Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Content-Type: text/plain;
        charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Subject: Re: [RFC PATCH v9 03/13] mm: Add support for eXclusive Page Frame
 Ownership (XPFO)
From:   Nadav Amit <nadav.amit@gmail.com>
In-Reply-To: <20190417172632.GA95485@gmail.com>
Date:   Wed, 17 Apr 2019 10:44:56 -0700
Cc:     Khalid Aziz <khalid.aziz@oracle.com>, juergh@gmail.com,
        Tycho Andersen <tycho@tycho.ws>, jsteckli@amazon.de,
        keescook@google.com,
        Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
        Juerg Haefliger <juerg.haefliger@canonical.com>,
        deepa.srinivasan@oracle.com, chris.hyser@oracle.com,
        tyhicks@canonical.com, David Woodhouse <dwmw@amazon.co.uk>,
        Andrew Cooper <andrew.cooper3@citrix.com>, jcm@redhat.com,
        Boris Ostrovsky <boris.ostrovsky@oracle.com>,
        iommu <iommu@lists.linux-foundation.org>,
        X86 ML <x86@kernel.org>, linux-arm-kernel@lists.infradead.org,
        "open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
        Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
        Linux-MM <linux-mm@kvack.org>,
        LSM List <linux-security-module@vger.kernel.org>,
        Khalid Aziz <khalid@gonehiking.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Andy Lutomirski <luto@kernel.org>,
        Peter Zijlstra <a.p.zijlstra@chello.nl>,
        Dave Hansen <dave@sr71.net>, Borislav Petkov <bp@alien8.de>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Arjan van de Ven <arjan@infradead.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <063753CC-5D83-4789-B594-019048DE22D9@gmail.com>
References: <cover.1554248001.git.khalid.aziz@oracle.com>
 <f1ac3700970365fb979533294774af0b0dd84b3b.1554248002.git.khalid.aziz@oracle.com>
 <20190417161042.GA43453@gmail.com>
 <e16c1d73-d361-d9c7-5b8e-c495318c2509@oracle.com>
 <20190417170918.GA68678@gmail.com>
 <56A175F6-E5DA-4BBD-B244-53B786F27B7F@gmail.com>
 <20190417172632.GA95485@gmail.com>
To:     Ingo Molnar <mingo@kernel.org>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

> On Apr 17, 2019, at 10:26 AM, Ingo Molnar <mingo@kernel.org> wrote:
>=20
>=20
> * Nadav Amit <nadav.amit@gmail.com> wrote:
>=20
>>> On Apr 17, 2019, at 10:09 AM, Ingo Molnar <mingo@kernel.org> wrote:
>>>=20
>>>=20
>>> * Khalid Aziz <khalid.aziz@oracle.com> wrote:
>>>=20
>>>>> I.e. the original motivation of the XPFO patches was to prevent =
execution=20
>>>>> of direct kernel mappings. Is this motivation still present if =
those=20
>>>>> mappings are non-executable?
>>>>>=20
>>>>> (Sorry if this has been asked and answered in previous =
discussions.)
>>>>=20
>>>> Hi Ingo,
>>>>=20
>>>> That is a good question. Because of the cost of XPFO, we have to be =
very
>>>> sure we need this protection. The paper from Vasileios, Michalis =
and
>>>> Angelos - =
<http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf>,
>>>> does go into how ret2dir attacks can bypass SMAP/SMEP in sections =
6.1
>>>> and 6.2.
>>>=20
>>> So it would be nice if you could generally summarize external =
arguments=20
>>> when defending a patchset, instead of me having to dig through a PDF=20=

>>> which not only causes me to spend time that you probably already =
spent=20
>>> reading that PDF, but I might also interpret it incorrectly. ;-)
>>>=20
>>> The PDF you cited says this:
>>>=20
>>> "Unfortunately, as shown in Table 1, the W^X prop-erty is not =
enforced=20
>>>  in many platforms, including x86-64.  In our example, the content =
of=20
>>>  user address 0xBEEF000 is also accessible through kernel address=20
>>>  0xFFFF87FF9F080000 as plain, executable code."
>>>=20
>>> Is this actually true of modern x86-64 kernels? We've locked down =
W^X=20
>>> protections in general.
>>=20
>> As I was curious, I looked at the paper. Here is a quote from it:
>>=20
>> "In x86-64, however, the permissions of physmap are not in sane =
state.
>> Kernels up to v3.8.13 violate the W^X property by mapping the entire =
region
>> as =E2=80=9Creadable, writeable, and executable=E2=80=9D (RWX)=E2=80=94=
only very recent kernels
>> (=E2=89=A5v3.9) use the more conservative RW mapping.=E2=80=9D
>=20
> But v3.8.13 is a 5+ years old kernel, it doesn't count as a "modern"=20=

> kernel in any sense of the word. For any proposed patchset with=20
> significant complexity and non-trivial costs the benchmark version=20
> threshold is the "current upstream kernel".
>=20
> So does that quote address my followup questions:
>=20
>> Is this actually true of modern x86-64 kernels? We've locked down W^X
>> protections in general.
>>=20
>> I.e. this conclusion:
>>=20
>>  "Therefore, by simply overwriting kfptr with 0xFFFF87FF9F080000 and
>>   triggering the kernel to dereference it, an attacker can directly
>>   execute shell code with kernel privileges."
>>=20
>> ... appears to be predicated on imperfect W^X protections on the =
x86-64
>> kernel.
>>=20
>> Do such holes exist on the latest x86-64 kernel? If yes, is there a
>> reason to believe that these W^X holes cannot be fixed, or that any =
fix
>> would be more expensive than XPFO?
>=20
> ?
>=20
> What you are proposing here is a XPFO patch-set against recent kernels=20=

> with significant runtime overhead, so my questions about the W^X holes=20=

> are warranted.
>=20

Just to clarify - I am an innocent bystander and have no part in this =
work.
I was just looking (again) at the paper, as I was curious due to the =
recent
patches that I sent that improve W^X protection.