From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753904AbbG2WLw (ORCPT ); Wed, 29 Jul 2015 18:11:52 -0400 Received: from ppsw-50.csi.cam.ac.uk ([131.111.8.150]:50456 "EHLO ppsw-50.csi.cam.ac.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752544AbbG2WLu (ORCPT ); Wed, 29 Jul 2015 18:11:50 -0400 X-Cam-AntiVirus: no malware found X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/ Subject: Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option To: Andy Lutomirski References: <55B659EC.5030009@oracle.com> <55B75993.90909@citrix.com> <55B7AE39.7000101@citrix.com> <55B7B791.2050208@oracle.com> <55B822B8.3090608@citrix.com> <55B841FF.2000102@oracle.com> <55B8E16C.2050406@citrix.com> <55B8E68B.2030305@oracle.com> <55B9236B.9090507@citrix.com> <55B94451.8040600@oracle.com> <55B947AF.7020404@citrix.com> Cc: Boris Ostrovsky , "security@kernel.org" , Peter Zijlstra , X86 ML , "linux-kernel@vger.kernel.org" , Steven Rostedt , xen-devel , Borislav Petkov , Jan Beulich , Sasha Levin , David Vrabel , Konrad Wilk From: Andrew Cooper Message-ID: <55B94F9D.3000405@citrix.com> Date: Wed, 29 Jul 2015 23:11:41 +0100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 29/07/2015 23:05, Andy Lutomirski wrote: > On Wed, Jul 29, 2015 at 2:37 PM, Andrew Cooper > wrote: >> On 29/07/2015 22:26, Andy Lutomirski wrote: >>> On Wed, Jul 29, 2015 at 2:23 PM, Boris Ostrovsky >>> wrote: >>>> On 07/29/2015 03:03 PM, Andrew Cooper wrote: >>>>> On 29/07/15 15:43, Boris Ostrovsky wrote: >>>>>> FYI, I have got a repro now and am investigating. >>>>> Good and bad news. This bug has nothing to do with LDTs themselves. >>>>> >>>>> I have worked out what is going on, but this: >>>>> >>>>> diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c >>>>> index 5abeaac..7e1a82e 100644 >>>>> --- a/arch/x86/xen/enlighten.c >>>>> +++ b/arch/x86/xen/enlighten.c >>>>> @@ -493,6 +493,7 @@ static void set_aliased_prot(void *v, pgprot_t prot) >>>>> pte = pfn_pte(pfn, prot); >>>>> + (void)*(volatile int*)v; >>>>> if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0)) { >>>>> pr_err("set_aliased_prot va update failed w/ lazy mode >>>>> %u\n", paravirt_get_lazy_mode()); >>>>> BUG(); >>>>> >>>>> Is perhaps not the fix we are looking for, and every use of >>>>> HYPERVISOR_update_va_mapping() is susceptible to the same problem. >>>> I think in most cases we know that page is mapped so hopefully this is the >>>> only site that we need to be careful about. >>> Is there any chance we can get some kind of quick-and-dirty fix that >>> can go to x86/urgent in the next few days even if a clean fix isn't >>> available yet? >> Quick and dirty? >> >> Reading from v is the most obvious and quick way, for areas where we are >> certain v exists, is kernel memory and is expected to have a backing >> page. I don't know offhand how many of current >> HYPERVISOR_update_va_mapping() callsites this applies to. > __get_user((char *)v, tmp), perhaps, unless there's something better > in the wings. Keep in mind that we need this for -stable, and it's > likely to get backported quite quickly due to CVE-2015-5157. Hmm - something like that tucked inside HYPERVISOR_update_va_mapping() would probably work, and certainly be minimal hassle for -stable. Altering the hypercall used is certainly not something to backport, nor are we sure it is a viable fix at this time. ~Andrew