Hello,

>> I have now completed the kernel bisection between 4.7.8 and 4.8-rc1 and
>> identified the kernel modification that triggers the errors cited above:
>>
>>> commit 021182e52fe01c1f7b126f97fd6ba048dc4234fd
>>> Author: Thomas Garnier <thgarnie at google.com>
>>> Date:   Tue Jun 21 17:47:03 2016 -0700
>>>
>>> x86/mm: Enable KASLR for physical mapping memory regions
>>>
>>> Add the physical mapping in the list of randomized memory regions.
>>>
>>> The physical memory mapping holds most allocations from boot and heap
>>> allocators. Knowing the base address and physical memory size, an attacker
>>> can deduce the PDE virtual address for the vDSO memory page. This attack
>>> was demonstrated at CanSecWest 2016, in the following presentation:
>>>
>>> "Getting Physical: Extreme Abuse of Intel Based Paged Systems":
>>> https://github.com/n3k/CansecWest2016_Getting_Physical_Extreme_Abuse_of_Intel_Based_Paging_Systems/blob/master/Presentation/CanSec2016_Presentation.pdf
>>>
>>> (See second part of the presentation).
>>>
>>> The exploits used against Linux worked successfully against 4.6+ but
>>> fail with KASLR memory enabled:
>>>
>>> https://github.com/n3k/CansecWest2016_Getting_Physical_Extreme_Abuse_of_Intel_Based_Paging_Systems/tree/master/Demos/Linux/exploits
>>>
>>> Similar research was done at Google leading to this patch proposal.
>>>
>>> Variants exist to overwrite /proc or /sys objects ACLs leading to
>>> elevation of privileges. These variants were tested against 4.6+.
>>>
>>> The page offset used by the compressed kernel retains the static value
>>> since it is not yet randomized during this boot stage.
>>>
>>> Signed-off-by: Thomas Garnier <thgarnie at google.com>
>>> Signed-off-by: Kees Cook <keescook at chromium.org>
>>> Cc: Alexander Kuleshov <kuleshovmail at gmail.com>
>> <truncated>
>>
>> The interesting change seems to be:
>>
>>> -#define __PAGE_OFFSET _AC(0xffff880000000000, UL)
>>> +#define __PAGE_OFFSET_BASE _AC(0xffff880000000000, UL)
>>> +#ifdef CONFIG_RANDOMIZE_MEMORY
>>> +#define __PAGE_OFFSET page_offset_base
>>> +#else
>>> +#define __PAGE_OFFSET __PAGE_OFFSET_BASE
>>> +#endif /* CONFIG_RANDOMIZE_MEMORY */
>>
>> I'll try to see if I can fix that.
>>
>> Kind regards,
>>
>> ...Louis
>>
>
> Some more *important* information in this mostly monologue thread: Pratyush
> Anand has pushed a patch to the list earlier today that apparently fixes this
> issue:
>
> [PATCH Makedumpfile 1/4] x86_64: Calculate page_offset from pt_load[1]
>
> HTH,
>
> Kind regards,

Yeah, it appears so.
I'm reviewing the patches, please wait for that.
I appreciate your investigation for this issue.

Thanks,
Atsushi Kumagai

> ...Louis
>
> [1] https://www.mail-archive.com/kexec at lists.infradead.org/msg16628.html
> --
> Louis Bouchard
> Software engineer, Cloud & Sustaining eng.
> Canonical Ltd
> Ubuntu developer Debian Maintainer
> GPG : 429D 7A3B DD05 B6F8 AF63 B9C4 8B3D 867C 823E 7A61
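Review bot: the quoted `__PAGE_OFFSET` hunk silently changes the macro from a compile-time constant to the runtime variable `page_offset_base` whenever `CONFIG_RANDOMIZE_MEMORY` is set, and nothing in the hunk or the commit message records that out-of-tree consumers of the old constant `0xffff880000000000` (the crash-dump tooling whose errors this bisection traced back to the commit) will now translate direct-map addresses incorrectly. The change should state that the page offset must be obtained at run time, for example derived from the vmcore PT_LOAD headers as the "Calculate page_offset from pt_load" makedumpfile patch referenced in this thread does, rather than leaving `__PAGE_OFFSET_BASE` around as an apparently valid fallback.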
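The fix path named in the thread, recovering page_offset from the PT_LOAD headers of the vmcore instead of hard-coding the old `__PAGE_OFFSET` constant, as an added example in Python (not code from the thread, the kernel patch or makedumpfile); it runs on a constructed ELF64 core, and the layout constants START_KERNEL_MAP, PAGE_OFFSET_BASE and NO_PADDR are assumptions of this example.

```python
import struct

# Layout constants assumed for this example (x86_64 conventions, not from the patch):
START_KERNEL_MAP = 0xffffffff80000000   # kernel text mapping, outside the direct map
PAGE_OFFSET_BASE = 0xffff880000000000   # the static __PAGE_OFFSET quoted in the thread
NO_PADDR = 0xffffffffffffffff           # p_paddr value meaning "no physical address"
PT_LOAD = 1

def page_offset_from_vmcore(data: bytes) -> int:
    """Return vaddr - paddr of the first PT_LOAD that lies inside the direct mapping.

    With CONFIG_RANDOMIZE_MEMORY __PAGE_OFFSET is the runtime value page_offset_base,
    so a dump tool must recover it from the core's segment headers, not hard-code it.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2:        # EI_CLASS must be ELFCLASS64
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"                 # EI_DATA: 1 = little-endian
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    for i in range(e_phnum):
        p_type, _flags, _off, p_vaddr, p_paddr = struct.unpack_from(
            end + "IIQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD or p_paddr == NO_PADDR:
            continue
        if p_vaddr < START_KERNEL_MAP:                 # skip the kernel text segment
            return p_vaddr - p_paddr
    raise ValueError("no PT_LOAD segment inside the direct mapping")

def phys_to_virt(paddr: int, page_offset: int) -> int:
    """Direct-map translation; wrong under KASLR if page_offset is the static constant."""
    return page_offset + paddr

def build_vmcore(segments) -> bytes:
    """Construct a minimal ELF64 ET_CORE with one PT_LOAD per (vaddr, paddr) pair (sample input)."""
    ehdr = struct.pack("<4sBBBB8xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0,
                       4, 62, 1, 0, 64, 0, 0, 64, 56, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", PT_LOAD, 7, 0, va, pa, 0, 0, 0)
                     for va, pa in segments)
    return ehdr + phdrs

if __name__ == "__main__":
    kaslr_base = 0xffff9a8040000000                    # constructed randomized base
    core = build_vmcore([(0xffffffff81000000, 0x1000000),  # kernel text segment
                         (kaslr_base + 0x1000, 0x1000)])    # first RAM chunk
    found = page_offset_from_vmcore(core)
    print(hex(found), hex(phys_to_virt(0x1000, found)), hex(phys_to_virt(0x1000, PAGE_OFFSET_BASE)))
```

Run against a real vmcore, the printed pair shows how far the static constant would be off on a KASLR kernel.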