lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 7 Aug 2018 11:28:58 -0700
From:   Dave Hansen <dave.hansen@...el.com>
To:     Sean Christopherson <sean.j.christopherson@...el.com>,
        linux-kernel@...r.kernel.org
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>, x86@...nel.org
Subject: Re: [PATCH] x86/pkeys: Explicitly treat PK #PF on kernel address as a
 bad area

On 08/07/2018 10:29 AM, Sean Christopherson wrote:
>  	if (unlikely(fault_in_kernel_space(address))) {
> +		/*
> +		 * We should never encounter a protection keys fault on a
> +		 * kernel address as kernel address are always mapped with
> +		 * _PAGE_USER=0, i.e. PKRU isn't enforced.
> +		 */
> +		if (WARN_ON_ONCE(error_code & X86_PF_PK))
> +			goto bad_kernel_address;

I just realized one more thing: the vsyscall page can bite us here.
It's at a fault_in_kernel_space() address and we *can* trigger a pkey
fault on it if we jump to an instruction that reads from a
pkey-protected area.

We can make a gadget out of unaligned vsyscall instructions that does
that.  See:

0xffffffffff600002:  shlb   $0x0,0x0(%rax)

Then, we turn off access to all pkeys, including pkey-0, then jump to
the unaligned vsyscall instruction, which reads %rax, which is a kernel
address:

        asm("movl $0xffffffff, %eax;\
             movl $0x00000000, %ecx;\
             movl $0x00000000, %edx;\
             wrpkru;\
             movq $0xffffffffff600000, %rax;\
             movq $0xffffffffff600002, %rbx;\
             jmpq *%rbx;");

So, my bad.  It was not a good suggestion to do a WARN_ON().  But, the
other funny thing is I would have expected spurious_fault() to get us
into a fault loop, which it doesn't.  It's definitely getting *called*
with my little test program (I see it in ftrace) but it's not quite
doing what I expect.

I need to dig a bit more.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ