Re: [patch 23/60] x86/entry/64: Make cpu_entry_area.tss read-only

From: Borislav Petkov
Date: Mon Dec 04 2017 - 15:26:10 EST


On Mon, Dec 04, 2017 at 03:07:29PM +0100, Thomas Gleixner wrote:
> From: Andy Lutomirski <luto@xxxxxxxxxx>
>
> The TSS is a fairly juicy target for exploits, and, now that the TSS
> is in the cpu_entry_area, it's no longer protected by kASLR. Make it
> read-only on x86_64.
>
> On x86_32, it can't be RO because it's written by the CPU during task
> switches, and we use a task gate for double faults. I'd also be
> nervous about errata if we tried to make it RO even on configurations
> without double fault handling.
>
> [ tglx: AMD confirmed that there is no problem on 64bit with TSS RO. So
> it's probably safe to assume that it's a non issue, though Intel
> might have been creative in that area. Still waiting for
> confirmation. ]
>
> Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxx>
> Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> Cc: Brian Gerst <brgerst@xxxxxxxxx>
> Cc: David Laight <David.Laight@xxxxxxxxxx>
> Cc: Borislav Petkov <bp@xxxxxxxxx>
> Link: https://lkml.kernel.org/r/7d2f65f86a46e3489ba996932554485c3d345632.1512109321.git.luto@xxxxxxxxxx
>
> ---
> arch/x86/entry/entry_32.S | 4 ++--
> arch/x86/entry/entry_64.S | 8 ++++----
> arch/x86/include/asm/fixmap.h | 13 +++++++++----
> arch/x86/include/asm/processor.h | 17 ++++++++---------
> arch/x86/include/asm/switch_to.h | 4 ++--
> arch/x86/include/asm/thread_info.h | 2 +-
> arch/x86/kernel/asm-offsets.c | 5 ++---
> arch/x86/kernel/asm-offsets_32.c | 4 ++--
> arch/x86/kernel/cpu/common.c | 29 +++++++++++++++++++----------
> arch/x86/kernel/ioport.c | 2 +-
> arch/x86/kernel/process.c | 6 +++---
> arch/x86/kernel/process_32.c | 2 +-
> arch/x86/kernel/process_64.c | 2 +-
> arch/x86/kernel/traps.c | 4 ++--
> arch/x86/lib/delay.c | 4 ++--
> arch/x86/xen/enlighten_pv.c | 2 +-
> 16 files changed, 60 insertions(+), 48 deletions(-)

Reviewed-by: Borislav Petkov <bp@xxxxxxx>

--
Regards/Gruss,
Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
--