
Modify CR4 and CR0 directly using mov

Posted Nov 15, 2019 14:49 UTC (Fri) by zainryan (guest, #131584)
Parent article: Cook: Security things in Linux v5.3

How about if the attacker directly executes "mov %0,%%cr4" rather than calling functions like native_write_cr4? Then there is really no way to "pin", right?


Modify CR4 and CR0 directly using mov

Posted Nov 15, 2019 15:16 UTC (Fri) by farnz (subscriber, #17727) [Link]

If the attacker can execute arbitrary code in ring 0, they have full control of the kernel, and nothing done in kernel code can protect against them.

The point of pinning here is that there are techniques like ROP that allow you to call your choice of kernel code with your choice of arguments. By teaching native_write_cr4 to never unset some security-relevant bits, you've forced the attacker to find a harder route to arbitrary code execution than just "call native_write_cr4 to disable SMEP and then branch to my formerly userspace code". This, in turn, makes it less likely that any given bug will be actively exploited - it becomes harder to write a reliable exploit - and gives the kernel developers more time between "this bug permits ROP" and "this bug is being exploited in the wild".
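As an added illustration (not kernel code and not part of the comment above): a small C model of the pinning farnz describes, in which the write routine refuses to let the security-relevant CR4 bits be cleared and records the attempt. The register is a simulated variable rather than a real `mov %cr4`; the bit positions are the real CR4 ones, and the function names are invented for the example.

```c
/* Model of CR4 bit pinning as described in the thread (illustrative, not kernel code). */
#include <stdio.h>

/* Real CR4 bit positions from the Intel SDM; only the pinned subset is modelled. */
#define CR4_UMIP (1UL << 11)
#define CR4_SMEP (1UL << 20)
#define CR4_SMAP (1UL << 21)

/* Bits that, once set at boot, a later write is never allowed to clear. */
static const unsigned long cr4_pinned_bits = CR4_SMEP | CR4_SMAP | CR4_UMIP;

/* Stand-in for the hardware register (a real kernel would read/write %cr4). */
static unsigned long simulated_cr4;

/* How many writes tried to drop a pinned bit; a real kernel would WARN here. */
static unsigned long pin_violations;

/* Pinned write: force the pinned bits back on, record the violation,
 * and return the value that actually lands in the register. */
unsigned long pinned_write_cr4(unsigned long val)
{
    if ((val & cr4_pinned_bits) != cr4_pinned_bits) {
        pin_violations++;
        val |= cr4_pinned_bits;   /* refuse to clear SMEP/SMAP/UMIP */
    }
    simulated_cr4 = val;
    return val;
}

unsigned long pinned_read_cr4(void) { return simulated_cr4; }
unsigned long pinned_violation_count(void) { return pin_violations; }

int main(void)
{
    /* Constructed starting state: PAE (bit 5) plus the pinned bits set. */
    simulated_cr4 = cr4_pinned_bits | (1UL << 5);

    /* A ROP-style call that tries to write CR4 with SMEP cleared. */
    unsigned long wanted = simulated_cr4 & ~CR4_SMEP;
    pinned_write_cr4(wanted);

    printf("cr4 after write: %#lx, violations: %lu\n",
           pinned_read_cr4(), pinned_violation_count());
    return 0;
}
```

A write that keeps the pinned bits set passes through unchanged, so ordinary kernel updates to CR4 are unaffected.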


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds