lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 12 Nov 2019 00:32:11 +0100 (CET)
From:   Thomas Gleixner <tglx@...utronix.de>
To:     zhong jiang <zhongjiang@...wei.com>
cc:     dave.hansen@...ux.intel.com, peterz@...radead.org,
        mingo@...hat.com, luto@...nel.org, bp@...en8.de, hpa@...or.com,
        x86@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH] x86/mm: Mask out unsupported bit when it set
 noexec=off

Zhong,

On Mon, 11 Nov 2019, zhong jiang wrote:

> Commit 510bb96fe5b3 ("x86/mm: Prevent bogus warnings with "noexec=off"")
> use  __supported_pte_mask to replace __default_kernel_pte_mask to mask
> out the unsupported bits. It works when the command line set noexec=off.
> 
> It also seems to works to use __supported_pte_mask instead in native_set_fixmap.

"Seems to work" is really not a good engineering principle and neither a
good rationale WHY this change is correct, which it is not.

> @@ -647,7 +647,7 @@ void native_set_fixmap(unsigned /* enum fixed_addresses */ idx,
>  		       phys_addr_t phys, pgprot_t flags)
>  {
>  	/* Sanitize 'prot' against any unsupported bits: */
> -	pgprot_val(flags) &= __default_kernel_pte_mask;
> +	pgprot_val(flags) &= __supported_pte_mask;
>  
>  	__native_set_fixmap(idx, pfn_pte(phys >> PAGE_SHIFT, flags));
>  }

The commit you mentioned switched __early_set_fixmap() to
__supported_pte_mask because __default_kernel_pte_mask is not yet set up at
that point which caused the following warning:

     attempted to set unsupported pgprot:    8000000000000163
                                  bits:      8000000000000000
                                  supported: 7fffffffffffffff

At this point __default_kernel_pte_mask is still compile time initialized
to ~0UL, i.e. all bits set which allows the NX bit to be set, but it's not
supported according to __supported_pte_mask.

Once __default_kernel_pte_mask is properly runtime initialized to:

     __default_kernel_pte_mask = __supported_pte_mask;

in probe_page_size_mask() there is no reason that subsequent code uses
__supported_pte_mask.

In fact that's just wrong because __default_kernel_pte_mask can have extra
bits cleared during runtime initialization, e.g.:

        /* Except when with PTI where the kernel is mostly non-Global: */
        if (cpu_feature_enabled(X86_FEATURE_PTI))
                __default_kernel_pte_mask &= ~_PAGE_GLOBAL;

So your change "works", but subtly breaks PTI protections.

Please be more careful next time and really analyse why your change is
correct and provide this analysis in the changelog.

Thanks,

	tglx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ