From: Jennifer Miller <jmill@asu.edu>
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Jann Horn <jannh@google.com>, Andy Lutomirski <luto@kernel.org>,
linux-hardening@vger.kernel.org, kees@kernel.org,
joao@overdrivepizza.com, samitolvanen@google.com,
kernel list <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] Circumventing FineIBT Via Entrypoints
Date: Fri, 14 Feb 2025 17:07:20 -0700 [thread overview]
Message-ID: <Z6/auDKBF1E0m/6L@ubun> (raw)
In-Reply-To: <c2af5771-1c16-4ac8-bc09-c33d07956358@citrix.com>
On Fri, Feb 14, 2025 at 11:06:50PM +0000, Andrew Cooper wrote:
> On 13/02/2025 11:24 pm, Jennifer Miller wrote:
> > On Thu, Feb 13, 2025 at 09:24:18PM +0000, Andrew Cooper wrote:
> >>>> ; swap stacks as normal
> >>>> mov QWORD PTR gs:[rip+0x7f005f85],rsp # 0x6014 <cpu_tss_rw+20>
> >>>> mov rsp,QWORD PTR gs:[rip+0x7f02c56d] # 0x2c618 <pcpu_hot+24>
> >> ... these are memory accesses using the user %gs. As you note a few
> >> lines lower, %gs isn't safe at this point.
> >>
> >> A cunning attacker can make gs:[rip+0x7f02c56d] be a read-only mapping,
> >> at point we'll have loaded an attacker controlled %rsp, then take #PF
> >> trying to spill %rsp into pcpu_hot, and now we're running the pagefault
> >> handler on an attacker controlled stack and gsbase.
> >>
> > I don't follow, the spill of %rsp into pcpu_hot occurs first, before we
> > would move to the attacker controlled stack. This is Intel asm syntax,
> > sorry if that was unclear.
>
> No, sorry. It's clearly written; I simply wasn't paying enough attention.
>
> > Still, I hadn't considered misusing readonly/unmapped pages on the GPR
> > register spill that follows. Could we enforce that the stack pointer we get
> > be page aligned to prevent this vector? So that if one were to attempt to
> > point the stack to readonly or unmapped memory they should be guaranteed to
> > double fault?
>
> Hmm.
>
> Espfix64 does involve #DF recovering from a write to a read-only stack.
> (This broken corner of x86 is also fixed in FRED. We fixed a *lot* of
> thing.)
Interesting, I haven't gotten around to reading into how FRED works, it
sounds neat.
>
> As long the #DF handler can be updated to safely distinguish espfix64
> from this entrypoint attack, this seems like it might mitigate the
> read-only case.
> > I think we can do the overwrite at any point before actually calling into
> > the individual syscall handlers, really anywhere before potentially
> > hijacked indirect control flow can occur and then restore it just after
> > those return e.g., for the 64-bit path I am currently overwriting it at the
> > start of do_syscall_64 and then restoring it just before
> > syscall_exit_to_user_mode. I'm not sure if there is any reason to do it
> > sooner while we'd still be register constrained.
>
> I don't follow. If any "bad" execution is found in an entrypoint, Linux
> needs to panic(). Detecting the malice involves clobbering an in-use
> stack, and there's no ability to safely recover.
Sorry, this was in response to Jann's question about the mitigation
strategy proposed in my initial email.
>
> ~Andrew
~Jennifer
next prev parent reply other threads:[~2025-02-15 0:07 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <Z60NwR4w/28Z7XUa@ubun>
2025-02-12 22:29 ` [RFC] Circumventing FineIBT Via Entrypoints Jann Horn
2025-02-13 1:31 ` Andrew Cooper
2025-02-13 2:09 ` Jann Horn
2025-02-13 2:42 ` Andrew Cooper
2025-02-22 20:43 ` Rudolf Marek
2025-02-25 18:10 ` Andrew Cooper
2025-02-25 20:06 ` Rudolf Marek
2025-02-25 21:14 ` Andrew Cooper
2025-02-26 2:55 ` Kees Cook
2025-02-26 22:48 ` Rudolf Marek
2025-02-27 0:41 ` Andrew Cooper
2025-03-01 22:48 ` Rudolf Marek
2025-03-02 19:16 ` Rudolf Marek
2025-03-02 22:31 ` Andrew Cooper
2025-02-28 12:13 ` Florian Weimer
2025-02-13 20:28 ` Kees Cook
2025-02-13 20:41 ` Andrew Cooper
2025-02-13 20:53 ` Kees Cook
2025-02-13 20:57 ` Jann Horn
2025-02-16 23:42 ` Kees Cook
2025-02-14 9:57 ` Peter Zijlstra
2025-02-15 21:07 ` Peter Zijlstra
2025-02-16 23:51 ` Kees Cook
2025-02-17 10:39 ` Peter Zijlstra
2025-02-17 13:06 ` David Laight
2025-02-17 13:13 ` Peter Zijlstra
2025-02-17 18:38 ` David Laight
2025-02-17 18:54 ` Peter Zijlstra
2025-02-14 10:05 ` Peter Zijlstra
2025-02-14 9:54 ` Peter Zijlstra
2025-02-13 6:15 ` Jennifer Miller
2025-02-13 19:23 ` Jann Horn
2025-02-13 21:24 ` Andrew Cooper
2025-02-13 23:24 ` Jennifer Miller
2025-02-13 23:43 ` Jann Horn
2025-02-14 23:06 ` Andrew Cooper
2025-02-15 0:07 ` Jennifer Miller [this message]
2025-02-15 0:11 ` Andrew Cooper
2025-02-15 0:19 ` Jennifer Miller
2025-02-14 22:25 ` Josh Poimboeuf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z6/auDKBF1E0m/6L@ubun \
--to=jmill@asu.edu \
--cc=andrew.cooper3@citrix.com \
--cc=jannh@google.com \
--cc=joao@overdrivepizza.com \
--cc=kees@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=samitolvanen@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox