| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Jan 2019 16:25:03 -0700
From: Khalid Aziz <khalid.aziz@...cle.com>
To: Andy Lutomirski <luto@...nel.org>,
Dave Hansen <dave.hansen@...el.com>
Cc: Juerg Haefliger <juergh@...il.com>,
Tycho Andersen <tycho@...ho.ws>, jsteckli@...zon.de,
Andi Kleen <ak@...ux.intel.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
liran.alon@...cle.com, Kees Cook <keescook@...gle.com>,
Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
deepa.srinivasan@...cle.com, chris hyser <chris.hyser@...cle.com>,
Tyler Hicks <tyhicks@...onical.com>,
"Woodhouse, David" <dwmw@...zon.co.uk>,
Andrew Cooper <andrew.cooper3@...rix.com>,
Jon Masters <jcm@...hat.com>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
kanth.ghatraju@...cle.com,
Joao Martins <joao.m.martins@...cle.com>,
Jim Mattson <jmattson@...gle.com>, pradeep.vincent@...cle.com,
John Haxby <john.haxby@...cle.com>,
Thomas Gleixner <tglx@...utronix.de>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Christoph Hellwig <hch@....de>, steven.sistare@...cle.com,
Kernel Hardening <kernel-hardening@...ts.openwall.com>,
Linux-MM <linux-mm@...ck.org>,
LKML <linux-kernel@...r.kernel.org>,
Peter Zijlstra <peterz@...radead.org>
Subject: Re: [RFC PATCH v7 00/16] Add support for eXclusive Page Frame
Ownership
On 1/11/19 2:06 PM, Andy Lutomirski wrote:
> On Fri, Jan 11, 2019 at 12:42 PM Dave Hansen <dave.hansen@...el.com> wrote:
>>
>>>> The second process could easily have the page's old TLB entry. It could
>>>> abuse that entry as long as that CPU doesn't context switch
>>>> (switch_mm_irqs_off()) or otherwise flush the TLB entry.
>>>
>>> That is an interesting scenario. Working through this scenario, physmap
>>> TLB entry for a page is flushed on the local processor when the page is
>>> allocated to userspace, in xpfo_alloc_pages(). When the userspace passes
>>> page back into kernel, that page is mapped into kernel space using a va
>>> from kmap pool in xpfo_kmap() which can be different for each new
>>> mapping of the same page. The physical page is unmapped from kernel on
>>> the way back from kernel to userspace by xpfo_kunmap(). So two processes
>>> on different CPUs sharing same physical page might not be seeing the
>>> same virtual address for that page while they are in the kernel, as long
>>> as it is an address from kmap pool. ret2dir attack relies upon being
>>> able to craft a predictable virtual address in the kernel physmap for a
>>> physical page and redirect execution to that address. Does that sound right?
>>
>> All processes share one set of kernel page tables. Or, did your patches
>> change that somehow that I missed?
>>
>> Since they share the page tables, they implicitly share kmap*()
>> mappings. kmap_atomic() is not *used* by more than one CPU, but the
>> mapping is accessible and at least exists for all processors.
>>
>> I'm basically assuming that any entry mapped in a shared page table is
>> exploitable on any CPU regardless of where we logically *want* it to be
>> used.
>>
>>
>
> We can, very easily, have kernel mappings that are private to a given
> mm. Maybe this is useful here.
>
That sounds like an interesting idea. kmap mappings would be a good
candidate for that. Those are temporary mappings and should only be
valid for one process.
--
Khalid
Download attachment "pEpkey.asc" of type "application/pgp-keys" (2461 bytes)
Powered by blists - more mailing lists