From patchwork Wed Feb 27 20:01:31 2019
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 10832281
From: Kees Cook
To: Thomas Gleixner
Cc: Kees Cook, Peter Zijlstra, Solar Designer, Greg KH, Jann Horn, Sean Christopherson, Dominik Brodowski, linux-kernel@vger.kernel.org, Kernel Hardening
Subject: [PATCH v2 2/3] x86/asm: Avoid taking an exception before cr4 restore
Date: Wed, 27 Feb 2019 12:01:31 -0800
Message-Id: <20190227200132.24707-3-keescook@chromium.org>
In-Reply-To: <20190227200132.24707-1-keescook@chromium.org>
References: <20190227200132.24707-1-keescook@chromium.org>

Instead of taking a full WARN() exception before restoring a potentially missed CR4 bit, this retains the missing bit for later reporting. This matches the logic done for the CR0 pinning. Additionally updates the comments to note the required use of "volatile".

Suggested-by: Solar Designer
Signed-off-by: Kees Cook
---
 arch/x86/include/asm/special_insns.h | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/arch/x86/include/asm/special_insns.h b/arch/x86/include/asm/special_insns.h
index 1f01dc3f6c64..6020cb1de66e 100644
--- a/arch/x86/include/asm/special_insns.h
+++ b/arch/x86/include/asm/special_insns.h @@ -97,18 +97,24 @@ extern volatile unsigned long cr4_pin; static inline void native_write_cr4(unsigned long val) { + unsigned long warn = 0; + again: val |= cr4_pin; asm volatile("mov %0,%%cr4": : "r" (val), "m" (__force_order)); /* * If the MOV above was used directly as a ROP gadget we can * notice the lack of pinned bits in "val" and start the function - * from the beginning to gain the cr4_pin bits for sure. + * from the beginning to gain the cr4_pin bits for sure. Note + * that "val" must be volatile to keep the compiler from + * optimizing away this check. */ - if (WARN_ONCE((val & cr4_pin) != cr4_pin, - "Attempt to unpin cr4 bits: %lx, cr4 bypass attack?!", - ~val & cr4_pin)) + if ((val & cr4_pin) != cr4_pin) { + warn = ~val & cr4_pin; goto again; + } + WARN_ONCE(warn, "Attempt to unpin cr4 bits: %lx; bypass attack?!\n", + warn); } #ifdef CONFIG_X86_64
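Review bot: the reworded comment in native_write_cr4() says that "val" must be volatile, but `val` is a plain `unsigned long` parameter and nothing in this hunk qualifies it; the volatile declaration visible at the top of the hunk is `extern volatile unsigned long cr4_pin;`. Since the intent is to keep the compiler from folding `(val & cr4_pin) != cr4_pin` into a constant after the `val |= cr4_pin` on the `again:` path, the comment should name `cr4_pin` rather than `val`, e.g. "Note that cr4_pin is declared volatile so the compiler cannot assume its value and optimize away this check." A second point on the new `warn` local: it is zeroed at function entry, yet the `again:` loop exists precisely for the case where execution did not start at the function entry. If the pinned bits are already present on such an entry, the check passes and `WARN_ONCE(warn, ...)` is evaluated with whatever the uninitialised slot holds, so the report can fire on garbage or stay silent. Computing the reported value inside the check path only (or assigning `warn` unconditionally from `~val & cr4_pin` before the `if`) would make the report depend solely on the observed CR4 state.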