Re: [x86, vdso] BUG: unable to handle kernel paging request at d34bd000

From: Andy Lutomirski
Date: Mon Mar 10 2014 - 13:31:49 EST

Next message: H. Peter Anvin: "Re: [PATCHv1] x86: don't schedule when handling #NM exception"
Previous message: Sebastian Reichel: "[PATCHv3 0/9] Convert twl4030-madc to IIO API and add DT support"
In reply to: H. Peter Anvin: "Re: [x86, vdso] BUG: unable to handle kernel paging request at d34bd000"
Next in thread: H. Peter Anvin: "Re: [x86, vdso] BUG: unable to handle kernel paging request at d34bd000"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Mar 10, 2014 at 10:24 AM, H. Peter Anvin <hpa@xxxxxxxxxxxxxxx> wrote:
> On 03/10/2014 10:12 AM, Andy Lutomirski wrote:
>> On Mon, Mar 10, 2014 at 8:11 AM, Linus Torvalds
>> <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>>>
>>> On Mar 10, 2014 8:01 AM, "H. Peter Anvin" <hpa@xxxxxxxxxxxxxxx> wrote:
>>>>
>>>> I have mentioned in the past wanting to move the fixmap to the low part
>>>> of the kernel space, because the top isn't really fixed...
>>>
>>> How about the high part of the user address space, just above the stack?
>>> Leave a unmapped page in between, or something. The stack is already
>>> randomized, isn't it?
>>
>> For the !compat_vdso case, I don't like it -- this will put the vdso
>> (which is executable) at a constant offset from the stack, which will
>> make it much easier to use the vdso to defeat ASLR.
>>
>> For the compat_vdso case, this only works if the address is *not*
>> random, unless we're going to start giving each process its very own
>> relocated vdso.
>>
>
> I presumed we were talking about compat_vdso, which thus simply turns
> into a "don't randomize the vdso flag." A significant side benefit is
> that this should make the code more similar.

Fair enough. I still don't like having (top of stack - vdso) being
constant, but maybe that's avoidable.

>
>> For 64-bit, this is an entirely different story. The vsyscall page is
>> stuck in the fixmap forever, although I want to add a way for
>> userspace to opt out. The vvar page, hpet, etc could move into vmas,
>> though. I kind of want to do that anyway to allow processes to turn
>> off the ability to read the clock.
>
> Wait... you want to do what?!

This isn't even my idea:

commit 8fb402bccf203ecca8f9e0202b8fd3c937dece6f
Author: Erik Bosman <ebn310@xxxxxxxxx>
Date: Fri Apr 11 18:54:17 2008 +0200

generic, x86: add prctl commands PR_GET_TSC and PR_SET_TSC

This patch adds prctl commands that make it possible
to deny the execution of timestamp counters in userspace.
If this is not implemented on a specific architecture,
prctl will return -EINVAL.

Currently anything that tries to use the vdso will just crash if you
do that, and it fails to turn off direct HPET access. Fixing this
might be nice, but the current vvar implementation makes it
impossible. If you want to stick something in a seccomp sandbox and
make it very difficult for it to exploit timing side channels, then
this is important :)

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: H. Peter Anvin: "Re: [PATCHv1] x86: don't schedule when handling #NM exception"
Previous message: Sebastian Reichel: "[PATCHv3 0/9] Convert twl4030-madc to IIO API and add DT support"
In reply to: H. Peter Anvin: "Re: [x86, vdso] BUG: unable to handle kernel paging request at d34bd000"
Next in thread: H. Peter Anvin: "Re: [x86, vdso] BUG: unable to handle kernel paging request at d34bd000"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]