linux/arch
Thomas Garnier 021182e52f x86/mm: Enable KASLR for physical mapping memory regions
Add the physical mapping in the list of randomized memory regions.

The physical memory mapping holds most allocations from boot and heap
allocators. Knowing the base address and physical memory size, an attacker
can deduce the PDE virtual address for the vDSO memory page. This attack
was demonstrated at CanSecWest 2016, in the following presentation:

  "Getting Physical: Extreme Abuse of Intel Based Paged Systems":
  https://github.com/n3k/CansecWest2016_Getting_Physical_Extreme_Abuse_of_Intel_Based_Paging_Systems/blob/master/Presentation/CanSec2016_Presentation.pdf

(See second part of the presentation).

The exploits used against Linux worked successfully against 4.6+ but
fail with KASLR memory enabled:

  https://github.com/n3k/CansecWest2016_Getting_Physical_Extreme_Abuse_of_Intel_Based_Paging_Systems/tree/master/Demos/Linux/exploits

Similar research was done at Google leading to this patch proposal.

Variants exists to overwrite /proc or /sys objects ACLs leading to
elevation of privileges. These variants were tested against 4.6+.

The page offset used by the compressed kernel retains the static value
since it is not yet randomized during this boot stage.

Signed-off-by: Thomas Garnier <thgarnie@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Alexander Kuleshov <kuleshovmail@gmail.com>
Cc: Alexander Popov <alpopov@ptsecurity.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Cc: Baoquan He <bhe@redhat.com>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Borislav Petkov <bp@suse.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jan Beulich <JBeulich@suse.com>
Cc: Joerg Roedel <jroedel@suse.de>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Lv Zheng <lv.zheng@intel.com>
Cc: Mark Salter <msalter@redhat.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Toshi Kani <toshi.kani@hpe.com>
Cc: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: kernel-hardening@lists.openwall.com
Cc: linux-doc@vger.kernel.org
Link: http://lkml.kernel.org/r/1466556426-32664-7-git-send-email-keescook@chromium.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2016-07-08 17:35:15 +02:00
..
alpha tree wide: get rid of __GFP_REPEAT for order-0 allocations part I 2016-06-24 17:23:52 -07:00
arc ARC Fix for 4.7-rc6 2016-06-30 09:53:43 -07:00
arm KVM/ARM Fixes for v4.7-rc6: 2016-06-30 17:11:20 +02:00
arm64 Merge branch 'akpm' (patches from Andrew) 2016-06-24 19:08:33 -07:00
avr32 tree wide: get rid of __GFP_REPEAT for order-0 allocations part I 2016-06-24 17:23:52 -07:00
blackfin printk/nmi: generic solution for safe printk in NMI 2016-05-20 17:58:30 -07:00
c6x asm-generic patch for 4.7 2016-05-24 15:24:37 -07:00
cris tree wide: get rid of __GFP_REPEAT for order-0 allocations part I 2016-06-24 17:23:52 -07:00
frv tree wide: get rid of __GFP_REPEAT for order-0 allocations part I 2016-06-24 17:23:52 -07:00
h8300 Merge branch 'hash' of git://ftp.sciencehorizons.net/linux 2016-05-28 16:15:25 -07:00
hexagon tree wide: get rid of __GFP_REPEAT for order-0 allocations part I 2016-06-24 17:23:52 -07:00
ia64 fix up initial thread stack pointer vs thread_info confusion 2016-06-24 17:07:33 -07:00
m32r Merge branch 'kbuild' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild 2016-05-26 22:01:22 -07:00
m68k tree wide: get rid of __GFP_REPEAT for order-0 allocations part I 2016-06-24 17:23:52 -07:00
metag tree wide: get rid of __GFP_REPEAT for order-0 allocations part I 2016-06-24 17:23:52 -07:00
microblaze tree wide: get rid of __GFP_REPEAT for order-0 allocations part I 2016-06-24 17:23:52 -07:00
mips MIPS: Fix possible corruption of cache mode by mprotect. 2016-07-02 01:51:39 +02:00
mn10300 Merge branch 'akpm' (patches from Andrew) 2016-06-24 19:08:33 -07:00
nios2 nios2: get rid of superfluous __GFP_REPEAT 2016-06-24 17:23:52 -07:00
openrisc tree wide: get rid of __GFP_REPEAT for order-0 allocations part I 2016-06-24 17:23:52 -07:00
parisc parisc: get rid of superfluous __GFP_REPEAT 2016-06-24 17:23:52 -07:00
powerpc powerpc fixes for 4.7 #5 2016-07-02 17:47:54 -07:00
s390 s390: fix test_fp_ctl inline assembly contraints 2016-06-28 09:24:28 +02:00
score score: get rid of superfluous __GFP_REPEAT 2016-06-24 17:23:52 -07:00
sh sh: get rid of superfluous __GFP_REPEAT 2016-06-24 17:23:52 -07:00
sparc sparc: get rid of superfluous __GFP_REPEAT 2016-06-24 17:23:52 -07:00
tile Merge branch 'akpm' (patches from Andrew) 2016-06-24 19:08:33 -07:00
um tree wide: get rid of __GFP_REPEAT for order-0 allocations part I 2016-06-24 17:23:52 -07:00
unicore32 unicore32: get rid of superfluous __GFP_REPEAT 2016-06-24 17:23:52 -07:00
x86 x86/mm: Enable KASLR for physical mapping memory regions 2016-07-08 17:35:15 +02:00
xtensa tree wide: get rid of __GFP_REPEAT for order-0 allocations part I 2016-06-24 17:23:52 -07:00
.gitignore
Kconfig Clarify naming of thread info/stack allocators 2016-06-24 15:09:37 -07:00