Re: [PATCH 0/2] Don't leave executable TLB entries to freed pages

From: Nadav Amit
Date: Tue Nov 27 2018 - 20:06:14 EST


> On Nov 27, 2018, at 4:07 PM, Rick Edgecombe <rick.p.edgecombe@xxxxxxxxx> wrote:
>
> Sometimes when memory is freed via the module subsystem, an executable
> permissioned TLB entry can remain to a freed page. If the page is re-used to
> back an address that will receive data from userspace, it can result in user
> data being mapped as executable in the kernel. The root of this behavior is
> vfree lazily flushing the TLB, but not lazily freeing the underlying pages.
>
> There are sort of three categories of this which show up across modules, bpf,
> kprobes and ftrace:
>
> 1. When executable memory is touched and then immediately freed
>
> This shows up in a couple error conditions in the module loader and BPF JIT
> compiler.

Interesting!

Note that this may cause conflict with "x86: avoid W^X being broken during
modules loading", which I recently submitted.
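The hazard the quoted cover letter describes, as an added illustration that is not code from the patch series or the kernel: a toy model of a TLB and a page allocator in which vfree returns the backing page immediately while the translation is only flushed lazily, so a user-data page re-using that frame is still reachable through a cached executable translation. The names, the page count and the virtual address are constructed for the model; `flush_before_free` selects the lazy behaviour (false) or a flush-then-free order (true).

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the bug: page tables are torn down and the TLB is
 * flushed lazily, but the underlying page is freed (and reusable) at once. */
#define NPAGES   4
#define TLB_SIZE 4

struct tlb_entry { unsigned long vaddr; int pfn; bool exec; bool valid; };
static struct tlb_entry tlb[TLB_SIZE];   /* cached translations (the "TLB") */
static bool page_free[NPAGES];           /* simple page allocator state */

static void tlb_flush(void) { memset(tlb, 0, sizeof(tlb)); }

/* The CPU caches a translation when the mapping is touched. */
static void tlb_fill(unsigned long vaddr, int pfn, bool exec)
{
    for (int i = 0; i < TLB_SIZE; i++)
        if (!tlb[i].valid) {
            tlb[i] = (struct tlb_entry){ vaddr, pfn, exec, true };
            return;
        }
}

static int alloc_page(void)
{
    for (int i = 0; i < NPAGES; i++)
        if (page_free[i]) { page_free[i] = false; return i; }
    return -1;
}

/* Is the physical frame pfn still reachable through an executable entry? */
static bool stale_exec_mapping(int pfn)
{
    for (int i = 0; i < TLB_SIZE; i++)
        if (tlb[i].valid && tlb[i].pfn == pfn && tlb[i].exec) return true;
    return false;
}

/* Returns true when a page later reused for user data is still mapped
 * executable by a stale TLB entry (the situation the cover letter warns of). */
bool run_scenario(bool flush_before_free)
{
    tlb_flush();
    for (int i = 0; i < NPAGES; i++) page_free[i] = true;
    int pfn = alloc_page();                 /* frame backing module text */
    tlb_fill(0xa0000000UL, pfn, true);      /* touched, cached as executable */
    if (flush_before_free) tlb_flush();     /* ordering that avoids the hazard */
    page_free[pfn] = true;                  /* vfree returns the frame now */
    int reused = alloc_page();              /* same frame now holds user data */
    return reused == pfn && stale_exec_mapping(reused);
}
```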