In-Reply-To: <20180826112341.f77a528763e297cbc36058fa@kernel.org>
References: <20180822153012.173508681@infradead.org>
 <20180822154046.823850812@infradead.org>
 <20180822155527.GF24124@hirez.programming.kicks-ass.net>
 <20180823134525.5f12b0d3@roar.ozlabs.ibm.com>
 <776104d4c8e4fc680004d69e3a4c2594b638b6d1.camel@au1.ibm.com>
 <20180823133958.GA1496@brain-police>
 <20180824084717.GK24124@hirez.programming.kicks-ass.net>
 <20180824180438.GS24124@hirez.programming.kicks-ass.net>
 <56A9902F-44BE-4520-A17C-26650FCC3A11@gmail.com>
 <9A38D3F4-2F75-401D-8B4D-83A844C9061B@gmail.com>
 <8E0D8C66-6F21-4890-8984-B6B3082D4CC5@gmail.com>
 <20180826112341.f77a528763e297cbc36058fa@kernel.org>
From: Andy Lutomirski
Date: Sat, 25 Aug 2018 21:21:22 -0700
Message-ID:
Subject: Re: TLB flushes on fixmap changes
To: Masami Hiramatsu, Kees Cook
Cc: Andy Lutomirski, Nadav Amit, Linus Torvalds, Paolo Bonzini, Jiri Kosina,
 Peter Zijlstra, Will Deacon, Benjamin Herrenschmidt, Nick Piggin,
 the arch/x86 maintainers, Borislav Petkov, Rik van Riel, Jann Horn,
 Adin Scannell, Dave Hansen, Linux Kernel Mailing List, linux-mm,
 David Miller, Martin Schwidefsky, Michael Ellerman
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Aug 25, 2018 at 7:23 PM, Masami Hiramatsu wrote:
> On Fri, 24 Aug 2018 21:23:26 -0700
> Andy Lutomirski wrote:
>> Couldn't text_poke() use kmap_atomic()? Or, even better, just change CR3?
>
> No, since kmap_atomic() is only for x86_32 and highmem support kernel.
> In x86-64, it seems that it returns just a page address. That is not
> good for text_poke, since it needs to make a writable alias for RO
> code page.
> Hmm, maybe, can we mimic copy_oldmem_page(), it uses ioremap_cache?
>

I just re-read text_poke(). It's, um, horrible. Not only is the
implementation overcomplicated and probably buggy, but it's SLOOOOOW.
It's totally the wrong API -- poking one instruction at a time basically
can't be efficient on x86. The API should either poke lots of
instructions at once or should be text_poke_begin(); ...; text_poke_end();.

Anyway, the attached patch seems to boot. Linus, Kees, etc: is this too
scary of an approach?

With the patch applied, text_poke() is a fantastic exploit target. On the
other hand, even without the patch applied, text_poke() is every bit as
juicy.

--Andy

Content-Type: text/x-patch; charset="US-ASCII"; name="text_poke.patch"
Content-Disposition: attachment; filename="text_poke.patch"

diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
index 014f214da581..811c8735b129 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -690,40 +690,15 @@ void *__init_or_module text_poke_early(void *addr, const void *opcode,
 void *text_poke(void *addr, const void *opcode, size_t len)
 {
 	unsigned long flags;
-	char *vaddr;
-	struct page *pages[2];
-	int i;
-
-	/*
-	 * While boot memory allocator is runnig we cannot use struct
-	 * pages as they are not yet initialized.
-	 */
-	BUG_ON(!after_bootmem);
+	unsigned long old_cr0;
 
-	if (!core_kernel_text((unsigned long)addr)) {
-		pages[0] = vmalloc_to_page(addr);
-		pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
-	} else {
-		pages[0] = virt_to_page(addr);
-		WARN_ON(!PageReserved(pages[0]));
-		pages[1] = virt_to_page(addr + PAGE_SIZE);
-	}
-	BUG_ON(!pages[0]);
 	local_irq_save(flags);
-	set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
-	if (pages[1])
-		set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
-	vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
-	memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
-	clear_fixmap(FIX_TEXT_POKE0);
-	if (pages[1])
-		clear_fixmap(FIX_TEXT_POKE1);
-	local_flush_tlb();
-	sync_core();
-	/* Could also do a CLFLUSH here to speed up CPU recovery; but
-	   that causes hangs on some VIA CPUs. */
-	for (i = 0; i < len; i++)
-		BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
+	old_cr0 = read_cr0();
+	write_cr0(old_cr0 & ~X86_CR0_WP);
+
+	memcpy(addr, opcode, len);
+
+	write_cr0(old_cr0);	/* also serializes */
 	local_irq_restore(flags);
 	return addr;
 }
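Review bot: between write_cr0(old_cr0 & ~X86_CR0_WP) and write_cr0(old_cr0) the new body leaves CR0.WP clear for every kernel mapping on this CPU, not just the target page, and local_irq_save() does not keep NMIs or machine-check exceptions out of that window, so any handler that runs there executes with write protection off; the window should be as short as possible and worth calling out in a comment. The hunk also drops the post-write verification loop (BUG_ON(((char *)addr)[i] != ((char *)opcode)[i])) and the WARN_ON(!PageReserved(pages[0])) sanity check without replacing them; consider re-verifying the written bytes and asserting that old_cr0 actually has X86_CR0_WP set before clearing it, so the restore re-enables protection rather than writing back an already-cleared bit. Minor: removing sync_core() is fine because a MOV to CR0 is a serializing instruction, but that reasoning deserves a fuller comment than the trailing "also serializes".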