Commit 5bc8b0f5 authored by Juergen Gross's avatar Juergen Gross Committed by Ingo Molnar

x86/pat: Fix W^X violation false-positives when running as Xen PV guest

When running as Xen PV guest in some cases W^X violation WARN()s have
been observed. Those WARN()s are produced by verify_rwx(), which looks
into the PTE to verify that writable kernel pages have the NX bit set
in order to avoid code modifications of the kernel by rogue code.

As the NX bits of all levels of translation entries are or-ed and the
RW bits of all levels are and-ed, looking just into the PTE isn't enough
for the decision that a writable page is executable, too.

When running as a Xen PV guest, the direct map PMDs and kernel high
map PMDs share the same set of PTEs. Xen kernel initialization will set
the NX bit in the direct map PMD entries, and not the shared PTEs.

Fixes: 652c5bf3 ("x86/mm: Refuse W^X violations")
Reported-by: default avatarJason Andryuk <jandryuk@gmail.com>
Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/20240412151258.9171-5-jgross@suse.com
parent 02eac06b
...@@ -619,7 +619,8 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long start, ...@@ -619,7 +619,8 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long start,
* Validate strict W^X semantics. * Validate strict W^X semantics.
*/ */
static inline pgprot_t verify_rwx(pgprot_t old, pgprot_t new, unsigned long start, static inline pgprot_t verify_rwx(pgprot_t old, pgprot_t new, unsigned long start,
unsigned long pfn, unsigned long npg) unsigned long pfn, unsigned long npg,
bool nx, bool rw)
{ {
unsigned long end; unsigned long end;
...@@ -641,6 +642,10 @@ static inline pgprot_t verify_rwx(pgprot_t old, pgprot_t new, unsigned long star ...@@ -641,6 +642,10 @@ static inline pgprot_t verify_rwx(pgprot_t old, pgprot_t new, unsigned long star
if ((pgprot_val(new) & (_PAGE_RW | _PAGE_NX)) != _PAGE_RW) if ((pgprot_val(new) & (_PAGE_RW | _PAGE_NX)) != _PAGE_RW)
return new; return new;
/* Non-leaf translation entries can disable writing or execution. */
if (!rw || nx)
return new;
end = start + npg * PAGE_SIZE - 1; end = start + npg * PAGE_SIZE - 1;
WARN_ONCE(1, "CPA detected W^X violation: %016llx -> %016llx range: 0x%016lx - 0x%016lx PFN %lx\n", WARN_ONCE(1, "CPA detected W^X violation: %016llx -> %016llx range: 0x%016lx - 0x%016lx PFN %lx\n",
(unsigned long long)pgprot_val(old), (unsigned long long)pgprot_val(old),
...@@ -742,7 +747,7 @@ pte_t *lookup_address(unsigned long address, unsigned int *level) ...@@ -742,7 +747,7 @@ pte_t *lookup_address(unsigned long address, unsigned int *level)
EXPORT_SYMBOL_GPL(lookup_address); EXPORT_SYMBOL_GPL(lookup_address);
static pte_t *_lookup_address_cpa(struct cpa_data *cpa, unsigned long address, static pte_t *_lookup_address_cpa(struct cpa_data *cpa, unsigned long address,
unsigned int *level) unsigned int *level, bool *nx, bool *rw)
{ {
pgd_t *pgd; pgd_t *pgd;
...@@ -751,7 +756,7 @@ static pte_t *_lookup_address_cpa(struct cpa_data *cpa, unsigned long address, ...@@ -751,7 +756,7 @@ static pte_t *_lookup_address_cpa(struct cpa_data *cpa, unsigned long address,
else else
pgd = cpa->pgd + pgd_index(address); pgd = cpa->pgd + pgd_index(address);
return lookup_address_in_pgd(pgd, address, level); return lookup_address_in_pgd_attr(pgd, address, level, nx, rw);
} }
/* /*
...@@ -879,12 +884,13 @@ static int __should_split_large_page(pte_t *kpte, unsigned long address, ...@@ -879,12 +884,13 @@ static int __should_split_large_page(pte_t *kpte, unsigned long address,
pgprot_t old_prot, new_prot, req_prot, chk_prot; pgprot_t old_prot, new_prot, req_prot, chk_prot;
pte_t new_pte, *tmp; pte_t new_pte, *tmp;
enum pg_level level; enum pg_level level;
bool nx, rw;
/* /*
* Check for races, another CPU might have split this page * Check for races, another CPU might have split this page
* up already: * up already:
*/ */
tmp = _lookup_address_cpa(cpa, address, &level); tmp = _lookup_address_cpa(cpa, address, &level, &nx, &rw);
if (tmp != kpte) if (tmp != kpte)
return 1; return 1;
...@@ -995,7 +1001,8 @@ static int __should_split_large_page(pte_t *kpte, unsigned long address, ...@@ -995,7 +1001,8 @@ static int __should_split_large_page(pte_t *kpte, unsigned long address,
new_prot = static_protections(req_prot, lpaddr, old_pfn, numpages, new_prot = static_protections(req_prot, lpaddr, old_pfn, numpages,
psize, CPA_DETECT); psize, CPA_DETECT);
new_prot = verify_rwx(old_prot, new_prot, lpaddr, old_pfn, numpages); new_prot = verify_rwx(old_prot, new_prot, lpaddr, old_pfn, numpages,
nx, rw);
/* /*
* If there is a conflict, split the large page. * If there is a conflict, split the large page.
...@@ -1076,6 +1083,7 @@ __split_large_page(struct cpa_data *cpa, pte_t *kpte, unsigned long address, ...@@ -1076,6 +1083,7 @@ __split_large_page(struct cpa_data *cpa, pte_t *kpte, unsigned long address,
pte_t *pbase = (pte_t *)page_address(base); pte_t *pbase = (pte_t *)page_address(base);
unsigned int i, level; unsigned int i, level;
pgprot_t ref_prot; pgprot_t ref_prot;
bool nx, rw;
pte_t *tmp; pte_t *tmp;
spin_lock(&pgd_lock); spin_lock(&pgd_lock);
...@@ -1083,7 +1091,7 @@ __split_large_page(struct cpa_data *cpa, pte_t *kpte, unsigned long address, ...@@ -1083,7 +1091,7 @@ __split_large_page(struct cpa_data *cpa, pte_t *kpte, unsigned long address,
* Check for races, another CPU might have split this page * Check for races, another CPU might have split this page
* up for us already: * up for us already:
*/ */
tmp = _lookup_address_cpa(cpa, address, &level); tmp = _lookup_address_cpa(cpa, address, &level, &nx, &rw);
if (tmp != kpte) { if (tmp != kpte) {
spin_unlock(&pgd_lock); spin_unlock(&pgd_lock);
return 1; return 1;
...@@ -1624,10 +1632,11 @@ static int __change_page_attr(struct cpa_data *cpa, int primary) ...@@ -1624,10 +1632,11 @@ static int __change_page_attr(struct cpa_data *cpa, int primary)
int do_split, err; int do_split, err;
unsigned int level; unsigned int level;
pte_t *kpte, old_pte; pte_t *kpte, old_pte;
bool nx, rw;
address = __cpa_addr(cpa, cpa->curpage); address = __cpa_addr(cpa, cpa->curpage);
repeat: repeat:
kpte = _lookup_address_cpa(cpa, address, &level); kpte = _lookup_address_cpa(cpa, address, &level, &nx, &rw);
if (!kpte) if (!kpte)
return __cpa_process_fault(cpa, address, primary); return __cpa_process_fault(cpa, address, primary);
...@@ -1649,7 +1658,8 @@ static int __change_page_attr(struct cpa_data *cpa, int primary) ...@@ -1649,7 +1658,8 @@ static int __change_page_attr(struct cpa_data *cpa, int primary)
new_prot = static_protections(new_prot, address, pfn, 1, 0, new_prot = static_protections(new_prot, address, pfn, 1, 0,
CPA_PROTECT); CPA_PROTECT);
new_prot = verify_rwx(old_prot, new_prot, address, pfn, 1); new_prot = verify_rwx(old_prot, new_prot, address, pfn, 1,
nx, rw);
new_prot = pgprot_clear_protnone_bits(new_prot); new_prot = pgprot_clear_protnone_bits(new_prot);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment