| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <453fb432-ac13-4819-8395-95561bca948b@www.fastmail.com>
Date: Sat, 13 Aug 2022 09:03:13 -0700
From: "Andy Lutomirski" <luto@...nel.org>
To: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>
Cc: "Borislav Petkov" <bp@...en8.de>,
"Sean Christopherson" <seanjc@...gle.com>,
"Andrew Morton" <akpm@...ux-foundation.org>,
"Joerg Roedel" <jroedel@...e.de>,
"Ard Biesheuvel" <ardb@...nel.org>,
"Andi Kleen" <ak@...ux.intel.com>,
"Sathyanarayanan Kuppuswamy"
<sathyanarayanan.kuppuswamy@...ux.intel.com>,
"David Rientjes" <rientjes@...gle.com>,
"Vlastimil Babka" <vbabka@...e.cz>,
"Tom Lendacky" <thomas.lendacky@....com>,
"Thomas Gleixner" <tglx@...utronix.de>,
"Peter Zijlstra (Intel)" <peterz@...radead.org>,
"Paolo Bonzini" <pbonzini@...hat.com>,
"Ingo Molnar" <mingo@...hat.com>,
"Varad Gautam" <varad.gautam@...e.com>,
"Dario Faggioli" <dfaggioli@...e.com>,
"Dave Hansen" <dave.hansen@...el.com>,
"Mike Rapoport" <rppt@...nel.org>,
"David Hildenbrand" <david@...hat.com>,
"Marcelo Henrique Cerri" <marcelo.cerri@...onical.com>,
tim.gardner@...onical.com, khalid.elmously@...onical.com,
philip.cox@...onical.com,
"the arch/x86 maintainers" <x86@...nel.org>, linux-mm@...ck.org,
linux-coco@...ts.linux.dev, linux-efi@...r.kernel.org,
"Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCHv7 10/14] x86/mm: Avoid load_unaligned_zeropad() stepping into
unaccepted memory
On Tue, Aug 9, 2022, at 4:38 AM, Kirill A. Shutemov wrote:
> On Tue, Jul 26, 2022 at 01:17:13PM -0700, Andy Lutomirski wrote:
>>
>>
>> On Tue, Jun 14, 2022, at 5:02 AM, Kirill A. Shutemov wrote:
>> > load_unaligned_zeropad() can lead to unwanted loads across page boundaries.
>> > The unwanted loads are typically harmless. But, they might be made to
>> > totally unrelated or even unmapped memory. load_unaligned_zeropad()
>> > relies on exception fixup (#PF, #GP and now #VE) to recover from these
>> > unwanted loads.
>> >
>> > But, this approach does not work for unaccepted memory. For TDX, a load
>> > from unaccepted memory will not lead to a recoverable exception within
>> > the guest. The guest will exit to the VMM where the only recourse is to
>> > terminate the guest.
>>
>> Why is unaccepted memory marked present in the direct map in the first place?
>>
>> Having kernel code assume that every valid address is followed by
>> several bytes of memory that may be read without side effects other than
>> #PF also seems like a mistake, but I probably won’t win that fight. But
>> sticking guard pages in front of definitely-not-logically present pages
>> seems silly to me. Let’s just not map it.
>
> It would mean no 1G pages in direct mapping for TDX as we accept 2M a
> time.
>
>> (What if MMIO memory is mapped next to regular memory? Doing random
>> unaligned reads that cross into MMIO seems unwise.)
>
> MMIO is shared, not unaccpted private. We already handle the situation.
> See 1e7769653b06 ("x86/tdx: Handle load_unaligned_zeropad() page-cross to
> a shared page").
>
I don’t mean in a confidential guest — I mean generally. This whole model of “overrun the buffer — no big deal” is just fragile.
> --
> Kiryl Shutsemau / Kirill A. Shutemov
Powered by blists - more mailing lists