Message-Id: <20250527-x86-overbroad-invlpgb-v1-1-64ca98aa2a3a@google.com>
Date: Tue, 27 May 2025 23:56:42 +0200
From: Jann Horn <jannh@...gle.com>
To: Rik van Riel <riel@...riel.com>, Borislav Petkov <bp@...en8.de>, 
 Ingo Molnar <mingo@...nel.org>, Dave Hansen <dave.hansen@...ux.intel.com>, 
 Andy Lutomirski <luto@...nel.org>, Peter Zijlstra <peterz@...radead.org>
Cc: linux-kernel@...r.kernel.org, Jann Horn <jannh@...gle.com>
Subject: [PATCH] x86/mm: Limit INVLPGB to VA in invlpgb_flush_addr_nosync()

The intent of invlpgb_flush_addr_nosync() is to flush a specific virtual
address range, but INVLPGB_FLAG_VA is not set.
If I understand AMD's documentation correctly, this means this will flush
the entire TLB (except entries for guest ASIDs).
That's safe, but seems like an unintentionally broad flush.
Fix it by setting INVLPGB_FLAG_VA.

Fixes: b7aa05cbdc52 ("x86/mm: Add INVLPGB support code")
Signed-off-by: Jann Horn <jannh@...gle.com>
---
I am not entirely sure about this; Rik, can you confirm if this was an
oversight, or if there's actually a reason for not passing
INVLPGB_FLAG_VA here?
I feel a bit uncomfortable touching TLB flushing and narrowing a flush
there...
---
 arch/x86/include/asm/tlb.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/tlb.h b/arch/x86/include/asm/tlb.h
index 866ea78ba156..e257201a141a 100644
--- a/arch/x86/include/asm/tlb.h
+++ b/arch/x86/include/asm/tlb.h
@@ -153,7 +153,8 @@ static inline void invlpgb_flush_all(void)
 /* Flush addr, including globals, for all PCIDs. */
 static inline void invlpgb_flush_addr_nosync(unsigned long addr, u16 nr)
 {
-	__invlpgb(0, 0, addr, nr, PTE_STRIDE, INVLPGB_FLAG_INCLUDE_GLOBAL);
+	__invlpgb(0, 0, addr, nr, PTE_STRIDE,
+			INVLPGB_FLAG_VA | INVLPGB_FLAG_INCLUDE_GLOBAL);
 }
 
 /* Flush all mappings for all PCIDs except globals. */
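Review bot: the continuation line of the new call, `+			INVLPGB_FLAG_VA | INVLPGB_FLAG_INCLUDE_GLOBAL);`, is indented with tabs rather than aligned under the opening parenthesis of `__invlpgb(`, which `checkpatch.pl --strict` flags as "Alignment should match open parenthesis"; since narrowing the flag set is the entire fix, it would also help to extend the comment above the function (`/* Flush addr, including globals, for all PCIDs. */`) to say that the flush covers `nr` pages from `addr` at `PTE_STRIDE`, so a reader can see the comment and the flag bits now agree without decoding them.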

---
base-commit: b1456f6dc167f7f101746e495bede2bac3d0e19f
change-id: 20250527-x86-overbroad-invlpgb-34f903c9e2b3

-- 
Jann Horn <jannh@...gle.com>
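The difference the patch makes is easiest to see in a small model. The C below is an added example, not code from the kernel or from this patch: it does not execute INVLPGB, and the flag bit positions, the TLB layout and the sample entries are assumptions made for illustration. It encodes the semantics the commit message describes (without INVLPGB_FLAG_VA the whole TLB is dropped; with it only the addressed pages, across all PCIDs, and globals only when INVLPGB_FLAG_INCLUDE_GLOBAL is set) and counts how many entries each variant of the flush removes.

```c
/*
 * Added example: a software model of the INVLPGB flag semantics described in
 * the commit message. This is not the kernel's __invlpgb() and never executes
 * the instruction; the bit positions, the TLB layout and the sample entries
 * are assumptions made for illustration only.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed bit layout for the flags argument. */
#define INVLPGB_FLAG_VA             (1u << 0)
#define INVLPGB_FLAG_PCID           (1u << 1)
#define INVLPGB_FLAG_INCLUDE_GLOBAL (1u << 3)

#define PAGE_SHIFT 12

struct tlb_entry {
	uint64_t va;     /* page-aligned virtual address */
	uint16_t pcid;   /* address space the entry belongs to */
	bool global;     /* PTE has the G bit set */
	bool valid;
};

#define MODEL_TLB_ENTRIES 6
static struct tlb_entry model_tlb[MODEL_TLB_ENTRIES];

/* Constructed sample TLB: user pages under three PCIDs plus global kernel text. */
static void model_tlb_reset(void)
{
	const struct tlb_entry init[MODEL_TLB_ENTRIES] = {
		{ 0x00007f0000001000ULL, 1, false, true },
		{ 0x00007f0000002000ULL, 1, false, true },
		{ 0x00007f0000001000ULL, 2, false, true }, /* same VA, other PCID */
		{ 0x00007f0000003000ULL, 3, false, true },
		{ 0xffffffff81000000ULL, 0, true,  true }, /* global kernel mapping */
		{ 0xffffffff81001000ULL, 0, true,  true },
	};
	for (int i = 0; i < MODEL_TLB_ENTRIES; i++)
		model_tlb[i] = init[i];
}

/*
 * Model of INVLPGB as the commit message reads it: with INVLPGB_FLAG_VA clear
 * every entry is dropped (guest ASIDs are not modelled); with it set only the
 * nr pages starting at addr are dropped. INVLPGB_FLAG_PCID restricts the match
 * to one PCID, INVLPGB_FLAG_INCLUDE_GLOBAL lets global entries be dropped too.
 * Returns the number of entries invalidated.
 */
static int model_invlpgb(uint16_t pcid, uint64_t addr, unsigned int nr,
			 unsigned int flags)
{
	uint64_t end = addr + ((uint64_t)nr << PAGE_SHIFT);
	int dropped = 0;

	for (int i = 0; i < MODEL_TLB_ENTRIES; i++) {
		struct tlb_entry *e = &model_tlb[i];

		if (!e->valid)
			continue;
		if (e->global && !(flags & INVLPGB_FLAG_INCLUDE_GLOBAL))
			continue;
		if ((flags & INVLPGB_FLAG_PCID) && e->pcid != pcid)
			continue;
		if ((flags & INVLPGB_FLAG_VA) && (e->va < addr || e->va >= end))
			continue;
		e->valid = false;
		dropped++;
	}
	return dropped;
}

/* Reset the model TLB, issue one flush, return how many entries it removed. */
static int run_flush(uint16_t pcid, uint64_t addr, unsigned int nr,
		     unsigned int flags)
{
	model_tlb_reset();
	return model_invlpgb(pcid, addr, nr, flags);
}

int main(void)
{
	uint64_t addr = 0x00007f0000001000ULL;

	/* Before the fix: INCLUDE_GLOBAL without VA drops every entry. */
	printf("without VA flag: %d entries dropped\n",
	       run_flush(0, addr, 2, INVLPGB_FLAG_INCLUDE_GLOBAL));
	/* After the fix: only the two pages at addr, across all PCIDs. */
	printf("with VA flag:    %d entries dropped\n",
	       run_flush(0, addr, 2,
			 INVLPGB_FLAG_VA | INVLPGB_FLAG_INCLUDE_GLOBAL));
	return 0;
}
```

With the sample TLB, the pre-fix flag set empties all six entries, while the post-fix set removes only the three entries for the two addressed pages (two PCIDs for the first page, one for the second) and leaves the global kernel mappings and the unrelated third PCID alone, which is the "unintentionally broad flush" the commit message is about.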

