Re: Avoid speculative indirect calls in kernel

From: Dave Hansen
Date: Tue Jan 09 2018 - 20:11:50 EST

Next message: Andy Lutomirski: "Re: x86/clearregs: Register sanitizing at kernel entry for speculation hygiene"
Previous message: Eric W. Biederman: "Re: RFC(V3): Audit Kernel Container IDs"
In reply to: Thomas Gleixner: "Re: Avoid speculative indirect calls in kernel"
Next in thread: Thomas Gleixner: "Re: Avoid speculative indirect calls in kernel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 01/09/2018 04:45 PM, Thomas Gleixner wrote:
> On Mon, 8 Jan 2018, Andrea Arcangeli wrote:
>> On Mon, Jan 08, 2018 at 09:53:02PM +0100, Thomas Gleixner wrote:
>> Did my best to do the cleanest patch for tip, but I now figured Dave's
>> original comment was spot on: a _PAGE_NX clear then becomes necessary
>> also after pud_alloc not only after p4d_alloc.
>>
>> pmd_alloc would run into the same with x86 32bit non-PAE too.

non-PAE doesn't have an NX bit. :)

But we #define _PAGE_NX down to 0 there so it's harmless.

>> So there are two choices, either going back to one single _PAGE_NX
>> clear from the original Dave's original patch as below, or to add
>> multiple clear after each level which was my objective and is more
>> robust, but it may be overkill in this case. As long as it was one
>> line it looked a clear improvement.
>>
>> Considering the caller in both cases is going to abort I guess we can
>> use the one liner approach as Dave and Jiri did originally.
>
> Dave ?

I agree with Andrea. The patch in -tip potentially misses the pgd
clearing if pud_alloc() sets a PGD. It would also be nice to have that
comment back.

Note that the -tip commit probably works in *practice* because for two
adjacent calls to map_tboot_page() that share a PGD entry, the first
will clear NX, *then* allocate and set the PGD (without NX clear). The
second call will *not* allocate but will clear the NX bit.

The patch I think we want is attached.

From: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>

This is another case similar to what EFI does: create a new set of
page tables, map some code at a low address, and jump to it. PTI
mistakes this low address for userspace and mistakenly marks it
non-executable in an effort to make it unusable for userspace. Undo
the poison to allow execution.

Signed-off-by: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
Cc: Ning Sun <ning.sun@xxxxxxxxx>
Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Ingo Molnar <mingo@xxxxxxxxxx>
Cc: "H. Peter Anvin" <hpa@xxxxxxxxx>
Cc: x86@xxxxxxxxxx
Cc: tboot-devel@xxxxxxxxxxxxxxxxxxxxx
Cc: linux-kernel@xxxxxxxxxxxxxxx
---

b/arch/x86/kernel/tboot.c | 11 +++++++++++
1 file changed, 11 insertions(+)

diff -puN arch/x86/kernel/tboot.c~pti-tboot-fix arch/x86/kernel/tboot.c
--- a/arch/x86/kernel/tboot.c~pti-tboot-fix 2018-01-05 21:50:55.755554960 -0800
+++ b/arch/x86/kernel/tboot.c 2018-01-05 23:51:41.368536890 -0800
@@ -138,6 +138,17 @@ static int map_tboot_page(unsigned long
return -1;
set_pte_at(&tboot_mm, vaddr, pte, pfn_pte(pfn, prot));
pte_unmap(pte);
+
+ /*
+ * PTI poisons low addresses in the kernel page tables in the
+ * name of making them unusable for userspace. To execute
+ * code at such a low address, the poison must be cleared.
+ *
+ * Note: 'pgd' actually gets set in p4d_alloc() _or_
+ * pud_alloc() depending on 4/5-level paging.
+ */
+ pgd->pgd &= ~_PAGE_NX;
+
return 0;
}

_

Next message: Andy Lutomirski: "Re: x86/clearregs: Register sanitizing at kernel entry for speculation hygiene"
Previous message: Eric W. Biederman: "Re: RFC(V3): Audit Kernel Container IDs"
In reply to: Thomas Gleixner: "Re: Avoid speculative indirect calls in kernel"
Next in thread: Thomas Gleixner: "Re: Avoid speculative indirect calls in kernel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]