
Jonathan Corbet <corbet@....net>,
Kees Cook <keescook@...omium.org>,
Mike Kravetz <mike.kravetz@...cle.com>,
Nadav Amit <nadav.amit@...il.com>,
Oleg Nesterov <oleg@...hat.com>, Pavel Machek <pavel@....cz>,
Randy Dunlap <rdunlap@...radead.org>,
"Ravi V. Shankar" <ravi.v.shankar@...el.com>,
Vedvyas Shanbhogue <vedvyas.shanbhogue@...el.com>,
Dave Martin <Dave.Martin@....com>
Subject: Re: [PATCH v7 03/14] x86/cet/ibt: Add IBT legacy code bitmap setup function
> On Jun 7, 2019, at 9:23 AM, Yu-cheng Yu <yu-cheng.yu@...el.com> wrote:
>
>> On Fri, 2019-06-07 at 10:08 +0200, Peter Zijlstra wrote:
>>> On Thu, Jun 06, 2019 at 01:09:15PM -0700, Yu-cheng Yu wrote:
>>> Indirect Branch Tracking (IBT) provides an optional legacy code bitmap
>>> that allows execution of legacy, non-IBT compatible library by an
>>> IBT-enabled application. When set, each bit in the bitmap indicates
>>> one page of legacy code.
>>>
>>> The bitmap is allocated and setup from the application.
>>> +int cet_setup_ibt_bitmap(unsigned long bitmap, unsigned long size)
>>> +{
>>> + u64 r;
>>> +
>>> + if (!current->thread.cet.ibt_enabled)
>>> + return -EINVAL;
>>> +
>>> + if (!PAGE_ALIGNED(bitmap) || (size > TASK_SIZE_MAX))
>>> + return -EINVAL;
>>> +
>>> + current->thread.cet.ibt_bitmap_addr = bitmap;
>>> + current->thread.cet.ibt_bitmap_size = size;
>>> +
>>> + /*
>>> + * Turn on IBT legacy bitmap.
>>> + */
>>> + modify_fpu_regs_begin();
>>> + rdmsrl(MSR_IA32_U_CET, r);
>>> + r |= (MSR_IA32_CET_LEG_IW_EN | bitmap);
>>> + wrmsrl(MSR_IA32_U_CET, r);
>>> + modify_fpu_regs_end();
>>> +
>>> + return 0;
>>> +}
>>
>> So you just program a random user supplied address into the hardware.
>> What happens if there's not actually anything at that address or the
>> user munmap()s the data after doing this?
>
> This function checks the bitmap's alignment and size, and anything else is the
> app's responsibility. What else do you think the kernel should check?
>
One might reasonably wonder why this state is privileged in the first place and, given that, why we’re allowing it to be written like this.
Arguably we should have another prctl to lock these values (until exec) as a gardening measure.
Powered by blists - more mailing lists