From patchwork Tue Feb 26 23:36:45 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10830929 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2137C1390 for ; Tue, 26 Feb 2019 23:37:13 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0B0412D734 for ; Tue, 26 Feb 2019 23:37:13 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id F0D272D73A; Tue, 26 Feb 2019 23:37:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 226952D734 for ; Tue, 26 Feb 2019 23:37:11 +0000 (UTC) Received: (qmail 32160 invoked by uid 550); 26 Feb 2019 23:37:08 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 32128 invoked from network); 26 Feb 2019 23:37:07 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=n8q94zZi+D1uUg0/ig6itn9R3+pd02EnClmqjqkWQnE=; b=NypsjIdAYo6L/jO9AlpSyMSePo6ucvRN086mH6ChxMb4IzrRtC1Rmpd7Gl2IFsckZs J/IfhGgKHIpkfUnCygIdg1LywbCmwjEPfh3LcMisruZIWFgr6TdkMMDekTwfK2m/3vSv 2StdOd6S7lZlK0FmAu216d7jRKw4Tr73Uk6hE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=n8q94zZi+D1uUg0/ig6itn9R3+pd02EnClmqjqkWQnE=; b=NQ3+R3TIb1c6HXkiD/BPm1gZrWw6NqSKfl0SnFhJ6+uPFsHSfj8XXWjJN+PsKiqKmk 8FByAxMZgEeDeGv32msz+W9L4pBxIJPngPXL6xVObWdWuSKCL4HJKXMwEw10sCS5XCXM OR1ZZjDxqS3GQWEg0Ey+410wy0SsXlNyI1BNUmInUCGEQNDa/keeTcbUiFJ6qa28GtDL +8CXqfW3uMXx66vXIUhbXNecz/fQewZQTq/bxVH0w843hfBLDrls5tBfeF3YsWM4LydA if6sT/XWQ6sAWzLZG7CxavzGmnmNjefCcWSmt9Bye6wUWOHXyyo3FNluOVah5sDyqk4O bKNw== X-Gm-Message-State: AHQUAuZQG8Fy/z3K602NkQ+LJs0ruzMGws08V2cS6vcSJI7AsD0iTET3 nrXG73CXTT43IKEhw491ZpTjhA== X-Google-Smtp-Source: AHgI3Ib2l1hkm7hH/c6XoCvlp1mVj1TCSiXDcE3ddiMYT2YtlPeGf+P8zA7Ep0xQHFXD2Rr63h3VXA== X-Received: by 2002:a62:5789:: with SMTP id i9mr28023400pfj.75.1551224215766; Tue, 26 Feb 2019 15:36:55 -0800 (PST) From: Kees Cook To: Thomas Gleixner Cc: Kees Cook , Peter Zijlstra , Jann Horn , Sean Christopherson , Dominik Brodowski , Kernel Hardening , linux-kernel@vger.kernel.org Subject: [PATCH 1/3] x86/asm: Pin sensitive CR0 bits Date: Tue, 26 Feb 2019 15:36:45 -0800 Message-Id: <20190226233647.28547-2-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190226233647.28547-1-keescook@chromium.org> References: <20190226233647.28547-1-keescook@chromium.org> X-Virus-Scanned: ClamAV using ClamSMTP With sensitive CR4 bits pinned now, it's possible that the WP bit for CR0 might become a target as well. Following the same reasoning for the CR4 pinning, this pins CR0's WP bit (but this can be done with a static value). As before, to convince the compiler to not optimize away the check for the WP bit after the set, this marks "val" as an output from the asm() block. This protects against just jumping into the function past where the masking happens; we must check that the mask was applied after we do the set). Due to how this function can be built by the compiler (especially due to the removal of frame pointers), jumping into the middle of the function frequently doesn't require stack manipulation to construct a stack frame (there may only a retq without pops, which is sufficient for use with exploits like timer overwrites). Additionally, this avoids WARN()ing before resetting the bit, just to minimize any race conditions with leaving the bit unset. Suggested-by: Peter Zijlstra Signed-off-by: Kees Cook --- arch/x86/include/asm/special_insns.h | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/asm/special_insns.h b/arch/x86/include/asm/special_insns.h index fabda1400137..8416d6b31084 100644 --- a/arch/x86/include/asm/special_insns.h +++ b/arch/x86/include/asm/special_insns.h @@ -25,7 +25,28 @@ static inline unsigned long native_read_cr0(void) static inline void native_write_cr0(unsigned long val) { - asm volatile("mov %0,%%cr0": : "r" (val), "m" (__force_order)); + bool warn = false; + +again: + val |= X86_CR0_WP; + /* + * In order to have the compiler not optimize away the check + * in the WARN_ONCE(), mark "val" as being also an output ("+r") + * by this asm() block so it will perform an explicit check, as + * if it were "volatile". + */ + asm volatile("mov %0,%%cr0": "+r" (val) : "m" (__force_order) : ); + /* + * If the MOV above was used directly as a ROP gadget we can + * notice the lack of pinned bits in "val" and start the function + * from the beginning to gain the WP bit for sure. And do it + * without first taking the exception for a WARN(). + */ + if ((val & X86_CR0_WP) != X86_CR0_WP) { + warn = true; + goto again; + } + WARN_ONCE(warn, "Attempt to unpin X86_CR0_WP, cr0 bypass attack?!\n"); } static inline unsigned long native_read_cr2(void)