Linux 6.2 Addresses Another "Tasty Target For Attackers"
The tasty target for attackers now being addressed is finally randomizing the per-CPU entry area. Peter Zijlstra of Intel worked on the per-CPU entry area randomization and explained in the prior patch posting:
[Seth Jenkins of Google] found that the CPU-entry-area, the piece of per-cpu data that is mapped into the userspace page-tables for kPTI [Kernel Page Table Isolation], is not subject to any randomization -- irrespective of kASLR [Kernel Address Space Layout Randomization] settings.
On x86_64 a whole P4D (512 GB) of virtual address space is reserved for this structure, which is plenty large enough to randomize things a little.
As such, use a straightforward randomization scheme that avoids duplicates to spread the existing CPUs over the available space.
This makes it harder to find the addresses of important structures in the cpu entry areas like the entry stacks.
The per-CPU entry area randomization is now ready to go with Linux 6.2. Dave Hansen of Intel commented in the x86/mm pull request, "This includes some new randomization of the per-cpu entry areas from Peter Z. Without it, these areas are a tasty target for attackers. The entry code and mappings are especially tricky code and this has caused some issues along the way, but they have settled down."
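The duplicate-avoiding randomization described above, as an added C illustration (not the kernel's own code): each CPU gets a distinct slot inside the 512 GB region, redrawing whenever a slot is already taken, and falls back to the predictable slot == cpu-index layout when randomization is off. The per-CPU area size and the PRNG are assumptions for the demo.

```c
#include <stdint.h>
#include <stdbool.h>

/* 512 GB is reserved for the CPU entry areas (from the article); the per-CPU
 * area size is an assumed illustrative value, the real one is kernel-config dependent. */
#define CEA_MAP_SIZE   (512ULL << 30)
#define CEA_AREA_SIZE  (1ULL << 20)              /* assumption: 1 MiB per CPU */
#define CEA_MAX_SLOTS  ((unsigned int)(CEA_MAP_SIZE / CEA_AREA_SIZE))

/* Deterministic xorshift32 so the demo is reproducible; a kernel draws from its CSPRNG. */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Give each of ncpus CPUs a distinct slot in [0, max_slots). Without randomization
 * slot == cpu index, the predictable pre-6.2 layout. Returns false if ncpus > max_slots. */
bool assign_cea_slots(unsigned int ncpus, unsigned int max_slots,
                      bool randomize, unsigned int *slots) {
    if (ncpus > max_slots)
        return false;                         /* cannot place CPUs without duplicates */
    for (unsigned int i = 0; i < ncpus; i++) {
        unsigned int cand = i, j = i;
        while (randomize) {                   /* redraw until no earlier CPU holds the slot */
            cand = rng_next() % max_slots;    /* modulo bias is irrelevant for the demo */
            for (j = 0; j < i && slots[j] != cand; j++)
                ;
            if (j == i)
                break;
        }
        slots[i] = cand;
    }
    return true;
}

/* The invariant the scheme must uphold: every slot unique and inside the region. */
bool slots_are_valid(const unsigned int *slots, unsigned int ncpus, unsigned int max_slots) {
    for (unsigned int i = 0; i < ncpus; i++) {
        if (slots[i] >= max_slots)
            return false;
        for (unsigned int j = 0; j < i; j++)
            if (slots[j] == slots[i])
                return false;
    }
    return true;
}
```

The byte offset of a CPU's area is simply its slot times the area size, so an attacker who learns one CPU's slot learns nothing about the others.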
This pull request also includes Intel's work on enabling Linear Address Masking (LAM) for use with upcoming processors. LAM allows software to use the untranslated bits of 64-bit linear addresses for metadata. Linear addresses use either 48 bits (4-level paging) or 57 bits (5-level paging), and LAM lets the remaining bits of the 64-bit linear address carry metadata that the hardware ignores during translation.
This prior article has more background information on LAM and possible application use-cases for those upper bits in addresses. The x86/mm pull request also notes that LAM can let user-space memory sanitizers run with less overhead.