Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752884AbdLHLbh (ORCPT <rfc822;w@1wt.eu>);
        Fri, 8 Dec 2017 06:31:37 -0500
Received: from mail-wr0-f193.google.com ([209.85.128.193]:44943 "EHLO
        mail-wr0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750879AbdLHLbc (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 8 Dec 2017 06:31:32 -0500
X-Google-Smtp-Source: AGs4zMbOCz0A9dgXExKDFqgZJuNOFBaDWXnvrydzayK9Kqdc7234OCjaXmmU1pE7XSqD3F+3Axmftw==
Date: Fri, 8 Dec 2017 12:31:28 +0100
From: Ingo Molnar <mingo@kernel.org>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Andy Lutomirski <luto@amacapital.net>,
        Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@alien8.de>,
        X86 ML <x86@kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Brian Gerst <brgerst@gmail.com>,
        David Laight <David.Laight@aculab.com>,
        Kees Cook <keescook@chromium.org>,
        Peter Zijlstra <peterz@infradead.org>
Subject: Re: [PATCH] LDT improvements
Message-ID: <20171208113128.hdpeznolztrdzjpf@gmail.com>
References: <48fe5cf1382d6a95c7b1837415882edcc81a9781.1512631324.git.luto@kernel.org>
 <20171207124347.p7kdj7q4qqs3ivri@pd.tnic>
 <CALCETrVrQRUn6PoBBGSD8+-wRrWp3mQtKY1sYnCRFyDBte5usA@mail.gmail.com>
 <alpine.DEB.2.20.1712071814200.1835@nanos>
 <665F1CA8-D012-4465-B5F7-E81E088847DB@amacapital.net>
 <20171208073454.dicyefwncsihq7sm@gmail.com>
 <alpine.DEB.2.20.1712081033040.1840@nanos>
 <20171208094400.wqnezwukq5yx4mgq@gmail.com>
 <alpine.DEB.2.20.1712081051060.1840@nanos>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.DEB.2.20.1712081051060.1840@nanos>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1750
Lines: 43


* Thomas Gleixner <tglx@linutronix.de> wrote:

> On Fri, 8 Dec 2017, Ingo Molnar wrote:
> > * Thomas Gleixner <tglx@linutronix.de> wrote:
> > 
> > > On Fri, 8 Dec 2017, Ingo Molnar wrote:
> > > > * Andy Lutomirski <luto@amacapital.net> wrote:
> > > > > I don't love mucking with user address space.  I'm also quite nervous about 
> > > > > putting it in our near anything that could pass an access_ok check, since we're 
> > > > > totally screwed if the bad guys can figure out how to write to it.
> > > > 
> > > > Hm, robustness of the LDT address wrt. access_ok() is a valid concern.
> > > > 
> > > > Can we have vmas with high addresses, in the vmalloc space for example?
> > > > IIRC the GPU code has precedents in that area.
> > > > 
> > > > Since this is x86-64, limitation of the vmalloc() space is not an issue.
> > > > 
> > > > I like Thomas's solution:
> > > > 
> > > >  - have the LDT in a regular mmap space vma (hence per process ASLR randomized), 
> > > >    but with the system bit set.
> > > > 
> > > >  - That would be an advantage even for non-PTI kernels, because mmap() is probably 
> > > >    more randomized than kmalloc().
> > > 
> > > Randomization is pointless as long as you can get the LDT address in user
> > > space, i.e. w/o UMIP.
> > 
> > But with UMIP unprivileged user-space won't be able to get the linear address of 
> > the LDT. Now it's written out in /proc/self/maps.
> 
> We can expose it nameless like other VMAs, but then it's 128k sized so it
> can be figured out. But when it's RO then it's not really a problem, even
> the kernel can't write to it.

Yeah, ok. I don't think we should hide it - if it's in the vma space it should be 
listed in the 'maps' file, and with a descriptive name.

Thanks,

	Ingo