Subject: Re: [PATCH 0/6] Memory Mapping (VMA) protection using PKU - set 1
From: Dave Hansen
To: Jeff Xu
Cc: Stephen Röttger, jeffxu@chromium.org, luto@kernel.org, jorgelo@chromium.org, keescook@chromium.org, groeck@chromium.org, jannh@google.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org
Date: Wed, 17 May 2023 08:29:47 -0700
References: <20230515130553.2311248-1-jeffxu@chromium.org> <2bcffc9f-9244-0362-2da9-ece230055320@intel.com>
List-ID: linux-kernel@vger.kernel.org

On 5/17/23 08:21, Jeff Xu wrote:
>>> I'm not sure I follow the details, can you give an example of an asynchronous
>>> mechanism to do this? E.g. would this be the kernel writing to the memory in a
>>> syscall for example?
>> I was thinking of all of the IORING_OP_*'s that can write to memory or
>> aio(7).
> IORING is challenging from security perspectives, for now, it is
> disabled in ChromeOS. Though I'm not sure how aio is related?

Let's say you're the attacking thread and you're the *only* attacking
thread. You have three things at your disposal:

1. A benign thread doing aio_read()
2. An arbitrary write primitive
3. You can send signals to yourself
4. You can calculate where your signal stack will be

You calculate the address of PKRU on the future signal stack. You then
leverage the otherwise benign aio_write() to write a 0 to that PKRU
location. Then, send a signal to yourself. The attacker's PKRU value
will be written to the stack. If you can time it right, the AIO will
complete while the signal handler is in progress and PKRU is on the
stack. On sigreturn, the kernel restores the aio_read()-placed,
attacker-provided PKRU value. Now the attacker has PKRU==0.

It effectively builds a WRPKRU primitive out of those other pieces.
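The two properties the attack above depends on, that the signal frame lands at an address you can compute before the signal is sent and that sigreturn restores whatever is in that frame without validation, can be shown on any Linux box without PKU hardware. The following is an added example, not code from the thread or from the patch set: the blocked-signal mask saved in `uc_sigmask` stands in for PKRU (reading and restoring PKRU needs PKU-capable hardware), the signal handler itself stands in for the asynchronous aio completion that would write into the frame, and the alternate signal stack is a static buffer so its address is known in advance. `run_demo` and `frame_offset_from_top` are names chosen here, not kernel or libc API.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

/*
 * Added demo, not from the thread. uc_sigmask is a stand-in for the saved
 * PKRU; the handler is a stand-in for the async writer (aio completion).
 */

/* The "future signal stack": a static buffer, so its address is known. */
static char altstack[64 * 1024];

/* ucontext address observed on each delivery. */
static uintptr_t frame_addr[2];
static int nframes;

static void handler(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = (ucontext_t *)ctx;
    (void)si;
    if (nframes < 2)
        frame_addr[nframes++] = (uintptr_t)uc;
    /*
     * Poison the saved state while the frame sits on the stack. Nothing
     * validates it: rt_sigreturn copies uc_sigmask back into the task,
     * just as it would copy a saved PKRU of 0 back into the register.
     */
    if (sig == SIGUSR1)
        sigaddset(&uc->uc_sigmask, SIGUSR2);
}

static int install(void)
{
    stack_t ss;
    struct sigaction sa;

    memset(&ss, 0, sizeof ss);
    ss.ss_sp = altstack;
    ss.ss_size = sizeof altstack;
    if (sigaltstack(&ss, NULL) < 0)
        return -1;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = handler;
    sa.sa_flags = SA_SIGINFO | SA_ONSTACK;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGUSR1, &sa, NULL);
}

/*
 * Returns a bitmask: bit 0 if sigreturn restored the poisoned mask (SIGUSR2
 * is now blocked although nobody called sigprocmask to block it), bit 1 if
 * both deliveries placed the frame at the same address inside altstack.
 * Returns -1 on setup failure.
 */
int run_demo(void)
{
    sigset_t set;
    uintptr_t lo = (uintptr_t)altstack, hi = lo + sizeof altstack;
    int result = 0;

    if (install() < 0)
        return -1;

    /* Start with SIGUSR2 unblocked so the effect is unambiguous. */
    sigemptyset(&set);
    sigaddset(&set, SIGUSR2);
    sigprocmask(SIG_UNBLOCK, &set, NULL);
    sigprocmask(SIG_BLOCK, NULL, &set);
    if (sigismember(&set, SIGUSR2))
        return -1;

    nframes = 0;
    raise(SIGUSR1);   /* frame written, handler poisons it, sigreturn restores it */
    raise(SIGUSR1);   /* second delivery: does the frame land at the same place? */

    sigprocmask(SIG_BLOCK, NULL, &set);
    if (sigismember(&set, SIGUSR2))
        result |= 1;
    if (nframes == 2 && frame_addr[0] == frame_addr[1] &&
        frame_addr[0] >= lo && frame_addr[0] < hi)
        result |= 2;
    return result;
}

/* Distance of the saved ucontext from the top of the alternate stack (after run_demo). */
uintptr_t frame_offset_from_top(void)
{
    return (uintptr_t)altstack + sizeof altstack - frame_addr[0];
}

int main(void)
{
    int r = run_demo();
    printf("sigreturn restored poisoned mask: %s\n", (r & 1) ? "yes" : "no");
    printf("frame at stable altstack address:  %s\n", (r & 2) ? "yes" : "no");
    printf("ucontext sits %lu bytes below the top of the alternate stack\n",
           (unsigned long)frame_offset_from_top());
    return r == 3 ? 0 : 1;
}
```

The printed distance is constant for a given kernel and CPU feature set, which is what makes step 4 ("you can calculate where your signal stack will be") practical: a real attacker adds the PKRU slot's position inside the xsave area of the frame to that, which this demo does not compute. The timing window the mail describes is collapsed here by letting the handler do the write; with a real aio completion the write has to land between signal delivery and sigreturn, which is why the mail calls it a timing problem rather than a blocker.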