[oss-security] Linux kernel: "Meltdown leaks with Global kernel mapping"
Solar Designer
2018-10-09 11:41:26 UTC
Hi,

I didn't look into this closely, but I think it needs to be brought in
here. Back in August, Dave Hansen reported what may be ways to bypass
PTI protection in the Linux kernel in some cases. Dave's fixes got into
Linux 4.18.5, but maybe not into any other releases nor into distros,
except for those that updated to 4.18.5 (apparently, some SUSE branch
and some Yocto branch?)

Start of a relevant thread:

https://lists.openwall.net/linux-kernel/2018/08/02/976

The Subject says "close two Meltdown leaks with Global kernel mapping",
but it isn't immediately clear to me what "two" leaks there are. Only
one appears to be clearly described:

https://lists.openwall.net/linux-kernel/2018/08/02/979

The corresponding commit:

https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=x86/pti-urgent&id=c40a56a7818cfe735fc93a69e1875f8bba834483

There are mentions of "r/w kernel text issue" and "unused hole" issue -
is this why "two"? But "r/w kernel text" feels irrelevant to Meltdown.

I've attached the two LKML postings above for archival on oss-security
as well.

Alexander
Dave Hansen
2018-10-11 20:30:33 UTC
Post by Solar Designer
> There are mentions of "r/w kernel text issue" and "unused hole" issue -
> is this why "two"? But "r/w kernel text" feels irrelevant to Meltdown.
The current PTI code leaves the entire area of the kernel binary
between '_text' and '_end' as Global (on non-PCID hardware).
However, that range contains both read-write kernel data, and two
"unused" holes in addition to text.
I said two issues because I saw two distinct problems:

1. 'read-write kernel data'
2. '"unused" holes'

Does that clear it up?

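A defender-side check for the first of Dave's two problems, added here as an example and not code from either poster or from the kernel tree: it parses the text format of the x86 page-table dump (assumed to be the CONFIG_X86_PTDUMP output in /sys/kernel/debug/page_tables/kernel, with flag words such as RW/ro, PSE, GLB, NX/x) and lists ranges in the kernel image mapping that are both Global and read-write. The sample dump is constructed; the GLB bit is only expected on kernel text under PTI on non-PCID hardware, so the check is meaningful there.

```python
import re

# Constructed sample in the text format of the x86 page-table dump
# (/sys/kernel/debug/page_tables/kernel, CONFIG_X86_PTDUMP); the
# addresses and flags are made up for illustration.
SAMPLE_DUMP = """\
---[ High Kernel Mapping ]---
0xffffffff80000000-0xffffffff81000000          16M                               pmd
0xffffffff81000000-0xffffffff81a00000          10M     ro         PSE     GLB x  pmd
0xffffffff81a00000-0xffffffff81c00000           2M     RW         PSE     GLB NX pmd
0xffffffff81c00000-0xffffffff82000000           4M     ro         PSE         NX pmd
0xffffffff82000000-0xffffffff82200000           2M     RW         PSE         NX pmd
---[ Modules ]---
0xffffffffa0000000-0xffffffffa0200000           2M     RW                 GLB NX pmd
"""

# address range, size, flag words (e.g. USR RW PSE GLB NX), paging level
LINE_RE = re.compile(
    r"^0x([0-9a-f]+)-0x([0-9a-f]+)\s+(\S+)\s+(.*?)\s*(pgd|p4d|pud|pmd|pte)$")


def parse_ptdump(text):
    """Return one dict per range, tagged with its ---[ section ]--- name."""
    entries, section = [], None
    for line in text.splitlines():
        if line.startswith("---["):
            section = line.strip("-[] ")
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        start, end, size, flags, level = m.groups()
        entries.append({"section": section, "start": int(start, 16),
                        "end": int(end, 16), "size": size,
                        "flags": set(flags.split()), "level": level})
    return entries


def global_writable(entries, section="High Kernel Mapping"):
    """Ranges of the kernel image mapping that are both Global and RW.

    Under PTI on non-PCID hardware the kernel text may legitimately stay
    Global (ro); read-write data carrying GLB is the condition the fixed
    kernels remove, so each hit is worth comparing against a patched box.
    """
    return [e for e in entries
            if e["section"] == section and {"GLB", "RW"} <= e["flags"]]


if __name__ == "__main__":
    for e in global_writable(parse_ptdump(SAMPLE_DUMP)):
        print(f"Global+RW: {e['start']:#x}-{e['end']:#x} {e['size']} "
              f"{' '.join(sorted(e['flags']))} {e['level']}")
```

On a real system, feed the file contents in place of SAMPLE_DUMP (debugfs must be mounted and the kernel built with CONFIG_X86_PTDUMP).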