Thread (70 messages) 70 messages, 7 authors, 2019-06-15

Re: [PATCH v7 03/14] x86/cet/ibt: Add IBT legacy code bitmap setup function

From: Andy Lutomirski <luto@amacapital.net>
Date: 2019-06-07 20:46:55
Also in: linux-arch, linux-doc, linux-mm, lkml 

On Jun 7, 2019, at 12:49 PM, Yu-cheng Yu [off-list ref] wrote:

On Fri, 2019-06-07 at 11:29 -0700, Andy Lutomirski wrote:
quoted
quoted
On Jun 7, 2019, at 10:59 AM, Dave Hansen [off-list ref] wrote:

quoted
On 6/7/19 10:43 AM, Peter Zijlstra wrote:
I've no idea what the kernel should do; since you failed to answer the
question what happens when you point this to garbage.

Does it then fault or what?
Yeah, I think you'll fault with a rather mysterious CR2 value since
you'll go look at the instruction that faulted and not see any
references to the CR2 value.

I think this new MSR probably needs to get included in oops output when
CET is enabled.
This shouldn’t be able to OOPS because it only happens at CPL 3, right?  We
should put it into core dumps, though.

quoted
Why don't we require that a VMA be in place for the entire bitmap?
Don't we need a "get" prctl function too in case something like a JIT is
running and needs to find the location of this bitmap to set bits itself?

Or, do we just go whole-hog and have the kernel manage the bitmap
itself. Our interface here could be:

  prctl(PR_MARK_CODE_AS_LEGACY, start, size);

and then have the kernel allocate and set the bitmap for those code
locations.
Given that the format depends on the VA size, this might be a good idea.  I
bet we can reuse the special mapping infrastructure for this — the VMA could
be a MAP_PRIVATE special mapping named [cet_legacy_bitmap] or similar, and we
can even make special rules to core dump it intelligently if needed.  And we
can make mremap() on it work correctly if anyone (CRIU?) cares.

Hmm.  Can we be creative and skip populating it with zeros?  The CPU should
only ever touch a page if we miss an ENDBR on it, so, in normal operation, we
don’t need anything to be there.  We could try to prevent anyone from
*reading* it outside of ENDBR tracking if we want to avoid people accidentally
wasting lots of memory by forcing it to be fully populated when the read it.

The one downside is this forces it to be per-mm, but that seems like a
generally reasonable model anyway.

This also gives us an excellent opportunity to make it read-only as seen from
userspace to prevent exploits from just poking it full of ones before
redirecting execution.
GLIBC sets bits only for legacy code, and then makes the bitmap read-only.  That
avoids most issues:
How does glibc know the linear address space size?  We don’t want LA64 to break old binaries because the address calculation changed.
  



    
  

  
    

      

        Keyboard shortcuts
      

      

        
          
hback out one level

          
jnext message in thread

          
kprevious message in thread

          
ldrill in

          
Escclose help / fold thread tree

          
?toggle this help