From: Andy Lutomirski
Date: Wed, 17 Apr 2019 21:41:33 -0700
Subject: Re: [RFC PATCH v9 03/13] mm: Add support for eXclusive Page Frame Ownership (XPFO)
To: Linus Torvalds
Cc: Dave Hansen, open list:DOCUMENTATION, Linux-MM, Khalid Aziz, deepa.srinivasan@oracle.com, H. Peter Anvin, Nadav Amit, Thomas Gleixner, Tycho Andersen, X86 ML, LSM List, Ingo Molnar, jsteckli@amazon.de, Arjan van de Ven, Peter Zijlstra, Konrad Rzeszutek Wilk, Jon Masters, Greg Kroah-Hartman, Borislav Petkov, Andy Lutomirski, Boris Ostrovsky, chris hyser, linux-alpha@vger.kernel.org, Juerg Haefliger, Andrew Cooper, Linux List Kernel Mailing, Tyler Hicks, iommu, Kees Cook, Andrew Morton, David Woodhouse

On Wed, Apr 17, 2019 at 5:00 PM Linus Torvalds wrote:
>
> On Wed, Apr 17, 2019 at 4:42 PM Thomas Gleixner wrote:
> >
> > On Wed, 17 Apr 2019, Linus Torvalds wrote:
> > >
> > > With SMEP, user space pages are always NX.
> >
> > We talk past each other. The user space page in the ring3 valid virtual
> > address space (non negative) is of course protected by SMEP.
> >
> > The attack utilizes the kernel linear mapping of the physical
> > memory. I.e. user space address 0x43210 has a kernel equivalent at
> > 0xfxxxxxxxxxx. So if the attack manages to trick the kernel to that valid
> > kernel address and that is mapped X --> game over. SMEP does not help
> > there.
>
> Oh, agreed.
>
> But that would simply be a kernel bug. We should only map kernel pages
> executable when we have kernel code in them, and we should certainly
> not allow those pages to be mapped writably in user space.
>
> That kind of "executable in kernel, writable in user" would be a
> horrendous and major bug.
>
> So I think it's a non-issue.
>
> > From the top of my head I'd say this is a non-issue as those kernel address
> > space mappings _should_ be NX, but we got bitten by _should_ in the past :)
>
> I do agree that bugs can happen, obviously, and we might have missed something.
>
> But in the context of XPFO, I would argue (*very* strongly) that the
> likelihood of the above kind of bug is absolutely *minuscule* compared
> to the likelihood that we'd have something wrong in the software
> implementation of XPFO.
>
> So if the argument is "we might have bugs in software", then I think
> that's an argument _against_ XPFO rather than for it.
>

I don't think this type of NX goof was ever the argument for XPFO. The
main argument I've heard is that a malicious user program writes a ROP
payload into user memory (regular anonymous user memory) and then gets
the kernel to erroneously set RSP (*not* RIP) to point there.

I find this argument fairly weak for a couple of reasons. First, if we're
worried about this, let's do in-kernel CFI, not XPFO, to mitigate it.
Second, I don't see why the exact same attack can't be done using, say,
page cache, and unless I'm missing something, XPFO doesn't protect page
cache. Or network buffers, or pipe buffers, etc.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
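The property the thread relies on (the kernel's direct map of physical memory must never be executable) can be checked on a running system. The script below is an added example, not code from the thread or from the kernel tree: it scans an x86-64 page-table dump for executable ranges inside the direct map. The dump format (CONFIG_PTDUMP_DEBUGFS output at /sys/kernel/debug/page_tables/kernel, with the direct map under "---[ Low Kernel Mapping ]---" and each range line ending in an NX/x flag plus the page-table level) is an assumption about that interface; verify it against your kernel before trusting the result.

```shell
#!/bin/sh
# Added example, not part of the thread: report executable pages in the
# kernel direct (linear) map, which should contain data only, never code.
# Assumption: x86-64 CONFIG_PTDUMP_DEBUGFS format, where the direct map is
# the "---[ Low Kernel Mapping ]---" section and every range line ends with
# the execute flag ("NX" or "x") followed by the level (pte/pmd/pud/...).

# Print each executable range in the direct map, one range per line.
# Usage (needs root): direct_map_exec /sys/kernel/debug/page_tables/kernel
direct_map_exec() {
    awk '
        /^---\[/ { in_direct = ($0 ~ /Low Kernel Mapping/); next }
        in_direct && $1 ~ /^0x/ && NF >= 3 && $(NF-1) == "x" { print $1 }
    ' "$1"
}

# Exit 0 when the direct map holds no executable ranges, 1 otherwise.
direct_map_is_clean() {
    [ -z "$(direct_map_exec "$1")" ]
}

# Constructed sample dump so the script runs without root; the 2M range
# in the direct map is deliberately marked "x" to exercise the detector.
# Kernel text under "High Kernel Mapping" is executable by design and
# must not be reported.
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
---[ User Space ]---
0x0000000000000000-0xffff800000000000 16777088T                               pgd
---[ Low Kernel Mapping ]---
0xffff888000000000-0xffff888000200000           2M     RW                 GLB NX pte
0xffff888000200000-0xffff888000400000           2M     RW         PSE     GLB x  pmd
0xffff888000400000-0xffff888040000000        1020M     RW         PSE     GLB NX pmd
---[ High Kernel Mapping ]---
0xffffffff81000000-0xffffffff81e00000          14M     ro         PSE     GLB x  pmd
EOF

# On the constructed sample this prints the one offending direct-map range.
direct_map_exec "$SAMPLE_DUMP"
```

A clean system prints nothing and `direct_map_is_clean` returns 0; CONFIG_DEBUG_WX performs a related W+X check at boot but does not cover the "writable from user, executable via the direct map" case the thread describes.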