| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Apr 2014 15:31:54 -0700 From: Andrew Lutomirski <amluto@...il.com> To: "H. Peter Anvin" <hpa@...ux.intel.com> Cc: comex <comexk@...il.com>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, "H. Peter Anvin" <hpa@...or.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Ingo Molnar <mingo@...nel.org>, Alexander van Heukelum <heukelum@...tmail.fm>, Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>, Boris Ostrovsky <boris.ostrovsky@...cle.com>, Borislav Petkov <bp@...en8.de>, Arjan van de Ven <arjan.van.de.ven@...el.com>, Brian Gerst <brgerst@...il.com>, Alexandre Julliard <julliard@...ehq.com>, Andi Kleen <andi@...stfloor.org>, Thomas Gleixner <tglx@...utronix.de> Subject: Re: [PATCH] x86-64: espfix for 64-bit mode *PROTOTYPE* On Thu, Apr 24, 2014 at 3:24 PM, H. Peter Anvin <hpa@...ux.intel.com> wrote: > On 04/23/2014 09:53 PM, Andrew Lutomirski wrote: >>> >>> - The user can put arbitrary data in registers before returning to the >>> LDT in order to get it saved at a known address accessible from the >>> kernel. With SMAP and KASLR this might otherwise be difficult. >> >> For one thing, this only matters on Haswell. Otherwise the user can >> put arbitrary data in userspace. >> >> On Haswell, the HPET fixmap is currently a much simpler vector that >> can do much the same thing, as long as you're willing to wait for the >> HPET counter to contain some particular value. I have patches that >> will fix that as a side effect. >> >> Would it pay to randomize the location of the espfix area? Another >> somewhat silly idea is to add some random offset to the CPU number mod >> NR_CPUS so that at attacker won't know which ministack is which. > > Since we store the espfix stack location explicitly, as long as the > scrambling happens in the initialization code that's fine. However, we > don't want to reduce locality lest we massively blow up the memory > requirements. I was imagining just randomizing a couple of high bits so the whole espfix area moves as a unit. > > We could XOR with a random constant with no penalty at all. Only > problem is that this happens early, so the entropy system is not yet > available. Fine if we have RDRAND, but... How many people have SMAP and not RDRAND? I think this is a complete nonissue for non-SMAP systems. >> Peter, is this idea completely nuts? The only exceptions that can >> happen there are NMI, MCE, #DB, #SS, and #GP. The first four use IST, >> so they won't double-fault. > > It is completely nuts, but sometimes completely nuts is actually useful. > It is more complexity, to be sure, but it doesn't seem completely out > of the realm of reason, and avoids having to unwind the ministack except > in the normally-fatal #DF handler. #DFs are documented as not > recoverable, but we might be able to do something here. > > The only real disadvantage I see is the need for more bookkeeping > metadata. Basically the bitmask in espfix_64.c now needs to turn into > an array, plus we need a second percpu variable. Given that if > CONFIG_NR_CPUS=8192 the array has 128 entries I think we can survive that. Doing something in #DF needs percpu data? What am I missing? --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists