| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 May 2021 17:38:29 +0000
From: Sean Christopherson <seanjc@...gle.com>
To: Joerg Roedel <joro@...tes.org>
Cc: x86@...nel.org, Hyunwook Baek <baekhw@...gle.com>,
Joerg Roedel <jroedel@...e.de>, stable@...r.kernel.org,
hpa@...or.com, Andy Lutomirski <luto@...nel.org>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Peter Zijlstra <peterz@...radead.org>,
Jiri Slaby <jslaby@...e.cz>,
Dan Williams <dan.j.williams@...el.com>,
Tom Lendacky <thomas.lendacky@....com>,
Juergen Gross <jgross@...e.com>,
Kees Cook <keescook@...omium.org>,
David Rientjes <rientjes@...gle.com>,
Cfir Cohen <cfir@...gle.com>,
Erdem Aktas <erdemaktas@...gle.com>,
Masami Hiramatsu <mhiramat@...nel.org>,
Mike Stunes <mstunes@...are.com>,
Martin Radev <martin.b.radev@...il.com>,
Arvind Sankar <nivedita@...m.mit.edu>,
linux-coco@...ts.linux.dev, linux-kernel@...r.kernel.org,
kvm@...r.kernel.org, virtualization@...ts.linux-foundation.org
Subject: Re: [PATCH 4/6] Revert "x86/sev-es: Handle string port IO to kernel
memory properly"
On Wed, May 12, 2021, Joerg Roedel wrote:
> From: Joerg Roedel <jroedel@...e.de>
>
> This reverts commit 7024f60d655272bd2ca1d3a4c9e0a63319b1eea1.
>
> The commit reverted here introduces a short-cut into the #VC handlers
> memory access code which only works reliably in task context. But the
> kernels #VC handler can be invoked from any context, making the
> access_ok() call trigger a warning with CONFIG_DEBUG_ATOMIC_SLEEP
> enabled.
>
> Also the memcpy() used in the reverted patch is wrong, as it has no
> page-fault handling. Access to kernel memory can also fault due to
> kernel bugs, and those should not be reported as faults from the #VC
> handler but as bugs of their real call-site, which is correctly later
> done from vc_forward_exception().
The changelog should call out that a previous patch fixed the original bug by
switching to unchecked versions of get/put. Without that, this reads like we're
reverting to even worse behavior.
Alternatively, and probably even better, fold this revert into the switch to
the unchecked version (sounds like those will use kernel-specific flavors?).
> Fixes: 7024f60d6552 ("x86/sev-es: Handle string port IO to kernel memory properly")
> Cc: stable@...r.kernel.org # v5.11
> Signed-off-by: Joerg Roedel <jroedel@...e.de>
> ---
> arch/x86/kernel/sev.c | 12 ------------
> 1 file changed, 12 deletions(-)
>
> diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c
> index 110b39345b40..f4f319004713 100644
> --- a/arch/x86/kernel/sev.c
> +++ b/arch/x86/kernel/sev.c
> @@ -333,12 +333,6 @@ static enum es_result vc_write_mem(struct es_em_ctxt *ctxt,
> u16 d2;
> u8 d1;
>
> - /* If instruction ran in kernel mode and the I/O buffer is in kernel space */
> - if (!user_mode(ctxt->regs) && !access_ok(target, size)) {
> - memcpy(dst, buf, size);
> - return ES_OK;
> - }
> -
> switch (size) {
> case 1:
> memcpy(&d1, buf, 1);
> @@ -388,12 +382,6 @@ static enum es_result vc_read_mem(struct es_em_ctxt *ctxt,
> u16 d2;
> u8 d1;
>
> - /* If instruction ran in kernel mode and the I/O buffer is in kernel space */
> - if (!user_mode(ctxt->regs) && !access_ok(s, size)) {
> - memcpy(buf, src, size);
> - return ES_OK;
> - }
> -
> switch (size) {
> case 1:
> if (__get_user(d1, s))
> --
> 2.31.1
>
Powered by blists - more mailing lists