From: Andy Lutomirski
Date: Sun, 16 Dec 2018 10:55:48 -0800
Subject: Re: Fixing MIPS delay slot emulation weakness?
To: Paul Burton
Cc: Andy Lutomirski, Linux MIPS Mailing List, LKML, Paul Burton, David Daney, Ralf Baechle, James Hogan, Rich Felker

On Sun, Dec 16, 2018 at 1:22 AM Paul Burton wrote:
>
> Hi Andy,
>
> On Sat, Dec 15, 2018 at 11:19:37AM -0800, Andy Lutomirski wrote:
> > Some security researchers pointed out that writing to the delay slot
> > emulation page is a great exploit technique on MIPS. It was
> > introduced in:
> >
> > commit 432c6bacbd0c16ec210c43da411ccc3855c4c010
> > Author: Paul Burton
> > Date: Fri Jul 8 11:06:19 2016 +0100
> >
> > MIPS: Use per-mm page to execute branch delay slot instructions
>
> Are there any further details you can share? You'd still need to
> persuade a program to both write to & jump to the page, right? We're
> talking purely about this providing writable+executable memory?

Yes, exactly. You need a bug in order to take advantage of it. The
RWX page at a known location just makes exploitation considerably
easier.

I should also note that, on x86 at least, emulating loads and stores
is not so bad. The x86 vsyscall emulation code does it and has almost
fully correct fault semantics. (I say "almost" because I didn't bother
getting the semantics exactly right for non-canonical addresses and
kernel addresses.)
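The point of the thread is that a page mapped both writable and executable weakens W^X for every process. As an added example (not code from the kernel or from either author), here is a small audit that parses `/proc/<pid>/maps` and flags W+X regions; the sample map text is constructed, with one anonymous `rwxp` page standing in for the kind of per-mm emulation page discussed above.

```python
"""Audit a Linux process memory map for W+X (writable and executable) regions.

Added example for this thread; the SAMPLE_MAPS text below is constructed,
including a hypothetical anonymous rwxp mapping like a per-mm emulation page.
"""
import re
from typing import List, NamedTuple

# One /proc/<pid>/maps line: range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse the contents of a /proc/<pid>/maps file into Mapping records."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than fail
        out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                           m["perms"], m["path"].strip()))
    return out


def find_wx(mappings: List[Mapping]) -> List[Mapping]:
    """Return mappings that are both writable and executable (W^X violations)."""
    return [mp for mp in mappings if "w" in mp.perms and "x" in mp.perms]


def audit_pid(pid: int) -> List[Mapping]:
    """Audit a live process (Linux only) by reading /proc/<pid>/maps."""
    with open(f"/proc/{pid}/maps") as fh:
        return find_wx(parse_maps(fh.read()))


# Constructed sample: a normal text/data pair plus one anonymous rwx page.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo
00600000-00601000 rw-p 00000000 08:01 1234 /usr/bin/demo
7f0000000000-7f0000001000 rwxp 00000000 00:00 0
7ffff7ff0000-7ffff7ff1000 r--p 00000000 00:00 0 [vvar]
"""

if __name__ == "__main__":
    for mp in find_wx(parse_maps(SAMPLE_MAPS)):
        print(f"W+X: {mp.start:#x}-{mp.end:#x} {mp.perms} {mp.path or '[anon]'}")
```

Run `audit_pid(os.getpid())` on a live MIPS system to see whether the emulation page shows up as an anonymous `rwxp` region for the current process.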