| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZQtYFAA9vD7gJM1t@google.com>
Date: Wed, 20 Sep 2023 13:37:40 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: Adam Dunlap <acdunlap@...gle.com>
Cc: linux-kernel@...r.kernel.org, x86@...nel.org,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"H. Peter Anvin" <hpa@...or.com>,
Andy Lutomirski <luto@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Kim Phillips <kim.phillips@....com>,
Juergen Gross <jgross@...e.com>,
Ashok Raj <ashok.raj@...el.com>,
Joerg Roedel <jroedel@...e.de>,
Tom Lendacky <thomas.lendacky@....com>,
David Hildenbrand <david@...hat.com>,
Mike Rapoport <rppt@...nel.org>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Nikunj A Dadhania <nikunj@....com>,
Dionna Glaze <dionnaglaze@...gle.com>,
Peter Gonda <pgonda@...gle.com>,
David Rientjes <rientjes@...gle.com>,
Khalid ElMously <khalid.elmously@...onical.com>,
Jacob Xu <jacobhxu@...gle.com>
Subject: Re: [PATCH v2 1/2] x86/sev-es: Allow copy_from_kernel_nofault in
earlier boot
On Mon, Sep 11, 2023, Adam Dunlap wrote:
> Previously, if copy_from_kernel_nofault was called before
> boot_cpu_data.x86_virt_bits was set up, then it would trigger undefined
> behavior due to a shift by 64. This ended up causing boot failures in
> the latest version of ubuntu2204 in the gcp project when using SEV-SNP.
> Specifically, this function is called during an early #VC handler which
> is triggered by a cpuid to check if nx is implemented.
Why not stuff boot_cpu_data.x86_virt_bits to a "default" value that is guaranteed
to be accurate (or at least safe) for the purposes of the early boot code. I.e.
set it to 48 for 64-bit kernels.
That'd avoid the extra conditional, and would avoid laying whack-a-mole with
anything else that consumes x86_virt_bits.
> Fixes: 1aa9aa8ee517 ("x86/sev-es: Setup GHCB-based boot #VC handler")
> Suggested-by: Dave Hansen <dave.hansen@...ux.intel.com>
> Signed-off-by: Adam Dunlap <acdunlap@...gle.com>
> ---
> arch/x86/mm/maccess.c | 19 ++++++++++++++-----
> 1 file changed, 14 insertions(+), 5 deletions(-)
>
> diff --git a/arch/x86/mm/maccess.c b/arch/x86/mm/maccess.c
> index 5a53c2cc169c..6993f026adec 100644
> --- a/arch/x86/mm/maccess.c
> +++ b/arch/x86/mm/maccess.c
> @@ -9,12 +9,21 @@ bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
> unsigned long vaddr = (unsigned long)unsafe_src;
>
> /*
> - * Range covering the highest possible canonical userspace address
> - * as well as non-canonical address range. For the canonical range
> - * we also need to include the userspace guard page.
> + * Do not allow userspace addresses. This disallows
> + * normal userspace and the userspace guard page:
> */
> - return vaddr >= TASK_SIZE_MAX + PAGE_SIZE &&
> - __is_canonical_address(vaddr, boot_cpu_data.x86_virt_bits);
> + if (vaddr < TASK_SIZE_MAX + PAGE_SIZE)
> + return false;
> +
> + /*
> + * Allow everything during early boot before 'x86_virt_bits'
> + * is initialized. Needed for instruction decoding in early
> + * exception handlers.
> + */
> + if (!boot_cpu_data.x86_virt_bits)
> + return true;
> +
> + return __is_canonical_address(vaddr, boot_cpu_data.x86_virt_bits);
> }
> #else
> bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
> --
> 2.42.0.283.g2d96d420d3-goog
>
Powered by blists - more mailing lists