Date: Fri, 30 Nov 2018 08:19:13 +0900 From: Masami Hiramatsu <mhiramat@...nel.org> To: "Edgecombe, Rick P" <rick.p.edgecombe@...el.com> Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "daniel@...earbox.net" <daniel@...earbox.net>, "jeyu@...nel.org" <jeyu@...nel.org>, "rostedt@...dmis.org" <rostedt@...dmis.org>, "ast@...nel.org" <ast@...nel.org>, "ard.biesheuvel@...aro.org" <ard.biesheuvel@...aro.org>, "linux-mm@...ck.org" <linux-mm@...ck.org>, "jannh@...gle.com" <jannh@...gle.com>, "Dock, Deneen T" <deneen.t.dock@...el.com>, "kristen@...ux.intel.com" <kristen@...ux.intel.com>, "akpm@...ux-foundation.org" <akpm@...ux-foundation.org>, "will.deacon@....com" <will.deacon@....com>, "mingo@...hat.com" <mingo@...hat.com>, "luto@...nel.org" <luto@...nel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, "Keshavamurthy, Anil S" <anil.s.keshavamurthy@...el.com>, "Hansen, Dave" <dave.hansen@...el.com>, "naveen.n.rao@...ux.vnet.ibm.com" <naveen.n.rao@...ux.vnet.ibm.com>, "davem@...emloft.net" <davem@...emloft.net>, "netdev@...r.kernel.org" <netdev@...r.kernel.org> Subject: Re: [PATCH 0/2] Don’t leave executable TLB entries to freed pages On Thu, 29 Nov 2018 18:49:26 +0000 "Edgecombe, Rick P" <rick.p.edgecombe@...el.com> wrote: > On Thu, 2018-11-29 at 23:06 +0900, Masami Hiramatsu wrote: > > On Tue, 27 Nov 2018 16:07:52 -0800 > > Rick Edgecombe <rick.p.edgecombe@...el.com> wrote: > > > > > Sometimes when memory is freed via the module subsystem, an executable > > > permissioned TLB entry can remain to a freed page. If the page is re-used to > > > back an address that will receive data from userspace, it can result in user > > > data being mapped as executable in the kernel. The root of this behavior is > > > vfree lazily flushing the TLB, but not lazily freeing the underlying pages. > > > > Good catch! > > > > > > > > There are sort of three categories of this which show up across modules, > > > bpf, > > > kprobes and ftrace: > > > > For x86-64 kprobe, it sets the page NX and after that RW, and then release > > via module_memfree. So I'm not sure it really happens on kprobes. (Of course > > the default memory allocator is simpler so it may happen on other archs) But > > interesting fixes. > Yes, I think you are right, it should not leave an executable TLB entry in this > case. Ftrace actually does this on x86 as well. > > Is there some other reason for calling set_memory_nx that should apply elsewhere > for module users? Or could it be removed in the case of this patch to centralize > the behavior? According to the commit c93f5cf571e7 ("kprobes/x86: Fix to set RWX bits correctly before releasing trampoline"), if we release readonly page by module_memfree(), it causes kernel crash. And at this moment, on x86-64 set the trampoline page readonly becuase it is an exacutable page. Setting NX bit is for security reason that should be set before making it writable. So I think if you centralize setting NX bit, it should be done before setting writable bit. Thank you, -- Masami Hiramatsu <mhiramat@...nel.org>
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.