From: Thomas Gleixner
To: Nadav Amit
Cc: Ingo Molnar, Khalid Aziz, juergh@gmail.com, Tycho Andersen, jsteckli@amazon.de, keescook@google.com, Konrad Rzeszutek Wilk, Juerg Haefliger, deepa.srinivasan@oracle.com, chris.hyser@oracle.com, tyhicks@canonical.com, David Woodhouse, Andrew Cooper, jcm@redhat.com, Boris Ostrovsky, iommu, X86 ML, linux-arm-kernel@lists.infradead.org, "open list:DOCUMENTATION", Linux List Kernel Mailing, Linux-MM, LSM List, Linus Torvalds, Andrew Morton, Andy Lutomirski, Peter Zijlstra, Dave Hansen, Borislav Petkov, "H. Peter Anvin", Arjan van de Ven, Greg Kroah-Hartman
Subject: Re: [RFC PATCH v9 03/13] mm: Add support for eXclusive Page Frame Ownership (XPFO)
Date: Wed, 17 Apr 2019 23:19:50 +0200 (CEST)
In-Reply-To: <063753CC-5D83-4789-B594-019048DE22D9@gmail.com>
References: <20190417161042.GA43453@gmail.com> <20190417170918.GA68678@gmail.com> <56A175F6-E5DA-4BBD-B244-53B786F27B7F@gmail.com> <20190417172632.GA95485@gmail.com> <063753CC-5D83-4789-B594-019048DE22D9@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 17 Apr 2019, Nadav Amit wrote:
> > On Apr 17, 2019, at 10:26 AM, Ingo Molnar wrote:
> >> As I was curious, I looked at the paper. Here is a quote from it:
> >>
> >> "In x86-64, however, the permissions of physmap are not in sane state.
> >> Kernels up to v3.8.13 violate the W^X property by mapping the entire region
> >> as “readable, writeable, and executable” (RWX)—only very recent kernels
> >> (≥v3.9) use the more conservative RW mapping.”
> >
> > But v3.8.13 is a 5+ years old kernel, it doesn't count as a "modern"
> > kernel in any sense of the word. For any proposed patchset with
> > significant complexity and non-trivial costs the benchmark version
> > threshold is the "current upstream kernel".
> >
> > So does that quote address my followup questions:
> >
> >> Is this actually true of modern x86-64 kernels? We've locked down W^X
> >> protections in general.
> >>
> >> I.e. this conclusion:
> >>
> >> "Therefore, by simply overwriting kfptr with 0xFFFF87FF9F080000 and
> >> triggering the kernel to dereference it, an attacker can directly
> >> execute shell code with kernel privileges."
> >>
> >> ... appears to be predicated on imperfect W^X protections on the x86-64
> >> kernel.
> >>
> >> Do such holes exist on the latest x86-64 kernel? If yes, is there a
> >> reason to believe that these W^X holes cannot be fixed, or that any fix
> >> would be more expensive than XPFO?
> >
> > ?
> >
> > What you are proposing here is a XPFO patch-set against recent kernels
> > with significant runtime overhead, so my questions about the W^X holes
> > are warranted.
>
> Just to clarify - I am an innocent bystander and have no part in this work.
> I was just looking (again) at the paper, as I was curious due to the recent
> patches that I sent that improve W^X protection.

It's not necessarily a W+X issue. The user space text is mapped in the
kernel as well and even if it is mapped RX then this can happen. So any
kernel mappings of user space text need to be mapped NX!

Thanks,

	tglx
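The last paragraph of the reply states an invariant on page permissions that a per-mapping W^X check does not capture: a frame that user space can fill must have no executable kernel alias, even an RX one. The following is an added example, not code from this thread or from the XPFO patch set; every name in it (struct frame, audit_frames, harden_kernel_aliases, demo_violations) and every sample value is constructed. It audits a toy set of page frames for two rules, plain W^X per mapping and "no executable kernel alias of a user-visible frame", and then shows that clearing X on those aliases, the minimum the sentence above demands, brings the violation count to zero.

```c
/* Added toy model (not thread or XPFO code): every name and value here is constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
enum space { SPACE_USER, SPACE_KERNEL };

struct mapping {
    enum space space;  /* which page tables hold this mapping of the frame */
    unsigned perms;    /* PERM_* bits */
};

struct frame {
    size_t nmappings;
    struct mapping maps[4];  /* user-space view(s) plus the kernel direct-map alias */
};

/* Rule 1: classic W^X, judged one mapping at a time. */
static bool mapping_is_wx(const struct mapping *m)
{
    return (m->perms & PERM_W) && (m->perms & PERM_X);
}

static bool frame_user_visible(const struct frame *f)
{
    for (size_t i = 0; i < f->nmappings; i++)
        if (f->maps[i].space == SPACE_USER)
            return true;
    return false;
}

/* Rule 2 (the point of the reply): an RX kernel alias passes rule 1 and still fails here. */
static bool frame_has_exec_kernel_alias(const struct frame *f)
{
    if (!frame_user_visible(f))
        return false;
    for (size_t i = 0; i < f->nmappings; i++)
        if (f->maps[i].space == SPACE_KERNEL && (f->maps[i].perms & PERM_X))
            return true;
    return false;
}

/* Count violations of both rules; returns their sum, with the breakdown via the out-params. */
int audit_frames(const struct frame *frames, size_t n, int *wx_out, int *alias_out)
{
    int wx = 0, alias = 0;
    for (size_t i = 0; i < n; i++) {
        for (size_t j = 0; j < frames[i].nmappings; j++)
            wx += mapping_is_wx(&frames[i].maps[j]);
        alias += frame_has_exec_kernel_alias(&frames[i]);
    }
    if (wx_out) *wx_out = wx;
    if (alias_out) *alias_out = alias;
    return wx + alias;
}

/* Mitigation modelled here: clear X on every kernel alias of a user-visible frame. */
int harden_kernel_aliases(struct frame *frames, size_t n)
{
    int changed = 0;
    for (size_t i = 0; i < n; i++) {
        if (!frame_user_visible(&frames[i]))
            continue;
        for (size_t j = 0; j < frames[i].nmappings; j++) {
            struct mapping *m = &frames[i].maps[j];
            if (m->space == SPACE_KERNEL && (m->perms & PERM_X)) {
                m->perms &= ~PERM_X;
                changed++;
            }
        }
    }
    return changed;
}

/* Build a constructed sample of four frames, optionally harden it, and audit it. */
int demo_violations(bool harden, int *wx_out, int *alias_out)
{
    struct frame fr[4] = {
        /* user text with an RX direct-map alias: W^X holds per mapping, rule 2 fails */
        { 2, { { SPACE_USER, PERM_R | PERM_X }, { SPACE_KERNEL, PERM_R | PERM_X } } },
        /* user data with an RW, NX alias: clean */
        { 2, { { SPACE_USER, PERM_R | PERM_W }, { SPACE_KERNEL, PERM_R | PERM_W } } },
        /* kernel text, never user-visible: clean */
        { 1, { { SPACE_KERNEL, PERM_R | PERM_X } } },
        /* pre-v3.9 style RWX physmap alias of a user page: fails both rules */
        { 2, { { SPACE_USER, PERM_R | PERM_W }, { SPACE_KERNEL, PERM_R | PERM_W | PERM_X } } },
    };
    if (harden)
        harden_kernel_aliases(fr, 4);
    return audit_frames(fr, 4, wx_out, alias_out);
}

int main(void)
{
    int wx, alias, total = demo_violations(false, &wx, &alias);
    printf("before hardening: %d violations (%d W+X, %d exec alias)\n", total, wx, alias);
    total = demo_violations(true, &wx, &alias);
    printf("after hardening:  %d violations (%d W+X, %d exec alias)\n", total, wx, alias);
    return 0;
}
```

In the sample, the RX direct-map alias of the user text page passes the W^X check and is caught only by the alias check, which is why the reply says this is not necessarily a W+X issue. Clearing X is the minimal fix modelled here; the XPFO series the thread discusses goes further and removes user-owned frames from the kernel's direct map while they are user-owned, so no kernel alias exists at all.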