| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200229114919.1abcacc4@p-imbrenda>
Date: Sat, 29 Feb 2020 11:49:19 +0100
From: Claudio Imbrenda <imbrenda@...ux.ibm.com>
To: John Hubbard <jhubbard@...dia.com>
Cc: Christian Borntraeger <borntraeger@...ibm.com>,
<linux-next@...r.kernel.org>, <akpm@...ux-foundation.org>,
<david@...hat.com>, <aarcange@...hat.com>, <linux-mm@...ck.org>,
<frankja@...ux.ibm.com>, <sfr@...b.auug.org.au>,
<linux-kernel@...r.kernel.org>, <linux-s390@...r.kernel.org>,
Will Deacon <will@...nel.org>
Subject: Re: [RFC v1 2/2] mm/gup/writeback: add callbacks for inaccessible
pages
On Fri, 28 Feb 2020 16:08:23 -0800
John Hubbard <jhubbard@...dia.com> wrote:
> On 2/28/20 8:08 AM, Christian Borntraeger wrote:
> > Andrew,
> >
> > while patch 1 is a fixup for the FOLL_PIN work in your patch queue,
> > I would really love to see this patch in 5.7. The exploitation code
> > of kvm/s390 is in Linux next also scheduled for 5.7.
> >
> > Christian
> >
> > On 28.02.20 16:43, Claudio Imbrenda wrote:
> >> With the introduction of protected KVM guests on s390 there is now
> >> a concept of inaccessible pages. These pages need to be made
> >> accessible before the host can access them.
> >>
> >> While cpu accesses will trigger a fault that can be resolved, I/O
> >> accesses will just fail. We need to add a callback into
> >> architecture code for places that will do I/O, namely when
> >> writeback is started or when a page reference is taken.
> >>
> >> This is not only to enable paging, file backing etc, it is also
> >> necessary to protect the host against a malicious user space. For
> >> example a bad QEMU could simply start direct I/O on such protected
> >> memory. We do not want userspace to be able to trigger I/O errors
> >> and thus we the logic is "whenever somebody accesses that page
> >> (gup) or
>
>
> I actually kind of like the sound of that: "We the logic of the
> kernel, in order to form a more perfect computer..." :)
>
> Probably this wording is what you want, though:
>
> "thus the logic is "whenever somebody (gup) accesses that page or"
>
>
> ...
> >> @@ -458,7 +457,6 @@ static struct page *follow_page_pte(struct
> >> vm_area_struct *vma, }
> >>
> >> if (flags & FOLL_SPLIT && PageTransCompound(page)) {
> >> - int ret;
> >> get_page(page);
> >> pte_unmap_unlock(ptep, ptl);
> >> lock_page(page);
> >> @@ -475,6 +473,14 @@ static struct page *follow_page_pte(struct
> >> vm_area_struct *vma, page = ERR_PTR(-ENOMEM);
> >> goto out;
> >> }
> >> + if (flags & FOLL_PIN) {
>
>
> What about FOLL_GET? Unless your calling code has some sort of
> BUG_ON(flags & FOLL_GET), I'm not sure it's a good idea to leave that
> case unhandled.
if I understood the semantics of FOLL_PIN correctly, then we don't need
to make the page accessible for FOLL_GET. FOLL_PIN indicates intent to
access the content of the page, whereas FOLL_GET is only for the struct
page.
if we are not touching the content of the page, there is no need to
make it accessible
> >> + ret = arch_make_page_accessible(page);
> >> + if (ret) {
> >> + unpin_user_page(page);
> >> + page = ERR_PTR(ret);
> >> + goto out;
> >> + }
> >> + }
> >> if (flags & FOLL_TOUCH) {
> >> if ((flags & FOLL_WRITE) &&
> >> !pte_dirty(pte) && !PageDirty(page))
> >> @@ -2143,6 +2149,13 @@ static int gup_pte_range(pmd_t pmd,
> >> unsigned long addr, unsigned long end,
> >> VM_BUG_ON_PAGE(compound_head(page) != head, page);
> >>
> >> + if (flags & FOLL_PIN) {
> >> + ret = arch_make_page_accessible(page);
> >> + if (ret) {
> >> + unpin_user_page(page);
>
>
> Same concern as above, about leaving FOLL_GET unhandled.
and same answer as above :)
Powered by blists - more mailing lists