[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20151003065906.GA23206@gmail.com>
Date: Sat, 3 Oct 2015 08:59:06 +0200
From: Ingo Molnar <mingo@...nel.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Dave Hansen <dave@...1.net>, Kees Cook <keescook@...gle.com>,
"x86@...nel.org" <x86@...nel.org>,
LKML <linux-kernel@...r.kernel.org>,
Linux-MM <linux-mm@...ck.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Peter Zijlstra <a.p.zijlstra@...llo.nl>,
Andy Lutomirski <luto@...nel.org>,
Borislav Petkov <bp@...en8.de>
Subject: Re: [PATCH 26/26] x86, pkeys: Documentation
* Ingo Molnar <mingo@...nel.org> wrote:
> > It's quite likely that you will find that compilers put read-only constants in
> > the text section, knowing that executable means readable.
>
> At least with pkeys enabling true --x mappings, that compiler practice becomes a
> (mild) security problem: it provides a readable and executable return target for
> stack/buffer overflow attacks - FWIIW. (It's a limited concern because the true
> code areas are executable already.)
Btw., it's not just security, there will also a robustness advantage to creating
true PROT_EXEC mappings: right now if buggy user-space code accidentally
references into an executable section: say uses a negative index in a table put
into .rodata, the code will not crash, it will happily read from the .text area.
But if we mapped .text with true PROT_EXEC (and the CPU enforced that) then we'd
get a nice segfault.
This has additional security benefits as well, beyond not providing readable ROP
sites - which in fact look more significant than the ROP readability angle I
mentioned initially.
So to sum it up, if we use true --x (non-readable PROT_EXEC) mappings using pkeys,
we get the following benefits:
- Overflows and other out of bounds accesses from .rodata (and other data
sections near .text) will be caught by the CPU instead of silent data flow
corruption. This has robustness (and thus security) advantages.
- True --x code is not readable, thus not 'soft-discoverable' via information
leaks for ROP purposes.
- The version fingerprinting of unknown remote target binaries via information
leaks becomes harder as well.
- The local (and remote) guessing of ASLR offsets via information leaks gets
harder as well.
- We get to test pkeys much more seriously than the opt-in special uses! :-)
Intel sent me pkeys test hardware, so I can give it a go in practice as well and
see how well it works.
Thanks,
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists