Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 21 Feb 2019 07:49:23 -0800
From: Andy Lutomirski <>
To: Jann Horn <>
Cc: Andy Lutomirski <>, Kees Cook <>,
 "Reshetova, Elena" <>,
 "Perla, Enrico" <>,
 Peter Zijlstra <>,
 "" <>,
 "" <>,
 "" <>, "" <>,
 "" <>
Subject: Re: [RFC PATCH] x86/entry/64: randomize kernel stack offset upon system call

> On Feb 21, 2019, at 5:20 AM, Jann Horn <> wrote:
> On Thu, Feb 21, 2019 at 7:38 AM Andy Lutomirski <> wrote:
>>> On Feb 20, 2019, at 2:20 PM, Kees Cook <> wrote:
>>> On Wed, Feb 13, 2019 at 11:52 PM Reshetova, Elena
>>> <> wrote:
>>>> Now back to our proposed countermeasures given that attacker has found a way to do
>>>> a crafted overflow and overwrite:
>>>> 1) pt_regs is not predictable, but can be discovered in ptrace-style scenario or cache-probing.
>>>>    If discovered, then attack succeeds as of now.
>>>> 2) relative stack offset is not predictable and randomized, cannot be probed very easily via
>>>>     cache or ptrace. So, this is an additional hurdle on the attacker's way since stack is non-
>>>>     deterministic now.
>>>> 3) nothing changed for this type of attack, given that attacker's goal is not to overwrite CS
>>>>     in adjusted pt_regs. If it is his goal, then it helps with that.
>>>> Now summary:
>>>> It would seem to me that:
>>>> - regs->cs |= 3 on exit is a thing worth doing anyway, just because it is cheap, as Andy said, and it
>>>> might make a positive difference in two out of three attack scenarios. Objections?
>>> I would agree, let's just do this.
>> Thinking slightly more about this, it’s an incomplete protection.  It
>> keeps an attacker from returning to kernel mode, but it does not
>> protect the privileged flag bits.  I think that IOPL is the only thing
>> we really care about, and doing anything useful about IOPL would be
>> rather more complex, unfortunately.  I suppose we could just zero it
>> and guard that with a static branch that is switched off the first
>> time anyone uses iopl(3).
>> I suppose we could also add a config option to straight-up disable
>> IOPL.  I sincerely hope that no one uses it any more. Even the small
>> number of semi-legit users really ought to be using ioperm() instead.
> /me raises hand. iopl(3) is useful for making CLI and STI work from
> userspace, I've used it for that (for testing stuff, not for anything
> that has been shipped to people). Of course, that's probably a reason
> to get rid of it, not to keep it. ^^

I was thinking that I don’t even try to make this use case work correctly ;)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.