Re: [PATCH 25/43] x86/mm/kaiser: Unmap kernel from userspace page tables (core patch), noexec=off

From: Borislav Petkov
Date: Sun Nov 26 2017 - 17:26:26 EST


On Fri, Nov 24, 2017 at 06:23:53PM +0100, Ingo Molnar wrote:
> + * Take a PGD location (pgdp) and a pgd value that needs
> + * to be set there. Populates the shadow and returns
> + * the resulting PGD that must be set in the kernel copy
> + * of the page tables.
> + */
> +static inline pgd_t kaiser_set_shadow_pgd(pgd_t *pgdp, pgd_t pgd)
> +{
> +#ifdef CONFIG_KAISER
> + if (pgd_userspace_access(pgd)) {
> + if (pgdp_maps_userspace(pgdp)) {
> + /*
> + * The user/shadow page tables get the full
> + * PGD, accessible from userspace:
> + */
> + kernel_to_shadow_pgdp(pgdp)->pgd = pgd.pgd;
> + /*
> + * For the copy of the pgd that the kernel
> + * uses, make it unusable to userspace. This
> + * ensures if we get out to userspace with the
> + * wrong CR3 value, userspace will crash
> + * instead of running.
> + */
> + pgd.pgd |= _PAGE_NX;

Lemme hold this down here so that we don't forget (and tglx is working on it
already... ):

So we need to handle the case where we boot with "noexec=off" and thus
clear _PAGE_NX from __supported_pte_mask. I'd vouch for a conservative
solution where we warn if _PAGE_NX is not set in __supported_pte_mask
and thus at least tell the user that she shouldn't do noexec kernels and
expect kaiser protection...

--
Regards/Gruss,
Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.