[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [kernel-hardening] Re: [PATCH] x86: make IDT read-only



On Tue, Apr 9, 2013 at 11:46 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> On Tue, Apr 9, 2013 at 11:39 AM, H. Peter Anvin <hpa@xxxxxxxxx> wrote:
>> On 04/09/2013 11:31 AM, Kees Cook wrote:
>>>>> ...
>>>>> 0xffff880001e00000-0xffff88001fe00000         480M     RW         PSE GLB 
>>>>> NX pmd
>>>>>
>>>>
>>>> That is the 1:1 memory map area...
>>>
>>> Meaning what?
>>>
>>> -Kees
>>>
>>
>> That's the area in which we just map 1:1 to memory.  Anything allocated
>> with e.g. kmalloc() ends up with those addresses.
>
> Ah-ha! Yes, I see now when comparing the debug/kernel_page_tables
> reports. It's just the High Kernel Mapping that we care about.
> Addresses outside that range are less of a leak. Excellent, then GDT
> may not be a problem. Whew.

The GDT is a problem if the address returned by 'sgdt' is
kernel-writable - it doesn't necessarily reveal the random offset, but
I'm pretty sure that writing to the GDT could cause privilege
escalation.

>
> Does the v2 IDT patch look okay, BTW?
>
> -Kees
>
> --
> Kees Cook
> Chrome OS Security

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.