On Wed, Jan 4, 2017 at 2:16 PM, Thomas Garnier <thgar...@google.com> wrote: > Each processor holds a GDT in its per-cpu structure. The sgdt > instruction gives the base address of the current GDT. This address can > be used to bypass KASLR memory randomization. With another bug, an > attacker could target other per-cpu structures or deduce the base of the > main memory section (PAGE_OFFSET). > > In this change, a space is reserved at the end of the memory range > available for KASLR memory randomization. The space is big enough to hold > the maximum number of CPUs (as defined by setup_max_cpus). Each GDT is > mapped at specific offset based on the target CPU. Note that if there is > not enough space available, the GDTs are not remapped.
Can we remap it read-only? I.e. use PAGE_KERNEL_RO instead of PAGE_KERNEL. After all, the ability to modify the GDT is instant root.