Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3085136imu;
        Thu, 29 Nov 2018 15:20:20 -0800 (PST)
X-Google-Smtp-Source: AFSGD/WfF8JL6D2RhW7qOwoeVRCPh/J6sRHHFK08EtUlBbJij1G83QaUd94s7VPSFQAZMks00VNJ
X-Received: by 2002:a17:902:b093:: with SMTP id p19mr3382569plr.135.1543533620732;
        Thu, 29 Nov 2018 15:20:20 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543533620; cv=none;
        d=google.com; s=arc-20160816;
        b=C1KVKXMeKKosv2BUPZJcpJky+Tbtj+805qYlZwL1xPym+Ge6BRGaomSxI8gYWKOulA
         D57sF9m71e1eNv+4mcfQv0hQU5yHqnD8ilp9ZScD4vZrYRW1obkwldBeHVBFiLgUMG98
         X0FPr+YOph7YYNzXo+MdDHKe9PbVVqTAql7O7Jxne9rhH3fOF7Wi/JjJ13t6kmBNxMdc
         dHmYuJBsZ60/iayGE81T6OuWXgRouhNdj8l3NRz+ykm7aqw4DUIMvAhGmMi/k7B2swQp
         FjeD+6FnY8gOgUmqaIsY+ufTlSOB4Jjwu1Kb3R3HclfTnuiQClbO+zTWsmuLYU3wRYte
         RJhA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=Yw40TAJUwh9CJ+29qKVAZlYfenElkyRrzPzZx9yViXg=;
        b=L18KCAYVDE8KNGlUZQOYKzhgbda0ubCb/5Cmt+8mTyTPbNBbo+yOLdsUHFVSOgdFZo
         YdOwIJuGzY6+URz+pHx/PbHLITDCuXrKvW3G9eWw30nx+9lYr6kI0Xfe5qV3pAWhiX0K
         91O7VsyM6RIIkQYsgTC2I4gfdqzNBgVVmiCefB5jmf/0ZBTKglntq9oNvDvFJKKPcr1I
         uvNtc+iheGKXjriK/ncJXP+rUzNQ1BBqeGWmxc8A26iuVCs0ZFLc2JbWHDoEiTUVhKIV
         8ylu8t+tToNaE7cWxis1MgIa1BrWz33L1dnrxwIlLp/2s9xo62TVHYdfmbR3dL/+l5oW
         prqQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=G0wZ9qjZ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k64si3200271pge.7.2018.11.29.15.20.06;
        Thu, 29 Nov 2018 15:20:20 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=G0wZ9qjZ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727006AbeK3K0c (ORCPT <rfc822;tnerolf.eriarrach@gmail.com>
        + 99 others); Fri, 30 Nov 2018 05:26:32 -0500
Received: from mail.kernel.org ([198.145.29.99]:55104 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726406AbeK3K0b (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 30 Nov 2018 05:26:31 -0500
Received: from devbox (NE2965lan1.rev.em-net.ne.jp [210.141.244.193])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id E427121019;
        Thu, 29 Nov 2018 23:19:15 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1543533559;
        bh=csSKUpgZONU0nmpFRcE2r6cm1Jjd5vLKitToD311j7g=;
        h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
        b=G0wZ9qjZuV0yYSK+4OQpDBmYs4axW2Y7HXSvy/l9/SA0P5E+8YJju6FMAOEQ5+KC7
         zEidhTmNj1xvUPPOJQeCSIxilF62hZwVYPQeR0bI2mCrNdJ+TjuNKwscv2nToxLyiK
         JOs16kBo3rDyz6r9FC3T+TkftNqpBb/wUo3n5kBM=
Date:   Fri, 30 Nov 2018 08:19:13 +0900
From:   Masami Hiramatsu <mhiramat@kernel.org>
To:     "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
Cc:     "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "daniel@iogearbox.net" <daniel@iogearbox.net>,
        "jeyu@kernel.org" <jeyu@kernel.org>,
        "rostedt@goodmis.org" <rostedt@goodmis.org>,
        "ast@kernel.org" <ast@kernel.org>,
        "ard.biesheuvel@linaro.org" <ard.biesheuvel@linaro.org>,
        "linux-mm@kvack.org" <linux-mm@kvack.org>,
        "jannh@google.com" <jannh@google.com>,
        "Dock, Deneen T" <deneen.t.dock@intel.com>,
        "kristen@linux.intel.com" <kristen@linux.intel.com>,
        "akpm@linux-foundation.org" <akpm@linux-foundation.org>,
        "will.deacon@arm.com" <will.deacon@arm.com>,
        "mingo@redhat.com" <mingo@redhat.com>,
        "luto@kernel.org" <luto@kernel.org>,
        "kernel-hardening@lists.openwall.com" 
        <kernel-hardening@lists.openwall.com>,
        "Keshavamurthy, Anil S" <anil.s.keshavamurthy@intel.com>,
        "Hansen, Dave" <dave.hansen@intel.com>,
        "naveen.n.rao@linux.vnet.ibm.com" <naveen.n.rao@linux.vnet.ibm.com>,
        "davem@davemloft.net" <davem@davemloft.net>,
        "netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: [PATCH 0/2] =?ISO-2022-JP?B?RG9uGyRCIUcbKEJ0?= leave executable
 TLB entries to freed pages
Message-Id: <20181130081913.916a27c8230b125da4bcf2f7@kernel.org>
In-Reply-To: <4cddc2ba36ba3b6d528556207b8d4592209797ea.camel@intel.com>
References: <20181128000754.18056-1-rick.p.edgecombe@intel.com>
        <20181129230616.f017059a093841dbaa4b82e6@kernel.org>
        <4cddc2ba36ba3b6d528556207b8d4592209797ea.camel@intel.com>
X-Mailer: Sylpheed 3.5.1 (GTK+ 2.24.31; x86_64-redhat-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 29 Nov 2018 18:49:26 +0000
"Edgecombe, Rick P" <rick.p.edgecombe@intel.com> wrote:

> On Thu, 2018-11-29 at 23:06 +0900, Masami Hiramatsu wrote:
> > On Tue, 27 Nov 2018 16:07:52 -0800
> > Rick Edgecombe <rick.p.edgecombe@intel.com> wrote:
> > 
> > > Sometimes when memory is freed via the module subsystem, an executable
> > > permissioned TLB entry can remain to a freed page. If the page is re-used to
> > > back an address that will receive data from userspace, it can result in user
> > > data being mapped as executable in the kernel. The root of this behavior is
> > > vfree lazily flushing the TLB, but not lazily freeing the underlying pages. 
> > 
> > Good catch!
> > 
> > > 
> > > There are sort of three categories of this which show up across modules,
> > > bpf,
> > > kprobes and ftrace:
> > 
> > For x86-64 kprobe, it sets the page NX and after that RW, and then release
> > via module_memfree. So I'm not sure it really happens on kprobes. (Of course
> > the default memory allocator is simpler so it may happen on other archs) But
> > interesting fixes.
> Yes, I think you are right, it should not leave an executable TLB entry in this
> case. Ftrace actually does this on x86 as well.
> 
> Is there some other reason for calling set_memory_nx that should apply elsewhere
> for module users? Or could it be removed in the case of this patch to centralize
> the behavior?

According to the commit c93f5cf571e7 ("kprobes/x86: Fix to set RWX bits correctly
before releasing trampoline"), if we release readonly page by module_memfree(),
it causes kernel crash. And at this moment, on x86-64 set the trampoline page
readonly becuase it is an exacutable page. Setting NX bit is for security reason
that should be set before making it writable.
So I think if you centralize setting NX bit, it should be done before setting
writable bit.

Thank you,


-- 
Masami Hiramatsu <mhiramat@kernel.org>