All of lore.kernel.org
 help / color / mirror / Atom feed
From: Peter Zijlstra <peterz@infradead.org>
To: Pedro Falcato <pfalcato@suse.de>
Cc: Dave Hansen <dave.hansen@intel.com>, Xiang Mei <xmei5@asu.edu>,
	Kees Cook <kees@kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Thomas Gleixner <tglx@kernel.org>, Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	x86@kernel.org, linux-hardening@vger.kernel.org,
	Uladzislau Rezki <urezki@gmail.com>,
	"Gustavo A . R . Silva" <gustavoars@kernel.org>,
	"H . Peter Anvin" <hpa@zytor.com>,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	Jennifer Miller <jmill@asu.edu>, Tiffany Bao <tbao@asu.edu>,
	Ruoyu Wang <fishw@asu.edu>, Adam Doupe <doupe@asu.edu>,
	Kyle Zeng <zengyhkyle@asu.edu>,
	Yan Shoshitaishvili <yans@asu.edu>
Subject: Re: [PATCH v2] mm/vmalloc: widen guard region to defeat ENTER-based stack pivot
Date: Wed, 1 Jul 2026 09:23:51 +0200	[thread overview]
Message-ID: <20260701072351.GM48970@noisy.programming.kicks-ass.net> (raw)
In-Reply-To: <akPYNv37BCJXUg8-@pedro-suse.lan>

On Tue, Jun 30, 2026 at 03:58:41PM +0100, Pedro Falcato wrote:
> On Tue, Jun 30, 2026 at 07:01:48AM -0700, Dave Hansen wrote:
> > On 6/29/26 18:22, Xiang Mei wrote:
> > >> Please don't even try to send a v3 without addressing this.
> > > This is a demo exploiting CVE-2026-31419 with this technique:
> > > https://github.com/google/security-research/pull/397
> > 
> > Thanks for sharing that. That's really good info.
> > 
> > But what I want to hear a bit more about is why this new guard region is
> > a good, generic mitigation. Does it help mitigate a whole class of
> > vulnerabilities?
> 
> I guess, to add to the questions (to Xiang and/or x86 people):
> 1) Aren't initiatives like kCFI/CET/shadow stack supposed to mitigate these
> issues? Is this mitigation supposed to be applied in spite of these features?
> 2) Aren't you screwed by the time the attacker gets kernel remote code
> execution anyway?

Right; so CFI is supposed to eliminate the forward control flow
hijacking primitives, and shadow-stack will hobble the backward ones.

The whole ENTER thing is really only relevant provided you have a
control flow hijack of some sort. Once you do, it makes it easier to
build out a ROP chain.

  reply	other threads:[~2026-07-01  7:24 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29 21:47 [PATCH v2] mm/vmalloc: widen guard region to defeat ENTER-based stack pivot Xiang Mei
2026-06-29 22:29 ` Dave Hansen
2026-06-29 23:28   ` Xiang Mei
2026-06-29 23:37     ` Dave Hansen
2026-06-30  1:22       ` Xiang Mei
2026-06-30 14:01         ` Dave Hansen
2026-06-30 14:58           ` Pedro Falcato
2026-07-01  7:23             ` Peter Zijlstra [this message]
2026-06-30 22:02           ` Xiang Mei
2026-06-30 22:05             ` Dave Hansen
2026-06-30 22:13               ` H. Peter Anvin
2026-06-30 22:47                 ` Xiang Mei
2026-06-30 23:40                   ` Dave Hansen
2026-06-30 23:48                     ` Xiang Mei
2026-07-01  7:19           ` Peter Zijlstra
2026-06-30 14:40     ` Pedro Falcato
2026-06-30 15:15       ` Dave Hansen
2026-06-30 21:54         ` Dave Hansen
2026-06-30 21:41       ` Xiang Mei
2026-07-01  7:27   ` Peter Zijlstra
2026-07-01  7:48     ` Peter Zijlstra
2026-07-01  7:58       ` H. Peter Anvin
2026-07-01  8:31         ` Peter Zijlstra
2026-07-01 21:04           ` Xiang Mei

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260701072351.GM48970@noisy.programming.kicks-ass.net \
    --to=peterz@infradead.org \
    --cc=akpm@linux-foundation.org \
    --cc=bp@alien8.de \
    --cc=dave.hansen@intel.com \
    --cc=dave.hansen@linux.intel.com \
    --cc=doupe@asu.edu \
    --cc=fishw@asu.edu \
    --cc=gustavoars@kernel.org \
    --cc=hpa@zytor.com \
    --cc=jmill@asu.edu \
    --cc=kees@kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=mingo@redhat.com \
    --cc=pfalcato@suse.de \
    --cc=tbao@asu.edu \
    --cc=tglx@kernel.org \
    --cc=urezki@gmail.com \
    --cc=x86@kernel.org \
    --cc=xmei5@asu.edu \
    --cc=yans@asu.edu \
    --cc=zengyhkyle@asu.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.