lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 21 Feb 2024 07:32:09 +0000
From: Christophe Leroy <christophe.leroy@...roup.eu>
To: Maxwell Bland <mbland@...orola.com>,
	"linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>
CC: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
	"agordeev@...ux.ibm.com" <agordeev@...ux.ibm.com>,
	"akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
	"andreyknvl@...il.com" <andreyknvl@...il.com>, "andrii@...nel.org"
	<andrii@...nel.org>, "aneesh.kumar@...nel.org" <aneesh.kumar@...nel.org>,
	"aou@...s.berkeley.edu" <aou@...s.berkeley.edu>, "ardb@...nel.org"
	<ardb@...nel.org>, "arnd@...db.de" <arnd@...db.de>, "ast@...nel.org"
	<ast@...nel.org>, "borntraeger@...ux.ibm.com" <borntraeger@...ux.ibm.com>,
	"bpf@...r.kernel.org" <bpf@...r.kernel.org>, "brauner@...nel.org"
	<brauner@...nel.org>, "catalin.marinas@....com" <catalin.marinas@....com>,
	"cl@...ux.com" <cl@...ux.com>, "daniel@...earbox.net" <daniel@...earbox.net>,
	"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
	"david@...hat.com" <david@...hat.com>, "dennis@...nel.org"
	<dennis@...nel.org>, "dvyukov@...gle.com" <dvyukov@...gle.com>,
	"glider@...gle.com" <glider@...gle.com>, "gor@...ux.ibm.com"
	<gor@...ux.ibm.com>, "guoren@...nel.org" <guoren@...nel.org>,
	"haoluo@...gle.com" <haoluo@...gle.com>, "hca@...ux.ibm.com"
	<hca@...ux.ibm.com>, "hch@...radead.org" <hch@...radead.org>,
	"john.fastabend@...il.com" <john.fastabend@...il.com>, "jolsa@...nel.org"
	<jolsa@...nel.org>, "kasan-dev@...glegroups.com"
	<kasan-dev@...glegroups.com>, "kpsingh@...nel.org" <kpsingh@...nel.org>,
	"linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>,
	"linux@...linux.org.uk" <linux@...linux.org.uk>, "linux-efi@...r.kernel.org"
	<linux-efi@...r.kernel.org>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>, "linux-mm@...ck.org" <linux-mm@...ck.org>,
	"linuxppc-dev@...ts.ozlabs.org" <linuxppc-dev@...ts.ozlabs.org>,
	"linux-riscv@...ts.infradead.org" <linux-riscv@...ts.infradead.org>,
	"linux-s390@...r.kernel.org" <linux-s390@...r.kernel.org>,
	"lstoakes@...il.com" <lstoakes@...il.com>, "mark.rutland@....com"
	<mark.rutland@....com>, "martin.lau@...ux.dev" <martin.lau@...ux.dev>,
	"meted@...ux.ibm.com" <meted@...ux.ibm.com>, "michael.christie@...cle.com"
	<michael.christie@...cle.com>, "mjguzik@...il.com" <mjguzik@...il.com>,
	"mpe@...erman.id.au" <mpe@...erman.id.au>, "mst@...hat.com" <mst@...hat.com>,
	"muchun.song@...ux.dev" <muchun.song@...ux.dev>, "naveen.n.rao@...ux.ibm.com"
	<naveen.n.rao@...ux.ibm.com>, "npiggin@...il.com" <npiggin@...il.com>,
	"palmer@...belt.com" <palmer@...belt.com>, "paul.walmsley@...ive.com"
	<paul.walmsley@...ive.com>, "quic_nprakash@...cinc.com"
	<quic_nprakash@...cinc.com>, "quic_pkondeti@...cinc.com"
	<quic_pkondeti@...cinc.com>, "rick.p.edgecombe@...el.com"
	<rick.p.edgecombe@...el.com>, "ryabinin.a.a@...il.com"
	<ryabinin.a.a@...il.com>, "ryan.roberts@....com" <ryan.roberts@....com>,
	"samitolvanen@...gle.com" <samitolvanen@...gle.com>, "sdf@...gle.com"
	<sdf@...gle.com>, "song@...nel.org" <song@...nel.org>, "surenb@...gle.com"
	<surenb@...gle.com>, "svens@...ux.ibm.com" <svens@...ux.ibm.com>,
	"tj@...nel.org" <tj@...nel.org>, "urezki@...il.com" <urezki@...il.com>,
	"vincenzo.frascino@....com" <vincenzo.frascino@....com>, "will@...nel.org"
	<will@...nel.org>, "wuqiang.matt@...edance.com" <wuqiang.matt@...edance.com>,
	"yonghong.song@...ux.dev" <yonghong.song@...ux.dev>, "zlim.lnx@...il.com"
	<zlim.lnx@...il.com>, "awheeler@...orola.com" <awheeler@...orola.com>
Subject: Re: [PATCH 0/4] arm64: mm: support dynamic vmalloc/pmd configuration



Le 20/02/2024 à 21:32, Maxwell Bland a écrit :
> [Vous ne recevez pas souvent de courriers de mbland@...orola.com. Découvrez pourquoi ceci est important à https://aka.ms/LearnAboutSenderIdentification ]
> 
> Reworks ARM's virtual memory allocation infrastructure to support
> dynamic enforcement of page middle directory PXNTable restrictions
> rather than only during the initial memory mapping. Runtime enforcement
> of this bit prevents write-then-execute attacks, where malicious code is
> staged in vmalloc'd data regions, and later the page table is changed to
> make this code executable.
> 
> Previously the entire region from VMALLOC_START to VMALLOC_END was
> vulnerable, but now the vulnerable region is restricted to the 2GB
> reserved by module_alloc, a region which is generally read-only and more
> difficult to inject staging code into, e.g., data must pass the BPF
> verifier. These changes also set the stage for other systems, such as
> KVM-level (EL2) changes to mark page tables immutable and code page
> verification changes, forging a path toward complete mitigation of
> kernel exploits on ARM.
> 
> Implementing this required minimal changes to the generic vmalloc
> interface in the kernel to allow architecture overrides of some vmalloc
> wrapper functions, refactoring vmalloc calls to use a standard interface
> in the generic kernel, and passing the address parameter already passed
> into PTE allocation to the pte_allocate child function call.
> 
> The new arm64 vmalloc wrapper functions ensure vmalloc data is not
> allocated into the region reserved for module_alloc. arm64 BPF and
> kprobe code also see a two-line-change ensuring their allocations abide
> by the segmentation of code from data. Finally, arm64's pmd_populate
> function is modified to set the PXNTable bit appropriately.

On powerpc (book3s/32) we have more or less the same although it is not 
directly linked to PMDs: the virtual 4G address space is split in 
segments of 256M. On each segment there's a bit called NX to forbit 
execution. Vmalloc space is allocated in a segment with NX bit set while 
Module spare is allocated in a segment with NX bit unset. We never have 
to override vmalloc wrappers. All consumers of exec memory allocate it 
using module_alloc() while vmalloc() provides non-exec memory.

For modules, all you have to do is select 
ARCH_WANTS_MODULES_DATA_IN_VMALLOC and module data will be allocated 
using vmalloc() hence non-exec memory in our case.

Christophe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ