lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <50D495FD.8060103@zytor.com>
Date:	Fri, 21 Dec 2012 09:01:49 -0800
From:	"H. Peter Anvin" <hpa@...or.com>
To:	Yinghai Lu <yinghai@...nel.org>
CC:	Kees Cook <keescook@...omium.org>, linux-kernel@...r.kernel.org,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>, x86@...nel.org,
	Jim Kukunas <james.t.kukunas@...ux.intel.com>,
	Arjan van de Ven <arjan@...radead.org>
Subject: Re: [RFC] stack and heap are executable on x86_64

On 12/20/2012 10:27 PM, Yinghai Lu wrote:
>
> after for-x86-boot we will have
> ---[ Low Kernel Mapping ]---
> 0xffff880000000000-0xffff880000099000         612K     RW             GLB NX pte
> 0xffff880000099000-0xffff88000009a000           4K     ro             GLB NX pte
> 0xffff88000009a000-0xffff88000009b000           4K     ro             GLB x  pte
> 0xffff88000009b000-0xffff880000200000        1428K     RW             GLB NX pte
> 0xffff880000200000-0xffff8800dfe00000        3580M     RW         PSE GLB NX pmd
> 0xffff8800dfe00000-0xffff8800dfffe000        2040K     RW             GLB NX pte
> 0xffff8800dfffe000-0xffff8800e0000000           8K                           pte
> 0xffff8800e0000000-0xffff880100000000         512M                           pmd
> 0xffff880100000000-0xffff8801a0000000        2560M     RW         PSE GLB NX pmd
> ---[ High Kernel Mapping ]---
> 0xffffffff80000000-0xffffffff81000000          16M                           pmd
> 0xffffffff81000000-0xffffffff82a00000          26M     RW         PSE GLB x  pmd
> 0xffffffff82a00000-0xffffffff82b21000        1156K     RW             GLB x  pte
> 0xffffffff82b21000-0xffffffff82c00000         892K     RW             GLB NX pte
> 0xffffffff82c00000-0xffffffff82e00000           2M     RW         PSE GLB NX pmd
> 0xffffffff82e00000-0xffffffff82e92000         584K     RW             GLB NX pte
> 0xffffffff82e92000-0xffffffff83000000        1464K     RW             GLB x  pte
> 0xffffffff83000000-0xffffffff83c00000          12M     RW         PSE GLB x  pmd
> 0xffffffff83c00000-0xffffffffa0000000         452M                           pmd
>
> so low mapping will only have trampoline get x set.
> is that expected ?
>

Yes.

> Do we need to set low mapping corresponding to kernel range to x?

No; we probably should never have the low mappings set to X, which comes 
down to what I said earlier... we should mark the low mapping NX at the 
PGD/PML4 level.

However, this isn't good enough.  You still have a large number of pages 
which are RWX, and we should *never* have RWX pages, period, full stop, 
and your map above sill have megabytes of them.

Furthermore, just saying "we applied this patchset and it seems to go 
away" isn't good enough... we need an understanding of *why* it makes 
things go away and how that makes it safe.

	-hpa

-- 
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel.  I don't speak on their behalf.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ