Re: [RFC PATCH v7 00/16] Add support for eXclusive Page Frame Ownership

From: Julian Stecklina
Date: Wed Jan 16 2019 - 10:00:03 EST

Next message: Andrew Lunn: "Re: [PATCH 1/3] net: dsa: lantiq_gswip: fix use-after-free on failed probe"
Previous message: Tony Lindgren: "Re: WIP Droid 4 voice calls, GNSS & PM with a TS 27.010 serdev driver"
Next in thread: Khalid Aziz: "Re: [RFC PATCH v7 00/16] Add support for eXclusive Page Frame Ownership"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Khalid Aziz <khalid.aziz@xxxxxxxxxx> writes:

> I am continuing to build on the work Juerg, Tycho and Julian have done
> on XPFO.

Awesome!

> A rogue process can launch a ret2dir attack only from a CPU that has
> dual mapping for its pages in physmap in its TLB. We can hence defer
> TLB flush on a CPU until a process that would have caused a TLB flush
> is scheduled on that CPU.

Assuming the attacker already has the ability to execute arbitrary code
in userspace, they can just create a second process and thus avoid the
TLB flush. Am I getting this wrong?

Julian

Next message: Andrew Lunn: "Re: [PATCH 1/3] net: dsa: lantiq_gswip: fix use-after-free on failed probe"
Previous message: Tony Lindgren: "Re: WIP Droid 4 voice calls, GNSS & PM with a TS 27.010 serdev driver"
Next in thread: Khalid Aziz: "Re: [RFC PATCH v7 00/16] Add support for eXclusive Page Frame Ownership"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]