| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20191111220314.519933535@linutronix.de>
Date: Mon, 11 Nov 2019 23:03:14 +0100
From: Thomas Gleixner <tglx@...utronix.de>
To: LKML <linux-kernel@...r.kernel.org>
Cc: x86@...nel.org, Linus Torvalds <torvalds@...uxfoundation.org>,
Andy Lutomirski <luto@...nel.org>,
Stephen Hemminger <stephen@...workplumber.org>,
Willy Tarreau <w@....eu>, Juergen Gross <jgross@...e.com>,
Sean Christopherson <sean.j.christopherson@...el.com>,
"H. Peter Anvin" <hpa@...or.com>
Subject: [patch V2 00/16] x86/iopl: Prevent user space from using CLI/STI with
iopl(3)
This is the second version of the attempt to confine the unwanted side
effects of iopl(). The first version of this series can be found here:
https://lore.kernel.org/r/20191106193459.581614484@linutronix.de
The V1 cover letter also contains a longer variant of the
background. Summary:
iopl(level = 3) enables aside of access to all 65536 I/O ports also the
usage of CLI/STI in user space.
Disabling interrupts in user space can lead to system lockups and breaks
assumptions in the kernel that userspace always runs with interrupts
enabled.
iopl() is often preferred over ioperm() as it avoids the overhead of
copying the tasks I/O bitmap to the TSS bitmap on context switch. This
overhead can be avoided by providing a all zeroes bitmap in the TSS and
switching the TSS bitmap offset to this permit all IO bitmap. It's
marginally slower than iopl() which is a one time setup, but prevents the
usage of CLI/STI in user space.
The changes vs. V1:
- Fix the reported fallout on 32bit (0-day/Ingo)
- Implement a sequence count based conditional update (Linus)
- Drop the copy optimization
- Move the bitmap copying out of the context switch into the exit to
user mode machinery. The context switch merely invalidates the TSS
bitmap offset when a task using an I/O bitmap gets scheduled out.
- Move all bitmap information into a data structure to avoid adding
more fields to thread_struct.
- Add a refcount so the potentially pointless duplication of the bitmap
at fork can be avoided.
- Better sharing of update functions (Andy)
- More updates to self tests to verify the share/unshare mechanism and
the restore of an I/O bitmap when iopl() permissions are dropped.
- Pick up a few acked/reviewed-by tags as applicable
The series is also available from git:
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git WIP.x86/iopl
Thanks,
tglx
---
arch/x86/Kconfig | 26 ++++
arch/x86/entry/common.c | 4
arch/x86/include/asm/iobitmap.h | 25 ++++
arch/x86/include/asm/paravirt.h | 4
arch/x86/include/asm/paravirt_types.h | 2
arch/x86/include/asm/pgtable_32_types.h | 2
arch/x86/include/asm/processor.h | 97 +++++++++-------
arch/x86/include/asm/ptrace.h | 6
arch/x86/include/asm/switch_to.h | 10 +
arch/x86/include/asm/xen/hypervisor.h | 2
arch/x86/kernel/cpu/common.c | 175 +++++++++++-----------------
arch/x86/kernel/doublefault.c | 2
arch/x86/kernel/ioport.c | 176 ++++++++++++++++++-----------
arch/x86/kernel/paravirt.c | 2
arch/x86/kernel/process.c | 194 +++++++++++++++++++++++++-------
arch/x86/kernel/process_32.c | 77 ------------
arch/x86/kernel/process_64.c | 86 --------------
arch/x86/kernel/ptrace.c | 12 +
arch/x86/kvm/vmx/vmx.c | 8 -
arch/x86/mm/cpu_entry_area.c | 8 +
arch/x86/xen/enlighten_pv.c | 10 -
tools/testing/selftests/x86/ioperm.c | 16 ++
tools/testing/selftests/x86/iopl.c | 129 +++++++++++++++++++--
23 files changed, 614 insertions(+), 459 deletions(-)
Powered by blists - more mailing lists