Re: [PATCH 4/4] x86,module: Detect CRn and DRn manipulation

From: Kees Cook
Date: Tue Apr 07 2020 - 13:01:10 EST


On Tue, Apr 07, 2020 at 01:02:40PM +0200, Peter Zijlstra wrote:
> Since we now have infrastructure to analyze module text, disallow
> modules that write to CRn and DRn registers.
>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
> ---
> arch/x86/kernel/module.c | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> --- a/arch/x86/kernel/module.c
> +++ b/arch/x86/kernel/module.c
> @@ -266,6 +266,22 @@ static bool insn_is_vmx(struct insn *ins
> return false;
> }
>
> +static bool insn_is_mov_CRn(struct insn *insn)
> +{
> + if (insn->opcode.bytes[0] == 0x0f && insn->opcode.bytes[1] == 0x22)
> + return true;

I always cringe at numeric literals. Would it be overkill to add defines
for these (and the others that have comments next to them in 3/4)? It
makes stuff easier to grep, etc. (e.g. we have register names in
arch/x86/include/asm/asm.h, do we need instruction names somewhere else?
I assume objtool has a bunch of this too...)

-Kees

> +
> + return false;
> +}
> +
> +static bool insn_is_mov_DRn(struct insn *insn)
> +{
> + if (insn->opcode.bytes[0] == 0x0f && insn->opcode.bytes[1] == 0x23)
> + return true;
> +
> + return false;
> +}
> +
> static int decode_module(struct module *mod, void *text, void *text_end, bool sld_safe)
> {
> bool allow_vmx = sld_safe || !split_lock_enabled();
> @@ -285,6 +301,11 @@ static int decode_module(struct module *
> return -ENOEXEC;
> }
>
> + if (insn_is_mov_CRn(&insn) || insn_is_mov_DRn(&insn)) {
> + pr_err("Module writes to CRn or DRn, please use the proper accessors: %s\n", mod->name);
> + return -ENOEXEC;
> + }
> +
> text += insn.length;
> }
>
>
>

--
Kees Cook