| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d50dac43-51da-4b18-9fab-214896bdc9a5@assembler.cz> Date: Tue, 25 Feb 2025 21:06:39 +0100 From: Rudolf Marek <r.marek@...embler.cz> To: Andrew Cooper <andrew.cooper3@...rix.com>, Jann Horn <jannh@...gle.com> Cc: jmill@....edu, joao@...rdrivepizza.com, luto@...nel.org, samitolvanen@...gle.com, "Peter Zijlstra (Intel)" <peterz@...radead.org>, linux-hardening@...r.kernel.org, lkml <linux-kernel@...r.kernel.org>, x86 maintainers <x86@...nel.org> Subject: Re: [RFC] Circumventing FineIBT Via Entrypoints Hi Andrew, Dne 25. 02. 25 v 19:10 Andrew Cooper napsal(a): > Very cunning. Yes it does, but the state needs to be safe to IRET back > to, and ... ... And intellectually very pleasing! >> Would it work to have KERNEL_CS as last entry in the GDT table? >> Therefore executing SYSCALL would set the CS as usual, >> but the numeric value of SS selector would be larger than GDT limit? > > ... this isn't safe. Any exception/interrupt will yield #SS when trying > to load an out-of-limit %ss.> i.e. a wrongly-timed NMI will take out the system with a very bizarre > looking oops. Hmm I was hoping that "the reader" will perform this NMI/#MC exercise :) The SYSCALL/SYSENTER startup has interrupts disabled, so it is the problem of NMI/#MC handler which would need deal with the normal case and attack case. It would need to check if it was executing that critical part of syscall64 entry from endbr64 to checkselector section, and if yes, the saved %ss needs to be "impossible" one. If it isn't -> panic. For non-attack case it just needs to forward RIP after the check... > You can do this in a less fatal way by e.g. having in-GDT form have a > segment limit, but any exception/interrupt will resync the out-of-sync > state, and break detection. Also it would make the segment unusable for > compatibility userspace, where the limit would take effect. Yeah couldn't figure out what else could work "vice-versa" :( > Finally, while this potentially gives us an option for SYSCALL and maybe > SYSENTER, it doesn't help with any of the main IDT entrypoints which can > also be attacked. I see, sorry I wasn't aware of this. But if I recall correctly only "paranoid" IDT entries do something with swapgs. But is there also some stack pivot where it would depend on GS? Or is it somewhat unrelated issue, that you might just redirect to "any endbr64" which are IDT entrypoints? Maybe you can share some details of how the attack would work in this case, or point me somewhere where I can read about it. If it is "any endbr64" case, would it work to just do "sanity check" of the exception stackframe? I mean if it is real or some random kernel stack state? 1) check %RSP alignment if it was ok 2) check if %ss and %cs for all possible valid values (16 bit) Unfortunately I think intel is not clearing high 48 bits of saved selector, AMD is. 3) check if %rip is kernel range 4) check if %rflags is sane (bit1 is 1) Because if the attacker has no or limited control on the stack content, it would be difficult to fake it. Thanks, Rudolf
Powered by blists - more mailing lists