lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 16 Dec 2018 10:55:48 -0800
From:   Andy Lutomirski <luto@...nel.org>
To:     Paul Burton <paul.burton@...s.com>
Cc:     Andy Lutomirski <luto@...nel.org>,
        Linux MIPS Mailing List <linux-mips@...ux-mips.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Paul Burton <paul.burton@...tec.com>,
        David Daney <david.daney@...ium.com>,
        Ralf Baechle <ralf@...ux-mips.org>,
        James Hogan <jhogan@...nel.org>, Rich Felker <dalias@...c.org>
Subject: Re: Fixing MIPS delay slot emulation weakness?

On Sun, Dec 16, 2018 at 1:22 AM Paul Burton <paul.burton@...s.com> wrote:
>
> Hi Andy,
>
> On Sat, Dec 15, 2018 at 11:19:37AM -0800, Andy Lutomirski wrote:
> > Some security researchers pointed out that writing to the delay slot
> > emulation page is a great exploit technique on MIPS.  It was
> > introduced in:
> >
> > commit 432c6bacbd0c16ec210c43da411ccc3855c4c010
> > Author: Paul Burton <paul.burton@...tec.com>
> > Date:   Fri Jul 8 11:06:19 2016 +0100
> >
> >     MIPS: Use per-mm page to execute branch delay slot instructions
>
> Are there any further details you can share? You'd still need to
> persuade a program to both write to & jump to the page, right? We're
> talking purely about this providing writable+executable memory?

Yes, exactly.  You need a bug in order to take advantage of it.  The
RWX page at a known location just makes exploitation considerably
easier.

I should also note that, on x86 at least, emulating loads and stores
is not so bad.  The x86 vsyscall emulation code does it and has almost
fully correct fault semantics.  (I say "almost" because I didn't
bother getting the semantics exactly right for non-canonical addresses
and kernel addresses.)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ