Message-ID: <044f0048-95bb-4822-978e-a23528f3891f@suse.com>
Date: Wed, 28 May 2025 15:19:24 +0200
From: Jürgen Groß <jgross@...e.com>
To: Peter Zijlstra <peterz@...radead.org>
Cc: linux-kernel@...r.kernel.org, x86@...nel.org, xin@...or.com,
 Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
 Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>,
 "H. Peter Anvin" <hpa@...or.com>, stable@...r.kernel.org
Subject: Re: [PATCH 3/3] x86/alternative: make kernel ITS thunks read-only

On 28.05.25 15:10, Peter Zijlstra wrote:
> On Wed, May 28, 2025 at 02:35:57PM +0200, Juergen Gross wrote:
>> When allocating memory pages for kernel ITS thunks, make them read-only
>> after having written the last thunk.
>>
>> This will be needed when X86_FEATURE_PSE isn't available, as the thunk
>> memory will have PAGE_KERNEL_EXEC protection, which is including the
>> write permission.
>>
>> Cc: <stable@...r.kernel.org>
>> Fixes: 5185e7f9f3bd ("x86/module: enable ROX caches for module text on 64 bit")
>> Signed-off-by: Juergen Gross <jgross@...e.com>
>> ---
>>   arch/x86/kernel/alternative.c | 16 ++++++++++++++++
>>   1 file changed, 16 insertions(+)
>>
>> diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
>> index ecfe7b497cad..bd974a0ac88a 100644
>> --- a/arch/x86/kernel/alternative.c
>> +++ b/arch/x86/kernel/alternative.c
>> @@ -217,6 +217,15 @@ static void *its_alloc(void)
>>   	return no_free_ptr(page);
>>   }
>>   
>> +static void its_set_kernel_ro(void *addr)
>> +{
>> +#ifdef CONFIG_MODULES
>> +	if (its_mod)
>> +		return;
>> +#endif
>> +	execmem_restore_rox(addr, PAGE_SIZE);
>> +}
>> +
>>   static void *its_allocate_thunk(int reg)
>>   {
>>   	int size = 3 + (reg / 8);
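
Review bot: the early return on its_mod in its_set_kernel_ro() has no comment saying why module-owned thunk pages are skipped, so a reader of this hunk cannot tell which path makes those pages read-only; a one-line comment naming that path would help. The helper is also named "_ro" while it calls execmem_restore_rox(), so a name such as its_set_kernel_rox() would match what it does.
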
>> @@ -234,6 +243,8 @@ static void *its_allocate_thunk(int reg)
>>   #endif
>>   
>>   	if (!its_page || (its_offset + size - 1) >= PAGE_SIZE) {
>> +		if (its_page)
>> +			its_set_kernel_ro(its_page);
>>   		its_page = its_alloc();
>>   		if (!its_page) {
>>   			pr_err("ITS page allocation failed\n");
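
Review bot: the "if (its_page)" guard in front of its_set_kernel_ro(its_page) in its_allocate_thunk() is repeated verbatim in alternative_instructions(); moving the NULL check into its_set_kernel_ro() would leave a single unconditional call at both sites. The old page is also sealed before its_alloc() is known to have succeeded, which looks harmless because the next thunk no longer fits in it, but a short comment saying so would save the reader the check.
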
>> @@ -2338,6 +2349,11 @@ void __init alternative_instructions(void)
>>   	apply_retpolines(__retpoline_sites, __retpoline_sites_end);
>>   	apply_returns(__return_sites, __return_sites_end);
>>   
>> +	/* Make potential last thunk page read-only. */
>> +	if (its_page)
>> +		its_set_kernel_ro(its_page);
>> +	its_page = NULL;
>> +
>>   	/*
>>   	 * Adjust all CALL instructions to point to func()-10, including
>>   	 * those in .altinstr_replacement.
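
Review bot: setting its_page = NULL in alternative_instructions() means a later its_allocate_thunk() call for the kernel would take the "!its_page" branch and allocate a fresh page that nothing on this path makes read-only. The comment should state that no kernel ITS thunk can be allocated after this point, or the sealing should move to a place where that is guaranteed.
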
> 
> No, this is all sorts of wrong. Execmem API should ensure this.

You are aware that this patch is basically mirroring the work which is
already done for modules in alternative.c?


Juergen
