References: <20190417161042.GA43453@gmail.com> <20190417170918.GA68678@gmail.com> <56A175F6-E5DA-4BBD-B244-53B786F27B7F@gmail.com> <20190417172632.GA95485@gmail.com> <063753CC-5D83-4789-B594-019048DE22D9@gmail.com>
From: Kees Cook
Date: Thu, 18 Apr 2019 00:41:45 -0500
Subject: Re: [RFC PATCH v9 03/13] mm: Add support for eXclusive Page Frame Ownership (XPFO)
To: Andy Lutomirski
Cc: Linus Torvalds, Thomas Gleixner, Nadav Amit, Ingo Molnar, Khalid Aziz, Juerg Haefliger, Tycho Andersen, Julian Stecklina, Kees Cook, Konrad Rzeszutek Wilk, Juerg Haefliger, deepa.srinivasan@oracle.com, chris hyser, Tyler Hicks, David Woodhouse, Andrew Cooper, Jon Masters, Boris Ostrovsky, iommu, X86 ML, linux-alpha@vger.kernel.org, open list:DOCUMENTATION, Linux List Kernel Mailing, Linux-MM, LSM List, Khalid Aziz, Andrew Morton, Peter Zijlstra, Dave Hansen, Borislav Petkov, "H. Peter Anvin", Arjan van de Ven, Greg Kroah-Hartman
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 17, 2019 at 11:41 PM Andy Lutomirski wrote:
> I don't think this type of NX goof was ever the argument for XPFO.
> The main argument I've heard is that a malicious user program writes a
> ROP payload into user memory (regular anonymous user memory) and then
> gets the kernel to erroneously set RSP (*not* RIP) to point there.

Well, more than just ROP. Any of the various attack primitives. The NX
stuff is about moving RIP: SMEP-bypassing. But there is still basic
SMAP-bypassing for putting a malicious structure in userspace and having
the kernel access it via the linear mapping, etc.

> I find this argument fairly weak for a couple reasons. First, if
> we're worried about this, let's do in-kernel CFI, not XPFO, to

CFI is getting much closer. Getting the kernel happy under Clang, LTO,
and CFI is under active development. (It's functional for arm64 already,
and pieces have been getting upstreamed.)

> mitigate it. Second, I don't see why the exact same attack can't be
> done using, say, page cache, and unless I'm missing something, XPFO
> doesn't protect page cache. Or network buffers, or pipe buffers, etc.

My understanding is that it's much easier to feel out the linear mapping
address than for the others. But yes, all of those same attack primitives
are possible in other memory areas (though most are NX), and plenty of
exploits have done such things.

-- 
Kees Cook
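A user-space model of the two situations this exchange is about, added here as an illustration; it is not code from the thread or from the XPFO patch series. The policy it models is the one XPFO implements: a page frame is removed from the kernel's direct map (linear mapping) while user space owns it, mapped back when it is freed, and mapped temporarily around a legitimate kernel access via kmap()/kunmap(). Everything else is an assumption of the example: a memfd with two MAP_SHARED mappings stands in for "one physical frame, two virtual aliases" (the real direct map is a kernel page-table range, not a file), mprotect() stands in for editing the direct-map PTE, a write(2) into a pipe stands in for the buggy kernel dereference (so an unmapped alias yields EFAULT instead of a crash), the function names are hypothetical, and the payload bytes are constructed. Build with `cc -o xpfo_model xpfo_model.c` and call `payload_reachable_via_physmap()` from a main(): it returns 1 for (0,0), 0 for (1,0) and 1 for (1,1).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* One "physical page frame" with two virtual aliases of the same backing page: user_va
 * is the process's own mapping, physmap_va the kernel direct-map (linear mapping) alias.
 * Modelled as a memfd with two MAP_SHARED mappings, an assumption of this example. */
struct frame {
    int fd;
    long ps;                              /* page size */
    unsigned char *user_va, *physmap_va;
    int xpfo, user_owned;                 /* XPFO enforced? / frame owned by user space? */
};

/* XPFO's single lever: add or remove the frame's direct-map alias. */
static void set_physmap(struct frame *f, int present)
{
    mprotect(f->physmap_va, f->ps, present ? PROT_READ | PROT_WRITE : PROT_NONE);
}

/* Back the frame with one page and map both aliases RW, as a kernel without XPFO does. */
static int frame_init(struct frame *f, int xpfo)
{
    memset(f, 0, sizeof *f);
    f->xpfo = xpfo;
    f->ps = sysconf(_SC_PAGESIZE);
    f->fd = -1;
#ifdef SYS_memfd_create
    f->fd = (int)syscall(SYS_memfd_create, "frame", 0);   /* the "physical" page */
#endif
    if (f->fd < 0) {                                      /* fallback: unlinked temp file */
        char path[] = "/tmp/xpfo-frame-XXXXXX";
        if ((f->fd = mkstemp(path)) < 0) return -1;
        unlink(path);
    }
    if (ftruncate(f->fd, f->ps) < 0) return -1;
    f->user_va = mmap(NULL, f->ps, PROT_READ | PROT_WRITE, MAP_SHARED, f->fd, 0);
    f->physmap_va = mmap(NULL, f->ps, PROT_READ | PROT_WRITE, MAP_SHARED, f->fd, 0);
    return (f->user_va == MAP_FAILED || f->physmap_va == MAP_FAILED) ? -1 : 0;
}

/* XPFO hook when a frame is handed to user space: unmap it from the direct map. */
static void xpfo_alloc_user_page(struct frame *f)
{
    f->user_owned = 1;
    if (f->xpfo) set_physmap(f, 0);
}

/* XPFO hook on free: the frame is the kernel's again, so the alias returns; scrub it. */
static void xpfo_free_user_page(struct frame *f)
{
    set_physmap(f, 1);
    memset(f->physmap_va, 0, f->ps);
    f->user_owned = 0;
}

/* kmap()/kunmap() under XPFO: a legitimate kernel access re-maps the frame only while it runs. */
static void xpfo_kmap(struct frame *f)   { if (f->xpfo && f->user_owned) set_physmap(f, 1); }
static void xpfo_kunmap(struct frame *f) { if (f->xpfo && f->user_owned) set_physmap(f, 0); }

/* The buggy kernel path: read the frame through its direct-map alias, as the kernel does
 * once an attacker has steered a pointer at a physmap address. write(2) into a pipe is the
 * accessor, so an absent alias yields EFAULT instead of a fatal fault. 1 = read, 0 = unmapped. */
static int kernel_read_via_physmap(struct frame *f, unsigned char *out, size_t n)
{
    int p[2], ok = -1;
    if (pipe(p) < 0) return -1;
    ssize_t w = write(p[1], f->physmap_va, n);
    if (w == (ssize_t)n)
        ok = (read(p[0], out, n) == (ssize_t)n) ? 1 : -1;
    else if (w < 0 && errno == EFAULT)
        ok = 0;
    close(p[0]); close(p[1]);
    return ok;
}

/* The scenario from the thread: user space writes a payload into its own anonymous memory,
 * then a kernel bug dereferences it through the linear mapping. Returns 1 if the kernel-side
 * read got the user payload, 0 if XPFO blocked it, -1 on error. use_kmap=1 models a
 * legitimate kernel access done via kmap()/kunmap(), which XPFO must still allow. */
int payload_reachable_via_physmap(int xpfo, int use_kmap)
{
    static const unsigned char payload[] = "ROP chain goes here";   /* constructed */
    unsigned char leaked[sizeof payload] = {0};
    struct frame f;
    int r;
    if (frame_init(&f, xpfo) < 0) return -1;
    xpfo_alloc_user_page(&f);
    memcpy(f.user_va, payload, sizeof payload);   /* attacker's own mapping */
    if (use_kmap) xpfo_kmap(&f);
    r = kernel_read_via_physmap(&f, leaked, sizeof payload);
    if (use_kmap) xpfo_kunmap(&f);
    if (r == 1 && memcmp(leaked, payload, sizeof payload) != 0) r = -1;
    xpfo_free_user_page(&f);
    munmap(f.user_va, f.ps); munmap(f.physmap_va, f.ps); close(f.fd);
    return r;
}
```

The read in `kernel_read_via_physmap()` is the generic form of both primitives in the exchange: an RSP pivot into user memory is the kernel fetching return addresses through the physmap alias, and the SMAP-bypass case is the kernel fetching a forged structure through it; XPFO makes both fetches fault without touching SMEP/SMAP themselves. The model also shows the limit Andy raises: it only covers frames user space owns, and a frame that belongs to the page cache, a socket buffer or a pipe buffer never leaves the direct map, so the same dereference against one of those would still succeed.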