| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20181130081913.916a27c8230b125da4bcf2f7@kernel.org>
Date: Fri, 30 Nov 2018 08:19:13 +0900
From: Masami Hiramatsu <mhiramat@...nel.org>
To: "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"daniel@...earbox.net" <daniel@...earbox.net>,
"jeyu@...nel.org" <jeyu@...nel.org>,
"rostedt@...dmis.org" <rostedt@...dmis.org>,
"ast@...nel.org" <ast@...nel.org>,
"ard.biesheuvel@...aro.org" <ard.biesheuvel@...aro.org>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"jannh@...gle.com" <jannh@...gle.com>,
"Dock, Deneen T" <deneen.t.dock@...el.com>,
"kristen@...ux.intel.com" <kristen@...ux.intel.com>,
"akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
"will.deacon@....com" <will.deacon@....com>,
"mingo@...hat.com" <mingo@...hat.com>,
"luto@...nel.org" <luto@...nel.org>,
"kernel-hardening@...ts.openwall.com"
<kernel-hardening@...ts.openwall.com>,
"Keshavamurthy, Anil S" <anil.s.keshavamurthy@...el.com>,
"Hansen, Dave" <dave.hansen@...el.com>,
"naveen.n.rao@...ux.vnet.ibm.com" <naveen.n.rao@...ux.vnet.ibm.com>,
"davem@...emloft.net" <davem@...emloft.net>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [PATCH 0/2] Don’t leave executable
TLB entries to freed pages
On Thu, 29 Nov 2018 18:49:26 +0000
"Edgecombe, Rick P" <rick.p.edgecombe@...el.com> wrote:
> On Thu, 2018-11-29 at 23:06 +0900, Masami Hiramatsu wrote:
> > On Tue, 27 Nov 2018 16:07:52 -0800
> > Rick Edgecombe <rick.p.edgecombe@...el.com> wrote:
> >
> > > Sometimes when memory is freed via the module subsystem, an executable
> > > permissioned TLB entry can remain to a freed page. If the page is re-used to
> > > back an address that will receive data from userspace, it can result in user
> > > data being mapped as executable in the kernel. The root of this behavior is
> > > vfree lazily flushing the TLB, but not lazily freeing the underlying pages.
> >
> > Good catch!
> >
> > >
> > > There are sort of three categories of this which show up across modules,
> > > bpf,
> > > kprobes and ftrace:
> >
> > For x86-64 kprobe, it sets the page NX and after that RW, and then release
> > via module_memfree. So I'm not sure it really happens on kprobes. (Of course
> > the default memory allocator is simpler so it may happen on other archs) But
> > interesting fixes.
> Yes, I think you are right, it should not leave an executable TLB entry in this
> case. Ftrace actually does this on x86 as well.
>
> Is there some other reason for calling set_memory_nx that should apply elsewhere
> for module users? Or could it be removed in the case of this patch to centralize
> the behavior?
According to the commit c93f5cf571e7 ("kprobes/x86: Fix to set RWX bits correctly
before releasing trampoline"), if we release readonly page by module_memfree(),
it causes kernel crash. And at this moment, on x86-64 set the trampoline page
readonly becuase it is an exacutable page. Setting NX bit is for security reason
that should be set before making it writable.
So I think if you centralize setting NX bit, it should be done before setting
writable bit.
Thank you,
--
Masami Hiramatsu <mhiramat@...nel.org>
Powered by blists - more mailing lists