Date: Wed, 14 Jun 2023 10:48:16 -0700
From: Nick Desaulniers
To: Lee Jones
Cc: dave.hansen@linux.intel.com, luto@kernel.org, peterz@infradead.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, x86@kernel.org, hpa@zytor.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 1/1] x86/mm/KASLR: Store pud_page_tramp into entry rather than page
References: <20230614163859.924309-1-lee@kernel.org> <20230614163859.924309-2-lee@kernel.org>
In-Reply-To: <20230614163859.924309-2-lee@kernel.org>

On Wed, Jun 14, 2023 at 05:38:54PM +0100, Lee Jones wrote:
> set_pgd() expects to be passed whole pages to operate on, whereas
> trampoline_pgd_entry is, as the name suggests, an entry. The
> ramifications for using set_pgd() here are that the following thread of
> execution will not only place the suggested value into the
> trampoline_pgd_entry (8-Byte globally stored [.bss]) variable, PTI will
> also attempt to replicate that value into the non-existent neighboring
> user page (located +4k away), leading to the corruption of other global
> [.bss] stored variables.
>
> Suggested-by: Dave Hansen
> Signed-off-by: Lee Jones

Nice work tracking this one down!

Fixes: 0925dda5962e ("x86/mm/KASLR: Use only one PUD entry for real mode trampoline")
Cc:

> ---
> arch/x86/mm/kaslr.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/arch/x86/mm/kaslr.c b/arch/x86/mm/kaslr.c
> index 557f0fe25dff4..37db264866b64 100644
> --- a/arch/x86/mm/kaslr.c
> +++ b/arch/x86/mm/kaslr.c > @@ -172,10 +172,10 @@ void __meminit init_trampoline_kaslr(void) > set_p4d(p4d_tramp, > __p4d(_KERNPG_TABLE | __pa(pud_page_tramp))); > > - set_pgd(&trampoline_pgd_entry, > - __pgd(_KERNPG_TABLE | __pa(p4d_page_tramp))); > + trampoline_pgd_entry = > + __pgd(_KERNPG_TABLE | __pa(p4d_page_tramp)); > } else { > - set_pgd(&trampoline_pgd_entry, > - __pgd(_KERNPG_TABLE | __pa(pud_page_tramp))); > + trampoline_pgd_entry = > + __pgd(_KERNPG_TABLE | __pa(pud_page_tramp)); > } > } > -- > 2.41.0.162.gfafddb0af9-goog >
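Review bot: the direct assignments that replace set_pgd() in both branches (`trampoline_pgd_entry = __pgd(_KERNPG_TABLE | __pa(p4d_page_tramp));` and the pud_page_tramp variant) carry no comment saying why the helper is deliberately avoided, so a later cleanup could reintroduce set_pgd() and with it the +4k user-page write the commit message describes; a one-line comment at the first assignment stating that trampoline_pgd_entry is a lone entry rather than a page, and so must not go through the PTI mirroring path, would guard against that. The two branches now differ only in p4d_page_tramp versus pud_page_tramp, which reads fine. Since the patch as posted has no Fixes: tag, the one suggested in the reply for 0925dda5962e belongs in the next revision together with the Cc: line.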
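The failure mode the commit message describes (an entry-sized global handed to a helper that assumes a whole page and mirrors the write one page further on) can be modelled in user space. The block below is an added example, not kernel code and not part of the patch or the thread: `set_pgd_model` and `user_pgd_of` are stand-ins for the PTI mirroring behaviour the commit message attributes to set_pgd(), and `struct bss_model` is a constructed stand-in for the .bss layout, with the lone 8-byte entry at the start and an unrelated global exactly PAGE_SIZE bytes later. One backing array is used so the simulated overwrite stays well defined in C.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a pgd entry is 8 bytes; a page-table page is 4 KiB. */
#define PAGE_SIZE 4096u
typedef uint64_t pgd_t;

/* Model of the PTI kernel/user page-table pair: the user copy of a pgd
 * page is assumed to sit exactly one page after the kernel copy. */
static pgd_t *user_pgd_of(pgd_t *kernel_pgdp)
{
    return (pgd_t *)((char *)kernel_pgdp + PAGE_SIZE);
}

/* Model of set_pgd() as described in the commit message: write the kernel
 * entry, then replicate the value into the (assumed) user page. */
static void set_pgd_model(pgd_t *pgdp, pgd_t pgd)
{
    *pgdp = pgd;
    *user_pgd_of(pgdp) = pgd;
}

/* Constructed .bss layout: word 0 is the lone trampoline_pgd_entry, the
 * word PAGE_SIZE bytes later stands for some unrelated global variable. */
struct bss_model {
    uint64_t words[2 * PAGE_SIZE / sizeof(uint64_t)];
};
#define ENTRY_IDX     0u
#define NEIGHBOUR_IDX (PAGE_SIZE / sizeof(uint64_t))

static const uint64_t NEIGHBOUR_VALUE = 0x1122334455667788ull;
static const pgd_t    NEW_ENTRY       = 0x000000000003f067ull; /* constructed */

/* Writes the entry through the page-oriented helper; returns true if the
 * unrelated global survived. With the model above it does not. */
static bool write_via_set_pgd_keeps_neighbour(void)
{
    struct bss_model bss;
    memset(&bss, 0, sizeof bss);
    bss.words[NEIGHBOUR_IDX] = NEIGHBOUR_VALUE;

    set_pgd_model(&bss.words[ENTRY_IDX], NEW_ENTRY);

    return bss.words[ENTRY_IDX] == NEW_ENTRY &&
           bss.words[NEIGHBOUR_IDX] == NEIGHBOUR_VALUE;
}

/* Writes the entry directly, as the patch does; the neighbour is untouched. */
static bool write_via_assignment_keeps_neighbour(void)
{
    struct bss_model bss;
    memset(&bss, 0, sizeof bss);
    bss.words[NEIGHBOUR_IDX] = NEIGHBOUR_VALUE;

    bss.words[ENTRY_IDX] = NEW_ENTRY;

    return bss.words[ENTRY_IDX] == NEW_ENTRY &&
           bss.words[NEIGHBOUR_IDX] == NEIGHBOUR_VALUE;
}

int main(void)
{
    printf("set_pgd() on a lone entry keeps neighbour: %s\n",
           write_via_set_pgd_keeps_neighbour() ? "yes" : "no");
    printf("direct assignment keeps neighbour:         %s\n",
           write_via_assignment_keeps_neighbour() ? "yes" : "no");
    return 0;
}
```

The model deliberately omits everything else the real helper does; its only purpose is to make the "+4k away" write visible as an ordinary test, which is the check a reviewer would want before and after applying the patch.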