• Nadav Amit's avatar
    x86/alternatives: Use temporary mm for text poking · b3fd8e83
    Nadav Amit authored
    text_poke() can potentially compromise security as it sets temporary
    PTEs in the fixmap. These PTEs might be used to rewrite the kernel code
    from other cores accidentally or maliciously, if an attacker gains the
    ability to write onto kernel memory.
    
    Moreover, since remote TLBs are not flushed after the temporary PTEs are
    removed, the time-window in which the code is writable is not limited if
    the fixmap PTEs - maliciously or accidentally - are cached in the TLB.
    To address these potential security hazards, use a temporary mm for
    patching the code.
    
    Finally, text_poke() is also not conservative enough when mapping pages,
    as it always tries to map 2 pages, even when a single one is sufficient.
    So try to be more conservative, and do not map more than needed.
    Signed-off-by: default avatarNadav Amit <namit@vmware.com>
    Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
    Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
    Cc: <akpm@linux-foundation.org>
    Cc: <ard.biesheuvel@linaro.org>
    Cc: <deneen.t.dock@intel.com>
    Cc: <kernel-hardening@lists.openwall.com>
    Cc: <kristen@linux.intel.com>
    Cc: <linux_dti@icloud.com>
    Cc: <will.deacon@arm.com>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Dave Hansen <dave.hansen@intel.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Masami Hiramatsu <mhiramat@kernel.org>
    Cc: Rik van Riel <riel@surriel.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Link: https://lkml.kernel.org/r/20190426001143.4983-8-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
    b3fd8e83
fixmap.h 5.9 KB