| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202502131224.D6F5A235@keescook> Date: Thu, 13 Feb 2025 12:28:33 -0800 From: Kees Cook <kees@...nel.org> To: Andrew Cooper <andrew.cooper3@...rix.com> Cc: jannh@...gle.com, jmill@....edu, joao@...rdrivepizza.com, linux-hardening@...r.kernel.org, linux-kernel@...r.kernel.org, luto@...nel.org, samitolvanen@...gle.com, "Peter Zijlstra (Intel)" <peterz@...radead.org> Subject: Re: [RFC] Circumventing FineIBT Via Entrypoints On Thu, Feb 13, 2025 at 01:31:30AM +0000, Andrew Cooper wrote: > >> Assuming this is an issue you all feel is worth addressing, I will > >> continue working on providing a patch. I'm concerned though that the > >> overhead from adding a wrmsr on both syscall entry and exit to > >> overwrite and restore the KERNEL_GS_BASE MSR may be quite high, so > >> any feedback in regards to the approach or suggestions of alternate > >> approaches to patching are welcome :) > > > > Since the kernel, as far as I understand, uses FineIBT without > > backwards control flow protection (in other words, I think we assume > > that the kernel stack is trusted?), > > This is fun indeed. Linux cannot use supervisor shadow stacks because > the mess around NMI re-entrancy (and IST more generally) requires ROP > gadgets in order to function safely. Implementing this with shadow > stacks active, while not impossible, is deemed to be prohibitively > complicated. And just validate my understanding here, this attack is fundamentally about FineIBT, not regular CFI (IBT or not), as the validation of target addresses is done at indirect call time, yes? -Kees -- Kees Cook
Powered by blists - more mailing lists