From: Rick Edgecombe <rick.p.edgecombe@intel.com>
To: Andy Lutomirski <luto@kernel.org>, Ingo Molnar <mingo@redhat.com>
Cc: linux-kernel@vger.kernel.org, x86@kernel.org, hpa@zytor.com,
Thomas Gleixner <tglx@linutronix.de>,
Borislav Petkov <bp@alien8.de>, Nadav Amit <nadav.amit@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>,
linux_dti@icloud.com, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, akpm@linux-foundation.org,
kernel-hardening@lists.openwall.com, linux-mm@kvack.org,
will.deacon@arm.com, ard.biesheuvel@linaro.org,
kristen@linux.intel.com, deneen.t.dock@intel.com,
Nadav Amit <namit@vmware.com>, Kees Cook <keescook@chromium.org>,
Dave Hansen <dave.hansen@intel.com>,
Rick Edgecombe <rick.p.edgecombe@intel.com>
Subject: [PATCH v3 05/20] x86/alternative: Initialize temporary mm for patching
Date: Thu, 21 Feb 2019 15:44:36 -0800 [thread overview]
Message-ID: <20190221234451.17632-6-rick.p.edgecombe@intel.com> (raw)
In-Reply-To: <20190221234451.17632-1-rick.p.edgecombe@intel.com>
From: Nadav Amit <namit@vmware.com>
To prevent improper use of the PTEs that are used for text patching, the
next patches will use a temporary mm struct. Initailize it by copying
the init mm.
The address that will be used for patching is taken from the lower area
that is usually used for the task memory. Doing so prevents the need to
frequently synchronize the temporary-mm (e.g., when BPF programs are
installed), since different PGDs are used for the task memory.
Finally, randomize the address of the PTEs to harden against exploits
that use these PTEs.
Cc: Kees Cook <keescook@chromium.org>
Cc: Dave Hansen <dave.hansen@intel.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Tested-by: Masami Hiramatsu <mhiramat@kernel.org>
Suggested-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Nadav Amit <namit@vmware.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
---
arch/x86/include/asm/pgtable.h | 3 +++
arch/x86/include/asm/text-patching.h | 2 ++
arch/x86/kernel/alternative.c | 3 +++
arch/x86/mm/init_64.c | 36 ++++++++++++++++++++++++++++
init/main.c | 3 +++
5 files changed, 47 insertions(+)
diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
index 40616e805292..e8f630d9a2ed 100644
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -1021,6 +1021,9 @@ static inline void __meminit init_trampoline_default(void)
/* Default trampoline pgd value */
trampoline_pgd_entry = init_top_pgt[pgd_index(__PAGE_OFFSET)];
}
+
+void __init poking_init(void);
+
# ifdef CONFIG_RANDOMIZE_MEMORY
void __meminit init_trampoline(void);
# else
diff --git a/arch/x86/include/asm/text-patching.h b/arch/x86/include/asm/text-patching.h
index f8fc8e86cf01..a75eed841eed 100644
--- a/arch/x86/include/asm/text-patching.h
+++ b/arch/x86/include/asm/text-patching.h
@@ -39,5 +39,7 @@ extern void *text_poke_kgdb(void *addr, const void *opcode, size_t len);
extern int poke_int3_handler(struct pt_regs *regs);
extern void *text_poke_bp(void *addr, const void *opcode, size_t len, void *handler);
extern int after_bootmem;
+extern __ro_after_init struct mm_struct *poking_mm;
+extern __ro_after_init unsigned long poking_addr;
#endif /* _ASM_X86_TEXT_PATCHING_H */
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
index 12fddbc8c55b..ae05fbb50171 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -678,6 +678,9 @@ void *__init_or_module text_poke_early(void *addr, const void *opcode,
return addr;
}
+__ro_after_init struct mm_struct *poking_mm;
+__ro_after_init unsigned long poking_addr;
+
static void *__text_poke(void *addr, const void *opcode, size_t len)
{
unsigned long flags;
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index bccff68e3267..125c8c48aa24 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -53,6 +53,7 @@
#include <asm/init.h>
#include <asm/uv/uv.h>
#include <asm/setup.h>
+#include <asm/text-patching.h>
#include "mm_internal.h"
@@ -1383,6 +1384,41 @@ unsigned long memory_block_size_bytes(void)
return memory_block_size_probed;
}
+/*
+ * Initialize an mm_struct to be used during poking and a pointer to be used
+ * during patching.
+ */
+void __init poking_init(void)
+{
+ spinlock_t *ptl;
+ pte_t *ptep;
+
+ poking_mm = copy_init_mm();
+ BUG_ON(!poking_mm);
+
+ /*
+ * Randomize the poking address, but make sure that the following page
+ * will be mapped at the same PMD. We need 2 pages, so find space for 3,
+ * and adjust the address if the PMD ends after the first one.
+ */
+ poking_addr = TASK_UNMAPPED_BASE;
+ if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))
+ poking_addr += (kaslr_get_random_long("Poking") & PAGE_MASK) %
+ (TASK_SIZE - TASK_UNMAPPED_BASE - 3 * PAGE_SIZE);
+
+ if (((poking_addr + PAGE_SIZE) & ~PMD_MASK) == 0)
+ poking_addr += PAGE_SIZE;
+
+ /*
+ * We need to trigger the allocation of the page-tables that will be
+ * needed for poking now. Later, poking may be performed in an atomic
+ * section, which might cause allocation to fail.
+ */
+ ptep = get_locked_pte(poking_mm, poking_addr, &ptl);
+ BUG_ON(!ptep);
+ pte_unmap_unlock(ptep, ptl);
+}
+
#ifdef CONFIG_SPARSEMEM_VMEMMAP
/*
* Initialise the sparsemem vmemmap using huge-pages at the PMD level.
diff --git a/init/main.c b/init/main.c
index e2e80ca3165a..f5947ba53bb4 100644
--- a/init/main.c
+++ b/init/main.c
@@ -496,6 +496,8 @@ void __init __weak thread_stack_cache_init(void)
void __init __weak mem_encrypt_init(void) { }
+void __init __weak poking_init(void) { }
+
bool initcall_debug;
core_param(initcall_debug, initcall_debug, bool, 0644);
@@ -730,6 +732,7 @@ asmlinkage __visible void __init start_kernel(void)
taskstats_init_early();
delayacct_init();
+ poking_init();
check_bugs();
acpi_subsystem_init();
--
2.17.1
next prev parent reply other threads:[~2019-02-21 23:51 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-21 23:44 [PATCH v3 00/20] Merge text_poke fixes and executable lockdowns Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 01/20] x86/jump_label: Use text_poke_early() during early init Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 02/20] x86/mm: Introduce temporary mm structs Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 03/20] x86/mm: Save DRs when loading a temporary mm Rick Edgecombe
2019-02-22 0:07 ` Sean Christopherson
2019-02-22 0:17 ` Nadav Amit
2019-02-21 23:44 ` [PATCH v3 04/20] fork: Provide a function for copying init_mm Rick Edgecombe
2019-02-21 23:44 ` Rick Edgecombe [this message]
2019-02-21 23:44 ` [PATCH v3 06/20] x86/alternative: Use temporary mm for text poking Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 07/20] x86/kgdb: Avoid redundant comparison of patched code Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 08/20] x86/ftrace: Set trampoline pages as executable Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 09/20] x86/kprobes: Set instruction page " Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 10/20] x86/module: Avoid breaking W^X while loading modules Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 11/20] x86/jump-label: Remove support for custom poker Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 12/20] x86/alternative: Remove the return value of text_poke_*() Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 13/20] x86/mm/cpa: Add set_direct_map_ functions Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 14/20] mm: Make hibernate handle unmapped pages Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 15/20] vmalloc: Add flag for free of special permsissions Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 16/20] modules: Use vmalloc special flag Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 17/20] bpf: " Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 18/20] x86/ftrace: " Rick Edgecombe
2019-02-22 0:22 ` Steven Rostedt
2019-02-22 0:55 ` Edgecombe, Rick P
2019-02-21 23:44 ` [PATCH v3 19/20] x86/kprobes: " Rick Edgecombe
2019-02-21 23:44 ` [PATCH v3 20/20] x86/alternative: Comment about module removal races Rick Edgecombe
2019-02-22 16:14 ` [PATCH v3 00/20] Merge text_poke fixes and executable lockdowns Borislav Petkov
2019-02-22 18:32 ` Edgecombe, Rick P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190221234451.17632-6-rick.p.edgecombe@intel.com \
--to=rick.p.edgecombe@intel.com \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=deneen.t.dock@intel.com \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kristen@linux.intel.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux_dti@icloud.com \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=nadav.amit@gmail.com \
--cc=namit@vmware.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).