linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Andy Lutomirski <luto@amacapital.net>
To: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Borislav Petkov <bp@alien8.de>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Ingo Molnar <mingo@kernel.org>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	"x86@kernel.org" <x86@kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Kees Cook <keescook@chromium.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Peter Zijlstra <a.p.zijlstra@chello.nl>,
	Andy Lutomirski <luto@kernel.org>,
	Denys Vlasenko <dvlasenk@redhat.com>,
	Brian Gerst <brgerst@gmail.com>,
	"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>
Subject: Re: [PATCH v2] x86/mm: warn on W+x mappings
Date: Wed, 21 Oct 2015 13:49:07 -0700	[thread overview]
Message-ID: <CALCETrX=ddvegyK2_cvwHW=mXb3c8mGpfRT5WFP+qW_=nm_D-A@mail.gmail.com> (raw)
In-Reply-To: <20151021204522.GB20338@codeblueprint.co.uk>

On Wed, Oct 21, 2015 at 1:45 PM, Matt Fleming <matt@codeblueprint.co.uk> wrote:
> On Wed, 21 Oct, at 11:46:53AM, Andy Lutomirski wrote:
>>
>> If the UEFI stuff is mapped in its own PGD entry, we could just RO
>> that entire PGD entry everywhere except the UEFI pgd (and make sure to
>> clear G so that the TLB entries get zapped).
>
> What would be the benefit of making it RO as opposed to not having it
> mapped at all?

Nothing.

> The mappings only exist in the trampoline_pgd right now
> for x86 which minimizes the potentially vulnerable code paths to the
> EFI runtime calls and the suspend/resume code.

Oh, I didn't realize it.

So what's the problem here?  Honestly, while UEFI is full of
questionable things, I don't really see how an unprivileged user
program should be able to cause malicious input to be send to UEFI
code, so it should be quite difficult to exploit a buffer overflow or
other errant write in UEFI to escalate privileges from user to
anything else.  (Kernel -> SMM escalation is a whole different story,
but preventing that is SMM's business, not the kernel's.  I've
actually been a wee bit tempted to write a /dev/smram driver to expose
SMRAM using a portfolio of old known exploits.)

--Andy

-- 
Andy Lutomirski
AMA Capital Management, LLC

  reply	other threads:[~2015-10-21 20:49 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-10-02 19:29 [PATCH v2] x86/mm: warn on W+x mappings Stephen Smalley
2015-10-02 20:44 ` Kees Cook
2015-10-03 11:27 ` Ingo Molnar
2015-10-05 19:13   ` Stephen Smalley
2015-10-06  7:32     ` Ingo Molnar
2015-10-06 15:37       ` Stephen Smalley
2015-10-12 11:36         ` Borislav Petkov
2015-10-12 12:41           ` Matt Fleming
2015-10-12 12:49             ` Ingo Molnar
2015-10-12 12:55               ` Matt Fleming
2015-10-12 14:17                 ` Ingo Molnar
2015-10-12 14:49                   ` Matt Fleming
2015-10-12 15:34                     ` Ard Biesheuvel
2015-10-12 15:50                       ` Matt Fleming
2015-10-12 16:43                         ` Ard Biesheuvel
2015-10-14 15:18                     ` Ingo Molnar
2015-10-14 15:30                       ` Andy Lutomirski
2015-10-14 15:35                         ` Borislav Petkov
2015-10-15 10:10                           ` Matt Fleming
2015-10-15 10:33                             ` Borislav Petkov
2015-10-16  1:45                               ` Ricardo Neri
2015-10-14 21:02                       ` Matt Fleming
2015-10-21  9:42                         ` Ingo Molnar
2015-10-21 12:49                           ` Ingo Molnar
2015-10-21 12:57                             ` Ard Biesheuvel
2015-10-21 13:24                               ` Borislav Petkov
2015-10-21 13:28                                 ` Ard Biesheuvel
2015-10-21 14:36                                   ` Borislav Petkov
2015-10-21 18:46                                     ` Andy Lutomirski
2015-10-21 20:45                                       ` Matt Fleming
2015-10-21 20:49                                         ` Andy Lutomirski [this message]
2015-10-21 20:38                           ` Matt Fleming
2015-10-12 14:56                   ` Josh Triplett
2015-10-14 15:19                     ` Ingo Molnar
2015-10-14 16:47                       ` Josh Triplett
2015-10-21  9:43                         ` Ingo Molnar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CALCETrX=ddvegyK2_cvwHW=mXb3c8mGpfRT5WFP+qW_=nm_D-A@mail.gmail.com' \
    --to=luto@amacapital.net \
    --cc=a.p.zijlstra@chello.nl \
    --cc=ard.biesheuvel@linaro.org \
    --cc=bp@alien8.de \
    --cc=brgerst@gmail.com \
    --cc=dvlasenk@redhat.com \
    --cc=hpa@zytor.com \
    --cc=keescook@chromium.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=matt@codeblueprint.co.uk \
    --cc=mingo@kernel.org \
    --cc=sds@tycho.nsa.gov \
    --cc=tglx@linutronix.de \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).