From: Kees Cook <keescook@chromium.org>
To: David Laight <David.Laight@ACULAB.COM>
Cc: 'Peter Zijlstra' <peterz@infradead.org>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"hch@infradead.org" <hch@infradead.org>,
"sean.j.christopherson@intel.com"
<sean.j.christopherson@intel.com>,
"mingo@redhat.com" <mingo@redhat.com>,
"bp@alien8.de" <bp@alien8.de>, "hpa@zytor.com" <hpa@zytor.com>,
"x86@kernel.org" <x86@kernel.org>,
"kenny@panix.com" <kenny@panix.com>,
"jeyu@kernel.org" <jeyu@kernel.org>,
"rasmus.villemoes@prevas.dk" <rasmus.villemoes@prevas.dk>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"fenghua.yu@intel.com" <fenghua.yu@intel.com>,
"xiaoyao.li@intel.com" <xiaoyao.li@intel.com>,
"nadav.amit@gmail.com" <nadav.amit@gmail.com>,
"thellstrom@vmware.com" <thellstrom@vmware.com>,
"tony.luck@intel.com" <tony.luck@intel.com>,
"rostedt@goodmis.org" <rostedt@goodmis.org>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
"jannh@google.com" <jannh@google.com>,
"dcovelli@vmware.com" <dcovelli@vmware.com>,
"mhiramat@kernel.org" <mhiramat@kernel.org>
Subject: Re: [PATCH 3/4] x86,module: Detect VMX vs SLD conflicts
Date: Tue, 7 Apr 2020 16:15:12 -0700 [thread overview]
Message-ID: <202004071611.233B0045@keescook> (raw)
In-Reply-To: <23787a63b28744b1906c4d4b6209b6af@AcuMS.aculab.com>
On Tue, Apr 07, 2020 at 09:25:56PM +0000, David Laight wrote:
> From: Peter Zijlstra
> > Sent: 07 April 2020 12:03
> >
> > It turns out that with Split-Lock-Detect enabled (default) any VMX
> > hypervisor needs at least a little modification in order to not blindly
> > inject the #AC into the guest without the guest being ready for it.
> >
> > Since there is no telling which module implements a hypervisor, scan
> > all out-of-tree modules' text and look for VMX instructions and refuse
> > to load it when SLD is enabled (default) and the module isn't marked
> > 'sld_safe'.
> ...
> > + while (text < text_end) {
> > + kernel_insn_init(&insn, text, text_end - text);
> > + insn_get_length(&insn);
> > +
> > + if (WARN_ON_ONCE(!insn_complete(&insn))) {
> > + pr_err("Module text malformed: %s\n", mod->name);
> > + return -ENOEXEC;
> > + }
> > +
> > + if (!allow_vmx && insn_is_vmx(&insn)) {
> > + pr_err("Module has VMX instructions and is not marked 'sld_safe', boot with:
> > 'split_lock_detect=off': %s\n", mod->name);
> > + return -ENOEXEC;
> > + }
> > +
> > + text += insn.length;
> > + }
>
> There is a slight flaw in the above.
> A malicious module can hide the required instruction by jumping into the
> middle of a long instruction.
>
> Even checking branch targets hit instruction barriers isn't enough,
> an indirect jump could be used.
If I understand the goals here, it's to provide feedback for good actors
doing things that they don't realize aren't safe. Trying to stop a
malicious module from doing malicious things is basically impossible:
it can just load a data blob and self-modify, etc. :)
Though, Peter, this does get me thinking: if this is meant to be helpful
for module authors tripping over things they shouldn't be touching,
perhaps every test needs to include explicit recommendations? It's
_kind_ of doing this already. Maybe the above should be:
pr_err("%s: contains VMX instructions but is not marked 'sld_safe'. Please see <url> or boot with: 'split_lock_detect=off' to ignore.\n", mod->name);
?
--
Kees Cook
next prev parent reply other threads:[~2020-04-07 23:15 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-07 11:02 [PATCH 0/4] x86/module: Out-of-tree module decode and sanitize Peter Zijlstra
2020-04-07 11:02 ` [PATCH 1/4] module: Expose load_info to arch module loader code Peter Zijlstra
2020-04-07 16:52 ` Kees Cook
2020-04-07 11:02 ` [PATCH 2/4] module: Convert module_finalize() to load_info Peter Zijlstra
2020-04-07 16:53 ` Kees Cook
2020-04-07 11:02 ` [PATCH 3/4] x86,module: Detect VMX vs SLD conflicts Peter Zijlstra
2020-04-07 14:35 ` Greg KH
2020-04-07 14:44 ` Paolo Bonzini
2020-04-07 14:55 ` Greg KH
2020-04-07 14:49 ` Steven Rostedt
2020-04-07 15:24 ` Peter Zijlstra
2020-04-07 15:28 ` Paolo Bonzini
2020-04-07 15:44 ` Greg KH
2020-04-07 16:51 ` Masami Hiramatsu
2020-04-07 17:16 ` Andrew Cooper
2020-04-07 23:59 ` Masami Hiramatsu
2020-04-08 7:25 ` Masami Hiramatsu
2020-04-07 18:26 ` kbuild test robot
2020-04-07 21:25 ` David Laight
2020-04-07 23:15 ` Kees Cook [this message]
2020-04-08 2:10 ` Xiaoyao Li
2020-04-08 8:09 ` Masami Hiramatsu
2020-04-08 9:56 ` Peter Zijlstra
2020-04-08 10:15 ` Andrew Cooper
2020-04-10 11:25 ` Masami Hiramatsu
2020-04-07 11:02 ` [PATCH 4/4] x86,module: Detect CRn and DRn manipulation Peter Zijlstra
2020-04-07 17:01 ` Kees Cook
2020-04-07 18:13 ` Peter Zijlstra
2020-04-07 18:49 ` Kees Cook
2020-04-07 18:55 ` Nadav Amit
2020-04-07 19:38 ` Peter Zijlstra
2020-04-07 20:27 ` Nadav Amit
2020-04-07 20:50 ` Peter Zijlstra
2020-04-07 21:22 ` Nadav Amit
2020-04-07 21:27 ` Peter Zijlstra
2020-04-07 22:12 ` Paolo Bonzini
2020-04-07 23:51 ` Nadav Amit
2020-04-08 8:45 ` Peter Zijlstra
2020-04-08 5:18 ` Christoph Hellwig
2020-04-07 23:15 ` Andrew Cooper
2020-04-08 0:22 ` Paolo Bonzini
2020-04-08 8:37 ` Peter Zijlstra
2020-04-08 9:52 ` Andrew Cooper
2020-04-07 21:48 ` Steven Rostedt
2020-04-08 5:58 ` Jan Kiszka
2020-04-08 8:03 ` Paolo Bonzini
2020-04-08 8:58 ` Jan Kiszka
2020-04-08 9:04 ` Paolo Bonzini
2020-04-08 10:45 ` Jan Kiszka
2020-04-08 8:51 ` Peter Zijlstra
2020-04-08 8:59 ` Jan Kiszka
2020-04-08 9:25 ` David Laight
2020-04-08 11:13 ` Jan Kiszka
2020-04-08 11:17 ` David Laight
2020-04-08 9:13 ` Peter Zijlstra
2020-04-08 10:50 ` Jan Kiszka
2020-04-08 13:27 ` Steven Rostedt
2020-04-08 15:44 ` Peter Zijlstra
2020-04-08 15:46 ` Christoph Hellwig
2020-04-08 16:02 ` Sean Christopherson
2020-04-08 16:15 ` Paolo Bonzini
2020-04-09 8:56 ` Peter Zijlstra
2020-04-09 10:13 ` Nadav Amit
2020-04-09 21:13 ` Thomas Gleixner
2020-04-09 22:18 ` Steven Rostedt
2020-04-10 5:37 ` Nadav Amit
2020-04-08 15:54 ` Jessica Yu
2020-04-07 17:23 ` [PATCH 0/4] x86/module: Out-of-tree module decode and sanitize Andrew Cooper
2020-04-07 19:41 ` Peter Zijlstra
2020-04-07 20:11 ` Andrew Cooper
2020-04-07 20:45 ` Peter Zijlstra
2020-04-07 21:21 ` Andrew Cooper
2020-04-07 20:21 ` Andrew Cooper
2020-04-07 20:48 ` Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202004071611.233B0045@keescook \
--to=keescook@chromium.org \
--cc=David.Laight@ACULAB.COM \
--cc=bp@alien8.de \
--cc=dcovelli@vmware.com \
--cc=fenghua.yu@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=jeyu@kernel.org \
--cc=kenny@panix.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=mingo@redhat.com \
--cc=nadav.amit@gmail.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=rasmus.villemoes@prevas.dk \
--cc=rostedt@goodmis.org \
--cc=sean.j.christopherson@intel.com \
--cc=tglx@linutronix.de \
--cc=thellstrom@vmware.com \
--cc=tony.luck@intel.com \
--cc=x86@kernel.org \
--cc=xiaoyao.li@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox