Re: [RFC PATCH v7 00/16] Add support for eXclusive Page Frame Ownership

From: Julian Stecklina
Date: Wed Jan 16 2019 - 10:00:03 EST

Khalid Aziz <khalid.aziz@xxxxxxxxxx> writes:

> I am continuing to build on the work Juerg, Tycho and Julian have done
> on XPFO.


> A rogue process can launch a ret2dir attack only from a CPU that has
> dual mapping for its pages in physmap in its TLB. We can hence defer
> TLB flush on a CPU until a process that would have caused a TLB flush
> is scheduled on that CPU.

Assuming the attacker already has the ability to execute arbitrary code
in userspace, they can just create a second process and thus avoid the
TLB flush. Am I getting this wrong?
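As an added illustration (not part of this thread or of the XPFO patches), here is a toy model of per-CPU TLB state under the two flush policies discussed above: eager cross-CPU flush versus the deferral in the cover letter, where a remote CPU is flushed only when the process that caused the unmap is next scheduled there. The `Machine` class, the CPU count, the pids and the frame number are all constructed for the example.

```python
# Toy model of per-CPU TLB state under two XPFO flush policies. Constructed
# example for this thread, not kernel code: CPUs, pids and the frame number
# are made up. "stale" holds frames whose physmap alias a CPU's TLB may still
# translate after the frame was removed from physmap.
class Machine:
    def __init__(self, ncpus):
        self.stale = [set() for _ in range(ncpus)]  # per-CPU stale aliases
        self.owed = [set() for _ in range(ncpus)]   # per-CPU pids owing a flush

    def unmap(self, pid, frame, on_cpu, deferred):
        """pid's frame leaves physmap while pid runs on on_cpu.
        Eager policy: every CPU is flushed now, nothing stays stale.
        Deferred policy (cover letter): only the local CPU is flushed; each
        remote CPU keeps the stale alias until pid is scheduled there."""
        for cpu in range(len(self.stale)):
            if deferred and cpu != on_cpu:
                self.stale[cpu].add(frame)
                self.owed[cpu].add(pid)
            else:
                self.stale[cpu].discard(frame)

    def schedule(self, pid, cpu):
        """Context switch pid onto cpu; the deferred flush fires only when
        a pid that caused an unmap lands on this CPU."""
        if pid in self.owed[cpu]:
            self.stale[cpu].clear()
            self.owed[cpu].clear()

    def stale_on(self, cpu):
        return set(self.stale[cpu])


def stale_after_switch(deferred, next_pid):
    """Process 1 drops frame 0x1000 from physmap on CPU 0, then next_pid is
    scheduled on CPU 1. Returns the stale aliases CPU 1 may still translate."""
    m = Machine(ncpus=2)
    m.unmap(pid=1, frame=0x1000, on_cpu=0, deferred=deferred)
    m.schedule(next_pid, cpu=1)
    return m.stale_on(1)


if __name__ == "__main__":
    print("eager flush, pid 2 on CPU 1:   ", stale_after_switch(False, 2))
    print("deferred flush, pid 1 on CPU 1:", stale_after_switch(True, 1))
    print("deferred flush, pid 2 on CPU 1:", stale_after_switch(True, 2))
```

The third case is the one raised in the reply: with deferral keyed to the unmapping pid, a different pid scheduled on the unflushed CPU still finds the alias cached, so the flush condition would need to be tied to the CPU's state rather than to the originating process.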