From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754294AbbG2XIu (ORCPT ); Wed, 29 Jul 2015 19:08:50 -0400 Received: from queue01c.mail.zen.net.uk ([212.23.3.237]:37888 "EHLO queue01c.mail.zen.net.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753264AbbG2XIt (ORCPT ); Wed, 29 Jul 2015 19:08:49 -0400 X-Greylist: delayed 1275 seconds by postgrey-1.27 at vger.kernel.org; Wed, 29 Jul 2015 19:08:49 EDT Message-ID: <55B957DE.60405@cantab.net> Date: Wed, 29 Jul 2015 23:46:54 +0100 From: David Vrabel User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: Andrew Cooper , Andy Lutomirski CC: "security@kernel.org" , Peter Zijlstra , X86 ML , "linux-kernel@vger.kernel.org" , Steven Rostedt , xen-devel , Borislav Petkov , David Vrabel , Jan Beulich , Sasha Levin , Boris Ostrovsky References: <55B659EC.5030009@oracle.com> <55B75993.90909@citrix.com> <55B7AE39.7000101@citrix.com> <55B7B791.2050208@oracle.com> <55B822B8.3090608@citrix.com> <55B841FF.2000102@oracle.com> <55B8E16C.2050406@citrix.com> <55B8E68B.2030305@oracle.com> <55B9236B.9090507@citrix.com> <55B94451.8040600@oracle.com> <55B947AF.7020404@citrix.com> <55B94F9D.3000405@citrix.com> In-Reply-To: <55B94F9D.3000405@citrix.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-SA-Exim-Connect-IP: 82.70.146.43 X-SA-Exim-Mail-From: dvrabel@cantab.net Subject: Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000) X-SA-Exim-Scanned: Yes (on pear.davidvrabel.org.uk) X-Originating-smarthost01c-IP: [82.70.146.41] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 29/07/2015 23:11, Andrew Cooper wrote: > On 29/07/2015 23:05, Andy Lutomirski wrote: >> On Wed, Jul 29, 2015 at 2:37 PM, Andrew Cooper >> wrote: >>> On 29/07/2015 22:26, Andy Lutomirski wrote: >>>> On Wed, Jul 29, 2015 at 2:23 PM, Boris Ostrovsky >>>> wrote: >>>>> On 07/29/2015 03:03 PM, Andrew Cooper wrote: >>>>>> On 29/07/15 15:43, Boris Ostrovsky wrote: >>>>>>> FYI, I have got a repro now and am investigating. >>>>>> Good and bad news. This bug has nothing to do with LDTs themselves. >>>>>> >>>>>> I have worked out what is going on, but this: >>>>>> >>>>>> diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c >>>>>> index 5abeaac..7e1a82e 100644 >>>>>> --- a/arch/x86/xen/enlighten.c >>>>>> +++ b/arch/x86/xen/enlighten.c >>>>>> @@ -493,6 +493,7 @@ static void set_aliased_prot(void *v, pgprot_t prot) >>>>>> pte = pfn_pte(pfn, prot); >>>>>> + (void)*(volatile int*)v; >>>>>> if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0)) { >>>>>> pr_err("set_aliased_prot va update failed w/ lazy mode >>>>>> %u\n", paravirt_get_lazy_mode()); >>>>>> BUG(); >>>>>> >>>>>> Is perhaps not the fix we are looking for, and every use of >>>>>> HYPERVISOR_update_va_mapping() is susceptible to the same problem. >>>>> I think in most cases we know that page is mapped so hopefully this is the >>>>> only site that we need to be careful about. >>>> Is there any chance we can get some kind of quick-and-dirty fix that >>>> can go to x86/urgent in the next few days even if a clean fix isn't >>>> available yet? >>> Quick and dirty? >>> >>> Reading from v is the most obvious and quick way, for areas where we are >>> certain v exists, is kernel memory and is expected to have a backing >>> page. I don't know offhand how many of current >>> HYPERVISOR_update_va_mapping() callsites this applies to. >> __get_user((char *)v, tmp), perhaps, unless there's something better >> in the wings. Keep in mind that we need this for -stable, and it's >> likely to get backported quite quickly due to CVE-2015-5157. > > Hmm - something like that tucked inside HYPERVISOR_update_va_mapping() > would probably work, and certainly be minimal hassle for -stable. > > Altering the hypercall used is certainly not something to backport, nor > are we sure it is a viable fix at this time. Changing this one use of update_va_mapping to use mmu_update_normal_pt is the correct fix to unblock this LDT series. I see no reason why this cannot be backported. We can address any other potential update_va_mapping calls at a later date (if they are shown to be problematic). David From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Vrabel Subject: Re: [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option Date: Wed, 29 Jul 2015 23:46:54 +0100 Message-ID: <55B957DE.60405@cantab.net> References: <55B659EC.5030009@oracle.com> <55B75993.90909@citrix.com> <55B7AE39.7000101@citrix.com> <55B7B791.2050208@oracle.com> <55B822B8.3090608@citrix.com> <55B841FF.2000102@oracle.com> <55B8E16C.2050406@citrix.com> <55B8E68B.2030305@oracle.com> <55B9236B.9090507@citrix.com> <55B94451.8040600@oracle.com> <55B947AF.7020404@citrix.com> <55B94F9D.3000405@citrix.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <55B94F9D.3000405@citrix.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Andrew Cooper , Andy Lutomirski Cc: "security@kernel.org" , Peter Zijlstra , X86 ML , "linux-kernel@vger.kernel.org" , Steven Rostedt , xen-devel , Borislav Petkov , David Vrabel , Jan Beulich , Sasha Levin , Boris Ostrovsky List-Id: xen-devel@lists.xenproject.org On 29/07/2015 23:11, Andrew Cooper wrote: > On 29/07/2015 23:05, Andy Lutomirski wrote: >> On Wed, Jul 29, 2015 at 2:37 PM, Andrew Cooper >> wrote: >>> On 29/07/2015 22:26, Andy Lutomirski wrote: >>>> On Wed, Jul 29, 2015 at 2:23 PM, Boris Ostrovsky >>>> wrote: >>>>> On 07/29/2015 03:03 PM, Andrew Cooper wrote: >>>>>> On 29/07/15 15:43, Boris Ostrovsky wrote: >>>>>>> FYI, I have got a repro now and am investigating. >>>>>> Good and bad news. This bug has nothing to do with LDTs themselves. >>>>>> >>>>>> I have worked out what is going on, but this: >>>>>> >>>>>> diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c >>>>>> index 5abeaac..7e1a82e 100644 >>>>>> --- a/arch/x86/xen/enlighten.c >>>>>> +++ b/arch/x86/xen/enlighten.c >>>>>> @@ -493,6 +493,7 @@ static void set_aliased_prot(void *v, pgprot_t prot) >>>>>> pte = pfn_pte(pfn, prot); >>>>>> + (void)*(volatile int*)v; >>>>>> if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0)) { >>>>>> pr_err("set_aliased_prot va update failed w/ lazy mode >>>>>> %u\n", paravirt_get_lazy_mode()); >>>>>> BUG(); >>>>>> >>>>>> Is perhaps not the fix we are looking for, and every use of >>>>>> HYPERVISOR_update_va_mapping() is susceptible to the same problem. >>>>> I think in most cases we know that page is mapped so hopefully this is the >>>>> only site that we need to be careful about. >>>> Is there any chance we can get some kind of quick-and-dirty fix that >>>> can go to x86/urgent in the next few days even if a clean fix isn't >>>> available yet? >>> Quick and dirty? >>> >>> Reading from v is the most obvious and quick way, for areas where we are >>> certain v exists, is kernel memory and is expected to have a backing >>> page. I don't know offhand how many of current >>> HYPERVISOR_update_va_mapping() callsites this applies to. >> __get_user((char *)v, tmp), perhaps, unless there's something better >> in the wings. Keep in mind that we need this for -stable, and it's >> likely to get backported quite quickly due to CVE-2015-5157. > > Hmm - something like that tucked inside HYPERVISOR_update_va_mapping() > would probably work, and certainly be minimal hassle for -stable. > > Altering the hypercall used is certainly not something to backport, nor > are we sure it is a viable fix at this time. Changing this one use of update_va_mapping to use mmu_update_normal_pt is the correct fix to unblock this LDT series. I see no reason why this cannot be backported. We can address any other potential update_va_mapping calls at a later date (if they are shown to be problematic). David