[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGXu5jL-qJtW7eH8S2yhqciE+J+FWz8HHzTrGJTgVUbd55n6dQ@mail.gmail.com>
Date: Thu, 18 Apr 2019 00:41:45 -0500
From: Kees Cook <keescook@...gle.com>
To: Andy Lutomirski <luto@...nel.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Thomas Gleixner <tglx@...utronix.de>,
Nadav Amit <nadav.amit@...il.com>,
Ingo Molnar <mingo@...nel.org>,
Khalid Aziz <khalid.aziz@...cle.com>,
Juerg Haefliger <juergh@...il.com>,
Tycho Andersen <tycho@...ho.ws>,
Julian Stecklina <jsteckli@...zon.de>,
Kees Cook <keescook@...gle.com>,
Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
Juerg Haefliger <juerg.haefliger@...onical.com>,
deepa.srinivasan@...cle.com, chris hyser <chris.hyser@...cle.com>,
Tyler Hicks <tyhicks@...onical.com>,
David Woodhouse <dwmw@...zon.co.uk>,
Andrew Cooper <andrew.cooper3@...rix.com>,
Jon Masters <jcm@...hat.com>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
iommu <iommu@...ts.linux-foundation.org>,
X86 ML <x86@...nel.org>,
"linux-alpha@...r.kernel.org" <linux-arm-kernel@...ts.infradead.org>,
"open list:DOCUMENTATION" <linux-doc@...r.kernel.org>,
Linux List Kernel Mailing <linux-kernel@...r.kernel.org>,
Linux-MM <linux-mm@...ck.org>,
LSM List <linux-security-module@...r.kernel.org>,
Khalid Aziz <khalid@...ehiking.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Peter Zijlstra <a.p.zijlstra@...llo.nl>,
Dave Hansen <dave@...1.net>, Borislav Petkov <bp@...en8.de>,
"H. Peter Anvin" <hpa@...or.com>,
Arjan van de Ven <arjan@...radead.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: [RFC PATCH v9 03/13] mm: Add support for eXclusive Page Frame
Ownership (XPFO)
On Wed, Apr 17, 2019 at 11:41 PM Andy Lutomirski <luto@...nel.org> wrote:
> I don't think this type of NX goof was ever the argument for XPFO.
> The main argument I've heard is that a malicious user program writes a
> ROP payload into user memory (regular anonymous user memory) and then
> gets the kernel to erroneously set RSP (*not* RIP) to point there.
Well, more than just ROP. Any of the various attack primitives. The NX
stuff is about moving RIP: SMEP-bypassing. But there is still basic
SMAP-bypassing for putting a malicious structure in userspace and
having the kernel access it via the linear mapping, etc.
> I find this argument fairly weak for a couple reasons. First, if
> we're worried about this, let's do in-kernel CFI, not XPFO, to
CFI is getting much closer. Getting the kernel happy under Clang, LTO,
and CFI is under active development. (It's functional for arm64
already, and pieces have been getting upstreamed.)
> mitigate it. Second, I don't see why the exact same attack can't be
> done using, say, page cache, and unless I'm missing something, XPFO
> doesn't protect page cache. Or network buffers, or pipe buffers, etc.
My understanding is that it's much easier to feel out the linear
mapping address than for the others. But yes, all of those same attack
primitives are possible in other memory areas (though most are NX),
and plenty of exploits have done such things.
--
Kees Cook
Powered by blists - more mailing lists