* Khalid Aziz <khalid.aziz@xxxxxxxxxx> wrote: > > I.e. the original motivation of the XPFO patches was to prevent execution > > of direct kernel mappings. Is this motivation still present if those > > mappings are non-executable? > > > > (Sorry if this has been asked and answered in previous discussions.) > > Hi Ingo, > > That is a good question. Because of the cost of XPFO, we have to be very > sure we need this protection. The paper from Vasileios, Michalis and > Angelos - <http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf>, > does go into how ret2dir attacks can bypass SMAP/SMEP in sections 6.1 > and 6.2. So it would be nice if you could generally summarize external arguments when defending a patchset, instead of me having to dig through a PDF which not only causes me to spend time that you probably already spent reading that PDF, but I might also interpret it incorrectly. ;-) The PDF you cited says this: "Unfortunately, as shown in Table 1, the W^X prop-erty is not enforced in many platforms, including x86-64. In our example, the content of user address 0xBEEF000 is also accessible through kernel address 0xFFFF87FF9F080000 as plain, executable code." Is this actually true of modern x86-64 kernels? We've locked down W^X protections in general. I.e. this conclusion: "Therefore, by simply overwriting kfptr with 0xFFFF87FF9F080000 and triggering the kernel to dereference it, an attacker can directly execute shell code with kernel privileges." ... appears to be predicated on imperfect W^X protections on the x86-64 kernel. Do such holes exist on the latest x86-64 kernel? If yes, is there a reason to believe that these W^X holes cannot be fixed, or that any fix would be more expensive than XPFO? Thanks, Ingo
