On Tue, Apr 9, 2013 at 11:46 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote: > On Tue, Apr 9, 2013 at 11:39 AM, H. Peter Anvin <hpa@xxxxxxxxx> wrote: >> On 04/09/2013 11:31 AM, Kees Cook wrote: >>>>> ... >>>>> 0xffff880001e00000-0xffff88001fe00000 480M RW PSE GLB NX pmd >>>>> >>>> >>>> That is the 1:1 memory map area... >>> >>> Meaning what? >>> >>> -Kees >>> >> >> That's the area in which we just map 1:1 to memory. Anything allocated >> with e.g. kmalloc() ends up with those addresses. > > Ah-ha! Yes, I see now when comparing the debug/kernel_page_tables > reports. It's just the High Kernel Mapping that we care about. > Addresses outside that range are less of a leak. Excellent, then GDT > may not be a problem. Whew. The GDT is a problem if the address returned by 'sgdt' is kernel-writable - it doesn't necessarily reveal the random offset, but I'm pretty sure that writing to the GDT could cause privilege escalation. > > Does the v2 IDT patch look okay, BTW? > > -Kees > > -- > Kees Cook > Chrome OS Security _______________________________________________ Virtualization mailing list Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/virtualization
