Date: Tue, 27 Nov 2018 17:06:05 -0800 From: Nadav Amit <nadav.amit@...il.com> To: Rick Edgecombe <rick.p.edgecombe@...el.com> Cc: akpm@...ux-foundation.org, luto@...nel.org, will.deacon@....com, linux-mm@...ck.org, linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com, naveen.n.rao@...ux.vnet.ibm.com, anil.s.keshavamurthy@...el.com, davem@...emloft.net, mhiramat@...nel.org, rostedt@...dmis.org, mingo@...hat.com, ast@...nel.org, daniel@...earbox.net, jeyu@...nel.org, netdev@...r.kernel.org, ard.biesheuvel@...aro.org, jannh@...gle.com, kristen@...ux.intel.com, dave.hansen@...el.com, deneen.t.dock@...el.com Subject: Re: [PATCH 0/2] Don’t leave executable TLB entries to freed pages > On Nov 27, 2018, at 4:07 PM, Rick Edgecombe <rick.p.edgecombe@...el.com> wrote: > > Sometimes when memory is freed via the module subsystem, an executable > permissioned TLB entry can remain to a freed page. If the page is re-used to > back an address that will receive data from userspace, it can result in user > data being mapped as executable in the kernel. The root of this behavior is > vfree lazily flushing the TLB, but not lazily freeing the underlying pages. > > There are sort of three categories of this which show up across modules, bpf, > kprobes and ftrace: > > 1. When executable memory is touched and then immediatly freed > > This shows up in a couple error conditions in the module loader and BPF JIT > compiler. Interesting! Note that this may cause conflict with "x86: avoid W^X being broken during modules loading”, which I recently submitted.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.