Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S965504AbeAKSgP (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Thu, 11 Jan 2018 13:36:15 -0500
Received: from mail-io0-f182.google.com ([209.85.223.182]:39259 "EHLO
        mail-io0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932215AbeAKSgL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 11 Jan 2018 13:36:11 -0500
X-Google-Smtp-Source: ACJfBosOE0X0pZ/aUNz2II9ddWTbZ26qT8W04jk/nhcEUzhUTRIQDS4wcKzIgVOS67Itw9gK6eNK7PQBdRpePnYgdl4=
MIME-Version: 1.0
In-Reply-To: <20180111183207.dah7imbuvuhvrrk6@treble>
References: <20180110082207.GX29822@worktop.programming.kicks-ass.net>
 <20180110091102.GH14066@1wt.eu> <CALCETrXQFL2sJPJe_Z8XLEo11V_tLyZR0y4PTRxJzrhmpdsuJg@mail.gmail.com>
 <CA+55aFwfSKNAYEFWCwCe2vSxejA3X85FnX9t1EdnCRUwC1ou1Q@mail.gmail.com>
 <20180111064259.GC14920@1wt.eu> <0f08d89e-61e1-20e3-5c59-0b2f7b32bf0c@linux.intel.com>
 <20180111154412.GA15296@1wt.eu> <af80ba81-f8bc-156e-a286-0825aa47f134@linux.intel.com>
 <CALCETrUxk83Oys18-VW7HO2+mPx8RzJxpud7BkYVnD9G=-t3ZQ@mail.gmail.com>
 <20180111182147.masunghp5km6igjq@ast-mbp.dhcp.thefacebook.com> <20180111183207.dah7imbuvuhvrrk6@treble>
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu, 11 Jan 2018 10:36:10 -0800
X-Google-Sender-Auth: xtM7cL_jN_m45kVRvcEpZWsXnlE
Message-ID: <CA+55aFz58wU4XXHCKH85o=hkvUa0=usi09_Ox6FKa9BB2iLDpw@mail.gmail.com>
Subject: Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when
 pti_disable is set
To: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
        Andy Lutomirski <luto@kernel.org>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Willy Tarreau <w@1wt.eu>,
        Peter Zijlstra <peterz@infradead.org>,
        LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
        Borislav Petkov <bp@alien8.de>,
        Brian Gerst <brgerst@gmail.com>,
        Ingo Molnar <mingo@kernel.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Kees Cook <keescook@chromium.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Thu, Jan 11, 2018 at 10:32 AM, Josh Poimboeuf <jpoimboe@redhat.com> wrote:
> On Thu, Jan 11, 2018 at 10:21:49AM -0800, Alexei Starovoitov wrote:
>>
>> hmm. Exposing cr3 to user space will make it trivial for user process
>> to know whether kpti is active. Not sure how exploitable such
>> information leak.
>
> It's already trivial to detect PTI from user space.

I agree. I don't think the whole "is PTI on" is all that much of a secret.

But exposing all of %cr3 to user space is completely unacceptable.
That's just about *the* best attack vector information you could give
to somebody, and would make KASLR almost totally uninteresting. If you
have access to the page directory pointer, and some other weakness
that allows you to access it, you're golden. You can do anything.

                Linus