From patchwork Fri Feb 14 01:04:10 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 3649131
Return-Path: 
 <linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org>
X-Original-To: patchwork-linux-arm@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 1F6C99F1EE
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Fri, 14 Feb 2014 01:44:48 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 2F9BD2015A
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Fri, 14 Feb 2014 01:44:47 +0000 (UTC)
Received: from casper.infradead.org (casper.infradead.org [85.118.1.10])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 32DAD20107
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Fri, 14 Feb 2014 01:44:46 +0000 (UTC)
Received: from merlin.infradead.org ([2001:4978:20e::2])
	by casper.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux))
	id 1WE7p2-0005z7-Uu; Fri, 14 Feb 2014 01:44:09 +0000
Received: from localhost ([::1] helo=merlin.infradead.org)
	by merlin.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux))
	id 1WE7kA-0003PT-FD; Fri, 14 Feb 2014 01:39:06 +0000
Received: from smtp.outflux.net ([2001:19d0:2:6:c0de:0:736d:7470])
	by merlin.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat Linux))
	id 1WE7jx-0003Nt-FD for linux-arm-kernel@lists.infradead.org;
	Fri, 14 Feb 2014 01:38:54 +0000
Received: from www.outflux.net (serenity.outflux.net [10.2.0.2])
	by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2.1) with ESMTP id
	s1E14JUc005973; Thu, 13 Feb 2014 17:04:19 -0800
From: Kees Cook <keescook@chromium.org>
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 2/2] ARM: mm: keep rodata non-executable
Date: Thu, 13 Feb 2014 17:04:10 -0800
Message-Id: <1392339850-18686-3-git-send-email-keescook@chromium.org>
X-Mailer: git-send-email 1.7.9.5
In-Reply-To: <1392339850-18686-1-git-send-email-keescook@chromium.org>
References: <1392339850-18686-1-git-send-email-keescook@chromium.org>
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
X-HELO: www.outflux.net
X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20140213_203853_643767_956701FA 
X-CRM114-Status: GOOD (  12.75  )
X-Spam-Score: 0.5 (/)
Cc: Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will.deacon@arm.com>,
	Larry Bassel <lbassel@codeaurora.org>,
	Stephen Rothwell <sfr@canb.auug.org.au>,
	Russell King <linux@arm.linux.org.uk>,
	Nicolas Pitre <nico@linaro.org>, Ben Dooks <ben.dooks@codethink.co.uk>,
	=?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>,
	Grant Likely <grant.likely@linaro.org>,
	Dave Martin <Dave.Martin@arm.com>,
	Jiang Liu <liuj97@gmail.com>, Christoffer Dall <cdall@cs.columbia.edu>,
	Laura Abbott <lauraa@codeaurora.org>, keescook@chromium.org,
	Marc Zyngier <marc.zyngier@arm.com>,
	Rob Herring <rob.herring@calxeda.com>,
	Vitaly Andrianov <vitalya@ti.com>,
	Jonathan Austin <jonathan.austin@arm.com>,
	Simon Baatz <gmbnomis@gmail.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-kernel@vger.kernel.org,
	Santosh Shilimkar <santosh.shilimkar@ti.com>,
	Andrew Morton <akpm@linux-foundation.org>
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
MIME-Version: 1.0
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
X-Spam-Status: No, score=-1.8 required=5.0 tests=BAYES_00,KHOP_BIG_TO_CC,
	RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Introduce "CONFIG_DEBUG_RODATA" to mostly match the x86 config, though
the behavior is different: it depends on STRICT_KERNMEM_PERMS, which
sets rodata read-only (but executable), where as this option additionally
splits rodata from the kernel text (resulting in potentially more memory
lost to padding) and sets it non-executable as well. The end result is
that on builds with CONFIG_DEBUG_RODATA=y (like x86) the rodata with be
marked purely read-only.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 arch/arm/include/asm/cacheflush.h |    5 +++++
 arch/arm/kernel/vmlinux.lds.S     |    3 +++
 arch/arm/mm/Kconfig               |   12 ++++++++++++
 arch/arm/mm/init.c                |    8 ++++++++
 4 files changed, 28 insertions(+)

diff --git a/arch/arm/include/asm/cacheflush.h b/arch/arm/include/asm/cacheflush.h
index e9a49fe0284e..2b058fc7a188 100644
--- a/arch/arm/include/asm/cacheflush.h
+++ b/arch/arm/include/asm/cacheflush.h
@@ -486,4 +486,9 @@ int set_memory_rw(unsigned long addr, int numpages);
 int set_memory_x(unsigned long addr, int numpages);
 int set_memory_nx(unsigned long addr, int numpages);
 
+#ifdef CONFIG_DEBUG_RODATA
+/* This has already happened during free_initmem. */
+static inline void mark_rodata_ro(void) { }
+#endif
+
 #endif
diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
index 08fa667ef2f1..ec79e7268e09 100644
--- a/arch/arm/kernel/vmlinux.lds.S
+++ b/arch/arm/kernel/vmlinux.lds.S
@@ -120,6 +120,9 @@ SECTIONS
 			ARM_CPU_KEEP(PROC_INFO)
 	}
 
+#ifdef CONFIG_DEBUG_RODATA
+	. = ALIGN(1<<SECTION_SHIFT);
+#endif
 	RO_DATA(PAGE_SIZE)
 
 	. = ALIGN(4);
diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
index 999eb505faee..7c8bbe7e2769 100644
--- a/arch/arm/mm/Kconfig
+++ b/arch/arm/mm/Kconfig
@@ -968,3 +968,15 @@ config ARM_KERNMEM_PERMS
 	  region is padded to section-size (1MiB) boundaries (because their
 	  permissions are different and splitting the 1M pages into 4K ones
 	  causes TLB performance problems), wasting memory.
+
+config DEBUG_RODATA
+	bool "Split rodata from text and set it read-only/non-executable"
+	depends on ARM_KERNMEM_PERMS
+	default y
+	help
+	  If this is set, rodata will be split from kernel text and made
+	  non-executable. (This option already depends on the option
+	  CONFIG_STRICT_KERNMEM_PERMS which makes rodata read-only, though
+	  still executable.) This creates another section-size padded
+	  region, so it can waste more memory space while gaining a pure
+	  read-only rodata region.
diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c
index f0b1df53f436..5b1b049501b9 100644
--- a/arch/arm/mm/init.c
+++ b/arch/arm/mm/init.c
@@ -656,6 +656,14 @@ struct section_perm __initdata section_perms[] = {
 		.prot	= PMD_SECT_APX | PMD_SECT_AP_WRITE,
 #endif
 	},
+#ifdef CONFIG_DEBUG_RODATA
+	/* Make rodata RO (set NX). */
+	{
+		.start	= (unsigned long)__start_rodata,
+		.end	= (unsigned long)__init_begin,
+		.prot	= PMD_SECT_XN,
+	}
+#endif
 };
 
 static inline void section_update(unsigned long addr, pmdval_t prot)