From patchwork Wed Feb 27 20:01:31 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10832281 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 589F2922 for ; Wed, 27 Feb 2019 20:02:05 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 490AE2E7EB for ; Wed, 27 Feb 2019 20:02:05 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 474DC2E85E; Wed, 27 Feb 2019 20:02:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 771172E85B for ; Wed, 27 Feb 2019 20:02:04 +0000 (UTC) Received: (qmail 3572 invoked by uid 550); 27 Feb 2019 20:01:53 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 3480 invoked from network); 27 Feb 2019 20:01:52 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=xH132//de+yu6qTUcGSCNrTMI70q0Q584KNYfmrdhFA=; b=iz3GvEBp9BU1O0JNjEaqgMzN+pR7UXZGZPAIAk2Yg2YR1SoycZvpMO7W2Q8CpN7K7s 9dDf/WhDmYB2ktHkKPXB5CT11ryFS/o8iHXO5/tyUN4dCi3d8wBllFqD5k9gQ5+SnBIC 50AW0+QGwCKj6icLruGO5U5ZoBF5INcoMMi0M= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=xH132//de+yu6qTUcGSCNrTMI70q0Q584KNYfmrdhFA=; b=kWd3tWf9QKxdKjosXtTHineikkhNSY5gh3MXu+RNSgMdF6wopHj6gr+bZMzYautSVa 03GqaW9OWJW+QUlj8l+dcFUFNNF8jUbSm+nhVebX88rtz0tyG6bIUnVzcg5QEj/BzgUq vuCyY81QO+h/evlrNUks92wMfJmTieL8FAqORUG5/+/KiRO3qabYkZdBMh99IxKLM4jE r2XzS90fCM3m3wYGo9ccm/uxaYahTV2D7AUqseODHTjBqu0uGC+2YqnRZ17JYqKO4QHF ItQYNJ2d00G+6pCenqTYKubdjp6U77xAflnn+SFYnGT3HHfRWnSLcXkZnwfsVPDJziRo 5txg== X-Gm-Message-State: AHQUAuaJEOKtwsVcy+vfsx/CWNPoh50xr+Md+57Xf+TqrnmvJFfT7wya S6An+jGYBw1XSAWpJKkXJhGeQg== X-Google-Smtp-Source: AHgI3IYQIEFhf8kOBuMM2neu5iHszJ3l52qceUNgvO3eG0awOBVYOimg3In++a3r51eK2ekS9eF/NA== X-Received: by 2002:a63:9149:: with SMTP id l70mr4627938pge.65.1551297700046; Wed, 27 Feb 2019 12:01:40 -0800 (PST) From: Kees Cook To: Thomas Gleixner Cc: Kees Cook , Peter Zijlstra , Solar Designer , Greg KH , Jann Horn , Sean Christopherson , Dominik Brodowski , linux-kernel@vger.kernel.org, Kernel Hardening Subject: [PATCH v2 2/3] x86/asm: Avoid taking an exception before cr4 restore Date: Wed, 27 Feb 2019 12:01:31 -0800 Message-Id: <20190227200132.24707-3-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190227200132.24707-1-keescook@chromium.org> References: <20190227200132.24707-1-keescook@chromium.org> X-Virus-Scanned: ClamAV using ClamSMTP Instead of taking a full WARN() exception before restoring a potentially missed CR4 bit, this retains the missing bit for later reporting. This matches the logic done for the CR0 pinning. Additionally updates the comments to note the required use of "volatile". Suggested-by: Solar Designer Signed-off-by: Kees Cook --- arch/x86/include/asm/special_insns.h | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/arch/x86/include/asm/special_insns.h b/arch/x86/include/asm/special_insns.h index 1f01dc3f6c64..6020cb1de66e 100644 --- a/arch/x86/include/asm/special_insns.h +++ b/arch/x86/include/asm/special_insns.h @@ -97,18 +97,24 @@ extern volatile unsigned long cr4_pin; static inline void native_write_cr4(unsigned long val) { + unsigned long warn = 0; + again: val |= cr4_pin; asm volatile("mov %0,%%cr4": : "r" (val), "m" (__force_order)); /* * If the MOV above was used directly as a ROP gadget we can * notice the lack of pinned bits in "val" and start the function - * from the beginning to gain the cr4_pin bits for sure. + * from the beginning to gain the cr4_pin bits for sure. Note + * that "val" must be volatile to keep the compiler from + * optimizing away this check. */ - if (WARN_ONCE((val & cr4_pin) != cr4_pin, - "Attempt to unpin cr4 bits: %lx, cr4 bypass attack?!", - ~val & cr4_pin)) + if ((val & cr4_pin) != cr4_pin) { + warn = ~val & cr4_pin; goto again; + } + WARN_ONCE(warn, "Attempt to unpin cr4 bits: %lx; bypass attack?!\n", + warn); } #ifdef CONFIG_X86_64