From patchwork Tue Feb 16 21:36:59 2016
X-Patchwork-Submitter: David Brown
X-Patchwork-Id: 8332541
Date: Tue, 16 Feb 2016 14:36:59 -0700
From: David Brown
To: Russell King
Subject: [PATCH] ARM: vdso: Mark vDSO code as read-only
Message-ID: <20160216213659.GA47194@davidb.org>
In-Reply-To: <1453226922-16831-1-git-send-email-keescook@chromium.org>
Cc: linux-arch, Kees Cook, Arnd Bergmann, kernel-hardening@lists.openwall.com, Michael Ellerman, x86@kernel.org, linux-kernel@vger.kernel.org, Andy Lutomirski, Ingo Molnar, "H. Peter Anvin", PaX Team, Emese Revfy, Thomas Gleixner, Mathias Krause, linux-arm-kernel@lists.infradead.org

Although the arm vDSO is cleanly separated by code/data with the code being read-only in userspace mappings, the code page is still writable from the kernel. There have been exploits (such as http://itszn.com/blog/?p=21) that take advantage of this on x86 to go from a bad kernel write to full root. Prevent this specific exploit on arm by putting the vDSO code page in post-init read-only memory as well.
Before: vdso: 1 text pages at base 80927000 root@Vexpress:/ cat /sys/kernel/debug/kernel_page_tables ---[ Modules ]--- ---[ Kernel Mapping ]--- 0x80000000-0x80100000 1M RW NX SHD 0x80100000-0x80600000 5M ro x SHD 0x80600000-0x80800000 2M ro NX SHD 0x80800000-0xbe000000 984M RW NX SHD After: vdso: 1 text pages at base 8072b000 root@Vexpress:/ cat /sys/kernel/debug/kernel_page_tables ---[ Modules ]--- ---[ Kernel Mapping ]--- 0x80000000-0x80100000 1M RW NX SHD 0x80100000-0x80600000 5M ro x SHD 0x80600000-0x80800000 2M ro NX SHD 0x80800000-0xbe000000 984M RW NX SHD Inspired by https://lkml.org/lkml/2016/1/19/494 based on work by the PaX Team, Brad Spengler, and Kees Cook. Signed-off-by: David Brown --- This patch depends on Kees Cook's series https://lkml.org/lkml/2016/1/19/497 which adds the ro_after_init section. arch/arm/vdso/vdso.S | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/arch/arm/vdso/vdso.S b/arch/arm/vdso/vdso.S index b2b97e3..a62a7b6 100644 --- a/arch/arm/vdso/vdso.S +++ b/arch/arm/vdso/vdso.S @@ -23,9 +23,8 @@ #include #include - __PAGE_ALIGNED_DATA - .globl vdso_start, vdso_end + .section .data..ro_after_init .balign PAGE_SIZE vdso_start: .incbin "arch/arm/vdso/vdso.so"
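Review bot: as rendered, `.globl vdso_start, vdso_end` sits on a `-` line with no `+` line re-declaring it, and `.section .data..ro_after_init` is the only addition; if the directive really is dropped, rather than the blank line that followed `__PAGE_ALIGNED_DATA` (the diffstat's 1 insertion / 2 deletions fits either reading), vdso_start and vdso_end lose their global binding and the C code that references them will no longer link, so please confirm the `.globl` line survives in the applied patch. Separately, the Before and After kernel_page_tables dumps are identical; the evidence for the change is the vdso text base moving from 80927000 (inside the 0x80800000-0xbe000000 RW NX range) to 8072b000 (inside the 0x80600000-0x80800000 ro NX range), and the description would be clearer if it said so explicitly.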
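As an added check that is not part of the patch or the kernel tree, the POSIX sh script below parses the two artefacts quoted in the description (the "vdso: N text pages at base XXXXXXXX" boot line and the /sys/kernel/debug/kernel_page_tables dump) and reports whether the vDSO base falls in a read-only range. The sample dump is constructed from the patch's own listing and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the patch): verify that the vDSO text page lands in
# a read-only kernel mapping, using the vdso boot message and the
# kernel_page_tables format quoted in the description. Function names are mine.

# Constructed sample dump, copied from the patch description's listing.
PT_SAMPLE='---[ Modules ]---
---[ Kernel Mapping ]---
0x80000000-0x80100000 1M RW NX SHD
0x80100000-0x80600000 5M ro x SHD
0x80600000-0x80800000 2M ro NX SHD
0x80800000-0xbe000000 984M RW NX SHD'

# vdso_base LINE: print the hex base from the kernel's vdso boot message.
vdso_base() {
    printf '%s\n' "$1" | sed -n 's/.*text pages at base \([0-9a-fA-F]*\).*/\1/p'
}

# vdso_perms BASE_HEX: read a kernel_page_tables dump on stdin and print the
# permission column (RW or ro) of the range containing BASE_HEX, else "none".
vdso_perms() {
    addr=$((0x$1))
    while read -r range _size perms _rest; do
        case $range in 0x*-0x*) ;; *) continue ;; esac   # skip section banners
        lo=$((${range%-*})); hi=$((${range#*-}))
        if [ "$addr" -ge "$lo" ] && [ "$addr" -lt "$hi" ]; then
            echo "$perms"; return 0
        fi
    done
    echo none
}

# check_vdso_ro BASE_HEX [DUMP_FILE]: succeed only if the vDSO base is in a
# read-only range; DUMP_FILE defaults to the live debugfs page-table dump.
check_vdso_ro() {
    dump=${2:-/sys/kernel/debug/kernel_page_tables}
    [ "$(vdso_perms "$1" < "$dump")" = ro ]
}

# Stand-alone run against the sample: "before" base is RW, "after" base is ro.
if [ "${1:-}" = --demo ]; then
    tmp=$(mktemp); printf '%s\n' "$PT_SAMPLE" > "$tmp"
    for line in 'vdso: 1 text pages at base 80927000' \
                'vdso: 1 text pages at base 8072b000'; do
        base=$(vdso_base "$line")
        if check_vdso_ro "$base" "$tmp"; then echo "$base: ro (good)"
        else echo "$base: writable from the kernel"; fi
    done
    rm -f "$tmp"
fi
```

On a live system, pass the base printed by dmesg and omit the second argument to read the real debugfs dump (CONFIG_ARM_PTDUMP must be enabled and debugfs mounted).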