| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 17 Aug 2021 11:33:28 -0700
From: "Yu, Yu-cheng" <yu-cheng.yu@...el.com>
To: Borislav Petkov <bp@...en8.de>
CC: <x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, <linux-kernel@...r.kernel.org>,
<linux-doc@...r.kernel.org>, <linux-mm@...ck.org>,
<linux-arch@...r.kernel.org>, <linux-api@...r.kernel.org>,
Arnd Bergmann <arnd@...db.de>,
Andy Lutomirski <luto@...nel.org>,
Balbir Singh <bsingharora@...il.com>,
Cyrill Gorcunov <gorcunov@...il.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"Eugene Syromiatnikov" <esyr@...hat.com>,
Florian Weimer <fweimer@...hat.com>,
"H.J. Lu" <hjl.tools@...il.com>, Jann Horn <jannh@...gle.com>,
Jonathan Corbet <corbet@....net>,
Kees Cook <keescook@...omium.org>,
Mike Kravetz <mike.kravetz@...cle.com>,
Nadav Amit <nadav.amit@...il.com>,
Oleg Nesterov <oleg@...hat.com>, Pavel Machek <pavel@....cz>,
Peter Zijlstra <peterz@...radead.org>,
Randy Dunlap <rdunlap@...radead.org>,
"Ravi V. Shankar" <ravi.v.shankar@...el.com>,
Dave Martin <Dave.Martin@....com>,
Weijiang Yang <weijiang.yang@...el.com>,
Pengfei Xu <pengfei.xu@...el.com>,
Haitao Huang <haitao.huang@...el.com>,
Rick P Edgecombe <rick.p.edgecombe@...el.com>,
"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>
Subject: Re: [PATCH v28 12/32] x86/mm: Update ptep_set_wrprotect() and
pmdp_set_wrprotect() for transition from _PAGE_DIRTY to _PAGE_COW
On 8/16/2021 9:01 AM, Borislav Petkov wrote:
> On Thu, Jul 22, 2021 at 01:51:59PM -0700, Yu-cheng Yu wrote:
>> When Shadow Stack is introduced, [R/O + _PAGE_DIRTY] PTE is reserved for
>> shadow stack. Copy-on-write PTEs have [R/O + _PAGE_COW].
>>
>> When a PTE goes from [R/W + _PAGE_DIRTY] to [R/O + _PAGE_COW], it could
>> become a transient shadow stack PTE in two cases:
>>
>> The first case is that some processors can start a write but end up seeing
>> a read-only PTE by the time they get to the Dirty bit, creating a transient
>> shadow stack PTE. However, this will not occur on processors supporting
>> Shadow Stack, and a TLB flush is not necessary.
>>
>> The second case is that when _PAGE_DIRTY is replaced with _PAGE_COW non-
>> atomically, a transient shadow stack PTE can be created as a result.
>> Thus, prevent that with cmpxchg.
>>
>> Dave Hansen, Jann Horn, Andy Lutomirski, and Peter Zijlstra provided many
>> insights to the issue. Jann Horn provided the cmpxchg solution.
>>
>> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@...el.com>
>> Reviewed-by: Kees Cook <keescook@...omium.org>
>> Reviewed-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
>> ---
>> arch/x86/include/asm/pgtable.h | 36 ++++++++++++++++++++++++++++++++++
>> 1 file changed, 36 insertions(+)
>>
>> diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
>> index cf7316e968df..df4ce715560a 100644
>> --- a/arch/x86/include/asm/pgtable.h
>> +++ b/arch/x86/include/asm/pgtable.h
>> @@ -1278,6 +1278,24 @@ static inline pte_t ptep_get_and_clear_full(struct mm_struct *mm,
>> static inline void ptep_set_wrprotect(struct mm_struct *mm,
>> unsigned long addr, pte_t *ptep)
>> {
>> + /*
>> + * If Shadow Stack is enabled, pte_wrprotect() moves _PAGE_DIRTY
>> + * to _PAGE_COW (see comments at pte_wrprotect()).
>> + * When a thread reads a RW=1, Dirty=0 PTE and before changing it
>> + * to RW=0, Dirty=0, another thread could have written to the page
>> + * and the PTE is RW=1, Dirty=1 now. Use try_cmpxchg() to detect
>> + * PTE changes and update old_pte, then try again.
>> + */
>> + if (cpu_feature_enabled(X86_FEATURE_SHSTK)) {
>> + pte_t old_pte, new_pte;
>> +
>> + old_pte = READ_ONCE(*ptep);
>> + do {
>> + new_pte = pte_wrprotect(old_pte);
>> + } while (!try_cmpxchg(&ptep->pte, &old_pte.pte, new_pte.pte));
>> +
>> + return;
>> + }
>> clear_bit(_PAGE_BIT_RW, (unsigned long *)&ptep->pte);
>> }
>>
>> @@ -1322,6 +1340,24 @@ static inline pud_t pudp_huge_get_and_clear(struct mm_struct *mm,
>> static inline void pmdp_set_wrprotect(struct mm_struct *mm,
>> unsigned long addr, pmd_t *pmdp)
>> {
>> + /*
>> + * If Shadow Stack is enabled, pmd_wrprotect() moves _PAGE_DIRTY
>> + * to _PAGE_COW (see comments at pmd_wrprotect()).
>> + * When a thread reads a RW=1, Dirty=0 PMD and before changing it
>> + * to RW=0, Dirty=0, another thread could have written to the page
>> + * and the PMD is RW=1, Dirty=1 now. Use try_cmpxchg() to detect
>> + * PMD changes and update old_pmd, then try again.
>> + */
>> + if (cpu_feature_enabled(X86_FEATURE_SHSTK)) {
>> + pmd_t old_pmd, new_pmd;
>> +
>> + old_pmd = READ_ONCE(*pmdp);
>> + do {
>> + new_pmd = pmd_wrprotect(old_pmd);
>> + } while (!try_cmpxchg((pmdval_t *)pmdp, (pmdval_t *)&old_pmd, pmd_val(new_pmd)));
>
> Why is that try_cmpxchg() call doing casting to its operands instead of
> like the pte one above?
>
> I.e., why aren't you doing here the same thing as above:
>
> ...
> } while (!try_cmpxchg(&pmdp->pmd, &old_pmd.pmd, new_pmd.pmd));
>
> ?
If !(CONFIG_PGTABLE_LEVELS > 2), we don't have pmd_t.pmd.
>
> Thx.
>
Powered by blists - more mailing lists