| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Jun 2023 07:45:24 -0700
From: Dave Hansen <dave.hansen@...el.com>
To: Lee Jones <lee@...nel.org>, Peter Zijlstra <peterz@...radead.org>
Cc: Dave Hansen <dave.hansen@...ux.intel.com>,
Andy Lutomirski <luto@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
linux-kernel@...r.kernel.org, linux-mm@...ck.org
Subject: Re: x86: pgtable / kaslr initialisation (OOB) help
On 6/14/23 07:37, Lee Jones wrote:
> Still unsure how we (the kernel) can/should write to an area of memory
> that does not belong to it. Should we allocate enough memory
> (2*PAGE_SIZE? rather than 8-Bytes) for trampoline_pgd_entry to consume
> in a more sane way?
No.
I think this:
set_pgd(&trampoline_pgd_entry,
__pgd(_KERNPG_TABLE | __pa(p4d_page_tramp)));
is bogus-ish. set_pgd() wants to operate on a pgd_t inside a pgd
*PAGE*. But it's just being pointed at a single _entry_. The address
of 'trampoline_pgd_entry' in your case also just (unfortunately)
happens to pass the:
__pti_set_user_pgtbl -> pgdp_maps_userspace()
test. I _think_ we want these to just be something like:
trampoline_pgd_entry = __pgd(_KERNPG_TABLE |
__pa(p4d_page_tramp);
That'll keep us away from all of the set_pgd()-induced nastiness.
Powered by blists - more mailing lists