Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 5 Jan 2017 09:11:14 +0100
From: Ingo Molnar <mingo@...nel.org>
To: Thomas Garnier <thgarnie@...gle.com>
Cc: Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
	"H . Peter Anvin" <hpa@...or.com>,
	Kees Cook <keescook@...omium.org>, Borislav Petkov <bp@...en8.de>,
	Andy Lutomirski <luto@...nel.org>, Dave Hansen <dave@...1.net>,
	Chen Yucong <slaoub@...il.com>,
	Arjan van de Ven <arjan@...ux.intel.com>,
	Paul Gortmaker <paul.gortmaker@...driver.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Masahiro Yamada <yamada.masahiro@...ionext.com>,
	Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
	Anna-Maria Gleixner <anna-maria@...utronix.de>,
	Boris Ostrovsky <boris.ostrovsky@...cle.com>,
	Rasmus Villemoes <linux@...musvillemoes.dk>,
	Michael Ellerman <mpe@...erman.id.au>,
	Juergen Gross <jgross@...e.com>,
	Richard Weinberger <richard@....at>, x86@...nel.org,
	linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>
Subject: Re: [RFC] x86/mm/KASLR: Remap GDTs at fixed location


* Thomas Garnier <thgarnie@...gle.com> wrote:

> Each processor holds a GDT in its per-cpu structure. The sgdt
> instruction gives the base address of the current GDT. This address can
> be used to bypass KASLR memory randomization. With another bug, an
> attacker could target other per-cpu structures or deduce the base of the
> main memory section (PAGE_OFFSET).
> 
> In this change, a space is reserved at the end of the memory range
> available for KASLR memory randomization. The space is big enough to hold
> the maximum number of CPUs (as defined by setup_max_cpus). Each GDT is
> mapped at specific offset based on the target CPU. Note that if there is
> not enough space available, the GDTs are not remapped.
> 
> The document was changed to mention GDT remapping for KASLR. This patch
> also include dump page tables support.
> 
> This patch was tested on multiple hardware configurations and for
> hibernation support.

>  void kernel_randomize_memory(void);
> +void kernel_randomize_smp(void);
> +void* kaslr_get_gdt_remap(int cpu);

Yeah, no fundamental objections from me to the principle, but I get some bad vibes 
from the naming here: seeing that kernel_randomize_smp() actually makes things 
less random.

Also, don't we want to do this unconditionally and not allow remapping failures? 

The GDT is fairly small, plus making the SGDT instruction expose fewer kernel 
internals would be (marginally) useful on non-randomized kernels as well.

It also makes the code more common, more predictable, more debuggable and less 
complex overall - which is pretty valuable in terms of long term security as well.

Thanks,

	Ingo

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.