| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <CDB8B7C1-FD55-44AD-9B71-B3A750BF5489@gmail.com>
Date: Tue, 27 Nov 2018 17:06:05 -0800
From: Nadav Amit <nadav.amit@...il.com>
To: Rick Edgecombe <rick.p.edgecombe@...el.com>
Cc: akpm@...ux-foundation.org, luto@...nel.org, will.deacon@....com,
linux-mm@...ck.org, linux-kernel@...r.kernel.org,
kernel-hardening@...ts.openwall.com,
naveen.n.rao@...ux.vnet.ibm.com, anil.s.keshavamurthy@...el.com,
davem@...emloft.net, mhiramat@...nel.org, rostedt@...dmis.org,
mingo@...hat.com, ast@...nel.org, daniel@...earbox.net,
jeyu@...nel.org, netdev@...r.kernel.org, ard.biesheuvel@...aro.org,
jannh@...gle.com, kristen@...ux.intel.com, dave.hansen@...el.com,
deneen.t.dock@...el.com
Subject: Re: [PATCH 0/2] Don’t leave executable TLB entries to freed pages
> On Nov 27, 2018, at 4:07 PM, Rick Edgecombe <rick.p.edgecombe@...el.com> wrote:
>
> Sometimes when memory is freed via the module subsystem, an executable
> permissioned TLB entry can remain to a freed page. If the page is re-used to
> back an address that will receive data from userspace, it can result in user
> data being mapped as executable in the kernel. The root of this behavior is
> vfree lazily flushing the TLB, but not lazily freeing the underlying pages.
>
> There are sort of three categories of this which show up across modules, bpf,
> kprobes and ftrace:
>
> 1. When executable memory is touched and then immediatly freed
>
> This shows up in a couple error conditions in the module loader and BPF JIT
> compiler.
Interesting!
Note that this may cause conflict with "x86: avoid W^X being broken during
modules loading”, which I recently submitted.
Powered by blists - more mailing lists