lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 31 Aug 2018 04:38:44 +0200
From:   Jann Horn <jannh@...gle.com>
To:     Dave Hansen <dave.hansen@...el.com>,
        Andy Lutomirski <luto@...nel.org>
Cc:     sean.j.christopherson@...el.com,
        kernel list <linux-kernel@...r.kernel.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H . Peter Anvin" <hpa@...or.com>,
        "the arch/x86 maintainers" <x86@...nel.org>
Subject: Re: [PATCH] x86/pkeys: Explicitly treat PK #PF on kernel address as a
 bad area

On Tue, 7 Aug 2018 Dave Hansen <dave.hansen@...el.com> wrote:
>
> On 08/07/2018 10:29 AM, Sean Christopherson wrote:
> >       if (unlikely(fault_in_kernel_space(address))) {
> > +             /*
> > +              * We should never encounter a protection keys fault on a
> > +              * kernel address as kernel address are always mapped with
> > +              * _PAGE_USER=0, i.e. PKRU isn't enforced.
> > +              */
> > +             if (WARN_ON_ONCE(error_code & X86_PF_PK))
> > +                     goto bad_kernel_address;
>
> I just realized one more thing: the vsyscall page can bite us here.
> It's at a fault_in_kernel_space() address and we *can* trigger a pkey
> fault on it if we jump to an instruction that reads from a
> pkey-protected area.
>
> We can make a gadget out of unaligned vsyscall instructions that does
> that.  See:
>
> 0xffffffffff600002:  shlb   $0x0,0x0(%rax)
>
> Then, we turn off access to all pkeys, including pkey-0, then jump to
> the unaligned vsyscall instruction, which reads %rax, which is a kernel
> address:

Andy got rid of the (native) vsyscall page in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=076ca272a14cea558b1092ec85cea08510283f2a
('x86/vsyscall/64: Drop "native" vsyscalls') a few months ago, right?
At this point, the vsyscall page should never be executable.

Powered by blists - more mailing lists