Received: by 10.192.165.148 with SMTP id m20csp104949imm; Thu, 3 May 2018 15:52:54 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpbhIaqcOvrm445/GflBnQAZCuSzppAmdqAqMTY+MERDDVWvmqAnJkFPEfIxh/F/aeRz6dm X-Received: by 2002:a65:4c4d:: with SMTP id l13-v6mr20717108pgr.46.1525387974879; Thu, 03 May 2018 15:52:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525387974; cv=none; d=google.com; s=arc-20160816; b=vlKhpMQUoMk215fVUeX8A+Vf08sEUANrJP9x+I7ZM2NJPWk4aibmPpsvFwHjjRO17y ydF31j/LuCRFk7yrm8uB5J2tQbbLvQHhBFMVS7NX5yusH9IJgByXwJ9cSwCNoDDTFR24 m4i/n6AhIFRmrVj7+s22r7IFMf/Y9oWuPomavqRSrKDXFRvEGyZu1HjfnAatsxalN0/X mrju5o4noJAuC7blUhzlS7hZfRHt7w58auMQu6zXp8E1t7Fv+3Un2pN0sYoPsy6a07UR 2tw4XVDnyhxX7uhtvhkW2Z1lYc0CgbVqce1hD5ZMqMs2asX3tUa6wNclnAYbBIQRgOUI qMyw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature :arc-authentication-results; bh=lt0G6sHCVHJx/SgaEuFaMK4BnHfDsZn9sZ5KIv4dylU=; b=gcvbAtP6G4RJEcL+EVVRJQWscD7oZR0WeqwxuTF+hSp4F/ewytEzn6zNOSZyFCs2/v xGaToJIqL4zuBtu0H6wuDu6d+kCAh8RLnbBNPErK3cSEK9DsY0A8m/S4JKsxxZo2QIfd dJhYOu4/pclT8YJxqEbtpqrJZsD2Xt7MqL794eh8W2prLpCROjG9ZmjgEu9QAmaMLEX0 gqj8sys4A6JzYOob5ySmnYB9oSUiO6pKyYK/LYvrFQvSEY/Ghpy90o/mhH4k/CT4MUCv Z3I8tKkV4kRADaUFnANFB5W171W3Xik1Ibm19g1qzvlZ3vVWayLK5mM6/0ciaCRggpin Zs+g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ZLYfSFXc; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g14-v6si3058524plj.146.2018.05.03.15.52.40; Thu, 03 May 2018 15:52:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ZLYfSFXc; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751336AbeECWw1 (ORCPT + 99 others); Thu, 3 May 2018 18:52:27 -0400 Received: from mail-lf0-f65.google.com ([209.85.215.65]:44727 "EHLO mail-lf0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751111AbeECWwZ (ORCPT ); Thu, 3 May 2018 18:52:25 -0400 Received: by mail-lf0-f65.google.com with SMTP id h197-v6so28271215lfg.11; Thu, 03 May 2018 15:52:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=lt0G6sHCVHJx/SgaEuFaMK4BnHfDsZn9sZ5KIv4dylU=; b=ZLYfSFXc+p2FNCyibhFxI2U7hro7CWV887gX+/i6SrqhZ2oKAnjd1ls2dv74gSxPac HRFt0PE+0pBQaIWNL3xP1ukHdyQ0Fpj+yljhI7gmZs364g8HVLcbiWro8lKszYJuuJzO 8UxcLwX5DAgbFh6sIWRcC1+ENGmmyvkWjhBvgcUWY5IGi7RIeAbZMG3C5x6MHDqlX9ig +UGbLDWbBMxZajkLaXCOSVbSoXNWRwLN17XRJqggShokE9RDVZ+YZk/Y7CoUiOYc/HA4 96PDSca9vKJ2J14cjSvDmAqhqCP4v1/f96lid9okv/XKRQ6yMhrMz9S8N55V/gmvaQQ5 2ucA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=lt0G6sHCVHJx/SgaEuFaMK4BnHfDsZn9sZ5KIv4dylU=; b=mIKxmt+TwJiN7+1JPiPauyW/iDSeoYav8b0viicJOvlYeRpxmWF7oPdFcr8lps9Bi8 kJ0AYeZieBiyHMdWbi3stmzrfstU/v1bujcTv/ceHXwk6UXiSix3rRbDb4zX7SizFrqK XH+Pr02x06f4c8jy1yOY3izjtIQwixOQGocUd9pnYMaLSMrRql+3k4OXX4cspkS90m2L f8OAei5dqKVwKCgKisimFSxkL4jQ2p9RpOj7iqD2MTIfTEMkKmRyuwDFwJ46yQkDRpD8 erAn5hEie6k8CIi+1oum3pdzpPyKEUzvsoskmCBB3J92/Zg6k2ZUhEaHuFXyL41j9okM fFOQ== X-Gm-Message-State: ALQs6tCs9rYrgdAKEzLeFhwxMUll2V+rfqcSCg/x6BaAQfcHWayTMSIF wLnaTRvIXra09WM3l6pykto= X-Received: by 2002:a19:434c:: with SMTP id m12-v6mr16154478lfj.120.1525387944402; Thu, 03 May 2018 15:52:24 -0700 (PDT) Received: from [192.168.10.160] (91-156-179-40.elisa-laajakaista.fi. [91.156.179.40]) by smtp.gmail.com with ESMTPSA id n66-v6sm2709683lfi.53.2018.05.03.15.52.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 03 May 2018 15:52:23 -0700 (PDT) Subject: Re: Correct way to access the physmap? - Was: Re: [PATCH 7/9] Pmalloc Rare Write: modify selected pools To: Dave Hansen , Matthew Wilcox Cc: linux-security-module@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Igor Stoppa References: <20180423125458.5338-1-igor.stoppa@huawei.com> <20180423125458.5338-8-igor.stoppa@huawei.com> <20180424115050.GD26636@bombadil.infradead.org> <035f2bba-ebb1-06a0-fb88-3d40f7e484a7@gmail.com> From: Igor Stoppa Message-ID: <91ca0b5e-0719-7ebf-4e11-8b17f54251fe@gmail.com> Date: Fri, 4 May 2018 02:52:22 +0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 04/05/18 01:55, Dave Hansen wrote: > On 05/03/2018 02:52 PM, Igor Stoppa wrote: >> At the end of the summit, we agreed that I would go through the physmap. > > Do you mean the kernel linear map? Apparently I did mean it. It was confusing, because I couldn't find a single place stating it explicitly, like you just did. > That's just another name for the > virtual address that you get back from page_to_virt(): > > int *j = page_to_virt(vmalloc_to_page(i)); > One reason why I was not sure is that also the linear mapping gets protected, when I protect hte corresponding page in the vmap_area: if i do: int *i = vmalloc(sizeof(int)); int *j = page_to_virt(vmalloc_to_page(i)); *i = 1; set_memory_ro(i, 1); *j = 2; I get an error, because also *j has become read only. I was expecting to have to do the protection of the linear mapping in a second phase. It turns out that - at least on x86_64 - it's already in place. But it invalidates what we agreed, which was based on the assumption that the linear mapping was writable all the time. I see two options: 1) continue to go through the linear mapping, unprotecting it for the time it takes to make the write. 2) use the code I already wrote, which creates an additional, temporary mapping in R/W mode at a random address. I'd prefer 2) because it is already designed to make life harder for someone trying to attack the data in the page: even if one manages to take over a core and busy loop on it, option 2) will use a random temporary address, that is harder to figure out. Option 1) re-uses the linear mapping and therefore the attacker really only needs to get lucky and, depending on the target, write over some other data that was in the same page being unprotected, or overwrite the same data being updated, after the update has taken place. Is there any objection if I continue with options 2? -- igor