Linux-mm Archive on lore.kernel.org
From: Pedro Falcato <pfalcato@suse.de>
To: Dave Hansen <dave.hansen@intel.com>, Xiang Mei <xmei5@asu.edu>
Cc: Kees Cook <kees@kernel.org>,
    Andrew Morton <akpm@linux-foundation.org>,
    Thomas Gleixner <tglx@kernel.org>,
    Ingo Molnar <mingo@redhat.com>,
    Borislav Petkov <bp@alien8.de>,
    Dave Hansen <dave.hansen@linux.intel.com>,
    x86@kernel.org,
    linux-hardening@vger.kernel.org,
    Uladzislau Rezki <urezki@gmail.com>,
    "Gustavo A. R. Silva" <gustavoars@kernel.org>,
    "H. Peter Anvin" <hpa@zytor.com>,
    linux-mm@kvack.org,
    linux-kernel@vger.kernel.org,
    Jennifer Miller <jmill@asu.edu>,
    Tiffany Bao <tbao@asu.edu>,
    Ruoyu Wang <fishw@asu.edu>,
    Adam Doupe <doupe@asu.edu>,
    Kyle Zeng <zengyhkyle@asu.edu>,
    Yan Shoshitaishvili <yans@asu.edu>
Subject: Re: [PATCH v2] mm/vmalloc: widen guard region to defeat ENTER-based stack pivot
Date: Tue, 30 Jun 2026 15:58:41 +0100
Message-ID: <akPYNv37BCJXUg8-@pedro-suse.lan>
In-Reply-To: <c7c5d2c7-db83-404f-b40f-ee01ae8b9299@intel.com>

On Tue, Jun 30, 2026 at 07:01:48AM -0700, Dave Hansen wrote:
> On 6/29/26 18:22, Xiang Mei wrote:
> >> Please don't even try to send a v3 without addressing this.
> > This is a demo exploiting CVE-2026-31419 with this technique:
> > https://github.com/google/security-research/pull/397
> 
> Thanks for sharing that. That's really good info.
> 
> But what I want to hear a bit more about is why this new guard region is
> a good, generic mitigation. Does it help mitigate a whole class of
> vulnerabilities?

I guess, to add to the questions (to Xiang and/or x86 people):
1) Aren't initiatives like kCFI/CET/shadow stack supposed to mitigate these
issues? Is this mitigation supposed to be applied in spite of these features?
2) Aren't you screwed by the time the attacker gets kernel remote code
execution anyway?

> 
> I think you're making the claim that this ENTER technique takes what
> would normally just be a DoS and makes it fully exploitable. Does this
> happen for a lot of DoS bugs? Or is CVE-2026-31419 very unusual and this
> stack guard gunk won't ever be useful again?

I suspect it's just the typical UAF with a function pointer table that leads
into remote code execution. I know that for our (SUSE) CVE scoring, we tend
to treat these kinds of UAFs a lot more seriously than others. But I didn't
look closely.

-- 
Pedro

