Re: [PATCH] x86/boot: Restrict directmap permissions for .text/.rodata


  • To: Andrew Cooper <amc96@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Mon, 6 Dec 2021 16:21:04 +0100
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 06 Dec 2021 15:21:26 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 06.12.2021 16:11, Andrew Cooper wrote:
> On 06/12/2021 13:58, Jan Beulich wrote:
>> On 06.12.2021 14:08, Andrew Cooper wrote:
>>> While we've been diligent to ensure that the main text/data/rodata mappings
>>> have suitable restrictions, their aliases via the directmap were left fully
>>> RW.  Worse, we even had pieces of code making use of this as a feature.
>>>
>>> Restrict the permissions, as we have no legitimate need for writeability of
>>> these areas via the directmap alias.
>> Where do we end up reading .text and/or .rodata through the directmap? Can't
>> we zap the mappings altogether?
> 
> I felt it was safer to keep readability via the directmap.
> 
> I'm not aware of any logic we have which reads the directmap in order,
> but it ought to be possible.

Could you add a sentence to this effect to this description, please?

>> As to superpage shattering - I understand this is not deemed to be an issue
>> in the common case since, with Xen moved as high up below 4G as possible,
>> it wouldn't normally live inside a 1G mapping anyway? This may want calling
>> out here. Plus, in non-EFI, non-XEN_ALIGN_2M builds isn't this going to
>> shatter a 2M page at the tail of .rodata?
> 
> cpu0_stack has already shattered down to 4k, which is likely in the same
> superpage as rodata in a non-2M build.
> 
> But at the end of the day, it is a security/performance tradeoff.
> 
> memcpy(__va(__pa(divide_error)), "\x0f\x0b", 2);
> asm ("div %ecx" :: "c" (0));
> 
> is an especially low barrier for an attacker who has a partial write gadget.
> 
> The security benefits are substantial, and the perf downsides are a
> handful of extra pagetables, and a handful of pagewalks taking extra
> steps, in non-fast paths (i.e. distinctly marginal).

How do you easily know what paths there are accessing data on the same
(potential) superpage? However, thinking about it, with the directmap
mapping presumably not getting used at all, how the mapping is arranged
doesn't really matter (except for the extra memory needed, but as you
say that's probably marginal).

Jan
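The underlying invariant in this thread is that an alias mapping of the same physical memory must not be more permissive than the primary mapping: a read-write directmap alias of .text or .rodata lets one write (the `memcpy(__va(__pa(divide_error)), ...)` line above) patch code or constants that the primary mapping protects. The following is an added illustration, not code from the patch or from the Xen tree: it audits a constructed mapping table for writable aliases of physical ranges that are mapped non-writable elsewhere, and shows the "before" layout (single RW directmap range) flagging two violations and the "after" layout (directmap split to mirror the section permissions) flagging none. All section names, addresses, sizes and the `PERM_*`/`struct mapping` helpers are assumptions made for the example.

```c
/* Added example: audit a mapping table for writable aliases of
 * non-writable (.text/.rodata-style) physical ranges.  Addresses,
 * sizes and names below are constructed for illustration only. */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PERM_R 1u
#define PERM_W 2u
#define PERM_X 4u

struct mapping {
    const char *name;  /* label used in the report */
    uint64_t va;       /* virtual start of the mapping */
    uint64_t pa;       /* physical start backing va */
    uint64_t len;      /* length in bytes */
    unsigned perms;    /* PERM_* bits */
};

/* True if the two mappings cover at least one common physical byte. */
static bool phys_overlap(const struct mapping *a, const struct mapping *b)
{
    return a->pa < b->pa + b->len && b->pa < a->pa + a->len;
}

/* Count (writable mapping, non-writable mapping) pairs that alias the
 * same physical memory.  Each such pair lets a write through the first
 * mapping change bytes the second mapping presents as immutable. */
size_t find_writable_aliases(const struct mapping *maps, size_t n, bool verbose)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (!(maps[i].perms & PERM_W))
            continue;                       /* only writable mappings can offend */
        for (size_t j = 0; j < n; j++) {
            if (i == j || (maps[j].perms & PERM_W) || !phys_overlap(&maps[i], &maps[j]))
                continue;
            bad++;
            if (verbose)
                printf("writable alias %s [pa %#" PRIx64 "+%#" PRIx64 "] "
                       "overlaps non-writable %s [pa %#" PRIx64 "+%#" PRIx64 "]\n",
                       maps[i].name, maps[i].pa, maps[i].len,
                       maps[j].name, maps[j].pa, maps[j].len);
        }
    }
    return bad;
}

/* Constructed "before" layout: primary section mappings with proper
 * permissions, plus one RW directmap range covering all of them. */
static const struct mapping before[] = {
    { ".text",     0xffff82d040200000ULL, 0x7f400000ULL, 0x200000ULL, PERM_R | PERM_X },
    { ".rodata",   0xffff82d040400000ULL, 0x7f600000ULL, 0x100000ULL, PERM_R },
    { ".data",     0xffff82d040500000ULL, 0x7f700000ULL, 0x100000ULL, PERM_R | PERM_W },
    { "directmap", 0xffff83007f000000ULL, 0x7f000000ULL, 0x1000000ULL, PERM_R | PERM_W },
};

/* Constructed "after" layout: the directmap is split so that the alias
 * of each section carries no more than read permission unless the
 * section itself is writable (the RW remainder is kept outside them). */
static const struct mapping after[] = {
    { ".text",        0xffff82d040200000ULL, 0x7f400000ULL, 0x200000ULL, PERM_R | PERM_X },
    { ".rodata",      0xffff82d040400000ULL, 0x7f600000ULL, 0x100000ULL, PERM_R },
    { ".data",        0xffff82d040500000ULL, 0x7f700000ULL, 0x100000ULL, PERM_R | PERM_W },
    { "dm:below",     0xffff83007f000000ULL, 0x7f000000ULL, 0x400000ULL, PERM_R | PERM_W },
    { "dm:.text",     0xffff83007f400000ULL, 0x7f400000ULL, 0x200000ULL, PERM_R },
    { "dm:.rodata",   0xffff83007f600000ULL, 0x7f600000ULL, 0x100000ULL, PERM_R },
    { "dm:.data",     0xffff83007f700000ULL, 0x7f700000ULL, 0x100000ULL, PERM_R | PERM_W },
    { "dm:above",     0xffff83007f800000ULL, 0x7f800000ULL, 0x800000ULL, PERM_R | PERM_W },
};

size_t demo_before(void)
{
    return find_writable_aliases(before, sizeof before / sizeof before[0], true);
}

size_t demo_after(void)
{
    return find_writable_aliases(after, sizeof after / sizeof after[0], true);
}

int main(void)
{
    printf("before: %zu writable alias(es)\n", demo_before());
    printf("after:  %zu writable alias(es)\n", demo_after());
    return 0;
}
```

The check deliberately treats a writable alias of writable data (`.data` vs `dm:.data`) as fine; only ranges that some mapping presents as non-writable are flagged. Note that it reasons about permissions only, not about page-size granularity, so it says nothing about whether the split forces superpage shattering, which is the separate cost discussed above.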
