Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935618Ab3DISyS (ORCPT ); Tue, 9 Apr 2013 14:54:18 -0400 Received: from mail-wg0-f48.google.com ([74.125.82.48]:35307 "EHLO mail-wg0-f48.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932780Ab3DISyQ (ORCPT ); Tue, 9 Apr 2013 14:54:16 -0400 MIME-Version: 1.0 In-Reply-To: References: <20130408224328.GA17641@www.outflux.net> <51634935.9010905@zytor.com> <51645D6F.7070705@zytor.com> <51646054.3090509@zytor.com> Date: Tue, 9 Apr 2013 11:54:15 -0700 Message-ID: Subject: Re: [kernel-hardening] Re: [PATCH] x86: make IDT read-only From: Eric Northup To: Kees Cook Cc: "H. Peter Anvin" , "kernel-hardening@lists.openwall.com" , Ingo Molnar , LKML , "x86@kernel.org" , Konrad Rzeszutek Wilk , Jeremy Fitzhardinge , Marcelo Tosatti , Alex Shi , Borislav Petkov , Alexander Duyck , Frederic Weisbecker , Steven Rostedt , "Paul E. McKenney" , "xen-devel@lists.xensource.com" , "virtualization@lists.linux-foundation.org" , Dan Rosenberg , Julien Tinnes , Will Drewry Content-Type: text/plain; charset=ISO-8859-1 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1288 Lines: 40 On Tue, Apr 9, 2013 at 11:46 AM, Kees Cook wrote: > On Tue, Apr 9, 2013 at 11:39 AM, H. Peter Anvin wrote: >> On 04/09/2013 11:31 AM, Kees Cook wrote: >>>>> ... >>>>> 0xffff880001e00000-0xffff88001fe00000 480M RW PSE GLB NX pmd >>>>> >>>> >>>> That is the 1:1 memory map area... >>> >>> Meaning what? >>> >>> -Kees >>> >> >> That's the area in which we just map 1:1 to memory. Anything allocated >> with e.g. kmalloc() ends up with those addresses. > > Ah-ha! Yes, I see now when comparing the debug/kernel_page_tables > reports. It's just the High Kernel Mapping that we care about. > Addresses outside that range are less of a leak. Excellent, then GDT > may not be a problem. Whew. The GDT is a problem if the address returned by 'sgdt' is kernel-writable - it doesn't necessarily reveal the random offset, but I'm pretty sure that writing to the GDT could cause privilege escalation. > > Does the v2 IDT patch look okay, BTW? > > -Kees > > -- > Kees Cook > Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/