Re: [PATCH 0/2] Donât leave executable TLB entries to freed pages

From: Nadav Amit
Date: Tue Nov 27 2018 - 20:06:14 EST

Next message: Ming Lei: "Re: [PATCH 1/2] loop: Report EOPNOTSUPP properly"
Previous message: Masahiro Yamada: "Re: [PATCH v4 0/2] dmaengine: add UniPhier MIO DMAC driver"
In reply to: Edgecombe, Rick P: "Re: [PATCH 2/2] x86/modules: Make x86 allocs to flush when free"
Next in thread: Nadav Amit: "Re: [PATCH 0/2] Donât leave executable TLB entries to freed pages"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> On Nov 27, 2018, at 4:07 PM, Rick Edgecombe <rick.p.edgecombe@xxxxxxxxx> wrote:
>
> Sometimes when memory is freed via the module subsystem, an executable
> permissioned TLB entry can remain to a freed page. If the page is re-used to
> back an address that will receive data from userspace, it can result in user
> data being mapped as executable in the kernel. The root of this behavior is
> vfree lazily flushing the TLB, but not lazily freeing the underlying pages.
>
> There are sort of three categories of this which show up across modules, bpf,
> kprobes and ftrace:
>
> 1. When executable memory is touched and then immediatly freed
>
> This shows up in a couple error conditions in the module loader and BPF JIT
> compiler.

Interesting!

Note that this may cause conflict with "x86: avoid W^X being broken during
modules loadingâ, which I recently submitted.

Next message: Ming Lei: "Re: [PATCH 1/2] loop: Report EOPNOTSUPP properly"
Previous message: Masahiro Yamada: "Re: [PATCH v4 0/2] dmaengine: add UniPhier MIO DMAC driver"
In reply to: Edgecombe, Rick P: "Re: [PATCH 2/2] x86/modules: Make x86 allocs to flush when free"
Next in thread: Nadav Amit: "Re: [PATCH 0/2] Donât leave executable TLB entries to freed pages"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]