| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 6 Jan 2017 13:53:00 -0800
From: Andy Lutomirski <luto@...nel.org>
To: Thomas Garnier <thgarnie@...gle.com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Andy Lutomirski <luto@...nel.org>,
Arjan van de Ven <arjan@...ux.intel.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"H . Peter Anvin" <hpa@...or.com>,
Kees Cook <keescook@...omium.org>,
Borislav Petkov <bp@...en8.de>, Dave Hansen <dave@...1.net>,
Chen Yucong <slaoub@...il.com>,
Paul Gortmaker <paul.gortmaker@...driver.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Masahiro Yamada <yamada.masahiro@...ionext.com>,
Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
Anna-Maria Gleixner <anna-maria@...utronix.de>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Rasmus Villemoes <linux@...musvillemoes.dk>,
Michael Ellerman <mpe@...erman.id.au>,
Juergen Gross <jgross@...e.com>,
Richard Weinberger <richard@....at>, X86 ML <x86@...nel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"kernel-hardening@...ts.openwall.com"
<kernel-hardening@...ts.openwall.com>
Subject: Re: [RFC] x86/mm/KASLR: Remap GDTs at fixed location
On Fri, Jan 6, 2017 at 10:02 AM, Thomas Garnier <thgarnie@...gle.com> wrote:
> On Thu, Jan 5, 2017 at 6:34 PM, Andy Lutomirski <luto@...capital.net> wrote:
>> On Thu, Jan 5, 2017 at 3:05 PM, Linus Torvalds
>> <torvalds@...ux-foundation.org> wrote:
>>> On Thu, Jan 5, 2017 at 12:18 PM, Andy Lutomirski <luto@...nel.org> wrote:
>>>>
>>>> Hmm. I bet that if we preset the accessed bits in all the segments
>>>> then we don't need it to be writable in general.
>>>
>>> I'm not sure that this is architecturally safe.
>>>
>>
>> Hmm. Last time I looked, I couldn't find *anything* in the SDM
>> explaining what happened if a GDT access resulted in a page fault. I
>> did discover that Xen intentionally (!) lazily populates and maps LDT
>> pages. An attempt to access a not-present page results in #PF with
>> the error cod e indicating kernel access even if the access came from
>> user mode.
>>
>> SDM volume 3 7.2.2 says "Pages corresponding to the previous task’s
>> TSS, the current task’s TSS, and the descriptor table entries for
>> each all should be marked as read/write." But I don't see how a CPU
>> implementation could possibly care what the page table for the TSS
>> descriptor table entries says after LTR is done because the CPU isn't
>> even supposed to *read* that memory.
>>
>> OTOH a valid implementation could easily require that the page table
>> says that the page is writable merely to load a segment, especially in
>> weird cases (IRET?). That being said, this is all quite easy to test.
>>
>> Also, Thomas, why are you creating a new memory region? I don't see
>> any benefit to randomizing the GDT address. How about just putting it
>> in the fixmap? This would be NR_CPUS * 4 pages if do my limit=0xffff
>> idea. I'm not sure if the fixmap code knows how to handle this much
>> space.
>
> When I looked at the fixmap, you had to define the space you need
> ahead of time and I am not sure there was enough space as you said.
Can you try it and see if anything goes wrong? Even if something does
go wrong, I think we should fix *that* rather than making the memory
layout more complicated.
Powered by blists - more mailing lists