Linux Kernel To Better Fend Off Exploits That Disable SMAP / SMEP / UMIP Protections
Supervisor Mode Execution Protection (SMEP) and Supervisor Mode Access Prevention (SMAP) are security features of recent generations of Intel CPUs that prevent the kernel from executing or accessing unintended user-space memory, which in turn helps fend off various exploits. But some exploits have been calling the Linux kernel's native_write_cr4 function to disable SMEP/SMAP, since the status of these security options is controlled through bits in the CR4 control register.
With a new patch now pending in the tip tree ahead of the Linux 5.1 kernel cycle, the bits for SMEP and SMAP, as well as UMIP, are pinned so they can no longer be easily altered. UMIP, meanwhile, is the User-Mode Instruction Prevention feature to prevent execution of certain instructions in higher privilege levels, and its behavior too is controlled via a CR4 bit.
Google's Project Zero previously demonstrated an exploit path that used this CR4 kernel function to disable SMAP/SMEP protection before proceeding to its nefarious activities. Now, thanks to Google engineers, these SMAP/SMEP/UMIP bits are pinned within the native_write_cr4 function so they can't be trivially disabled from that call on supported CPUs.
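To make the pinning idea concrete, here is an added user-space model of the check (not the kernel's own code, and the function and variable names are assumptions): a simulated CR4 register, a one-time pin of the SMEP/SMAP/UMIP bits that are actually enabled, and a guarded write that re-asserts any pinned bit a caller tries to clear while leaving unrelated bits alone.

```c
#include <stdbool.h>
#include <stdio.h>
/* CR4 bit positions from the Intel SDM (real architectural values). */
#define X86_CR4_PGE  (1UL << 7)
#define X86_CR4_UMIP (1UL << 11)
#define X86_CR4_SMEP (1UL << 20)
#define X86_CR4_SMAP (1UL << 21)
#define CR4_PINS     (X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP)
static unsigned long sim_cr4;         /* constructed stand-in for the real register */
static unsigned long cr4_pinned_bits; /* bits that may never be cleared once pinned */
static void raw_write_cr4(unsigned long val) { sim_cr4 = val; } /* unguarded mov-to-cr4 */
static unsigned long read_cr4(void) { return sim_cr4; }
/* One-time pinning once boot has enabled the features: only bits actually set
 * get pinned, so a CPU lacking SMAP does not end up pinning SMAP. */
static void cr4_init_pinning(unsigned long bits) { cr4_pinned_bits = sim_cr4 & bits; }
/* Guarded write: re-asserts any pinned bit the caller tried to clear and
 * reports the tampering (the real kernel warns at this point). */
bool pinned_write_cr4(unsigned long val)
{
    unsigned long missing = ~val & cr4_pinned_bits;
    if (missing)
        val |= missing; /* restore the protections before touching the register */
    raw_write_cr4(val);
    return missing != 0;
}
/* Scenario 1: a write that clears SMEP/SMAP is caught and the bits survive. */
bool pinning_blocks_clearing(void)
{
    raw_write_cr4(CR4_PINS);
    cr4_init_pinning(CR4_PINS);
    bool tampered = pinned_write_cr4(read_cr4() & ~(X86_CR4_SMEP | X86_CR4_SMAP));
    return tampered && (read_cr4() & CR4_PINS) == CR4_PINS;
}
/* Scenario 2: ordinary writes to unpinned bits still go through untouched. */
bool pinning_allows_other_bits(void)
{
    raw_write_cr4(CR4_PINS);
    cr4_init_pinning(CR4_PINS);
    bool tampered = pinned_write_cr4(read_cr4() | X86_CR4_PGE);
    return !tampered && read_cr4() == (CR4_PINS | X86_CR4_PGE);
}
int main(void)
{
    printf("blocks clearing: %d, allows other bits: %d\n",
           pinning_blocks_clearing(), pinning_allows_other_bits());
    return 0;
}
```

The model pins only bits that were set at pinning time, mirroring why the protection applies on supported CPUs: a bit the hardware never enabled is never pinned.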