Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1301274ybt; Thu, 25 Jun 2020 02:46:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyMLcyhdQy4TIaLivKqTJ6GVt1pB23pFxg1Fc55bXRaM42exxGzBss+aRqmOov2gHP08Nkb X-Received: by 2002:a17:906:35d2:: with SMTP id p18mr6685745ejb.393.1593078407466; Thu, 25 Jun 2020 02:46:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1593078407; cv=none; d=google.com; s=arc-20160816; b=wY0csQhzY5GrNsDiOjKza6Bq+MkKPT7EeAGBqxvgpXUi80Jj6vxRfdAItDlvCUhHeZ dahR6asdVqxEljhzcApWcU8NF3Pzb30kApPydhJj4WvX5TZ78F9KqaSCLLw0+A1byvG7 sblfGauoE5hJNF4ASUcdnBrwPaZj7VVD6FktY6knPsNs6OFDxUkYaZMRF4k04Ll4SZgF UVjnmsdNj6eAG7G1lLzzsDWJgLT5BPuEJfRez+/cA9eAidvuL1HR00RI0fMsk7VygWbh K5kbUHnj9oz8SwQRioYxgIbTFdyX27rzPDutsid/VOpWGAnjb1n7sWMgcdqYmbM9hg7C 4rxg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :robot-unsubscribe:robot-id:message-id:mime-version:references :in-reply-to:cc:subject:to:reply-to:from:date; bh=ioGf826TmKJdvDmMK2loeVVoJ/gEUPQIwbeOTmpYg00=; b=NRbzYc4GoHBHH6RH17EBXqWNISQVAWTg2c9tmOHT4q6xZITZsWHIXTE8fieczmba0y bm8rfln0cwudj2P8G/4zPrnXFf+1W26gMqaaUzQ+sPSl5TrCBSSud7tR0FTDF44rVdJt ERk4DyAeB7VBkmRL2bAKqa8icnjWvrL5G5nYK/spAU9QOtXgORFPicgdBZ4UXnpgEOAl X3HJEJLz/Jph7FpNleoe0mya0VjAHCM/UKkgC4s7N1H1h5Y/uR8itPPB+cpFXDCvmVTV fNQhjF9Y+TS9XMzH6iWFL2QQLtpwH54W0ocjLXenv5VfRQjtnHM2xaW8fefQTTh0K6lQ UDQA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e26si2241380edv.66.2020.06.25.02.46.24; Thu, 25 Jun 2020 02:46:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2403781AbgFYIpp (ORCPT + 99 others); Thu, 25 Jun 2020 04:45:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50140 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390025AbgFYIpo (ORCPT ); Thu, 25 Jun 2020 04:45:44 -0400 Received: from Galois.linutronix.de (Galois.linutronix.de [IPv6:2a0a:51c0:0:12e:550::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 73913C061573; Thu, 25 Jun 2020 01:45:44 -0700 (PDT) Received: from [5.158.153.53] (helo=tip-bot2.lab.linutronix.de) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1joNVr-0002of-OW; Thu, 25 Jun 2020 10:45:39 +0200 Received: from [127.0.1.1] (localhost [IPv6:::1]) by tip-bot2.lab.linutronix.de (Postfix) with ESMTP id 360551C0092; Thu, 25 Jun 2020 10:45:39 +0200 (CEST) Date: Thu, 25 Jun 2020 08:45:38 -0000 From: "tip-bot2 for Borislav Petkov" Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: x86/misc] x86/msr: Filter MSR writes Cc: kernel test robot , Borislav Petkov , Sean Christopherson , x86 , LKML In-Reply-To: <20200612105026.GA22660@zn.tnic> References: <20200612105026.GA22660@zn.tnic> MIME-Version: 1.0 Message-ID: <159307473887.16989.17345471306220440079.tip-bot2@tip-bot2> X-Mailer: tip-git-log-daemon Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The following commit has been merged into the x86/misc branch of tip: Commit-ID: a7e1f67ed29f0c339e2aa7483d13b085127566ab Gitweb: https://git.kernel.org/tip/a7e1f67ed29f0c339e2aa7483d13b085127566ab Author: Borislav Petkov AuthorDate: Wed, 10 Jun 2020 21:37:49 +02:00 Committer: Borislav Petkov CommitterDate: Thu, 25 Jun 2020 10:39:02 +02:00 x86/msr: Filter MSR writes Add functionality to disable writing to MSRs from userspace. Writes can still be allowed by supplying the allow_writes=on module parameter. The kernel will be tainted so that it shows in oopses. Having unfettered access to all MSRs on a system is and has always been a disaster waiting to happen. Think performance counter MSRs, MSRs with sticky or locked bits, MSRs making major system changes like loading microcode, MTRRs, PAT configuration, TSC counter, security mitigations MSRs, you name it. This also destroys all the kernel's caching of MSR values for performance, as the recent case with MSR_AMD64_LS_CFG showed. Another example is writing MSRs by mistake by simply typing the wrong MSR address. System freezes have been experienced that way. In general, poking at MSRs under the kernel's feet is a bad bad idea. So log writing to MSRs by default. Longer term, such writes will be disabled by default. If userspace still wants to do that, then proper interfaces should be defined which are under the kernel's control and accesses to those MSRs can be synchronized and sanitized properly. [ Fix sparse warnings. ] Reported-by: kernel test robot Signed-off-by: Borislav Petkov Tested-by: Sean Christopherson Link: https://lkml.kernel.org/r/20200612105026.GA22660@zn.tnic --- arch/x86/kernel/msr.c | 69 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 69 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index 1547be3..49dcfb8 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -42,6 +42,14 @@ static struct class *msr_class; static enum cpuhp_state cpuhp_msr_state; +enum allow_write_msrs { + MSR_WRITES_ON, + MSR_WRITES_OFF, + MSR_WRITES_DEFAULT, +}; + +static enum allow_write_msrs allow_writes = MSR_WRITES_DEFAULT; + static ssize_t msr_read(struct file *file, char __user *buf, size_t count, loff_t *ppos) { @@ -70,6 +78,24 @@ static ssize_t msr_read(struct file *file, char __user *buf, return bytes ? bytes : err; } +static int filter_write(u32 reg) +{ + switch (allow_writes) { + case MSR_WRITES_ON: return 0; + case MSR_WRITES_OFF: return -EPERM; + default: break; + } + + if (reg == MSR_IA32_ENERGY_PERF_BIAS) + return 0; + + pr_err_ratelimited("Write to unrecognized MSR 0x%x by %s\n" + "Please report to x86@kernel.org\n", + reg, current->comm); + + return 0; +} + static ssize_t msr_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { @@ -84,6 +110,10 @@ static ssize_t msr_write(struct file *file, const char __user *buf, if (err) return err; + err = filter_write(reg); + if (err) + return err; + if (count % 8) return -EINVAL; /* Invalid chunk size */ @@ -92,9 +122,13 @@ static ssize_t msr_write(struct file *file, const char __user *buf, err = -EFAULT; break; } + + add_taint(TAINT_CPU_OUT_OF_SPEC, LOCKDEP_STILL_OK); + err = wrmsr_safe_on_cpu(cpu, reg, data[0], data[1]); if (err) break; + tmp += 2; bytes += 8; } @@ -242,6 +276,41 @@ static void __exit msr_exit(void) } module_exit(msr_exit) +static int set_allow_writes(const char *val, const struct kernel_param *cp) +{ + /* val is NUL-terminated, see kernfs_fop_write() */ + char *s = strstrip((char *)val); + + if (!strcmp(s, "on")) + allow_writes = MSR_WRITES_ON; + else if (!strcmp(s, "off")) + allow_writes = MSR_WRITES_OFF; + else + allow_writes = MSR_WRITES_DEFAULT; + + return 0; +} + +static int get_allow_writes(char *buf, const struct kernel_param *kp) +{ + const char *res; + + switch (allow_writes) { + case MSR_WRITES_ON: res = "on"; break; + case MSR_WRITES_OFF: res = "off"; break; + default: res = "default"; break; + } + + return sprintf(buf, "%s\n", res); +} + +static const struct kernel_param_ops allow_writes_ops = { + .set = set_allow_writes, + .get = get_allow_writes +}; + +module_param_cb(allow_writes, &allow_writes_ops, NULL, 0600); + MODULE_AUTHOR("H. Peter Anvin "); MODULE_DESCRIPTION("x86 generic MSR driver"); MODULE_LICENSE("GPL");