On Wed, 17 Apr 2019, Linus Torvalds wrote: > On Wed, Apr 17, 2019, 14:20 Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote: > > > > > It's not necessarily a W+X issue. The user space text is mapped in the > > kernel as well and even if it is mapped RX then this can happen. So any > > kernel mappings of user space text need to be mapped NX! > > With SMEP, user space pages are always NX. We talk past each other. The user space page in the ring3 valid virtual address space (non negative) is of course protected by SMEP. The attack utilizes the kernel linear mapping of the physical memory. I.e. user space address 0x43210 has a kernel equivalent at 0xfxxxxxxxxxx. So if the attack manages to trick the kernel to that valid kernel address and that is mapped X --> game over. SMEP does not help there. >From the top of my head I'd say this is a non issue as those kernel address space mappings _should_ be NX, but we got bitten by _should_ in the past:) Thanks, tglx
