Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp4952013imm; Sun, 26 Aug 2018 07:23:37 -0700 (PDT) X-Google-Smtp-Source: ANB0VdZodFeT8WhJ9GegqJFzUnXlkGuLG4guBlYxcyS8xpcyr+qEbdxQX3i5eCsE9Ri/c326d010 X-Received: by 2002:a63:df4e:: with SMTP id h14-v6mr8856110pgj.300.1535293416930; Sun, 26 Aug 2018 07:23:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535293416; cv=none; d=google.com; s=arc-20160816; b=QM7QG1dw3rmLZokwcA3F0Q7ccpE9HyuWLpqm9/ky5bCdV0WuyeJGz/ze/SZ4fUXHWa 3H8VyzVUOKuaZTDTHsMGDu1BZ4XsScsFM37ZXZNsSKx7MCibOVFcUM9rQFs3TsTdUu1i hUB95DeNq8jwNkMxVIXsC2FJKUQFmBvLdHCaiXXDpcV+ZbhVkcsb3NAj9WTBehVdCaxj U5rqGm8xgIBNc0cts+cQouyILfcFgNXIhS35wUYYANXzQoZBHr6rvNL4iGe6IvXHfqlq 2i5ao5m0iOWWuGIrNntKac3AsfV1gr7CnETNJNxYVzLX1oGK8YLAdaUJlobHiHvHDslW p/Hw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature:arc-authentication-results; bh=j/rFKP9WAPzLpSyqUeYB4g623OQ/3HfTh69D1tWsf80=; b=rjOaeKzbgzCl6rxTWZ8M7cD93GM4GWU6NRi4TjoN0J2xnU+Ns4iw71oedjdwjSPrj1 HNYvOiW1MKMYvgupvTtibYeOSkrkduqktEdYjfr/po6BpGKrpjuD++Pz3GrQGIlcrimH f85bbKslAj+kt/0nVxFkFQqT1lwDRTI3gku2XXeWcfqaG8WEaX8da44OQINxmRctWrAh NJyOm/ExPg5ZZKRIUufwOfxlHn2ob29DuloeKo2bPenm8Ke0ER/7+99AJ+a9omNQk+1a OlMLoalJQ04yL2MXXCTVLOcGC7VPP/S5SksKF2GgQqUYXkLE6MxoCTz85NNfQD+r6D53 KmPg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=UdA9blp7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id gn24si11803202plb.147.2018.08.26.07.23.21; Sun, 26 Aug 2018 07:23:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=UdA9blp7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726954AbeHZSDN (ORCPT + 99 others); Sun, 26 Aug 2018 14:03:13 -0400 Received: from mail-pg1-f193.google.com ([209.85.215.193]:43419 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726500AbeHZSDN (ORCPT ); Sun, 26 Aug 2018 14:03:13 -0400 Received: by mail-pg1-f193.google.com with SMTP id v66-v6so6239826pgb.10 for ; Sun, 26 Aug 2018 07:20:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=j/rFKP9WAPzLpSyqUeYB4g623OQ/3HfTh69D1tWsf80=; b=UdA9blp7seb5W2U2yznpjvDFjvNmrd1VPlVNpEzpkkHesG+PW3e2gp1JfkXf+B2CiD N0ZXD6Bqc6yIyAJEnrWJH5Ksqz/M7ZXGUbblAf+hWctiIzMcQn2rjufsP9mzVG8oHxpc BLKLqtxQvJUUlWX99XH4fuRh3fDpYsBKY9zkgnYCak5Y8zdH/2gHcroJeFPSWFBTKLgm oDNkB8QU1rqTuwWlCDGEoO8S8e69OCjfIcUscmcaFabqIkj38SwiENfQqdgC73sbRR8T 78cjZPXQhTgYsjAKBpQjoqnG1pwNEEVxhRfG7C+UoeVrIb/Ch/wg+Xxx/kzHGYNpEPqh +xow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=j/rFKP9WAPzLpSyqUeYB4g623OQ/3HfTh69D1tWsf80=; b=O8Vo9qJHzFsK1+WYm0opgeYbiZ2wQiMtp4RDGwsN4aYRbSBMcrhV0VhoALX4bu7mfo VW5l2j0fAWgr+vAq8ue4lQnwAmccFp4k2046I3wj/HdSiruzwA5HqIEK15nYlouKUFlX NvMz7eIP9dWH1ElbU3LH37wde+f53w8CUtt4MoO4klEBiy09BrFK1sIsb7BfSJhju1QL eEcPPvb+ShRpDZtexaBXiM4I4r0OAE4gY+uepiYuR0zjziqkqZZgbUHYVfrdxuv5RNEJ H+bFc4fi0qxioZO9C2zrROLoBbSFQwZzSUdfqFhEpuQeFjxNhMkcihEq/uX3bK4I/dq2 /S+Q== X-Gm-Message-State: APzg51CDD4PQfNbMm7rv3h5ZoStd0qU4j1ji9QOA+beIKb/kta4JY9gU gObnewFDyFNzh/gOi+QSu4Lydg== X-Received: by 2002:a62:3001:: with SMTP id w1-v6mr10229434pfw.19.1535293230713; Sun, 26 Aug 2018 07:20:30 -0700 (PDT) Received: from ?IPv6:2601:646:c200:7429:a803:ac38:1531:22f8? ([2601:646:c200:7429:a803:ac38:1531:22f8]) by smtp.gmail.com with ESMTPSA id k185-v6sm15311173pfc.160.2018.08.26.07.20.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 26 Aug 2018 07:20:29 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (1.0) Subject: Re: TLB flushes on fixmap changes From: Andy Lutomirski X-Mailer: iPhone Mail (15G77) In-Reply-To: Date: Sun, 26 Aug 2018 07:20:28 -0700 Cc: Andy Lutomirski , Masami Hiramatsu , Nadav Amit , Linus Torvalds , Paolo Bonzini , Jiri Kosina , Peter Zijlstra , Will Deacon , Benjamin Herrenschmidt , Nick Piggin , the arch/x86 maintainers , Borislav Petkov , Rik van Riel , Jann Horn , Adin Scannell , Dave Hansen , Linux Kernel Mailing List , linux-mm , David Miller , Martin Schwidefsky , Michael Ellerman Content-Transfer-Encoding: quoted-printable Message-Id: <952A64F0-90B3-4E2F-B410-7E20BE90D617@amacapital.net> References: <20180822153012.173508681@infradead.org> <20180822154046.823850812@infradead.org> <20180822155527.GF24124@hirez.programming.kicks-ass.net> <20180823134525.5f12b0d3@roar.ozlabs.ibm.com> <776104d4c8e4fc680004d69e3a4c2594b638b6d1.camel@au1.ibm.com> <20180823133958.GA1496@brain-police> <20180824084717.GK24124@hirez.programming.kicks-ass.net> <20180824180438.GS24124@hirez.programming.kicks-ass.net> <56A9902F-44BE-4520-A17C-26650FCC3A11@gmail.com> <9A38D3F4-2F75-401D-8B4D-83A844C9061B@gmail.com> <8E0D8C66-6F21-4890-8984-B6B3082D4CC5@gmail.com> <20180826112341.f77a528763e297cbc36058fa@kernel.org> To: Kees Cook Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Aug 25, 2018, at 9:43 PM, Kees Cook wrote: >=20 >> On Sat, Aug 25, 2018 at 9:21 PM, Andy Lutomirski wrote:= >>> On Sat, Aug 25, 2018 at 7:23 PM, Masami Hiramatsu w= rote: >>> On Fri, 24 Aug 2018 21:23:26 -0700 >>> Andy Lutomirski wrote: >>>> Couldn't text_poke() use kmap_atomic()? Or, even better, just change C= R3? >>>=20 >>> No, since kmap_atomic() is only for x86_32 and highmem support kernel. >>> In x86-64, it seems that returns just a page address. That is not >>> good for text_poke, since it needs to make a writable alias for RO >>> code page. Hmm, maybe, can we mimic copy_oldmem_page(), it uses ioremap_= cache? >>>=20 >>=20 >> I just re-read text_poke(). It's, um, horrible. Not only is the >> implementation overcomplicated and probably buggy, but it's SLOOOOOW. >> It's totally the wrong API -- poking one instruction at a time >> basically can't be efficient on x86. The API should either poke lots >> of instructions at once or should be text_poke_begin(); ...; >> text_poke_end();. >>=20 >> Anyway, the attached patch seems to boot. Linus, Kees, etc: is this >> too scary of an approach? With the patch applied, text_poke() is a >> fantastic exploit target. On the other hand, even without the patch >> applied, text_poke() is every bit as juicy. >=20 > I tried to convince Ingo to use this method for doing "write rarely" > and he soundly rejected it. :) I've always liked this because AFAICT, > it's local to the CPU. I had proposed it in > https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=3D= kspp/write-rarely&id=3D9ab0cb2618ebbc51f830ceaa06b7d2182fe1a52d Ingo, can you clarify why you hate it? I personally would rather use CR3, b= ut CR0 seems like a fine first step, at least for text_poke. >=20 > With that, text_poke() mostly becomes: >=20 > rare_write_begin() > memcpy(addr, opcode, len); > rare_write_end() >=20 > As for juiciness, if an attacker already has execution control, they > can do more interesting things than text_poke(). But regardless, yes, > it's always made me uncomfortable. :) >=20 > -Kees >=20 > --=20 > Kees Cook > Pixel Security