From: "H. Peter Anvin" <hpa@zytor.com>
To: Kees Cook <keescook@chromium.org>
Cc: linux-kernel@vger.kernel.org,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
x86@kernel.org, Jim Kukunas <james.t.kukunas@linux.intel.com>,
Arjan van de Ven <arjan@infradead.org>
Subject: Re: [RFC] stack and heap are executable on x86_64
Date: Thu, 20 Dec 2012 20:44:12 -0800 [thread overview]
Message-ID: <50D3E91C.9060907@zytor.com> (raw)
In-Reply-To: <20121221030018.GA15032@www.outflux.net>
On 12/20/2012 07:00 PM, Kees Cook wrote:
>
> This change for pre-v3.5 creates a new exception table instead of
> trying to rewrite the old one. Since the tables are now relative,
> we can't actually set up an exception for things in stack and heap on
> x86_64 since the distance between the address and the table's .insn is
> more than INT_MAX. And if the table were moved into the stack or heap,
> then the fixup couldn't point back to the module's text segment. For
> v3.5 and later, I'm not sure what to do...
>
> So, mainly two things:
> - we need to fix the stack/heap markings.
> - it'd be nice to get test_nx back on its feet again.
>
I just looked at a /sys/kernel/debug/kernel_page_tables dump.... and
there are a bunch of pages which are RWX:
0xffff880000000000-0xffff880000097000 604K RW GLB x pte
0xffff88000009d000-0xffff880000200000 1420K RW GLB x pte
0xffff880000200000-0xffff880001000000 14M RW PSE GLB x pmd
0xffff880001c00000-0xffff880035e00000 834M RW PSE GLB x pmd
0xffff880035e00000-0xffff880035ffe000 2040K RW GLB x pte
0xffff880036ff7000-0xffff880037000000 36K RW GLB x pte
0xffff880037000000-0xffff880040000000 144M RW PSE GLB x pmd
0xffffffff81c00000-0xffffffff81cea000 936K RW GLB x pte
0xffffffff81dfd000-0xffffffff81e00000 12K RW GLB x pte
0xffffffff81e00000-0xffffffff82000000 2M RW PSE GLB x pmd
One particular piece of idiocy is that we tied marking the pages
executable into the PAT system, which means that if it is executable
anywhere in the kernel it is executable everywhere. That being said, I
don't think that is the only thing at play here.
On the other hand... do we *ever* have a legitimate reason to run code
below the -2G point? If so we could/should probably mark those NX
already at the higher paging levels...
-hpa
--
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel. I don't speak on their behalf.
next prev parent reply other threads:[~2012-12-21 4:44 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-21 3:00 [RFC] stack and heap are executable on x86_64 Kees Cook
2012-12-21 3:06 ` Kees Cook
2012-12-21 3:30 ` H. Peter Anvin
2012-12-21 4:44 ` H. Peter Anvin [this message]
2012-12-21 6:27 ` Yinghai Lu
2012-12-21 17:01 ` H. Peter Anvin
2012-12-21 17:28 ` Yinghai Lu
2012-12-21 17:36 ` H. Peter Anvin
2012-12-21 21:26 ` Yinghai Lu
2012-12-21 22:22 ` Yinghai Lu
2012-12-21 22:23 ` H. Peter Anvin
2012-12-21 22:26 ` Yinghai Lu
2012-12-21 22:28 ` H. Peter Anvin
2012-12-21 22:30 ` Yinghai Lu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50D3E91C.9060907@zytor.com \
--to=hpa@zytor.com \
--cc=arjan@infradead.org \
--cc=james.t.kukunas@linux.intel.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox