Date: Mon, 22 Jun 2020 15:15:18 -0600 From: "Jason A. Donenfeld" <Jason@...c4.com> To: Ard Biesheuvel <ardb@...nel.org> Cc: linux-arm-kernel <linux-arm-kernel@...ts.infradead.org>, ACPI Devel Maling List <linux-acpi@...r.kernel.org>, Will Deacon <will@...nel.org>, Catalin Marinas <catalin.marinas@....com>, lorenzo.pieralisi@....com, sudeep.holla@....com, Kernel Hardening <kernel-hardening@...ts.openwall.com> Subject: Re: [RFC PATCH] arm64/acpi: disallow AML memory opregions to access kernel memory Hmm, actually... > > if (memblock_is_map_memory(phys)) > > - return (void __iomem *)__phys_to_virt(phys); > > + return NULL; It might be prudent to have this check take into account the size of the region being mapped. I realize ACPI considers it to be undefined if you cross borders, but I could imagine actual system behavior being somewhat complicated, and a clever bypass being possible. Hypothetically: KASLR starts kernel at phys_base+offset, [phys_base, rounddownpage(offset)) doesn't get mapped, malicious acpi then maps phys_base+rounddownpage(offset)-1, and then this check doesn't get hit.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.