From: Kees Cook
Date: Wed, 27 Feb 2019 11:45:03 -0800
Subject: Re: [PATCH 1/3] x86/asm: Pin sensitive CR0 bits
To: Solar Designer
Cc: Thomas Gleixner, Peter Zijlstra, Jann Horn, Sean Christopherson, Dominik Brodowski, Kernel Hardening, LKML
In-Reply-To: <20190227104407.GA18804@openwall.com>
References: <20190226233647.28547-1-keescook@chromium.org> <20190226233647.28547-2-keescook@chromium.org> <20190227104407.GA18804@openwall.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Feb 27, 2019 at 2:44 AM Solar Designer wrote:
>
> On Tue, Feb 26, 2019 at 03:36:45PM -0800, Kees Cook wrote:
> >  static inline void native_write_cr0(unsigned long val)
> >  {
> > -	asm volatile("mov %0,%%cr0": : "r" (val), "m" (__force_order));
> > +	bool warn = false;
> > +
> > +again:
> > +	val |= X86_CR0_WP;
> > +	/*
> > +	 * In order to have the compiler not optimize away the check
> > +	 * in the WARN_ONCE(), mark "val" as being also an output ("+r")
>
> This comment is now slightly out of date: the check is no longer "in the
> WARN_ONCE()". Ditto about the comment for CR4.

Ah yes, good point. I will adjust and send a v2 series.

> > +	 * by this asm() block so it will perform an explicit check, as
> > +	 * if it were "volatile".
> > +	 */
> > +	asm volatile("mov %0,%%cr0": "+r" (val) : "m" (__force_order) : );
> > +	/*
> > +	 * If the MOV above was used directly as a ROP gadget we can
> > +	 * notice the lack of pinned bits in "val" and start the function
> > +	 * from the beginning to gain the WP bit for sure. And do it
> > +	 * without first taking the exception for a WARN().
> > +	 */
> > +	if ((val & X86_CR0_WP) != X86_CR0_WP) {
> > +		warn = true;
> > +		goto again;
> > +	}
> > +	WARN_ONCE(warn, "Attempt to unpin X86_CR0_WP, cr0 bypass attack?!\n");
> >  }
>
> Alexander

--
Kees Cook
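Review bot: the comment above the asm() in the native_write_cr0() hunk is stale in two places, not one: besides "in the WARN_ONCE()" (the check is now the `if ((val & X86_CR0_WP) != X86_CR0_WP)` test, as Solar points out), it says the "+r" output makes the block behave "as if it were 'volatile'", yet the statement is already `asm volatile`. What "+r" actually buys is different: the compiler must assume the asm may have modified `val`, so it can no longer see `val |= X86_CR0_WP` followed by `val & X86_CR0_WP` as a constant-true condition and delete the check entirely. Suggest rewording to something like "mark 'val' as an output ('+r') so the compiler cannot assume the WP bit is still set after the asm and fold the check away", and making the same change to the CR4 counterpart mentioned in this thread. Two smaller style points in the same hunk: since X86_CR0_WP is a single bit, `(val & X86_CR0_WP) != X86_CR0_WP` reads more naturally as `!(val & X86_CR0_WP)`, and the empty trailing clobber section in `: "m" (__force_order) : );` can be dropped.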