| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJhGHyA1FNtZM9SM=yR9YqUpju81NkeW0jN-UJ9fMNhTjsQhVQ@mail.gmail.com>
Date: Sat, 9 May 2020 17:00:08 +0800
From: Lai Jiangshan <jiangshanlai+lkml@...il.com>
To: Thomas Gleixner <tglx@...utronix.de>
Cc: LKML <linux-kernel@...r.kernel.org>, x86@...nel.org,
"Paul E. McKenney" <paulmck@...nel.org>,
Andy Lutomirski <luto@...nel.org>,
Alexandre Chartre <alexandre.chartre@...cle.com>,
Frederic Weisbecker <frederic@...nel.org>,
Paolo Bonzini <pbonzini@...hat.com>,
Sean Christopherson <sean.j.christopherson@...el.com>,
Masami Hiramatsu <mhiramat@...nel.org>,
Petr Mladek <pmladek@...e.com>,
Steven Rostedt <rostedt@...dmis.org>,
Joel Fernandes <joel@...lfernandes.org>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Juergen Gross <jgross@...e.com>,
Brian Gerst <brgerst@...il.com>,
Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
Josh Poimboeuf <jpoimboe@...hat.com>,
Will Deacon <will@...nel.org>,
"Peter Zijlstra (Intel)" <peterz@...radead.org>
Subject: Re: [patch V4 part 1 02/36] x86/hw_breakpoint: Prevent data
breakpoints on cpu_entry_area
On Tue, May 5, 2020 at 10:15 PM Thomas Gleixner <tglx@...utronix.de> wrote:
>
> From: Andy Lutomirski <luto@...nel.org>
>
> A data breakpoint near the top of an IST stack will cause unresoverable
> recursion. A data breakpoint on the GDT, IDT, or TSS is terrifying.
> Prevent either of these from happening.
>
> Co-developed-by: Peter Zijlstra <peterz@...radead.org>
> Signed-off-by: Andy Lutomirski <luto@...nel.org>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org>
> Signed-off-by: Thomas Gleixner <tglx@...utronix.de>
> ---
> arch/x86/kernel/hw_breakpoint.c | 25 +++++++++++++++++++++++++
> 1 file changed, 25 insertions(+)
>
> --- a/arch/x86/kernel/hw_breakpoint.c
> +++ b/arch/x86/kernel/hw_breakpoint.c
> @@ -227,10 +227,35 @@ int arch_check_bp_in_kernelspace(struct
> return (va >= TASK_SIZE_MAX) || ((va + len - 1) >= TASK_SIZE_MAX);
> }
>
> +/*
> + * Checks whether the range from addr to end, inclusive, overlaps the CPU
> + * entry area range.
> + */
> +static inline bool within_cpu_entry_area(unsigned long addr, unsigned long end)
> +{
> + return end >= CPU_ENTRY_AREA_PER_CPU &&
> + addr < (CPU_ENTRY_AREA_PER_CPU + CPU_ENTRY_AREA_TOTAL_SIZE);
> +}
Hello
These two lines:
s/CPU_ENTRY_AREA_PER_CPU/CPU_ENTRY_AREA_BASE/g
or
s/CPU_ENTRY_AREA_PER_CPU/CPU_ENTRY_AREA_RO_IDT/g
or otherwise the RO_IDT is not being protected.
sees:
#define CPU_ENTRY_AREA_PER_CPU (CPU_ENTRY_AREA_RO_IDT + PAGE_SIZE)
#define CPU_ENTRY_AREA_TOTAL_SIZE (CPU_ENTRY_AREA_ARRAY_SIZE + PAGE_SIZE)
^ sizeof PER_CPU ^ RO_IDT
Reviewed-by: Lai Jiangshan <jiangshanlai@...il.com>
> +
> static int arch_build_bp_info(struct perf_event *bp,
> const struct perf_event_attr *attr,
> struct arch_hw_breakpoint *hw)
> {
> + unsigned long bp_end;
> +
> + bp_end = attr->bp_addr + attr->bp_len - 1;
> + if (bp_end < attr->bp_addr)
> + return -EINVAL;
> +
> + /*
> + * Prevent any breakpoint of any type that overlaps the
> + * cpu_entry_area. This protects the IST stacks and also
> + * reduces the chance that we ever find out what happens if
> + * there's a data breakpoint on the GDT, IDT, or TSS.
> + */
> + if (within_cpu_entry_area(attr->bp_addr, bp_end))
> + return -EINVAL;
> +
> hw->address = attr->bp_addr;
> hw->mask = 0;
>
>
Powered by blists - more mailing lists