Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp9227410imu; Wed, 5 Dec 2018 00:54:44 -0800 (PST) X-Google-Smtp-Source: AFSGD/XmVEWsvbMS6RqQ+HwZn9/+HjtnebYahMBZZBOYXKkUHwqYQe1m/z7fuHoFTDYKQ4LJGfIo X-Received: by 2002:a17:902:4d46:: with SMTP id o6mr22246212plh.302.1544000084263; Wed, 05 Dec 2018 00:54:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544000084; cv=none; d=google.com; s=arc-20160816; b=0+OeB91zUWXs624wuPVMYubbinGJTjPjfl0qr5VHf+pDi+DuQttagrzEJBQNS50N55 fCD7n54TJa4fgbCfs+uvuHrhsW+2cVWDOsAh69CmHGHIjt6GbmMDTtdn1TbSpHkdJc9W 7BgRkVHkhcoRXb9leQrTx0fvZBjdsj+hX9t+0dOQfn/+u99J1y1FcZge5rNjOzJWbkZ7 0nlHboOBYJDCC0g5liFExaC2ZBocYJQYYNqFmaAmCxyliwJEE14R3fT+vS8ZPpJXBo8g rRAXZjUr+0538xT8NmQ8V8HETmUZE628racLtJ8wCqd1VKJIuZ0AFNwdXRmjRWPsbLBR CYZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:subject:cc :to:from; bh=AfUZU1h16hMe1VPLA2ZC9dHDAlktIVy5H0PNhkjAFZ4=; b=r3XPC4QbH0MscY1sIfcpzOwopjnGa0z7sfoFh34p8f3otGHwqB3I3U9nUKMuqDIPau ylO6Xi5RxboAujZ7yeUza37XIT3gHVVS3jh0MA8OmnSqN4uInjBWCywBMhYQbQMsYWIz oWGUgQ/fx7YyP9cJKfESMUCwd1hBorc651lzDaMh/BEgMYVaAz9HL3S0NDZYToHWllFu 1+KX523fJbcIlLUzjpdwkHMO2JXJivXzFW7w0Bwlc3nZFXjAZJY17Y6JFYnORngAcEP0 ZRegXDZuN9utzZr4JR4BWGbN1Rx0KVgbvK529hYNyPRXzo3X3dCr5NB7lg7dxk6dl2ut rVTw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=vmware.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 69si18278799pgc.164.2018.12.05.00.54.29; Wed, 05 Dec 2018 00:54:44 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=vmware.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727257AbeLEIwG (ORCPT + 99 others); Wed, 5 Dec 2018 03:52:06 -0500 Received: from ex13-edg-ou-002.vmware.com ([208.91.0.190]:46460 "EHLO EX13-EDG-OU-002.vmware.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726171AbeLEIwG (ORCPT ); Wed, 5 Dec 2018 03:52:06 -0500 Received: from sc9-mailhost3.vmware.com (10.113.161.73) by EX13-EDG-OU-002.vmware.com (10.113.208.156) with Microsoft SMTP Server id 15.0.1156.6; Wed, 5 Dec 2018 00:52:03 -0800 Received: from sc2-haas01-esx0118.eng.vmware.com (sc2-haas01-esx0118.eng.vmware.com [10.172.44.118]) by sc9-mailhost3.vmware.com (Postfix) with ESMTP id C33B441280; Wed, 5 Dec 2018 00:52:04 -0800 (PST) From: Nadav Amit To: Ingo Molnar CC: , , "H. Peter Anvin" , Thomas Gleixner , Borislav Petkov , Andy Lutomirski , Nadav Amit , Dave Hansen , Peter Zijlstra , , , , Nadav Amit Subject: [PATCH v7 00/14] x86/alternative: text_poke() enhancements Date: Tue, 4 Dec 2018 17:33:54 -0800 Message-ID: <20181205013408.47725-1-namit@vmware.com> X-Mailer: git-send-email 2.17.1 MIME-Version: 1.0 Content-Type: text/plain Received-SPF: None (EX13-EDG-OU-002.vmware.com: namit@vmware.com does not designate permitted sender hosts) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This patch-set addresses some issues that might affect the security and the correctness of code patching. It was originally small and mainly intended to remove the text-poking fixmap PTEs, which can cause PTEs cached in the TLB in remote cores for unbounded time. It was then suggested by tglx and Andy that patching of modules can be simpler by making module code non-executable during setup. This opened a can of worms, since it required changes of kprobe and ftrace. Ftrace, it turns out, patches the code using a homegrown mechanism, so it made sense to make it use text_poke_*() instead. And then, module unloading seemed fragile and susceptible for attacks, so it required some attention as well. This whole story is to clarify two points: (a) this patch-set does *not* have a full threat-model in mind. It does harden security a bit by shortening the time-window in which writable executable mappings are set. Since it consolidates kernel code modifications, it may be used as a basis for some a future code integrity mechanism, a-la Microsoft's hypervisor enforced code integrity (HVCI). However, this patch-set does not provide HVCI-like security. Which leads me to (b) - the patch-set is big "enough" IMHO. Indeed, there are open security issues in the kernel when it comes to W^X. But some people would want to use Andy's temporary mm-struct for other uses. So additional security hardening may be left for future patches. v6->v7: - Fix kprobes breakage [Rick Edgecombe] - Fix ftrace breakage [Rick Edgecombe] - Fix module unloading issues (setting X, race with patching) v5->v6: - Panic if anything goes wrong when poking [peterZ] v4->v5: - Fix Xen breakage [Damian Tometzki] - BUG_ON() when poking_mm initialization fails [peterZ] - Better comments on "x86/mm: temporary mm struct" - Cleaner removal of the custom poker v3->v4: - Setting modules as RO when loading [andy, tglx] - Adding text_poke_kgdb() to keep the text_mutex assertion [tglx] - Simpler logic to decide when to use early-poking [peterZ] - More cleanup v2->v3: - Remove the fallback path in text_poke() [peterZ] - poking_init() was broken due to the local variable poking_addr - Preallocate tables for the temporary-mm to avoid sleep-in-atomic - Prevent KASAN from yelling at text_poke() v1->v2: - Partial revert of 9222f606506c added to 1/6 [masami] - Added Masami's reviewed-by tag RFC->v1: - Added handling of error in get_locked_pte() - Remove lockdep assertion, clarify text_mutex use instead [masami] - Comment fix [peterz] - Removed remainders of text_poke return value [masami] - Use __weak for poking_init instead of macros [masami] - Simplify error handling in poking_init [masami] Andy Lutomirski (1): x86/mm: temporary mm struct Nadav Amit (13): Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" x86/jump_label: Use text_poke_early() during early init fork: provide a function for copying init_mm x86/alternative: initializing temporary mm for patching x86/alternative: use temporary mm for text poking x86/kgdb: avoid redundant comparison of patched code x86/ftrace: Use text_poke_*() infrastructure x86/kprobes: Instruction pages initialization enhancements x86: avoid W^X being broken during modules loading x86/jump-label: remove support for custom poker x86/alternative: Remove the return value of text_poke_*() module: Do not set nx for module memory before freeing module: Prevent module removal racing with text_poke() arch/x86/include/asm/fixmap.h | 2 - arch/x86/include/asm/mmu_context.h | 32 +++++ arch/x86/include/asm/pgtable.h | 3 + arch/x86/include/asm/text-patching.h | 7 +- arch/x86/kernel/alternative.c | 197 ++++++++++++++++++++------- arch/x86/kernel/ftrace.c | 74 ++++------ arch/x86/kernel/jump_label.c | 19 ++- arch/x86/kernel/kgdb.c | 25 +--- arch/x86/kernel/kprobes/core.c | 24 +++- arch/x86/kernel/module.c | 2 +- arch/x86/mm/init_64.c | 35 +++++ arch/x86/xen/mmu_pv.c | 2 - include/linux/filter.h | 6 + include/linux/sched/task.h | 1 + init/main.c | 3 + kernel/fork.c | 24 +++- kernel/module.c | 50 +++++-- 17 files changed, 349 insertions(+), 157 deletions(-) -- 2.17.1