On Wed, Apr 17, 2019 at 11:41 PM Andy Lutomirski <luto@xxxxxxxxxx> wrote: > I don't think this type of NX goof was ever the argument for XPFO. > The main argument I've heard is that a malicious user program writes a > ROP payload into user memory (regular anonymous user memory) and then > gets the kernel to erroneously set RSP (*not* RIP) to point there. Well, more than just ROP. Any of the various attack primitives. The NX stuff is about moving RIP: SMEP-bypassing. But there is still basic SMAP-bypassing for putting a malicious structure in userspace and having the kernel access it via the linear mapping, etc. > I find this argument fairly weak for a couple reasons. First, if > we're worried about this, let's do in-kernel CFI, not XPFO, to CFI is getting much closer. Getting the kernel happy under Clang, LTO, and CFI is under active development. (It's functional for arm64 already, and pieces have been getting upstreamed.) > mitigate it. Second, I don't see why the exact same attack can't be > done using, say, page cache, and unless I'm missing something, XPFO > doesn't protect page cache. Or network buffers, or pipe buffers, etc. My understanding is that it's much easier to feel out the linear mapping address than for the others. But yes, all of those same attack primitives are possible in other memory areas (though most are NX), and plenty of exploits have done such things. -- Kees Cook