From: Kees Cook <keescook@chromium.org>
To: David Laight <David.Laight@ACULAB.COM>
Cc: 'Peter Zijlstra' <peterz@infradead.org>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"hch@infradead.org" <hch@infradead.org>,
"sean.j.christopherson@intel.com"
<sean.j.christopherson@intel.com>,
"mingo@redhat.com" <mingo@redhat.com>,
"bp@alien8.de" <bp@alien8.de>, "hpa@zytor.com" <hpa@zytor.com>,
"x86@kernel.org" <x86@kernel.org>,
"kenny@panix.com" <kenny@panix.com>,
"jeyu@kernel.org" <jeyu@kernel.org>,
"rasmus.villemoes@prevas.dk" <rasmus.villemoes@prevas.dk>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"fenghua.yu@intel.com" <fenghua.yu@intel.com>,
"xiaoyao.li@intel.com" <xiaoyao.li@intel.com>,
"nadav.amit@gmail.com" <nadav.amit@gmail.com>,
"thellstrom@vmware.com" <thellstrom@vmware.com>,
"tony.luck@intel.com" <tony.luck@intel.com>,
"rostedt@goodmis.org" <rostedt@goodmis.org>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
"jannh@google.com" <jannh@google.com>,
"dcovelli@vmware.com" <dcovelli@vmware.com>,
"mhiramat@kernel.org" <mhiramat@kernel.org>
Subject: Re: [PATCH 3/4] x86,module: Detect VMX vs SLD conflicts
Date: Tue, 7 Apr 2020 16:15:12 -0700 [thread overview]
Message-ID: <202004071611.233B0045@keescook> (raw)
In-Reply-To: <23787a63b28744b1906c4d4b6209b6af@AcuMS.aculab.com>
On Tue, Apr 07, 2020 at 09:25:56PM +0000, David Laight wrote:
> From: Peter Zijlstra
> > Sent: 07 April 2020 12:03
> >
> > It turns out that with Split-Lock-Detect enabled (default) any VMX
> > hypervisor needs at least a little modification in order to not blindly
> > inject the #AC into the guest without the guest being ready for it.
> >
> > Since there is no telling which module implements a hypervisor, scan
> > all out-of-tree modules' text and look for VMX instructions and refuse
> > to load it when SLD is enabled (default) and the module isn't marked
> > 'sld_safe'.
> ...
> > + while (text < text_end) {
> > + kernel_insn_init(&insn, text, text_end - text);
> > + insn_get_length(&insn);
> > +
> > + if (WARN_ON_ONCE(!insn_complete(&insn))) {
> > + pr_err("Module text malformed: %s\n", mod->name);
> > + return -ENOEXEC;
> > + }
> > +
> > + if (!allow_vmx && insn_is_vmx(&insn)) {
> > + pr_err("Module has VMX instructions and is not marked 'sld_safe', boot with:
> > 'split_lock_detect=off': %s\n", mod->name);
> > + return -ENOEXEC;
> > + }
> > +
> > + text += insn.length;
> > + }
>
> There is a slight flaw in the above.
> A malicious module can hide the required instruction by jumping into the
> middle of a long instruction.
>
> Even checking branch targets hit instruction barriers isn't enough,
> an indirect jump could be used.
If I understand the goals here, it's to provide feedback for good actors
doing things that they don't realize aren't safe. Trying to stop a
malicious module from doing malicious things is basically impossible:
it can just load a data blob and self-modify, etc. :)
Though, Peter, this does get me thinking: if this is meant to be helpful
for module authors tripping over things they shouldn't be touching,
perhaps every test needs to include explicit recommendations? It's
_kind_ of doing this already. Maybe the above should be:
pr_err("%s: contains VMX instructions but is not marked 'sld_safe'. Please see <url> or boot with: 'split_lock_detect=off' to ignore.\n", mod->name);
?
--
Kees Cook
next prev parent reply other threads:[~2020-04-07 23:15 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-07 11:02 [PATCH 0/4] x86/module: Out-of-tree module decode and sanitize Peter Zijlstra
2020-04-07 11:02 ` [PATCH 1/4] module: Expose load_info to arch module loader code Peter Zijlstra
2020-04-07 16:52 ` Kees Cook
2020-04-07 11:02 ` [PATCH 2/4] module: Convert module_finalize() to load_info Peter Zijlstra
2020-04-07 16:53 ` Kees Cook
2020-04-07 11:02 ` [PATCH 3/4] x86,module: Detect VMX vs SLD conflicts Peter Zijlstra
2020-04-07 14:35 ` Greg KH
2020-04-07 14:44 ` Paolo Bonzini
2020-04-07 14:55 ` Greg KH
2020-04-07 14:49 ` Steven Rostedt
2020-04-07 15:24 ` Peter Zijlstra
2020-04-07 15:28 ` Paolo Bonzini
2020-04-07 15:44 ` Greg KH
2020-04-07 16:51 ` Masami Hiramatsu
2020-04-07 17:16 ` Andrew Cooper
2020-04-07 23:59 ` Masami Hiramatsu
2020-04-08 7:25 ` Masami Hiramatsu
2020-04-07 18:26 ` kbuild test robot
2020-04-07 18:26 ` kbuild test robot
2020-04-07 21:25 ` David Laight
2020-04-07 23:15 ` Kees Cook [this message]
2020-04-08 2:10 ` Xiaoyao Li
2020-04-08 8:09 ` Masami Hiramatsu
2020-04-08 9:56 ` Peter Zijlstra
2020-04-08 10:15 ` Andrew Cooper
2020-04-10 11:25 ` Masami Hiramatsu
2020-04-07 11:02 ` [PATCH 4/4] x86,module: Detect CRn and DRn manipulation Peter Zijlstra
2020-04-07 17:01 ` Kees Cook
2020-04-07 18:13 ` Peter Zijlstra
2020-04-07 18:49 ` Kees Cook
2020-04-07 18:55 ` Nadav Amit
2020-04-07 19:38 ` Peter Zijlstra
2020-04-07 20:27 ` Nadav Amit
2020-04-07 20:50 ` Peter Zijlstra
2020-04-07 21:22 ` Nadav Amit
2020-04-07 21:27 ` Peter Zijlstra
2020-04-07 22:12 ` Paolo Bonzini
2020-04-07 23:51 ` Nadav Amit
2020-04-08 8:45 ` Peter Zijlstra
2020-04-08 5:18 ` Christoph Hellwig
2020-04-07 23:15 ` Andrew Cooper
2020-04-08 0:22 ` Paolo Bonzini
2020-04-08 8:37 ` Peter Zijlstra
2020-04-08 9:52 ` Andrew Cooper
2020-04-07 21:48 ` Steven Rostedt
2020-04-08 5:58 ` Jan Kiszka
2020-04-08 8:03 ` Paolo Bonzini
2020-04-08 8:58 ` Jan Kiszka
2020-04-08 9:04 ` Paolo Bonzini
2020-04-08 10:45 ` Jan Kiszka
2020-04-08 8:51 ` Peter Zijlstra
2020-04-08 8:59 ` Jan Kiszka
2020-04-08 9:25 ` David Laight
2020-04-08 11:13 ` Jan Kiszka
2020-04-08 11:17 ` David Laight
2020-04-08 9:13 ` Peter Zijlstra
2020-04-08 10:50 ` Jan Kiszka
2020-04-08 13:27 ` Steven Rostedt
2020-04-08 15:44 ` Peter Zijlstra
2020-04-08 15:46 ` Christoph Hellwig
2020-04-08 16:02 ` Sean Christopherson
2020-04-08 16:15 ` Paolo Bonzini
2020-04-09 8:56 ` Peter Zijlstra
2020-04-09 10:13 ` Nadav Amit
2020-04-09 21:13 ` Thomas Gleixner
2020-04-09 22:18 ` Steven Rostedt
2020-04-10 5:37 ` Nadav Amit
2020-04-08 15:54 ` Jessica Yu
2020-04-07 17:23 ` [PATCH 0/4] x86/module: Out-of-tree module decode and sanitize Andrew Cooper
2020-04-07 19:41 ` Peter Zijlstra
2020-04-07 20:11 ` Andrew Cooper
2020-04-07 20:45 ` Peter Zijlstra
2020-04-07 21:21 ` Andrew Cooper
2020-04-07 20:21 ` Andrew Cooper
2020-04-07 20:48 ` Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202004071611.233B0045@keescook \
--to=keescook@chromium.org \
--cc=David.Laight@ACULAB.COM \
--cc=bp@alien8.de \
--cc=dcovelli@vmware.com \
--cc=fenghua.yu@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=jeyu@kernel.org \
--cc=kenny@panix.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=mingo@redhat.com \
--cc=nadav.amit@gmail.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=rasmus.villemoes@prevas.dk \
--cc=rostedt@goodmis.org \
--cc=sean.j.christopherson@intel.com \
--cc=tglx@linutronix.de \
--cc=thellstrom@vmware.com \
--cc=tony.luck@intel.com \
--cc=x86@kernel.org \
--cc=xiaoyao.li@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.