Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751931AbdIUBEO (ORCPT ); Wed, 20 Sep 2017 21:04:14 -0400 Received: from mail-it0-f52.google.com ([209.85.214.52]:45811 "EHLO mail-it0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751636AbdIUBEN (ORCPT ); Wed, 20 Sep 2017 21:04:13 -0400 X-Google-Smtp-Source: AOwi7QDIlGO4TYLNndpD68yXMrlW2jMcRI35bdC5pkKiLbx+Q4zbd1amiWNOMpuVpe6WwQ7ykkvn4w== Date: Wed, 20 Sep 2017 19:04:10 -0600 From: Tycho Andersen To: Dave Hansen Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com, Marco Benatto , Juerg Haefliger , x86@kernel.org Subject: Re: [PATCH v6 03/11] mm, x86: Add support for eXclusive Page Frame Ownership (XPFO) Message-ID: <20170921010410.d4baj2crnzrlzvdj@docker> References: <20170907173609.22696-1-tycho@docker.com> <20170907173609.22696-4-tycho@docker.com> <9ca0ef74-b409-2eae-07f8-9fd7d83989a5@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <9ca0ef74-b409-2eae-07f8-9fd7d83989a5@intel.com> User-Agent: NeoMutt/20170113 (1.7.2) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 637 Lines: 18 On Wed, Sep 20, 2017 at 05:28:11PM -0700, Dave Hansen wrote: > At a high level, does this approach keep an attacker from being able to > determine the address of data in the linear map, or does it keep them > from being able to *exploit* it? It keeps them from exploiting it, by faulting when a physmap alias is used. > Can you have a ret2dir attack if the attacker doesn't know the > address, for instance? Yes, through a technique similar to heap spraying. The original paper has a study of this, section 5.2 outlines the attack and 7.2 describes their success rate: http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf Tycho