lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <202205101504.5B5C693F7C@keescook>
Date:   Tue, 10 May 2022 15:08:56 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Ira Weiny <ira.weiny@...el.com>
Cc:     Dave Hansen <dave.hansen@...ux.intel.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Dan Williams <dan.j.williams@...el.com>,
        Fenghua Yu <fenghua.yu@...el.com>,
        Rick Edgecombe <rick.p.edgecombe@...el.com>,
        "Shankar, Ravi V" <ravi.v.shankar@...el.com>,
        linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH V10 14/44] mm/pkeys: Introduce pks_set_readwrite()

On Tue, May 10, 2022 at 02:33:03PM -0700, Ira Weiny wrote:
> On Mon, May 09, 2022 at 02:38:38PM -0700, Kees Cook wrote:
> > [...]
> > Better yet would be:
> > 
> > 	preempt_disable();
> > 	rdmsrl(MSR_IA32_PKRS, pkrs);
> > 	pkrs = pkey_update_pkval(pkrs, pkey, protection);
> > 	pks_write_pkrs(pkrs);
> > 	current->thread.pkrs = pkrs;
> > 	preempt_enable();
> > 
> > Then cross-thread attacks cannot corrupt the _other_ PKS keys (i.e.
> > write the desired changes to target's current->thread.kprs and trigger
> > an update to a different pkey, resulting in flushing the attacker's
> > changes to that CPU's pkey state.
> 
> Unfortunately I don't think this entirely prevents an attack through the
> thread.pkrs value.  thread.pkrs has to be used to set the MSR when a thread is
> scheduled.  Therefore the rdmsrl above will by definition pick up the
> thread.pkrs but from an earlier time.

Ooh, good point, yeah.

> I'm not opposed to doing this as I think it does reduce the time window of such
> an attack but I wanted to mention it.  Especially since I specifically avoided
> ever reading the MSR to improve performance.
> 
> I'm going to run some tests.  Perhaps the MSR read is not that big of a deal
> and I can convince myself that the performance diff is negligible.

Yeah, given "loaded at scheduling" point, there's not much benefit in
read/write pair. I think my first suggestion about only writing to
thread.pkrs after the write, etc, still stands. I'll ponder this a bit
more.

> > While adding these, can you please also add pks_set_nowrite()? This
> > will be needed for protecting writes to memory that should be otherwise
> > readable.
> 
> I have a patch to add pks_set_readonly() but I was advised to not send it
> because this series does not include a use case for it.  (PMEM does not need
> it.)
> 
> Dave, Dan?  Are you ok adding that back?
> 
> Kees would you prefer pks_set_nowrite() as a name?

I think nowrite is the better name (in the sense that "read-only" can
sometimes imply non-executable).

> > 
> > With these changes it should be possible to protect the kernel's page
> > table entries from "stray" writes. :)
> 
> Yes, Rick has done some great work in that area.

Oh! I would _love_ to see this series. I was trying to scope the work
yesterday but gave up after I couldn't figure out the qemu PKS trick. :)

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ