Re: [PATCH -tip] x86/mm/32: Sync only to LDT_BASE_ADDR in vmalloc_sync_all()
From: Borislav Petkov
Date: Tue Nov 26 2019 - 05:19:33 EST
On Tue, Nov 26, 2019 at 11:09:42AM +0100, Joerg Roedel wrote:
> From: Joerg Roedel <jroedel@xxxxxxx>
>
> When vmalloc_sync_all() iterates over the address space until
> FIX_ADDR_TOP it will sync the whole kernel address space starting from
> VMALLOC_START.
>
> This is not a problem when the kernel address range is identical in
> all page-tables, but this is no longer the case when PTI is enabled on
> x86-32. In that case the per-process LDT is mapped in the kernel
> address range and vmalloc_sync_all() clears the LDT mapping for all
> processes.
>
> To make LDT working again vmalloc_sync_all() must only iterate over
> the volatile parts of the kernel address range that are identical
> between all processes. This includes the VMALLOC and the PKMAP areas
> on x86-32.
>
> The order of the ranges in the address space is:
>
> VMALLOC -> PKMAP -> LDT -> CPU_ENTRY_AREA -> FIX_ADDR
>
> So the right check in vmalloc_sync_all() is "address < LDT_BASE_ADDR"
> to make sure the VMALLOC and PKMAP areas are synchronized and the LDT
> mapping is not falsely overwritten. the CPU_ENTRY_AREA and
> the FIXMAP area are no longer synced as well, but these
> ranges are synchronized on page-table creation time and do
> not change during runtime.
>
> This change fixes the ldt_gdt selftest in my setup.
>
> Fixes: 7757d607c6b3 ("x86/pti: AllowCONFIG_PAGE_TABLE_ISOLATION for x86_32")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Joerg Roedel <jroedel@xxxxxxx>
> ---
> arch/x86/mm/fault.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Reported-by: Borislav Petkov <bp@xxxxxxx>
Tested-by: Borislav Petkov <bp@xxxxxxx>
Thx JÃrg!
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette