Message-Id: <20201109112319.264511-21-alexandre.chartre@oracle.com>
Date:   Mon,  9 Nov 2020 12:23:15 +0100
From:   Alexandre Chartre <alexandre.chartre@...cle.com>
To:     "tglx@...utronix.de"@userv0122.oracle.com,
        "mingo@...hat.com"@userv0122.oracle.com,
        "bp@...en8.de"@userv0122.oracle.com,
        "hpa@...or.com"@userv0122.oracle.com,
        "x86@...nel.org"@userv0122.oracle.com,
        "dave.hansen@...ux.intel.com"@userv0122.oracle.com,
        "luto@...nel.org"@userv0122.oracle.com,
        "peterz@...radead.org"@userv0122.oracle.com,
        "linux-kernel@...r.kernel.org"@userv0122.oracle.com,
        "thomas.lendacky@....com"@userv0122.oracle.com,
        "jroedel@...e.de"@userv0122.oracle.com
Cc:     "konrad.wilk@...cle.com"@userv0122.oracle.com,
        "jan.setjeeilers@...cle.com"@userv0122.oracle.com,
        "junaids@...gle.com"@userv0122.oracle.com,
        "oweisse@...gle.com"@userv0122.oracle.com,
        "rppt@...ux.vnet.ibm.com"@userv0122.oracle.com,
        "graf@...zon.de"@userv0122.oracle.com,
        "mgross@...ux.intel.com"@userv0122.oracle.com,
        "kuzuno@...il.com"@userv0122.oracle.com,
        "alexandre.chartre@...cle.com"@userv0122.oracle.com
Subject: [RFC][PATCH 20/24] x86/pti: Execute NMI handler on the kernel stack

After an NMI from userland, the kernel is entered and it switches
the stack to the PTI stack which is mapped both in the kernel and in
the user page-table. When executing the NMI handler, switch to the
kernel stack (which is mapped only in the kernel page-table) so that
no kernel data leaks to userland through the stack.

Signed-off-by: Alexandre Chartre <alexandre.chartre@...cle.com>
---
 arch/x86/kernel/nmi.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
index 4bc77aaf1303..be0f654c3095 100644
--- a/arch/x86/kernel/nmi.c
+++ b/arch/x86/kernel/nmi.c
@@ -506,8 +506,18 @@ DEFINE_IDTENTRY_RAW(exc_nmi)
 
 	inc_irq_stat(__nmi_count);
 
-	if (!ignore_nmis)
-		default_do_nmi(regs);
+	if (!ignore_nmis) {
+		if (user_mode(regs)) {
+			/*
+			 * If we come from userland then we are on the
+			 * trampoline stack, switch to the kernel stack
+			 * to execute the NMI handler.
+			 */
+			run_idt(default_do_nmi, regs);
+		} else {
+			default_do_nmi(regs);
+		}
+	}
 
 	idtentry_exit_nmi(regs, irq_state);
 
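Review bot: run_idt() in the new line `run_idt(default_do_nmi, regs);` is not defined anywhere in this diff, and the commit message does not say which earlier patch in the series introduces it or how it locates the kernel stack, so the message should name that patch (or the helper's file) for reviewers reading this one in isolation. Also, the new comment calls the entry stack the "trampoline stack" while the commit message calls it the "PTI stack"; use one term in both places. Finally, only default_do_nmi() moves: the rest of the exc_nmi() frame, including the ignore_nmis and user_mode(regs) checks and the irq_state later handed to idtentry_exit_nmi(regs, irq_state), still runs on the entry stack, which is fine if intended but worth stating in the message so the scope of what this patch keeps off the shared stack is clear.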
-- 
2.18.4
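
To make the leak the commit message describes concrete, here is an added user-space model in C (example code written for this page, not part of the patch or the kernel): two static byte arrays stand in for the PTI trampoline stack and the kernel stack, ucontext switches between them the way the patched exc_nmi() hands default_do_nmi() off to the kernel stack, and a byte search over the trampoline region afterwards plays the role of a user-mode reader of the shared mapping. Every name in it (model_exc_nmi, model_do_nmi, trampoline_stack_leaks, the SECRET marker) is invented for the model; it assumes Linux/glibc for <ucontext.h> and models only which stack the handler's frame lands on, not page tables.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

/* Constructed user-space model, not kernel code: the two arrays stand in
 * for the PTI trampoline stack (mapped in both page tables in the real
 * kernel) and the kernel stack (mapped only in the kernel page table). */
#define STACK_SIZE (64 * 1024)
static unsigned char trampoline_stack[STACK_SIZE];
static unsigned char kernel_stack[STACK_SIZE];

/* Constructed marker standing in for kernel data the NMI handler spills. */
static const char SECRET[] = "MODEL-KERNEL-SECRET-7f3a";

static ucontext_t main_ctx, entry_ctx, handler_ctx;

/* Model of default_do_nmi(): copies kernel data into a local on whatever
 * stack it happens to run on. noinline keeps the frame one level deeper
 * than the entry frame so the residue is not overwritten on return. */
__attribute__((noinline)) static void model_do_nmi(void)
{
    volatile char local[sizeof SECRET];
    for (size_t i = 0; i < sizeof SECRET; i++)
        local[i] = SECRET[i];   /* volatile: the stores cannot be elided */
    (void)local[0];
}

/* Model of exc_nmi(): always entered on the trampoline stack, like the real
 * entry code. use_kernel_stack selects the patched behaviour. */
static void model_exc_nmi(int use_kernel_stack)
{
    if (use_kernel_stack) {
        /* Patched path: run the handler on the kernel stack and come back. */
        getcontext(&handler_ctx);
        handler_ctx.uc_stack.ss_sp = kernel_stack;
        handler_ctx.uc_stack.ss_size = sizeof kernel_stack;
        handler_ctx.uc_link = &entry_ctx;   /* resume here when the handler returns */
        makecontext(&handler_ctx, model_do_nmi, 0);
        swapcontext(&entry_ctx, &handler_ctx);
    } else {
        /* Unpatched path: the handler frame lands on the trampoline stack. */
        model_do_nmi();
    }
}

/* Byte search without memmem(), so no feature-test macros are needed. */
static int stack_contains(const unsigned char *stack, size_t len, const char *pat)
{
    size_t plen = strlen(pat);
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(stack + i, pat, plen) == 0)
            return 1;
    return 0;
}

/* Deliver one model NMI from "userland" and report whether SECRET was left
 * behind in the trampoline stack (1) or not (0). */
int trampoline_stack_leaks(int use_kernel_stack)
{
    memset(trampoline_stack, 0, sizeof trampoline_stack);
    memset(kernel_stack, 0, sizeof kernel_stack);

    getcontext(&entry_ctx);
    entry_ctx.uc_stack.ss_sp = trampoline_stack;
    entry_ctx.uc_stack.ss_size = sizeof trampoline_stack;
    entry_ctx.uc_link = &main_ctx;
    makecontext(&entry_ctx, (void (*)(void))model_exc_nmi, 1, use_kernel_stack);
    swapcontext(&main_ctx, &entry_ctx);

    return stack_contains(trampoline_stack, sizeof trampoline_stack, SECRET);
}

/* After a run, tells whether the marker ended up on the model kernel stack. */
int kernel_stack_holds_secret(void)
{
    return stack_contains(kernel_stack, sizeof kernel_stack, SECRET);
}

int main(void)
{
    printf("handler on trampoline stack: leaks=%d\n", trampoline_stack_leaks(0));
    printf("handler on kernel stack:     leaks=%d\n", trampoline_stack_leaks(1));
    return 0;
}
```

Built with gcc on Linux, the unpatched path reports leaks=1 because the handler's local copy of the marker remains in the trampoline region after the NMI returns, which is exactly the data a user-page-table mapping of that stack would expose; the patched path reports leaks=0 and the marker is found only in kernel_stack. The entry frame itself still lives on the trampoline stack in both runs, which matches the patch: only the handler body is moved.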
