Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 11 Jan 2019 16:25:03 -0700
From: Khalid Aziz <>
To: Andy Lutomirski <>, Dave Hansen <>
Cc: Juerg Haefliger <>, Tycho Andersen <>,, Andi Kleen <>,
        Linus Torvalds <>,,
        Kees Cook <>,
        Konrad Rzeszutek Wilk <>,, chris hyser <>,
        Tyler Hicks <>,
        "Woodhouse, David" <>,
        Andrew Cooper <>,
        Jon Masters <>,
        Boris Ostrovsky <>,, Joao Martins <>,
        Jim Mattson <>,,
        John Haxby <>,
        Thomas Gleixner <>,
        "Kirill A. Shutemov" <>,
        Christoph Hellwig <>,,
        Kernel Hardening <>,
        Linux-MM <>, LKML <>,
        Peter Zijlstra <>
Subject: Re: [RFC PATCH v7 00/16] Add support for eXclusive Page Frame

On 1/11/19 2:06 PM, Andy Lutomirski wrote:
> On Fri, Jan 11, 2019 at 12:42 PM Dave Hansen <> wrote:
>>>> The second process could easily have the page's old TLB entry.  It could
>>>> abuse that entry as long as that CPU doesn't context switch
>>>> (switch_mm_irqs_off()) or otherwise flush the TLB entry.
>>> That is an interesting scenario. Working through this scenario, physmap
>>> TLB entry for a page is flushed on the local processor when the page is
>>> allocated to userspace, in xpfo_alloc_pages(). When the userspace passes
>>> page back into kernel, that page is mapped into kernel space using a va
>>> from kmap pool in xpfo_kmap() which can be different for each new
>>> mapping of the same page. The physical page is unmapped from kernel on
>>> the way back from kernel to userspace by xpfo_kunmap(). So two processes
>>> on different CPUs sharing same physical page might not be seeing the
>>> same virtual address for that page while they are in the kernel, as long
>>> as it is an address from kmap pool. ret2dir attack relies upon being
>>> able to craft a predictable virtual address in the kernel physmap for a
>>> physical page and redirect execution to that address. Does that sound right?
>> All processes share one set of kernel page tables.  Or, did your patches
>> change that somehow that I missed?
>> Since they share the page tables, they implicitly share kmap*()
>> mappings.  kmap_atomic() is not *used* by more than one CPU, but the
>> mapping is accessible and at least exists for all processors.
>> I'm basically assuming that any entry mapped in a shared page table is
>> exploitable on any CPU regardless of where we logically *want* it to be
>> used.
> We can, very easily, have kernel mappings that are private to a given
> mm.  Maybe this is useful here.

That sounds like an interesting idea. kmap mappings would be a good
candidate for that. Those are temporary mappings and should only be
valid for one process.


Download attachment "pEpkey.asc" of type "application/pgp-keys" (2461 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.