From: Ingo Molnar Subject: Re: x86: PIE support and option to extend KASLR randomization Date: Fri, 20 Oct 2017 10:13:20 +0200 Message-ID: <20171020081320.h5hsp46m7rgocusm@gmail.com> References: <20170815075609.mmzbfwritjzvrpsn@gmail.com> <20170816151235.oamkdva6cwpc4cex@gmail.com> <20170821133222.2ek6bhqgdeoymxsg@hirez.programming.kicks-ass.net> <20170821142854.dmuusnbc2tsrai3v@hirez.programming.kicks-ass.net> <20170923100029.6nzpui6c3ke76bbs@gmail.com> <20170924223708.GA12616@amd> <20170925073342.2yoghmanhx6c75ho@gmail.com> <20171006103933.GA9497@amd> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: "H. Peter Anvin" , Peter Zijlstra , Thomas Garnier , Herbert Xu , "David S . Miller" , Thomas Gleixner , Ingo Molnar , Josh Poimboeuf , Arnd Bergmann , Matthias Kaehlcke , Boris Ostrovsky , Juergen Gross , Paolo Bonzini , Radim =?utf-8?B?S3LEjW3DocWZ?= , Joerg Roedel , Tom Lendacky , Andy Lutomirski , Borislav Petkov , Brian Gerst , "Kirill A . Shutemov" , "Rafael J . Wysocki" , Len Brown , Tejun Heo , Christo To: Pavel Machek Return-path: List-Post: List-Help: List-Unsubscribe: List-Subscribe: Sender: Ingo Molnar Content-Disposition: inline In-Reply-To: <20171006103933.GA9497@amd> List-Id: linux-crypto.vger.kernel.org * Pavel Machek wrote: > On Mon 2017-09-25 09:33:42, Ingo Molnar wrote: > > > > * Pavel Machek wrote: > > > > > > For example, there would be collision with regular user-space mappings, right? > > > > Can local unprivileged users use mmap(MAP_FIXED) probing to figure out where > > > > the kernel lives? > > > > > > Local unpriviledged users can probably get your secret bits using cache probing > > > and jump prediction buffers. > > > > > > Yes, you don't want to leak the information using mmap(MAP_FIXED), but CPU will > > > leak it for you, anyway. > > > > Depends on the CPU I think, and CPU vendors are busy trying to mitigate this > > angle. > > I believe any x86 CPU running Linux will leak it. And with CPU vendors > putting "artifical inteligence" into branch prediction, no, I don't > think it is going to get better. > > That does not mean we shoudl not prevent mmap() info leak, but... That might or might not be so, but there's a world of a difference between running a relatively long statistical attack figuring out the kernel's location, versus being able to programmatically probe the kernel's location by using large MAP_FIXED user-space mmap()s, within a few dozen microseconds or so and a 100% guaranteed, non-statistical result. Thanks, Ingo