Date: Thu, 18 Apr 2019 01:42:26 +0200 (CEST)
From: Thomas Gleixner
To: Linus Torvalds
cc: Nadav Amit, Ingo Molnar, Khalid Aziz, juergh@gmail.com, Tycho Andersen, jsteckli@amazon.de, keescook@google.com, Konrad Rzeszutek Wilk, Juerg Haefliger, deepa.srinivasan@oracle.com, chris.hyser@oracle.com, tyhicks@canonical.com, David Woodhouse, Andrew Cooper, jcm@redhat.com, Boris Ostrovsky, iommu, X86 ML, linux-arm-kernel@lists.infradead.org, "open list:DOCUMENTATION", Linux List Kernel Mailing, Linux-MM, LSM List, Khalid Aziz, Andrew Morton, Andy Lutomirski, Peter Zijlstra, Dave Hansen, Borislav Petkov, "H. Peter Anvin", Arjan van de Ven, Greg Kroah-Hartman
Subject: Re: [RFC PATCH v9 03/13] mm: Add support for eXclusive Page Frame Ownership (XPFO)

On Wed, 17 Apr 2019, Linus Torvalds wrote:

> On Wed, Apr 17, 2019, 14:20 Thomas Gleixner wrote:
>
> >
> > It's not necessarily a W+X issue. The user space text is mapped in the
> > kernel as well and even if it is mapped RX then this can happen. So any
> > kernel mappings of user space text need to be mapped NX!
>
> With SMEP, user space pages are always NX.

We talk past each other. The user space page in the ring3 valid virtual
address space (non negative) is of course protected by SMEP.

The attack utilizes the kernel linear mapping of the physical
memory. I.e. user space address 0x43210 has a kernel equivalent at
0xfxxxxxxxxxx. So if the attack manages to trick the kernel to that valid
kernel address and that is mapped X --> game over. SMEP does not help
there.

From the top of my head I'd say this is a non issue as those kernel address
space mappings _should_ be NX, but we got bitten by _should_ in the past:)

Thanks,

	tglx
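
Added example, not part of the original mail or of any kernel code: one way to check the "_should_ be NX" property is to scan an x86 page-table dump for present, executable ranges in the linear mapping, whether writable or not. It assumes the ptdump text layout exposed under debugfs (`/sys/kernel/debug/page_tables/kernel`) and the section title "Low Kernel Mapping" for the linear map; the sample lines are constructed, not captured from a real machine.

```python
import re

# Constructed sample in the layout of x86 ptdump output; not from a real system.
SAMPLE = """\
---[ Low Kernel Mapping ]---
0xffff888000000000-0xffff888000099000         612K     RW                 GLB NX pte
0xffff888000099000-0xffff88800009a000           4K     ro                 GLB x  pte
0xffff88800009a000-0xffff888000200000        1432K     RW                 GLB NX pte
0xffff888000200000-0xffff888040000000        1022M     RW         PSE     GLB NX pmd
0xffff888040000000-0xffff888080000000           1G                               pud
---[ vmalloc() Area ]---
0xffffc90000000000-0xffffc90000001000           4K     RW                 GLB NX pte
---[ High Kernel Mapping ]---
0xffffffff81000000-0xffffffff82000000          16M     ro         PSE     GLB x  pmd
"""

SECTION = re.compile(r"^---\[ (.+?) \]---$")
RANGE = re.compile(r"^0x([0-9a-f]+)-0x([0-9a-f]+)\s+\S+\s+(.*)$")

def executable_ranges(dump, section="Low Kernel Mapping"):
    """Return (start, end, flags) for each present range in `section` lacking NX."""
    hits, current = [], None
    for line in dump.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            continue
        m = RANGE.match(line)
        if not m or current != section:
            continue
        flags = m.group(3).split()
        # Unmapped holes show only the level name, with no RW/ro permission.
        if "RW" not in flags and "ro" not in flags:
            continue
        # ptdump prints "NX" for no-execute and "x" otherwise. A read-only
        # executable (RX) alias counts as well: the concern is not only W+X.
        if "NX" not in flags:
            hits.append((int(m.group(1), 16), int(m.group(2), 16), flags))
    return hits

if __name__ == "__main__":
    for start, end, flags in executable_ranges(SAMPLE):
        print(f"executable linear-map range {start:#x}-{end:#x}: {' '.join(flags)}")
```
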