> On Jun 7, 2019, at 12:49 PM, Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx> wrote: > > On Fri, 2019-06-07 at 11:29 -0700, Andy Lutomirski wrote: >>> On Jun 7, 2019, at 10:59 AM, Dave Hansen <dave.hansen@xxxxxxxxx> wrote: >>> >>>> On 6/7/19 10:43 AM, Peter Zijlstra wrote: >>>> I've no idea what the kernel should do; since you failed to answer the >>>> question what happens when you point this to garbage. >>>> >>>> Does it then fault or what? >>> >>> Yeah, I think you'll fault with a rather mysterious CR2 value since >>> you'll go look at the instruction that faulted and not see any >>> references to the CR2 value. >>> >>> I think this new MSR probably needs to get included in oops output when >>> CET is enabled. >> >> This shouldn’t be able to OOPS because it only happens at CPL 3, right? We >> should put it into core dumps, though. >> >>> >>> Why don't we require that a VMA be in place for the entire bitmap? >>> Don't we need a "get" prctl function too in case something like a JIT is >>> running and needs to find the location of this bitmap to set bits itself? >>> >>> Or, do we just go whole-hog and have the kernel manage the bitmap >>> itself. Our interface here could be: >>> >>> prctl(PR_MARK_CODE_AS_LEGACY, start, size); >>> >>> and then have the kernel allocate and set the bitmap for those code >>> locations. >> >> Given that the format depends on the VA size, this might be a good idea. I >> bet we can reuse the special mapping infrastructure for this — the VMA could >> be a MAP_PRIVATE special mapping named [cet_legacy_bitmap] or similar, and we >> can even make special rules to core dump it intelligently if needed. And we >> can make mremap() on it work correctly if anyone (CRIU?) cares. >> >> Hmm. Can we be creative and skip populating it with zeros? The CPU should >> only ever touch a page if we miss an ENDBR on it, so, in normal operation, we >> don’t need anything to be there. We could try to prevent anyone from >> *reading* it outside of ENDBR tracking if we want to avoid people accidentally >> wasting lots of memory by forcing it to be fully populated when the read it. >> >> The one downside is this forces it to be per-mm, but that seems like a >> generally reasonable model anyway. >> >> This also gives us an excellent opportunity to make it read-only as seen from >> userspace to prevent exploits from just poking it full of ones before >> redirecting execution. > > GLIBC sets bits only for legacy code, and then makes the bitmap read-only. That > avoids most issues: How does glibc know the linear address space size? We don’t want LA64 to break old binaries because the address calculation changed.
