On Fri, 2019-06-07 at 11:29 -0700, Andy Lutomirski wrote: > > On Jun 7, 2019, at 10:59 AM, Dave Hansen <dave.hansen@xxxxxxxxx> wrote: > > > > > On 6/7/19 10:43 AM, Peter Zijlstra wrote: > > > I've no idea what the kernel should do; since you failed to answer the > > > question what happens when you point this to garbage. > > > > > > Does it then fault or what? > > > > Yeah, I think you'll fault with a rather mysterious CR2 value since > > you'll go look at the instruction that faulted and not see any > > references to the CR2 value. > > > > I think this new MSR probably needs to get included in oops output when > > CET is enabled. > > This shouldn’t be able to OOPS because it only happens at CPL 3, right? We > should put it into core dumps, though. > > > > > Why don't we require that a VMA be in place for the entire bitmap? > > Don't we need a "get" prctl function too in case something like a JIT is > > running and needs to find the location of this bitmap to set bits itself? > > > > Or, do we just go whole-hog and have the kernel manage the bitmap > > itself. Our interface here could be: > > > > prctl(PR_MARK_CODE_AS_LEGACY, start, size); > > > > and then have the kernel allocate and set the bitmap for those code > > locations. > > Given that the format depends on the VA size, this might be a good idea. I > bet we can reuse the special mapping infrastructure for this — the VMA could > be a MAP_PRIVATE special mapping named [cet_legacy_bitmap] or similar, and we > can even make special rules to core dump it intelligently if needed. And we > can make mremap() on it work correctly if anyone (CRIU?) cares. > > Hmm. Can we be creative and skip populating it with zeros? The CPU should > only ever touch a page if we miss an ENDBR on it, so, in normal operation, we > don’t need anything to be there. We could try to prevent anyone from > *reading* it outside of ENDBR tracking if we want to avoid people accidentally > wasting lots of memory by forcing it to be fully populated when the read it. > > The one downside is this forces it to be per-mm, but that seems like a > generally reasonable model anyway. > > This also gives us an excellent opportunity to make it read-only as seen from > userspace to prevent exploits from just poking it full of ones before > redirecting execution. GLIBC sets bits only for legacy code, and then makes the bitmap read-only. That avoids most issues: To populate bitmap pages, mprotect() is required. Reading zero bitmap pages would not waste more physical memory, right? Yu-cheng
