Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp146028yba; Wed, 17 Apr 2019 21:42:54 -0700 (PDT) X-Google-Smtp-Source: APXvYqyUMwcxTkuAAzYStnDRGf1J5MO5sgo5HPqInHQfbHGXQjkKOOPQ18re9bDvAxCM0XV0afKh X-Received: by 2002:a63:6804:: with SMTP id d4mr40097523pgc.240.1555562574898; Wed, 17 Apr 2019 21:42:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555562574; cv=none; d=google.com; s=arc-20160816; b=A6+RIiwpR4m0qf5MI8rAETKpf1FrWtR2tMhBhvM5YPTpTuqXTvJuYu4QWnuIlpKI4V +MsC84o4buI4C7/cuivenI3scdvk7f3m0ulXqMQyWA4xx5qychyvTvt+YCrUEvDOBhXL vPK3Lg1nFWnpLDpPNjtSFe/YG9PSWMjxIQ8vRb6S7cuYF1Kt7awO7q49UDU9cZhM4oXW HMgKn4rWfmXpLkQjJcOqsvrSIY6EzaglB1+PeZOCzMd88wgEuWhSwxWcCcG3mvqAu4ZF qp3qvA21qz4/8faXt9xvcToN7I0xR5hcnbdZmTrtdzhkOSVdGuTKmznz8fgWnxX4Vnfe n9PA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=HEJvVD5uAri2/7g+yjiM7+uD6Xn5OUBCfeb7aIYw4eQ=; b=b1i79sCJ3kfzboNMCFtLly6TtW2FUXThH6kLoGj5s1ufAUodMDI+nPDJZQZxJX8iFq 3vsm/0hqjPeL9O3Bw9MVQZ9OXKS7hGtFioUJAu+lOjYPRNF1qBGkvpGOfLfi7pQG7hqW OICCiJ0Wuk+cJSLgkD/I8KBP/hl4WM0QmbQkI/sU0I4UcbXZtvowfB2gVNTFCjFQLJkN f6AAnbdpL5RiGuNKROY0Ro+K4nKOQxcox/VWd+r2fj7bYxF0/os92nshX3A3eHxLNltu W48NLBRQU4/+spg9y33LZYg+jYlOZ05V31tvo3ip65UzBwFtgMTmMeM/ZDcYyEp5vFOq SyXA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=QVWUihYI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 70si1069845pla.82.2019.04.17.21.42.39; Wed, 17 Apr 2019 21:42:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=QVWUihYI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726734AbfDRElu (ORCPT + 99 others); Thu, 18 Apr 2019 00:41:50 -0400 Received: from mail.kernel.org ([198.145.29.99]:54936 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725987AbfDRElt (ORCPT ); Thu, 18 Apr 2019 00:41:49 -0400 Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com [209.85.221.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1752D21908 for ; Thu, 18 Apr 2019 04:41:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1555562508; bh=ZzJFjyGToYfbKAC7a2m7yS86J4A8OLDkslCG6xa8cQM=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=QVWUihYIOED3b6sf++tgY3iRdj8kiMHZVbckG4nNfCAClSFzLnTcPH+IgFSB9PrKC Z2tMpLhiQqQpdAO8Vqghyo+PaFXtDr9TPVxG3ICymGFgejmh9f9/1/nnjg3BTRsxMd IElW3sPpwA7MwJfgB7BILSJAa6MZxHiR0qJmXz6w= Received: by mail-wr1-f44.google.com with SMTP id w10so1161926wrm.4 for ; Wed, 17 Apr 2019 21:41:48 -0700 (PDT) X-Gm-Message-State: APjAAAXB2qEqFTGgtwLfzw3ZoC32LtB8JijivdO/w+IEZDGYFMBv7ePl 8NZeUVwJFV8bvmd5fjqc1C6Nmm1I+HGWn/JV8i9emQ== X-Received: by 2002:adf:efc1:: with SMTP id i1mr59073183wrp.199.1555562504832; Wed, 17 Apr 2019 21:41:44 -0700 (PDT) MIME-Version: 1.0 References: <20190417161042.GA43453@gmail.com> <20190417170918.GA68678@gmail.com> <56A175F6-E5DA-4BBD-B244-53B786F27B7F@gmail.com> <20190417172632.GA95485@gmail.com> <063753CC-5D83-4789-B594-019048DE22D9@gmail.com> In-Reply-To: From: Andy Lutomirski Date: Wed, 17 Apr 2019 21:41:33 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH v9 03/13] mm: Add support for eXclusive Page Frame Ownership (XPFO) To: Linus Torvalds Cc: Thomas Gleixner , Nadav Amit , Ingo Molnar , Khalid Aziz , Juerg Haefliger , Tycho Andersen , jsteckli@amazon.de, Kees Cook , Konrad Rzeszutek Wilk , Juerg Haefliger , deepa.srinivasan@oracle.com, chris hyser , Tyler Hicks , David Woodhouse , Andrew Cooper , Jon Masters , Boris Ostrovsky , iommu , X86 ML , "linux-alpha@vger.kernel.org" , "open list:DOCUMENTATION" , Linux List Kernel Mailing , Linux-MM , LSM List , Khalid Aziz , Andrew Morton , Andy Lutomirski , Peter Zijlstra , Dave Hansen , Borislav Petkov , "H. Peter Anvin" , Arjan van de Ven , Greg Kroah-Hartman Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 17, 2019 at 5:00 PM Linus Torvalds wrote: > > On Wed, Apr 17, 2019 at 4:42 PM Thomas Gleixner wrote: > > > > On Wed, 17 Apr 2019, Linus Torvalds wrote: > > > > > With SMEP, user space pages are always NX. > > > > We talk past each other. The user space page in the ring3 valid virtual > > address space (non negative) is of course protected by SMEP. > > > > The attack utilizes the kernel linear mapping of the physical > > memory. I.e. user space address 0x43210 has a kernel equivalent at > > 0xfxxxxxxxxxx. So if the attack manages to trick the kernel to that valid > > kernel address and that is mapped X --> game over. SMEP does not help > > there. > > Oh, agreed. > > But that would simply be a kernel bug. We should only map kernel pages > executable when we have kernel code in them, and we should certainly > not allow those pages to be mapped writably in user space. > > That kind of "executable in kernel, writable in user" would be a > horrendous and major bug. > > So i think it's a non-issue. > > > From the top of my head I'd say this is a non issue as those kernel address > > space mappings _should_ be NX, but we got bitten by _should_ in the past:) > > I do agree that bugs can happen, obviously, and we might have missed something. > > But in the context of XPFO, I would argue (*very* strongly) that the > likelihood of the above kind of bug is absolutely *miniscule* compared > to the likelihood that we'd have something wrong in the software > implementation of XPFO. > > So if the argument is "we might have bugs in software", then I think > that's an argument _against_ XPFO rather than for it. > I don't think this type of NX goof was ever the argument for XPFO. The main argument I've heard is that a malicious user program writes a ROP payload into user memory (regular anonymous user memory) and then gets the kernel to erroneously set RSP (*not* RIP) to point there. I find this argument fairly weak for a couple reasons. First, if we're worried about this, let's do in-kernel CFI, not XPFO, to mitigate it. Second, I don't see why the exact same attack can't be done using, say, page cache, and unless I'm missing something, XPFO doesn't protect page cache. Or network buffers, or pipe buffers, etc.