ACK/CMNT: [SRU][Bionic][PULL] Fix for CVE-2017-5754 (i386)
Tyler Hicks
tyhicks at canonical.com
Thu Mar 28 06:28:58 UTC 2019
That was a lot to review. I only spotted one missing commit (mentioned
below). I am relying a lot on your testing and the time that these
changes have had to bake upstream.
On 2019-03-11 11:39:22, Juerg Haefliger wrote:
> This pull request contains fix(es) for the following CVE(s):
> CVE-2017-5754 (i386)
>
> This is a pull request to add support for page table isolation for i386.
>
> The following patches are the original patchset that introduced PTI for i386:
> * x86/pti: Allow CONFIG_PAGE_TABLE_ISOLATION for x86_32
> * x86/ldt: Enable LDT user-mapping for PAE
> * x86/ldt: Split out sanity check in map_ldt_struct()
> * x86/ldt: Define LDT_END_ADDR
> * x86/ldt: Reserve address-space range on 32 bit for the LDT
> * x86/pgtable/pae: Use separate kernel PMDs for user page-table
> * x86/mm/dump_pagetables: Define INIT_PGD
> * x86/mm/pti: Clone entry-text again in pti_finalize()
> * x86/mm/pti: Introduce pti_finalize()
> * x86/mm/pti: Keep permissions when cloning kernel text in pti_clone_kernel_text()
> * x86/mm/pti: Make pti_clone_kernel_text() compile on 32 bit
> * x86/mm/pti: Clone CPU_ENTRY_AREA on PMD level on x86_32
> * x86/mm/pti: Define X86_CR3_PTI_PCID_USER_BIT on x86_32
> * x86/mm/pti: Add an overflow check to pti_clone_pmds()
> * x86/mm/legacy: Populate the user page-table with user pgd's
> * x86/mm/pae: Populate the user page-table with user pgd's
> * x86/mm/pae: Populate valid user PGD entries
> * x86/pgtable: Move two more functions from pgtable_64.h to pgtable.h
> * x86/pgtable: Move pti_set_user_pgtbl() to pgtable.h
> * x86/pgtable: Move pgdp kernel/user conversion functions to pgtable.h
> * x86/pgtable/32: Allocate 8k page-tables when PTI is enabled
> * x86/pgtable/pae: Unshare kernel PMDs when PTI is enabled
> * x86/pgtable: Rename pti_set_user_pgd() to pti_set_user_pgtbl()
> * x86/entry: Rename update_sp0 to update_task_stack
> * x86/entry/32: Add PTI CR3 switches to NMI handler code
> * x86/entry/32: Add PTI cr3 switch to non-NMI entry/exit points
> * x86/entry/32: Simplify debug entry point
> * x86/entry/32: Handle Entry from Kernel-Mode on Entry-Stack
> * x86/entry/32: Introduce SAVE_ALL_NMI and RESTORE_ALL_NMI
> * x86/entry/32: Leave the kernel via trampoline stack
> * x86/entry/32: Enter the kernel via trampoline stack
> * x86/entry/32: Split off return-to-kernel path
> * x86/entry/32: Unshare NMI return path
> * x86/entry/32: Put ESPFIX code into a macro
> * x86/entry/32: Load task stack from x86_tss.sp1 in SYSENTER handler
> * x86/entry/32: Rename TSS_sysenter_sp0 to TSS_entry2task_stack
> * x86/asm-offsets: Move TSS_sp0 and TSS_sp1 to asm-offsets.c
>
> The following are prerequisites for the above:
> * x86/entry/32: Add explicit 'l' instruction suffix
> * x86/pti: Leave kernel text global for !PCID
> * x86/pti: Never implicitly clear _PAGE_GLOBAL for kernel image
> * x86/pti: Enable global pages for shared areas
>
> The following are follow-up enhancements and cleanups of 32-bit PTI:
> * x86/mm/doc: Enhance the x86-64 virtual memory layout descriptions
> * x86/mm/doc: Clean up the x86-64 virtual memory layout descriptions
> * x86/mm/pti: Move user W+X check into pti_finalize()
> * x86/mm/pti: Clone kernel-image on PTE level for 32 bit
> * x86/mm/pti: Don't clear permissions in pti_clone_pmd()
> * x86/mm/init: Add helper for freeing kernel image pages
> * x86/mm/init: Pass unconverted symbol addresses to free_init_pages()
> * mm: Allow non-direct-map arguments to free_reserved_area()
> * x86/kexec: Allocate 8k PGDs for PTI
> * x86/mm: Remove in_nmi() warning from vmalloc_fault()
> * x86/entry/32: Check for VM86 mode in slow-path check
> * x86/pti: Check the return value of pti_user_pagetable_walk_pmd()
> * x86/pti: Check the return value of pti_user_pagetable_walk_p4d()
> * x86/entry/32: Add debug code to check entry/exit CR3
> * x86/mm/pti: Add Warning when booting on a PCID capable CPU
>
> Lastly, the following are follow-up fixes for some of the above:
> * x86/dump_pagetables: Fix LDT remap address marker
> * x86/mm: Fix guard hole handling
> * x86/ldt: Remove unused variable in map_ldt_struct()
> * x86/ldt: Unmap PTEs for the slot before freeing LDT pages
> * x86/mm: Move LDT remap out of KASLR region on 5-level paging
> * x86/entry/32: Clear the CS high bits
> * x86/efi: Load fixmap GDT in efi_call_phys_epilog() before setting %cr3
> * x86/efi: Load fixmap GDT in efi_call_phys_epilog()
> * x86/relocs: Add __end_rodata_aligned to S_REL
> * x86/mm/pti: Fix 32 bit PCID check
> * x86/mm/init: Remove freed kernel image areas from alias mapping
> * x86/mm/pti: Clear Global bit more aggressively
> * perf/core: Make sure the ring-buffer is mapped in all page-tables
I think that you should include commit 0e664eee6533 ("Revert "perf/core:
Make sure the ring-buffer is mapped in all page-tables"") thanks to the
fact that you included commit 6863ea0cda87 ("x86/mm: Remove in_nmi()
warning from vmalloc_fault()").
I don't think that this is critical but it would be good to include.
Either way,
Acked-by: Tyler Hicks <tyhicks at canonical.com>
Tyler
> * x86/pti: Disallow global kernel text with RANDSTRUCT
> * x86/pti: Reduce amount of kernel text allowed to be Global
> * x86/pti: Fix boot warning from Global-bit setting
> * x86/pti: Fix boot problems from Global-bit setting
> * x86/mm: Fix documentation of module mapping range with 4-level paging
>
> Compile-tested all architectures. Ran the PTI test (x86 selftests in
> combination with perf NMI tests) for 24 hours, no issues found. Ran the
> release regression tests, no issues found.
>
> Signed-off-by: Juerg Haefliger <juergh at canonical.com>
> ---
>
> The following changes since commit 76db66f794c4389354ddb35f1f551e54eb67d9ab:
>
> tun: implement carrier change (2019-03-08 09:23:12 +0100)
>
> are available in the Git repository at:
>
> git://git.launchpad.net/~juergh/+git/bionic-linux pti-32bit
>
> for you to fetch changes up to 4cb324be3f1cef481bf04f51ac16ccff3ba677a6:
>
> x86/dump_pagetables: Fix LDT remap address marker (2019-03-08 17:39:20 +0100)
>
> ----------------------------------------------------------------
> Baoquan He (1):
> x86/mm/doc: Clean up the x86-64 virtual memory layout descriptions
>
> Dave Hansen (12):
> x86/pti: Enable global pages for shared areas
> x86/pti: Never implicitly clear _PAGE_GLOBAL for kernel image
> x86/pti: Leave kernel text global for !PCID
> x86/pti: Fix boot problems from Global-bit setting
> x86/pti: Fix boot warning from Global-bit setting
> x86/pti: Reduce amount of kernel text allowed to be Global
> x86/pti: Disallow global kernel text with RANDSTRUCT
> x86/mm/pti: Clear Global bit more aggressively
> mm: Allow non-direct-map arguments to free_reserved_area()
> x86/mm/init: Pass unconverted symbol addresses to free_init_pages()
> x86/mm/init: Add helper for freeing kernel image pages
> x86/mm/init: Remove freed kernel image areas from alias mapping
>
> Guenter Roeck (1):
> x86/efi: Load fixmap GDT in efi_call_phys_epilog() before setting %cr3
>
> Ingo Molnar (1):
> x86/mm/doc: Enhance the x86-64 virtual memory layout descriptions
>
> Jan Beulich (1):
> x86/entry/32: Add explicit 'l' instruction suffix
>
> Jan Kiszka (1):
> x86/entry/32: Clear the CS high bits
>
> Jiang Biao (2):
> x86/pti: Check the return value of pti_user_pagetable_walk_p4d()
> x86/pti: Check the return value of pti_user_pagetable_walk_pmd()
>
> Joerg Roedel (48):
> x86/asm-offsets: Move TSS_sp0 and TSS_sp1 to asm-offsets.c
> x86/entry/32: Rename TSS_sysenter_sp0 to TSS_entry2task_stack
> x86/entry/32: Load task stack from x86_tss.sp1 in SYSENTER handler
> x86/entry/32: Put ESPFIX code into a macro
> x86/entry/32: Unshare NMI return path
> x86/entry/32: Split off return-to-kernel path
> x86/entry/32: Enter the kernel via trampoline stack
> x86/entry/32: Leave the kernel via trampoline stack
> x86/entry/32: Introduce SAVE_ALL_NMI and RESTORE_ALL_NMI
> x86/entry/32: Handle Entry from Kernel-Mode on Entry-Stack
> x86/entry/32: Simplify debug entry point
> x86/entry/32: Add PTI cr3 switch to non-NMI entry/exit points
> x86/entry/32: Add PTI CR3 switches to NMI handler code
> x86/entry: Rename update_sp0 to update_task_stack
> x86/pgtable: Rename pti_set_user_pgd() to pti_set_user_pgtbl()
> x86/pgtable/pae: Unshare kernel PMDs when PTI is enabled
> x86/pgtable/32: Allocate 8k page-tables when PTI is enabled
> x86/pgtable: Move pgdp kernel/user conversion functions to pgtable.h
> x86/pgtable: Move pti_set_user_pgtbl() to pgtable.h
> x86/pgtable: Move two more functions from pgtable_64.h to pgtable.h
> x86/mm/pae: Populate valid user PGD entries
> x86/mm/pae: Populate the user page-table with user pgd's
> x86/mm/pti: Add an overflow check to pti_clone_pmds()
> x86/mm/pti: Define X86_CR3_PTI_PCID_USER_BIT on x86_32
> x86/mm/pti: Clone CPU_ENTRY_AREA on PMD level on x86_32
> x86/mm/pti: Make pti_clone_kernel_text() compile on 32 bit
> x86/mm/pti: Keep permissions when cloning kernel text in pti_clone_kernel_text()
> x86/mm/pti: Introduce pti_finalize()
> x86/mm/pti: Clone entry-text again in pti_finalize()
> x86/mm/dump_pagetables: Define INIT_PGD
> x86/pgtable/pae: Use separate kernel PMDs for user page-table
> x86/ldt: Reserve address-space range on 32 bit for the LDT
> x86/ldt: Define LDT_END_ADDR
> x86/ldt: Split out sanity check in map_ldt_struct()
> x86/ldt: Enable LDT user-mapping for PAE
> x86/pti: Allow CONFIG_PAGE_TABLE_ISOLATION for x86_32
> x86/mm/pti: Add Warning when booting on a PCID capable CPU
> x86/entry/32: Add debug code to check entry/exit CR3
> perf/core: Make sure the ring-buffer is mapped in all page-tables
> x86/entry/32: Check for VM86 mode in slow-path check
> x86/mm: Remove in_nmi() warning from vmalloc_fault()
> x86/kexec: Allocate 8k PGDs for PTI
> x86/mm/pti: Fix 32 bit PCID check
> x86/mm/pti: Don't clear permissions in pti_clone_pmd()
> x86/mm/pti: Clone kernel-image on PTE level for 32 bit
> x86/relocs: Add __end_rodata_aligned to S_REL
> x86/mm/pti: Move user W+X check into pti_finalize()
> x86/efi: Load fixmap GDT in efi_call_phys_epilog()
>
> Juerg Haefliger (1):
> UBUNTU: [Config] Update PAGE_TABLE_ISOLATION annotations
>
> Kirill A. Shutemov (6):
> x86/mm: Fix documentation of module mapping range with 4-level paging
> x86/mm: Move LDT remap out of KASLR region on 5-level paging
> x86/ldt: Unmap PTEs for the slot before freeing LDT pages
> x86/ldt: Remove unused variable in map_ldt_struct()
> x86/mm: Fix guard hole handling
> x86/dump_pagetables: Fix LDT remap address marker
>
> Documentation/x86/x86_64/mm.txt | 173 +++++---
> arch/x86/entry/entry_32.S | 635 +++++++++++++++++++++++-----
> arch/x86/include/asm/mmu_context.h | 5 -
> arch/x86/include/asm/page_64_types.h | 12 +-
> arch/x86/include/asm/pgtable-2level_types.h | 3 +
> arch/x86/include/asm/pgtable-3level.h | 7 +
> arch/x86/include/asm/pgtable-3level_types.h | 6 +-
> arch/x86/include/asm/pgtable.h | 95 ++++-
> arch/x86/include/asm/pgtable_32_types.h | 9 +-
> arch/x86/include/asm/pgtable_64.h | 89 +---
> arch/x86/include/asm/pgtable_64_types.h | 13 +-
> arch/x86/include/asm/pgtable_types.h | 28 +-
> arch/x86/include/asm/processor-flags.h | 8 +-
> arch/x86/include/asm/processor.h | 1 +
> arch/x86/include/asm/pti.h | 1 +
> arch/x86/include/asm/sections.h | 1 +
> arch/x86/include/asm/set_memory.h | 1 +
> arch/x86/include/asm/switch_to.h | 16 +-
> arch/x86/kernel/asm-offsets.c | 5 +
> arch/x86/kernel/asm-offsets_32.c | 10 +-
> arch/x86/kernel/asm-offsets_64.c | 2 -
> arch/x86/kernel/cpu/common.c | 5 +-
> arch/x86/kernel/head_32.S | 20 +-
> arch/x86/kernel/ldt.c | 192 +++++++--
> arch/x86/kernel/machine_kexec_32.c | 5 +-
> arch/x86/kernel/process.c | 2 -
> arch/x86/kernel/process_32.c | 2 +-
> arch/x86/kernel/process_64.c | 2 +-
> arch/x86/kernel/vm86_32.c | 4 +-
> arch/x86/kernel/vmlinux.lds.S | 17 +-
> arch/x86/mm/cpu_entry_area.c | 14 +-
> arch/x86/mm/dump_pagetables.c | 42 +-
> arch/x86/mm/fault.c | 2 -
> arch/x86/mm/init.c | 45 +-
> arch/x86/mm/init_64.c | 8 +-
> arch/x86/mm/pageattr.c | 75 +++-
> arch/x86/mm/pgtable.c | 105 ++++-
> arch/x86/mm/pti.c | 341 +++++++++++++--
> arch/x86/platform/efi/efi_32.c | 7 +-
> arch/x86/tools/relocs.c | 1 +
> arch/x86/xen/mmu_pv.c | 17 +-
> debian.master/config/annotations | 2 +-
> include/linux/pti.h | 1 +
> init/main.c | 7 +
> kernel/events/ring_buffer.c | 16 +
> mm/page_alloc.c | 16 +-
> security/Kconfig | 2 +-
> 47 files changed, 1604 insertions(+), 466 deletions(-)
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team