[RFC PATCH v9 03/13] mm: Add support for eXclusive Page Frame Ownership (XPFO)
Thomas Gleixner
tglx at linutronix.de
Wed Apr 17 21:19:50 UTC 2019
On Wed, 17 Apr 2019, Nadav Amit wrote:
> > On Apr 17, 2019, at 10:26 AM, Ingo Molnar <mingo at kernel.org> wrote:
> >> As I was curious, I looked at the paper. Here is a quote from it:
> >>
> >> "In x86-64, however, the permissions of physmap are not in sane state.
> >> Kernels up to v3.8.13 violate the W^X property by mapping the entire region
> >> as “readable, writeable, and executable” (RWX)—only very recent kernels
> >> (≥v3.9) use the more conservative RW mapping.”
> >
> > But v3.8.13 is a 5+ years old kernel, it doesn't count as a "modern"
> > kernel in any sense of the word. For any proposed patchset with
> > significant complexity and non-trivial costs the benchmark version
> > threshold is the "current upstream kernel".
> >
> > So does that quote address my followup questions:
> >
> >> Is this actually true of modern x86-64 kernels? We've locked down W^X
> >> protections in general.
> >>
> >> I.e. this conclusion:
> >>
> >> "Therefore, by simply overwriting kfptr with 0xFFFF87FF9F080000 and
> >> triggering the kernel to dereference it, an attacker can directly
> >> execute shell code with kernel privileges."
> >>
> >> ... appears to be predicated on imperfect W^X protections on the x86-64
> >> kernel.
> >>
> >> Do such holes exist on the latest x86-64 kernel? If yes, is there a
> >> reason to believe that these W^X holes cannot be fixed, or that any fix
> >> would be more expensive than XPFO?
> >
> > ?
> >
> > What you are proposing here is a XPFO patch-set against recent kernels
> > with significant runtime overhead, so my questions about the W^X holes
> > are warranted.
> >
>
> Just to clarify - I am an innocent bystander and have no part in this work.
> I was just looking (again) at the paper, as I was curious due to the recent
> patches that I sent that improve W^X protection.
It's not necessarily a W+X issue. The user space text is mapped in the
kernel as well and even if it is mapped RX then this can happen. So any
kernel mappings of user space text need to be mapped NX!
Thanks,
tglx
More information about the Linux-security-module-archive
mailing list