Re: [PATCH 4/4] x86,module: Detect CRn and DRn manipulation

From: Christoph Hellwig
Date: Wed Apr 08 2020 - 11:46:11 EST


On Wed, Apr 08, 2020 at 05:44:19PM +0200, Peter Zijlstra wrote:
> On Wed, Apr 08, 2020 at 09:27:26AM -0400, Steven Rostedt wrote:
> > On Tue, 07 Apr 2020 13:02:40 +0200
> > Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
>
> > > + if (insn_is_mov_CRn(&insn) || insn_is_mov_DRn(&insn)) {
> > > + pr_err("Module writes to CRn or DRn, please use the proper accessors: %s\n", mod->name);
> > > + return -ENOEXEC;
> > > + }
> > > +
> >
> > Something like this should be done for all modules, not just out of tree
> > modules.
>
> I'm all for it; but people were worried scanning all modules was too
> expensive (I don't really believe it is, module loading just can't be a
> hot-path). Also, in-tree modules are audited a lot more than out of tree
> magic voodoo crap.

Scanning all modules seems safer. While we're at it - can be move the
kvm bits using VMX to be always in the core kernel and just forbid
modules from using those instructions entirely?