Re: [RFC] x86/mm/KASLR: Remap GDTs at fixed location
From: Ingo Molnar
Date: Thu Jan 05 2017 - 03:21:04 EST
* Thomas Garnier <thgarnie@xxxxxxxxxx> wrote:
> Each processor holds a GDT in its per-cpu structure. The sgdt
> instruction gives the base address of the current GDT. This address can
> be used to bypass KASLR memory randomization. With another bug, an
> attacker could target other per-cpu structures or deduce the base of the
> main memory section (PAGE_OFFSET).
>
> In this change, a space is reserved at the end of the memory range
> available for KASLR memory randomization. The space is big enough to hold
> the maximum number of CPUs (as defined by setup_max_cpus). Each GDT is
> mapped at specific offset based on the target CPU. Note that if there is
> not enough space available, the GDTs are not remapped.
>
> The document was changed to mention GDT remapping for KASLR. This patch
> also include dump page tables support.
>
> This patch was tested on multiple hardware configurations and for
> hibernation support.
> void kernel_randomize_memory(void);
> +void kernel_randomize_smp(void);
> +void* kaslr_get_gdt_remap(int cpu);
Yeah, no fundamental objections from me to the principle, but I get some bad vibes
from the naming here: seeing that kernel_randomize_smp() actually makes things
less random.
Also, don't we want to do this unconditionally and not allow remapping failures?
The GDT is fairly small, plus making the SGDT instruction expose fewer kernel
internals would be (marginally) useful on non-randomized kernels as well.
It also makes the code more common, more predictable, more debuggable and less
complex overall - which is pretty valuable in terms of long term security as well.
Thanks,
Ingo