Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 30 Nov 2018 08:19:13 +0900
From: Masami Hiramatsu <mhiramat@...nel.org>
To: "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
 "daniel@...earbox.net" <daniel@...earbox.net>, "jeyu@...nel.org"
 <jeyu@...nel.org>, "rostedt@...dmis.org" <rostedt@...dmis.org>,
 "ast@...nel.org" <ast@...nel.org>, "ard.biesheuvel@...aro.org"
 <ard.biesheuvel@...aro.org>, "linux-mm@...ck.org" <linux-mm@...ck.org>,
 "jannh@...gle.com" <jannh@...gle.com>, "Dock, Deneen T"
 <deneen.t.dock@...el.com>, "kristen@...ux.intel.com"
 <kristen@...ux.intel.com>, "akpm@...ux-foundation.org"
 <akpm@...ux-foundation.org>, "will.deacon@....com" <will.deacon@....com>,
 "mingo@...hat.com" <mingo@...hat.com>, "luto@...nel.org" <luto@...nel.org>,
 "kernel-hardening@...ts.openwall.com"
 <kernel-hardening@...ts.openwall.com>, "Keshavamurthy, Anil S"
 <anil.s.keshavamurthy@...el.com>, "Hansen, Dave" <dave.hansen@...el.com>,
 "naveen.n.rao@...ux.vnet.ibm.com" <naveen.n.rao@...ux.vnet.ibm.com>,
 "davem@...emloft.net" <davem@...emloft.net>, "netdev@...r.kernel.org"
 <netdev@...r.kernel.org>
Subject: Re: [PATCH 0/2] Don’t leave executable
 TLB entries to freed pages

On Thu, 29 Nov 2018 18:49:26 +0000
"Edgecombe, Rick P" <rick.p.edgecombe@...el.com> wrote:

> On Thu, 2018-11-29 at 23:06 +0900, Masami Hiramatsu wrote:
> > On Tue, 27 Nov 2018 16:07:52 -0800
> > Rick Edgecombe <rick.p.edgecombe@...el.com> wrote:
> > 
> > > Sometimes when memory is freed via the module subsystem, an executable
> > > permissioned TLB entry can remain to a freed page. If the page is re-used to
> > > back an address that will receive data from userspace, it can result in user
> > > data being mapped as executable in the kernel. The root of this behavior is
> > > vfree lazily flushing the TLB, but not lazily freeing the underlying pages. 
> > 
> > Good catch!
> > 
> > > 
> > > There are sort of three categories of this which show up across modules,
> > > bpf,
> > > kprobes and ftrace:
> > 
> > For x86-64 kprobe, it sets the page NX and after that RW, and then release
> > via module_memfree. So I'm not sure it really happens on kprobes. (Of course
> > the default memory allocator is simpler so it may happen on other archs) But
> > interesting fixes.
> Yes, I think you are right, it should not leave an executable TLB entry in this
> case. Ftrace actually does this on x86 as well.
> 
> Is there some other reason for calling set_memory_nx that should apply elsewhere
> for module users? Or could it be removed in the case of this patch to centralize
> the behavior?

According to the commit c93f5cf571e7 ("kprobes/x86: Fix to set RWX bits correctly
before releasing trampoline"), if we release readonly page by module_memfree(),
it causes kernel crash. And at this moment, on x86-64 set the trampoline page
readonly becuase it is an exacutable page. Setting NX bit is for security reason
that should be set before making it writable.
So I think if you centralize setting NX bit, it should be done before setting
writable bit.

Thank you,


-- 
Masami Hiramatsu <mhiramat@...nel.org>

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.