Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1253360imm;
        Wed, 8 Aug 2018 13:34:47 -0700 (PDT)
X-Google-Smtp-Source: AA+uWPydpWX7Gm5FMqkdLv+tShlLJ+qFkdOV6n3jc3leii+0jPerRW3fmaqXjZDYeajY4mZa9D7s
X-Received: by 2002:a63:2106:: with SMTP id h6-v6mr3912802pgh.161.1533760487342;
        Wed, 08 Aug 2018 13:34:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1533760487; cv=none;
        d=google.com; s=arc-20160816;
        b=cCBqe7AT9i8AFI58/w3x1mcxupHyjrnK9Xs1dLinHuMqag94Ksh18ZPUWCy6rkE0Aa
         nasNW1vG0W8zYOxonzKP17x/mewtAwM5o16RI3b+URbTTlHADw29KKAlnlahxyqtxSdY
         jqTAFaFQUSVbv/NL7KpBLXf0RN1OiS7wG43Q+SlacJG7NHMiwEA0EeqzhVaS/J9NWxc4
         nO6K70DrWKRCjOBz00EbYYFSQJZV5XPyCxRvYHPCr7EBfACH5990OWchwJ09XucATMnd
         Q2DZpKjn/WsOtzh67cgyPlX9IVdn8bka4qHbCTqQ8iaFq1iD7MJT2O/TDRHfW9hSe9mE
         ZpSw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=42tBd4zeomd3c7Yh54htW6IrZr3FrXTnYZPQu0HwDpc=;
        b=tG+31ngKe/60HwP2Q5ZwCaaCt6iuIzeNl3J9yKlsvcWm11YPC0YVDSRjoxyEME8qz0
         1Y+yj5XNj6mWcqKo0bmXPCAZPSRhUAdJb7kBJaBJvgeStUGqapmSYPs9yc7IvvgJeuNf
         PWL1sjKVoBeI/437COUe+YdSsUTku8PlzCXFtT5MuhPNUQn/MY7/4svt7qP4kxzpuZvj
         vOh2Ul98/Xg0kt44ZC8BropMWXjNLUjBvhaDSKk+1F8GuirIfIcSixU/4Z0yqFXAMJ0P
         3pFeMMmWDW0Egv3NV71H8eEz4C3yCa8nZ73C9qWkZDMk6ecpra+2wCFFzLTvEJlfKQdR
         kEgg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=gQxwC2CJ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t21-v6si5152051pgb.553.2018.08.08.13.34.32;
        Wed, 08 Aug 2018 13:34:47 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=gQxwC2CJ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731239AbeHHWyW (ORCPT <rfc822;marvinzhang.kernel@gmail.com>
        + 99 others); Wed, 8 Aug 2018 18:54:22 -0400
Received: from mail-yw1-f66.google.com ([209.85.161.66]:41801 "EHLO
        mail-yw1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727530AbeHHWyW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 8 Aug 2018 18:54:22 -0400
Received: by mail-yw1-f66.google.com with SMTP id q129-v6so2566047ywg.8
        for <linux-kernel@vger.kernel.org>; Wed, 08 Aug 2018 13:33:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=42tBd4zeomd3c7Yh54htW6IrZr3FrXTnYZPQu0HwDpc=;
        b=gQxwC2CJgLE/5MmmBc1dHo05XFsVSPapnrTvD4vGyCfMbFATBDq64ost0fWU9FA60I
         FRI5p+2bEYh5qpxX5ZEahwL8YVRTnUR/3Qig/E7nnux1WOGRgFxoFMV2w92wrCfB7rsz
         ceLo/0nTrbhSpA70QYq2YalZvSYaEEEfV9JIAiu2KfTrIsaUbrsidsW8+57rbUTIAVVr
         skec6i43ss1iEH/aW1RuNAJcqEu621Aa9KhNZhu97FDgGD79yGKP8496Z1sCnR75peWa
         wxRk9uiMEYXZZ06P3w0bC2le/Itq+lg2sXjrLya4EeyziCTTacaJsXA2WQaNf2/OCYx/
         Nw8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=42tBd4zeomd3c7Yh54htW6IrZr3FrXTnYZPQu0HwDpc=;
        b=dRBnaN9WrynXHizImGngQV3/HPgN/Jz34vLwKG6Tpml46H/JOo+c+0UW7oTzdbZlli
         ko0z+c6TiOfDOxPjnwsyIntAmaoRBS18SzfS2Dnay/IQsWoDNDuVNo2ooHXz7i5CJvlk
         5rCv8DCX9mNpSC7wCoro56wSJlJfuYBx6PCwLexZf/8j5GwsdKBN2vlwhxQqXJibP4um
         JdAQdMSbAyqnN1LfIPJXmUahq+YzS3UIVOQacAbmSsucUQ46EtL0ZQq/x8rYigIsprhV
         gHVKYBYABYsNgNvnGH3TyrqgBYy+P+YDNM02E2Q+PaxYRsqfOfl0DqgECKQL0QWit1AT
         kGCg==
X-Gm-Message-State: AOUpUlELVGOIr1h9OIG7li5KUEzm+LtpiKDfwDf4Z/8pyoC+z0A0LGka
        hoFnAAuwSIzRtchOIFFxGvG96/1Wg7uXYaRov0pLYQ==
X-Received: by 2002:a81:2706:: with SMTP id n6-v6mr2285868ywn.88.1533760381770;
 Wed, 08 Aug 2018 13:33:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a25:7450:0:0:0:0:0 with HTTP; Wed, 8 Aug 2018 13:33:01 -0700 (PDT)
In-Reply-To: <1533727000-9172-1-git-send-email-joro@8bytes.org>
References: <1533727000-9172-1-git-send-email-joro@8bytes.org>
From:   Kees Cook <keescook@google.com>
Date:   Wed, 8 Aug 2018 13:33:01 -0700
Message-ID: <CAGXu5jK-wd=wbXcqoaogThVF1gHvH+UXgvVtsFuV2efjo8K46g@mail.gmail.com>
Subject: Re: [PATCH] x86/mm/pti: Move user W+X check into pti_finalize()
To:     Joerg Roedel <joro@8bytes.org>
Cc:     Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@kernel.org>,
        "H . Peter Anvin" <hpa@zytor.com>, X86 ML <x86@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Linux-MM <linux-mm@kvack.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Andy Lutomirski <luto@kernel.org>,
        Dave Hansen <dave.hansen@intel.com>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        Juergen Gross <jgross@suse.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Borislav Petkov <bp@alien8.de>, Jiri Kosina <jkosina@suse.cz>,
        Boris Ostrovsky <boris.ostrovsky@oracle.com>,
        Brian Gerst <brgerst@gmail.com>,
        David Laight <David.Laight@aculab.com>,
        Denys Vlasenko <dvlasenk@redhat.com>,
        Eduardo Valentin <eduval@amazon.com>,
        Greg KH <gregkh@linuxfoundation.org>,
        Will Deacon <will.deacon@arm.com>,
        Anthony Liguori <aliguori@amazon.com>,
        Daniel Gruss <daniel.gruss@iaik.tugraz.at>,
        Hugh Dickins <hughd@google.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Waiman Long <llong@redhat.com>, Pavel Machek <pavel@ucw.cz>,
        "David H . Gutteridge" <dhgutteridge@sympatico.ca>,
        Joerg Roedel <jroedel@suse.de>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Aug 8, 2018 at 4:16 AM, Joerg Roedel <joro@8bytes.org> wrote:
> From: Joerg Roedel <jroedel@suse.de>
>
> The user page-table gets the updated kernel mappings in
> pti_finalize(), which runs after the RO+X permissions got
> applied to the kernel page-table in mark_readonly().
>
> But with CONFIG_DEBUG_WX enabled, the user page-table is
> already checked in mark_readonly() for insecure mappings.
> This causes false-positive warnings, because the user
> page-table did not get the updated mappings yet.
>
> Move the W+X check for the user page-table into
> pti_finalize() after it updated all required mappings.
>
> Signed-off-by: Joerg Roedel <jroedel@suse.de>
> ---
>  arch/x86/include/asm/pgtable.h | 7 +++++--
>  arch/x86/mm/dump_pagetables.c  | 3 +--
>  arch/x86/mm/pti.c              | 2 ++
>  3 files changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
> index e39088cb..a1cb333 100644
> --- a/arch/x86/include/asm/pgtable.h
> +++ b/arch/x86/include/asm/pgtable.h
> @@ -30,11 +30,14 @@ int __init __early_make_pgtable(unsigned long address, pmdval_t pmd);
>  void ptdump_walk_pgd_level(struct seq_file *m, pgd_t *pgd);
>  void ptdump_walk_pgd_level_debugfs(struct seq_file *m, pgd_t *pgd, bool user);
>  void ptdump_walk_pgd_level_checkwx(void);
> +void ptdump_walk_user_pgd_level_checkwx(void);
>
>  #ifdef CONFIG_DEBUG_WX
> -#define debug_checkwx() ptdump_walk_pgd_level_checkwx()
> +#define debug_checkwx()                ptdump_walk_pgd_level_checkwx()
> +#define debug_checkwx_user()   ptdump_walk_user_pgd_level_checkwx()
>  #else
> -#define debug_checkwx() do { } while (0)
> +#define debug_checkwx()                do { } while (0)
> +#define debug_checkwx_user()   do { } while (0)
>  #endif
>
>  /*
> diff --git a/arch/x86/mm/dump_pagetables.c b/arch/x86/mm/dump_pagetables.c
> index ccd92c4..b8ab901 100644
> --- a/arch/x86/mm/dump_pagetables.c
> +++ b/arch/x86/mm/dump_pagetables.c
> @@ -569,7 +569,7 @@ void ptdump_walk_pgd_level_debugfs(struct seq_file *m, pgd_t *pgd, bool user)
>  }
>  EXPORT_SYMBOL_GPL(ptdump_walk_pgd_level_debugfs);
>
> -static void ptdump_walk_user_pgd_level_checkwx(void)
> +void ptdump_walk_user_pgd_level_checkwx(void)
>  {
>  #ifdef CONFIG_PAGE_TABLE_ISOLATION
>         pgd_t *pgd = INIT_PGD;
> @@ -586,7 +586,6 @@ static void ptdump_walk_user_pgd_level_checkwx(void)
>  void ptdump_walk_pgd_level_checkwx(void)
>  {
>         ptdump_walk_pgd_level_core(NULL, NULL, true, false);
> -       ptdump_walk_user_pgd_level_checkwx();
>  }
>
>  static int __init pt_dump_init(void)
> diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c
> index 69a9d60..026a89a 100644
> --- a/arch/x86/mm/pti.c
> +++ b/arch/x86/mm/pti.c
> @@ -628,4 +628,6 @@ void pti_finalize(void)
>          */
>         pti_clone_entry_text();
>         pti_clone_kernel_text();
> +
> +       debug_checkwx_user();
>  }

I'm slightly nervous about complicating this and splitting up the
check. I have a mild preference that all the checks get moved later,
so that all architectures have the checks happening at the same time
during boot. Splitting this up could give us some weird differences
between architectures, etc.

-Kees

-- 
Kees Cook
Pixel Security