On Mon, Aug 27, 2018 at 10:13 AM Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote: > > On Mon, Aug 27, 2018 at 12:03:05PM +0900, Masami Hiramatsu wrote: > > On Sun, 26 Aug 2018 11:09:58 +0200 > > Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote: > > > > FWIW, before text_poke_bp(), text_poke() would only be used from > > > stop_machine, so all the other CPUs would be stuck busy-waiting with > > > IRQs disabled. These days, yeah, that's lots more dodgy, but yes > > > text_mutex should be serializing all that. > > > > I'm still not sure that speculative page-table walk can be done > > over the mutex. Also, if the fixmap area is for aliasing > > pages (which always mapped to memory), what kind of > > security issue can happen? > > So suppose CPU-A is doing the text_poke (let's say through text_poke_bp, > such that other CPUs get to continue with whatever they're doing). > > While at that point, CPU-B gets an interrupt, and the CPU's > branch-trace-buffer for the IRET points to / near our fixmap. Then the > CPU could do a speculative TLB fill based on the BTB value, either > directly or indirectly (through speculative driven fault-ahead) of > whatever is in te fixmap at the time. Worse: The way academics have been defeating KASLR for a while is based on TLB fills for kernel addresses, triggered from userspace. Quoting https://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf : | Additionally, even if a permission error occurs, this still allows to | launch address translations and, hence, generate valid TLB entries | by accessing privileged kernel space memory from user mode. This was actually part of the original motivation for KAISER/KPTI. Quoting https://gruss.cc/files/kaiser.pdf : | Modern operating system kernels employ address space layout | randomization (ASLR) to prevent control-flow hijacking attacks and | code-injection attacks. While kernel security relies fundamentally on preventing | access to address information, recent attacks have shown that the | hardware directly leaks this information. I believe that PTI probably prevents this way of directly triggering TLB fills for now (under the assumption that hyperthreads with equal CR3 don't share TLB entries), but I would still assume that an attacker can probably trigger TLB fills for arbitrary addresses anytime. And at some point in the future, I believe people would probably like to be able to disable PTI again? > Then CPU-A completes the text_poke and only does a local TLB invalidate > on CPU-A, leaving CPU-B with an active translation. > > *FAIL*
