| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <34dd023d-3ed5-4655-88be-14a7a300b91e@intel.com> Date: Tue, 29 Oct 2024 15:52:56 -0700 From: Dave Hansen <dave.hansen@...el.com> To: "Luck, Tony" <tony.luck@...el.com>, "Mehta, Sohil" <sohil.mehta@...el.com>, Alexander Shishkin <alexander.shishkin@...ux.intel.com>, Andy Lutomirski <luto@...nel.org>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, "x86@...nel.org" <x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>, Peter Zijlstra <peterz@...radead.org>, Ard Biesheuvel <ardb@...nel.org>, "Paul E. McKenney" <paulmck@...nel.org>, Josh Poimboeuf <jpoimboe@...nel.org>, Xiongwei Song <xiongwei.song@...driver.com>, "Li, Xin3" <xin3.li@...el.com>, "Mike Rapoport (IBM)" <rppt@...nel.org>, Brijesh Singh <brijesh.singh@....com>, Michael Roth <michael.roth@....com>, "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>, Alexey Kardashevskiy <aik@....com> Cc: Jonathan Corbet <corbet@....net>, Ingo Molnar <mingo@...nel.org>, Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>, Daniel Sneddon <daniel.sneddon@...ux.intel.com>, "Huang, Kai" <kai.huang@...el.com>, Sandipan Das <sandipan.das@....com>, Breno Leitao <leitao@...ian.org>, "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>, Alexei Starovoitov <ast@...nel.org>, Hou Tao <houtao1@...wei.com>, Juergen Gross <jgross@...e.com>, Vegard Nossum <vegard.nossum@...cle.com>, Kees Cook <kees@...nel.org>, Eric Biggers <ebiggers@...gle.com>, Jason Gunthorpe <jgg@...pe.ca>, "Masami Hiramatsu (Google)" <mhiramat@...nel.org>, Andrew Morton <akpm@...ux-foundation.org>, Luis Chamberlain <mcgrof@...nel.org>, Yuntao Wang <ytcoode@...il.com>, Rasmus Villemoes <linux@...musvillemoes.dk>, Christophe Leroy <christophe.leroy@...roup.eu>, Tejun Heo <tj@...nel.org>, Changbin Du <changbin.du@...wei.com>, Huang Shijie <shijie@...amperecomputing.com>, Geert Uytterhoeven <geert+renesas@...der.be>, Namhyung Kim <namhyung@...nel.org>, Arnaldo Carvalho de Melo <acme@...hat.com>, "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org> Subject: Re: [PATCH v5 05/16] x86/cpu: Defer CR pinning setup until after EFI initialization On 10/29/24 15:26, Luck, Tony wrote: >> /* >> * This needs to follow the FPU initializtion, since EFI depends on it. >> + * It also needs to precede the CR pinning setup, because we need to be >> + * able to temporarily clear the CR4.LASS bit in order to execute the >> + * set_virtual_address_map call, which resides in lower addresses and >> + * would trip LASS if enabled. >> */ > > Why are the temporary mappings used to patch kernel code in the lower half > of the virtual address space? I was just asking myself the same thing. The upper half is always mapped uniformly. When you create an MM you copy the 256->511th pgd entries verbatim from the init_mm's pgd. If you map something the <=255th pgd entry, it isn't (by default) visible to other mm's. That's why a new mm also tends to get you a new process. > But couldn't we map into upper half and do some/all of: > > 1) Trust that there aren't stupid bugs that dereference random pointers into the > temporary mapping? > 2) Make a "this CPU only" mapping > 3) Avoid preemption while patching so there is no need for TLB shootdown > by other CPUs when the temporary mapping is torn down, just flush local TLB. It's about enforcing R^X semantics. We should limit the time and scope where mappings have some data both writeable and executable. If we poke text in the upper half of the address space, any kernel thread might be exploited to write to what will soon be executable. If we do it in the lower half in its own mm, you have to compromise the thread doing the text poking after the mapping is created but before it is invalidated. With LASS you *ALSO* need to do it in the STAC/CLAC window which is smaller than the window when the TLB is valid. *IF* we switched things to do text poking in the upper half of the address space, we'd probably want to find a completely unused PGD entry. I'm not sure off the top of my head if we have a good one for that or if it's worth the trouble.
Powered by blists - more mailing lists