From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6230CC282DA for ; Wed, 17 Apr 2019 23:42:45 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 3AC4F217FA for ; Wed, 17 Apr 2019 23:42:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730848AbfDQXmo (ORCPT ); Wed, 17 Apr 2019 19:42:44 -0400 Received: from Galois.linutronix.de ([146.0.238.70]:59790 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729099AbfDQXmo (ORCPT ); Wed, 17 Apr 2019 19:42:44 -0400 Received: from pd9ef12d2.dip0.t-ipconnect.de ([217.239.18.210] helo=nanos) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1hGuCC-0000Cz-3h; Thu, 18 Apr 2019 01:42:28 +0200 Date: Thu, 18 Apr 2019 01:42:26 +0200 (CEST) From: Thomas Gleixner To: Linus Torvalds cc: Nadav Amit , Ingo Molnar , Khalid Aziz , juergh@gmail.com, Tycho Andersen , jsteckli@amazon.de, keescook@google.com, Konrad Rzeszutek Wilk , Juerg Haefliger , deepa.srinivasan@oracle.com, chris.hyser@oracle.com, tyhicks@canonical.com, David Woodhouse , Andrew Cooper , jcm@redhat.com, Boris Ostrovsky , iommu , X86 ML , linux-arm-kernel@lists.infradead.org, "open list:DOCUMENTATION" , Linux List Kernel Mailing , Linux-MM , LSM List , Khalid Aziz , Andrew Morton , Andy Lutomirski , Peter Zijlstra , Dave Hansen , Borislav Petkov , "H. Peter Anvin" , Arjan van de Ven , Greg Kroah-Hartman Subject: Re: [RFC PATCH v9 03/13] mm: Add support for eXclusive Page Frame Ownership (XPFO) In-Reply-To: Message-ID: References: <20190417161042.GA43453@gmail.com> <20190417170918.GA68678@gmail.com> <56A175F6-E5DA-4BBD-B244-53B786F27B7F@gmail.com> <20190417172632.GA95485@gmail.com> <063753CC-5D83-4789-B594-019048DE22D9@gmail.com> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: On Wed, 17 Apr 2019, Linus Torvalds wrote: > On Wed, Apr 17, 2019, 14:20 Thomas Gleixner wrote: > > > > > It's not necessarily a W+X issue. The user space text is mapped in the > > kernel as well and even if it is mapped RX then this can happen. So any > > kernel mappings of user space text need to be mapped NX! > > With SMEP, user space pages are always NX. We talk past each other. The user space page in the ring3 valid virtual address space (non negative) is of course protected by SMEP. The attack utilizes the kernel linear mapping of the physical memory. I.e. user space address 0x43210 has a kernel equivalent at 0xfxxxxxxxxxx. So if the attack manages to trick the kernel to that valid kernel address and that is mapped X --> game over. SMEP does not help there. >From the top of my head I'd say this is a non issue as those kernel address space mappings _should_ be NX, but we got bitten by _should_ in the past:) Thanks, tglx