Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when pti_disable is set
From: Linus Torvalds
Date: Thu Jan 11 2018 - 13:36:21 EST
On Thu, Jan 11, 2018 at 10:32 AM, Josh Poimboeuf <jpoimboe@xxxxxxxxxx> wrote:
> On Thu, Jan 11, 2018 at 10:21:49AM -0800, Alexei Starovoitov wrote:
>>
>> hmm. Exposing cr3 to user space will make it trivial for user process
>> to know whether kpti is active. Not sure how exploitable such
>> information leak.
>
> It's already trivial to detect PTI from user space.
I agree. I don't think the whole "is PTI on" is all that much of a secret.
But exposing all of %cr3 to user space is completely unacceptable.
That's just about *the* best attack vector information you could give
to somebody, and would make KASLR almost totally uninteresting. If you
have access to the page directory pointer, and some other weakness
that allows you to access it, you're golden. You can do anything.
Linus