Re: arm64 physmap (was Re: [kernel-hardening] [PATCH 4/6] Protectable Memory)

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Kees Cook <keescook@chromium.org>
To: Igor Stoppa <igor.stoppa@huawei.com>
Cc: Laura Abbott <labbott@redhat.com>, Jann Horn <jannh@google.com>,
	Boris Lukashev <blukashev@sempervictus.com>,
	Christopher Lameter <cl@linux.com>,
	Matthew Wilcox <willy@infradead.org>,
	Jerome Glisse <jglisse@redhat.com>,
	Michal Hocko <mhocko@kernel.org>,
	Christoph Hellwig <hch@infradead.org>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	Linux-MM <linux-mm@kvack.org>,
	kernel list <linux-kernel@vger.kernel.org>,
	Kernel Hardening <kernel-hardening@lists.openwall.com>,
	linux-arm-kernel <linux-arm-kernel@lists.infradead.org>
Subject: Re: arm64 physmap (was Re: [kernel-hardening] [PATCH 4/6] Protectable Memory)
Date: Wed, 21 Feb 2018 14:22:10 -0800	[thread overview]
Message-ID: <CAGXu5jKbuGcrdtVjEqp72e0+enzg26p1EGVPJ7goorbOnvcniA@mail.gmail.com> (raw)
In-Reply-To: <b67209f5-4aa7-ffc0-99e6-3ab05e281ce5@huawei.com>

On Tue, Feb 20, 2018 at 8:28 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
>
>
> On 14/02/18 21:29, Kees Cook wrote:
>> On Wed, Feb 14, 2018 at 11:06 AM, Laura Abbott <labbott@redhat.com> wrote:
>
> [...]
>
>>> Kernel code should be fine, if it isn't that is a bug that should be
>>> fixed. Modules yes are not fully protected. The conclusion from past
>>
>> I think that's a pretty serious problem: we can't have aliases with
>> mismatched permissions; this degrades a deterministic protection
>> (read-only) to a probabilistic protection (knowing where the alias of
>> a target is mapped). Having an attack be "needs some info leaks"
>> instead of "need execution control to change perms" is a much lower
>> bar, IMO.
>
> Why "need execution control to change permission"?
> Or, iow, what does it mean exactly?
> ROP/JOP? Data-oriented control flow hijack?

Right, I mean, if an attacker has already gained execute control, they
can just call the needed functions to change memory permissions. But
that isn't needed if there is a mismatch between physmap and virtmap:
i.e. they can write to the physmap without needing to change perms
first.

> One can argue that this sort of R/W activity probably does require some
> form of execution control, but AFAIK, the only way to to prevent it, is
> to have CFI - btw, is there any standardization in that sense?

I meant that I don't want a difference in protection between physmap
and virtmap. I'd like to be able to reason the smae about the
exposures in either.

> So, from my (pessimistic?) perspective, the best that can be hoped for,
> is to make it much harder to figure out where the data is located.
>
> Virtual mapping has this side effect, compared to linear mapping.

Right, this is good, for sure. No complaints there at all. It's why I
think pmalloc and arm64 physmap perms are separate issues.

-Kees

-- 
Kees Cook
Pixel Security

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

next prev parent reply	other threads:[~2018-02-21 22:22 UTC|newest]

Thread overview: 49+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-01-24 17:56 [RFC PATCH v11 0/6] mm: security: ro protection for dynamic data Igor Stoppa
2018-01-24 17:56 ` [PATCH 1/6] genalloc: track beginning of allocations Igor Stoppa
2018-01-24 17:56 ` [PATCH 2/6] genalloc: selftest Igor Stoppa
2018-01-24 17:56 ` [PATCH 3/6] struct page: add field for vm_struct Igor Stoppa
2018-01-24 17:56 ` [PATCH 4/6] Protectable Memory Igor Stoppa
2018-01-24 19:10   ` [kernel-hardening] " Jann Horn
2018-01-25 11:59     ` Igor Stoppa
2018-01-25 15:14       ` Boris Lukashev
2018-01-25 15:38         ` Jerome Glisse
2018-01-26 12:28           ` Igor Stoppa
2018-01-26 16:36             ` Boris Lukashev
2018-01-30 13:46               ` Igor Stoppa
2018-01-26  5:35     ` Matthew Wilcox
2018-01-26 11:46       ` Igor Stoppa
2018-02-02 18:39       ` Christopher Lameter
2018-02-03 15:38         ` Igor Stoppa
2018-02-03 19:57           ` Igor Stoppa
2018-02-03 20:12             ` Boris Lukashev
2018-02-03 20:32               ` Igor Stoppa
2018-02-03 22:29                 ` Boris Lukashev
2018-02-04 15:05                   ` Igor Stoppa
2018-02-12 23:27                     ` Kees Cook
2018-02-13  0:40                       ` Laura Abbott
2018-02-13  1:25                         ` Kees Cook
2018-02-13  3:39                           ` Jann Horn
2018-02-13 16:09                             ` Laura Abbott
2018-02-13 21:43                               ` Kees Cook
2018-02-14 19:06                                 ` arm64 physmap (was Re: [kernel-hardening] [PATCH 4/6] Protectable Memory) Laura Abbott
2018-02-14 19:28                                   ` Ard Biesheuvel
2018-02-14 20:13                                     ` Laura Abbott
2018-02-14 19:29                                   ` Kees Cook
2018-02-14 19:35                                     ` Kees Cook
2018-02-20 16:28                                     ` Igor Stoppa
2018-02-21 22:22                                       ` Kees Cook [this message]
2018-02-14 19:48                                   ` Kees Cook
2018-02-14 22:13                                     ` Tycho Andersen
2018-02-14 22:27                                       ` Kees Cook
2018-02-13 15:20                         ` [PATCH 4/6] Protectable Memory Igor Stoppa
2018-02-13 15:20                         ` [kernel-hardening] " Igor Stoppa
     [not found]                         ` <5a83024c.64369d0a.a1e94.cdd6SMTPIN_ADDED_BROKEN@mx.google.com>
2018-02-13 18:10                           ` Laura Abbott
2018-02-20 17:16                             ` Igor Stoppa
2018-02-21 22:37                               ` Kees Cook
2018-02-05 15:40           ` Christopher Lameter
2018-02-09 11:17             ` Igor Stoppa
2018-01-26 19:41   ` Igor Stoppa
2018-01-24 17:56 ` [PATCH 5/6] Documentation for Pmalloc Igor Stoppa
2018-01-24 19:14   ` Ralph Campbell
2018-01-25  7:53     ` Igor Stoppa
2018-01-24 17:56 ` [PATCH 6/6] Pmalloc: self-test Igor Stoppa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAGXu5jKbuGcrdtVjEqp72e0+enzg26p1EGVPJ7goorbOnvcniA@mail.gmail.com \
    --to=keescook@chromium.org \
    --cc=blukashev@sempervictus.com \
    --cc=cl@linux.com \
    --cc=hch@infradead.org \
    --cc=igor.stoppa@huawei.com \
    --cc=jannh@google.com \
    --cc=jglisse@redhat.com \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=labbott@redhat.com \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mhocko@kernel.org \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox