| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <14fea0e6809b42393388d20f5b62509108a87a71.camel@intel.com>
Date: Mon, 19 Sep 2022 18:14:48 +0000
From: "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>
To: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>
CC: "peterz@...radead.org" <peterz@...radead.org>,
"tglx@...utronix.de" <tglx@...utronix.de>,
"x86@...nel.org" <x86@...nel.org>, "hpa@...or.com" <hpa@...or.com>,
"mingo@...hat.com" <mingo@...hat.com>,
"Lutomirski, Andy" <luto@...nel.org>,
"Liu, Yujie" <yujie.liu@...el.com>, "bp@...en8.de" <bp@...en8.de>
Subject: Re: [PATCH] x86/mm: Set NX bit when making pages present
On Fri, 2022-09-09 at 08:27 -0700, Dave Hansen wrote:
> 0day ran across a case triggered by module unloading, but that looks
> to be a generic problem. It presumably goes like this:
>
> 1. Load module with direct map, P=1,W=1,NX=1
> 2. Map module executable, set P=1,W=0,NX=0
> 3. Free module, land in vfree()->vm_remove_mappings()
> 4. Set P=0 during alias processing, P=0,W=0,NX=0
> 5. Restore kernel mapping via
> set_direct_map_default_noflush(),
> set P=1,W=1, resulting in P=1,W=1,NX=0
I don't think this is right. CPA skips NX modification on the alias, so
the earlier module CPA's (1-2) shouldn't have touched NX where
set_direct_map() is operating. So NX *shouldn't* have been cleared in
this case.
Clearly somehow it is though. The original report has this in the log:
Notice: NX (Execute Disable) protection cannot be enabled: non-PAE
kernel!
So probably the W^X checker needs to check this non-PAE case
differently.
Powered by blists - more mailing lists