x86/alternatives: Use temporary mm for text poking

text_poke() can potentially compromise security as it sets temporary
PTEs in the fixmap. These PTEs might be used to rewrite the kernel code
from other cores accidentally or maliciously, if an attacker gains the
ability to write onto kernel memory.

Moreover, since remote TLBs are not flushed after the temporary PTEs are
removed, the time-window in which the code is writable is not limited if
the fixmap PTEs - maliciously or accidentally - are cached in the TLB.
To address these potential security hazards, use a temporary mm for
patching the code.

Finally, text_poke() is also not conservative enough when mapping pages,
as it always tries to map 2 pages, even when a single one is sufficient.
So try to be more conservative, and do not map more than needed.

Signed-off-by: Nadav Amit <namit@vmware.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <akpm@linux-foundation.org>
Cc: <ard.biesheuvel@linaro.org>
Cc: <deneen.t.dock@intel.com>
Cc: <kernel-hardening@lists.openwall.com>
Cc: <kristen@linux.intel.com>
Cc: <linux_dti@icloud.com>
Cc: <will.deacon@arm.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Rik van Riel <riel@surriel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20190426001143.4983-8-namit@vmware.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>

3 files changed, 86 insertions, 26 deletions

diff --git a/arch/x86/include/asm/fixmap.h b/arch/x86/include/asm/fixmap.h
index 50ba74a34a37..9da8cccdf3fb 100644
--- a/arch/x86/include/asm/fixmap.h
+++ b/arch/x86/include/asm/fixmap.h
@@ -103,8 +103,6 @@ enum fixed_addresses {
 #ifdef CONFIG_PARAVIRT
         FIX_PARAVIRT_BOOTMAP,
 #endif
-        FIX_TEXT_POKE1, /* reserve 2 pages for text_poke() */
-        FIX_TEXT_POKE0, /* first page is last, because allocation is backward */
 #ifdef  CONFIG_X86_INTEL_MID
         FIX_LNW_VRTC,
 #endif
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
index 11d5c710a94f..599203876c32 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -12,6 +12,7 @@
 #include <linux/slab.h>
 #include <linux/kdebug.h>
 #include <linux/kprobes.h>
+#include <linux/mmu_context.h>
 #include <asm/text-patching.h>
 #include <asm/alternative.h>
 #include <asm/sections.h>
@@ -684,41 +685,104 @@ __ro_after_init unsigned long poking_addr;
 
 static void *__text_poke(void *addr, const void *opcode, size_t len)
 {
+        bool cross_page_boundary = offset_in_page(addr) + len > PAGE_SIZE;
+        struct page *pages[2] = {NULL};
+        temp_mm_state_t prev;
         unsigned long flags;
-        char *vaddr;
-        struct page *pages[2];
-        int i;
+        pte_t pte, *ptep;
+        spinlock_t *ptl;
+        pgprot_t pgprot;
 
         /*
-         * While boot memory allocator is runnig we cannot use struct
-         * pages as they are not yet initialized.
+         * While boot memory allocator is running we cannot use struct pages as
+         * they are not yet initialized. There is no way to recover.
          */
         BUG_ON(!after_bootmem);
 
         if (!core_kernel_text((unsigned long)addr)) {
                 pages[0] = vmalloc_to_page(addr);
-                pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
+                if (cross_page_boundary)
+                        pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
         } else {
                 pages[0] = virt_to_page(addr);
                 WARN_ON(!PageReserved(pages[0]));
-                pages[1] = virt_to_page(addr + PAGE_SIZE);
+                if (cross_page_boundary)
+                        pages[1] = virt_to_page(addr + PAGE_SIZE);
         }
-        BUG_ON(!pages[0]);
+        /*
+         * If something went wrong, crash and burn since recovery paths are not
+         * implemented.
+         */
+        BUG_ON(!pages[0] || (cross_page_boundary && !pages[1]));
+
         local_irq_save(flags);
-        set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
-        if (pages[1])
-                set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
-        vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
-        memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
-        clear_fixmap(FIX_TEXT_POKE0);
-        if (pages[1])
-                clear_fixmap(FIX_TEXT_POKE1);
-        local_flush_tlb();
-        sync_core();
-        /* Could also do a CLFLUSH here to speed up CPU recovery; but
-           that causes hangs on some VIA CPUs. */
-        for (i = 0; i < len; i++)
-                BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
+
+        /*
+         * Map the page without the global bit, as TLB flushing is done with
+         * flush_tlb_mm_range(), which is intended for non-global PTEs.
+         */
+        pgprot = __pgprot(pgprot_val(PAGE_KERNEL) & ~_PAGE_GLOBAL);
+
+        /*
+         * The lock is not really needed, but this allows to avoid open-coding.
+         */
+        ptep = get_locked_pte(poking_mm, poking_addr, &ptl);
+
+        /*
+         * This must not fail; preallocated in poking_init().
+         */
+        VM_BUG_ON(!ptep);
+
+        pte = mk_pte(pages[0], pgprot);
+        set_pte_at(poking_mm, poking_addr, ptep, pte);
+
+        if (cross_page_boundary) {
+                pte = mk_pte(pages[1], pgprot);
+                set_pte_at(poking_mm, poking_addr + PAGE_SIZE, ptep + 1, pte);
+        }
+
+        /*
+         * Loading the temporary mm behaves as a compiler barrier, which
+         * guarantees that the PTE will be set at the time memcpy() is done.
+         */
+        prev = use_temporary_mm(poking_mm);
+
+        kasan_disable_current();
+        memcpy((u8 *)poking_addr + offset_in_page(addr), opcode, len);
+        kasan_enable_current();
+
+        /*
+         * Ensure that the PTE is only cleared after the instructions of memcpy
+         * were issued by using a compiler barrier.
+         */
+        barrier();
+
+        pte_clear(poking_mm, poking_addr, ptep);
+        if (cross_page_boundary)
+                pte_clear(poking_mm, poking_addr + PAGE_SIZE, ptep + 1);
+
+        /*
+         * Loading the previous page-table hierarchy requires a serializing
+         * instruction that already allows the core to see the updated version.
+         * Xen-PV is assumed to serialize execution in a similar manner.
+         */
+        unuse_temporary_mm(prev);
+
+        /*
+         * Flushing the TLB might involve IPIs, which would require enabled
+         * IRQs, but not if the mm is not used, as it is in this point.
+         */
+        flush_tlb_mm_range(poking_mm, poking_addr, poking_addr +
+                           (cross_page_boundary ? 2 : 1) * PAGE_SIZE,
+                           PAGE_SHIFT, false);
+
+        /*
+         * If the text does not match what we just wrote then something is
+         * fundamentally screwy; there's nothing we can really do about that.
+         */
+        BUG_ON(memcmp(addr, opcode, len));
+
+        pte_unmap_unlock(ptep, ptl);
         local_irq_restore(flags);
         return addr;
 }
diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c
index a21e1734fc1f..beb44e22afdf 100644
--- a/arch/x86/xen/mmu_pv.c
+++ b/arch/x86/xen/mmu_pv.c
@@ -2318,8 +2318,6 @@ static void xen_set_fixmap(unsigned idx, phys_addr_t phys, pgprot_t prot)
 #elif defined(CONFIG_X86_VSYSCALL_EMULATION)
         case VSYSCALL_PAGE:
 #endif
-        case FIX_TEXT_POKE0:
-        case FIX_TEXT_POKE1:
                 /* All local page mappings */
                 pte = pfn_pte(phys, prot);
                 break;