Re: [PATCH 06/17] x86/alternative: use temporary mm for text poking

[PATCH 00/17] Merge text_poke fixes and executable lockdowns · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
[PATCH 13/17] Add set_alias_ function and x86 implementation · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
[PATCH 15/17] vmalloc: New flags for safe vfree on special perms · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
[PATCH 05/17] x86/alternative: initializing temporary mm for patching · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
[PATCH 12/17] x86/alternative: Remove the return value of text_poke_*() · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
[PATCH 17/17] module: Prevent module removal racing with text_poke() · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
Re: [PATCH 17/17] module: Prevent module removal racing with text_poke() · Masami Hiramatsu <mhiramat@kernel.org> · 2019-01-17
Re: [PATCH 17/17] module: Prevent module removal racing with text_poke() · Nadav Amit <hidden> · 2019-01-17
Re: [PATCH 17/17] module: Prevent module removal racing with text_poke() · "H. Peter Anvin" <hpa@zytor.com> · 2019-01-17
Re: [PATCH 17/17] module: Prevent module removal racing with text_poke() · Masami Hiramatsu <mhiramat@kernel.org> · 2019-01-18
Re: [PATCH 17/17] module: Prevent module removal racing with text_poke() · "H. Peter Anvin" <hpa@zytor.com> · 2019-01-17
Re: [PATCH 17/17] module: Prevent module removal racing with text_poke() · Nadav Amit <hidden> · 2019-01-18
Re: [PATCH 17/17] module: Prevent module removal racing with text_poke() · Masami Hiramatsu <mhiramat@kernel.org> · 2019-01-18
[PATCH 06/17] x86/alternative: use temporary mm for text poking · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
Re: [PATCH 06/17] x86/alternative: use temporary mm for text poking · Andy Lutomirski <luto@kernel.org> · 2019-01-17
Re: [PATCH 06/17] x86/alternative: use temporary mm for text poking · Andy Lutomirski <luto@kernel.org> · 2019-01-17
Re: [PATCH 06/17] x86/alternative: use temporary mm for text poking · Nadav Amit <hidden> · 2019-01-17
Re: [PATCH 06/17] x86/alternative: use temporary mm for text poking · Nadav Amit <hidden> · 2019-01-17
Re: [PATCH 06/17] x86/alternative: use temporary mm for text poking · hpa@zytor.com · 2019-01-17
[PATCH 14/17] mm: Make hibernate handle unmapped pages · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
Re: [PATCH 14/17] mm: Make hibernate handle unmapped pages · Pavel Machek <hidden> · 2019-01-17
Re: [PATCH 14/17] mm: Make hibernate handle unmapped pages · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2019-01-17
Re: [PATCH 14/17] mm: Make hibernate handle unmapped pages · Pavel Machek <hidden> · 2019-01-17
Re: [PATCH 14/17] mm: Make hibernate handle unmapped pages · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2019-01-17
Re: [PATCH 14/17] mm: Make hibernate handle unmapped pages · Pavel Machek <hidden> · 2019-01-18
[PATCH 16/17] Plug in new special vfree flag · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
Re: [PATCH 16/17] Plug in new special vfree flag · Steven Rostedt <rostedt@goodmis.org> · 2019-02-06
Re: [PATCH 16/17] Plug in new special vfree flag · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2019-02-07
Re: [PATCH 16/17] Plug in new special vfree flag · Steven Rostedt <rostedt@goodmis.org> · 2019-02-07
Re: [PATCH 16/17] Plug in new special vfree flag · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2019-02-07
[PATCH 10/17] x86: avoid W^X being broken during modules loading · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
[PATCH 09/17] x86/kprobes: Instruction pages initialization enhancements · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
Re: [PATCH 09/17] x86/kprobes: Instruction pages initialization enhancements · Masami Hiramatsu <mhiramat@kernel.org> · 2019-01-17
[PATCH 08/17] x86/ftrace: set trampoline pages as executable · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
Re: [PATCH 08/17] x86/ftrace: set trampoline pages as executable · Steven Rostedt <rostedt@goodmis.org> · 2019-02-06
Re: [PATCH 08/17] x86/ftrace: set trampoline pages as executable · Nadav Amit <hidden> · 2019-02-06
Re: [PATCH 08/17] x86/ftrace: set trampoline pages as executable · Steven Rostedt <rostedt@goodmis.org> · 2019-02-06
[PATCH 07/17] x86/kgdb: avoid redundant comparison of patched code · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
[PATCH 04/17] fork: provide a function for copying init_mm · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
[PATCH 01/17] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
Re: [PATCH 01/17] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" · Masami Hiramatsu <mhiramat@kernel.org> · 2019-01-17
Re: [PATCH 01/17] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" · hpa@zytor.com · 2019-01-17
Re: [PATCH 01/17] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" · Nadav Amit <hidden> · 2019-01-17
Re: [PATCH 01/17] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" · hpa@zytor.com · 2019-01-17
Re: [PATCH 01/17] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" · Nadav Amit <hidden> · 2019-01-17
Re: [PATCH 01/17] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" · "H. Peter Anvin" <hpa@zytor.com> · 2019-01-17
Re: [PATCH 01/17] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" · Nadav Amit <hidden> · 2019-01-18
Re: [PATCH 01/17] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" · Borislav Petkov <bp@alien8.de> · 2019-01-25
Re: [PATCH 01/17] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" · Nadav Amit <hidden> · 2019-01-25
[PATCH 11/17] x86/jump-label: remove support for custom poker · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
[PATCH 03/17] x86/mm: temporary mm struct · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
[PATCH 02/17] x86/jump_label: Use text_poke_early() during early init · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-17
Re: [PATCH 00/17] Merge text_poke fixes and executable lockdowns · Peter Zijlstra <peterz@infradead.org> · 2019-01-17

From: Nadav Amit <hidden>
Date: 2019-01-17 21:44:01
Also in: linux-integrity, linux-mm, lkml

On Jan 17, 2019, at 12:47 PM, Andy Lutomirski [off-list ref] wrote:

On Thu, Jan 17, 2019 at 12:27 PM Andy Lutomirski [off-list ref] wrote:

quoted

On Wed, Jan 16, 2019 at 4:33 PM Rick Edgecombe
[off-list ref] wrote:

quoted

From: Nadav Amit <redacted>

text_poke() can potentially compromise the security as it sets temporary
PTEs in the fixmap. These PTEs might be used to rewrite the kernel code
from other cores accidentally or maliciously, if an attacker gains the
ability to write onto kernel memory.

i think this may be sufficient, but barely.

quoted

+       pte_clear(poking_mm, poking_addr, ptep);
+
+       /*
+        * __flush_tlb_one_user() performs a redundant TLB flush when PTI is on,
+        * as it also flushes the corresponding "user" address spaces, which
+        * does not exist.
+        *
+        * Poking, however, is already very inefficient since it does not try to
+        * batch updates, so we ignore this problem for the time being.
+        *
+        * Since the PTEs do not exist in other kernel address-spaces, we do
+        * not use __flush_tlb_one_kernel(), which when PTI is on would cause
+        * more unwarranted TLB flushes.
+        *
+        * There is a slight anomaly here: the PTE is a supervisor-only and
+        * (potentially) global and we use __flush_tlb_one_user() but this
+        * should be fine.
+        */
+       __flush_tlb_one_user(poking_addr);
+       if (cross_page_boundary) {
+               pte_clear(poking_mm, poking_addr + PAGE_SIZE, ptep + 1);
+               __flush_tlb_one_user(poking_addr + PAGE_SIZE);
+       }

In principle, another CPU could still have the old translation.  Your
mutex probably makes this impossible, but it makes me nervous.
Ideally you'd use flush_tlb_mm_range(), but I guess you can't do that
with IRQs off.  Hmm.  I think you should add an inc_mm_tlb_gen() here.
Arguably, if you did that, you could omit the flushes, but maybe
that's silly.

If we start getting new users of use_temporary_mm(), we should give
some serious thought to the SMP semantics.

Also, you're using PAGE_KERNEL.  Please tell me that the global bit
isn't set in there.

Much better solution: do unuse_temporary_mm() and *then*
flush_tlb_mm_range().  This is entirely non-sketchy and should be just
about optimal, too.

This solution sounds nice and clean. The fact the global-bit was set didn’t
matter before (since __flush_tlb_one_user would get rid of it no matter
what), but would matter now, so I’ll change it too.

Thanks!

Nadav

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help