Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 22 Jun 2020 15:15:18 -0600
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: Ard Biesheuvel <ardb@...nel.org>
Cc: linux-arm-kernel <linux-arm-kernel@...ts.infradead.org>, 
	ACPI Devel Maling List <linux-acpi@...r.kernel.org>, Will Deacon <will@...nel.org>, 
	Catalin Marinas <catalin.marinas@....com>, lorenzo.pieralisi@....com, sudeep.holla@....com, 
	Kernel Hardening <kernel-hardening@...ts.openwall.com>
Subject: Re: [RFC PATCH] arm64/acpi: disallow AML memory opregions to access
 kernel memory

Hmm, actually...

> >         if (memblock_is_map_memory(phys))
> > -               return (void __iomem *)__phys_to_virt(phys);
> > +               return NULL;

It might be prudent to have this check take into account the size of
the region being mapped. I realize ACPI considers it to be undefined
if you cross borders, but I could imagine actual system behavior being
somewhat complicated, and a clever bypass being possible.
Hypothetically: KASLR starts kernel at phys_base+offset, [phys_base,
rounddownpage(offset)) doesn't get mapped, malicious acpi then maps
phys_base+rounddownpage(offset)-1, and then this check doesn't get
hit.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.