From patchwork Mon Jun 25 22:39:12 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Thomas Garnier <thgarnie@google.com>
X-Patchwork-Id: 10488315
Return-Path: 
 <kernel-hardening-return-13674-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	16D74602B3 for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Tue, 26 Jun 2018 08:46:47 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 06218287E2
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Tue, 26 Jun 2018 08:46:47 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id EF29E287E7; Tue, 26 Jun 2018 08:46:46 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-12.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1
Received: from mother.openwall.net (mother.openwall.net [195.42.179.200])
	by mail.wl.linuxfoundation.org (Postfix) with SMTP id 2E8B1287E2
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Tue, 26 Jun 2018 08:46:46 +0000 (UTC)
Received: (qmail 30369 invoked by uid 550); 26 Jun 2018 08:40:16 -0000
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:kernel-hardening@lists.openwall.com>
List-Help: <mailto:kernel-hardening-help@lists.openwall.com>
List-Unsubscribe: <mailto:kernel-hardening-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:kernel-hardening-subscribe@lists.openwall.com>
List-ID: <kernel-hardening.lists.openwall.com>
Delivered-To: mailing list kernel-hardening@lists.openwall.com
Delivered-To: moderator for kernel-hardening@lists.openwall.com
Received: (qmail 13495 invoked from network); 25 Jun 2018 22:42:55 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20161025;
	h=mime-version:date:in-reply-to:message-id:references:subject:from:to
	:cc; bh=nKsGAuVdENM/7FYnrmfj+wQvtZVRbdNj5W4MbHllG9I=;
	b=QMgWnPrY0FFp2tJsT9SpkGQ82hDem+ZHwbejjYLcLXBtfJvsWa8nEzaMHwO93NuWPP
	sqV66kWo1fs3yLJhX1h18JPJUKpsHVNrO91UeUF+AuU/0JXL6u/CrsF0s6DULn4UXXkk
	Yg+o+SiV/Hv1q/6K80SNuvGE77D1ZEdmHXHuduU5BcRf/vE4SlATXdCS2N0E91+nSktS
	bel5ChH2VXqYUsLH4LY6hWbf89WEdDP7KmtvjvNXvuCeaZooJTAdQfR3vytzfUhSWNoG
	S8AbFs8lbm6y+zBuquCBXmMiYFswnGXvt8y/kQSSUiCwybSn9neSBq55no6ilXlrp5QC
	l9SQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:date:in-reply-to:message-id
	:references:subject:from:to:cc;
	bh=nKsGAuVdENM/7FYnrmfj+wQvtZVRbdNj5W4MbHllG9I=;
	b=BybYjDqeqiaepiFIph2GtmD66Oo6p2rR86fgV8Loqngs6+pZqy9GtKqEXdRzyQHigS
	nB1Obvw48laMAuGCJBkTjBf+i4jIfwAf3r4eDxm+d3AmgxbWmxUqrmGDkmbCseP2xJ4G
	G8vYM+EbM6lV9BWdOf6nQSbSa3jASvEVdhbpGswbECoIKpyNM8jrTc4nl+JuYsnnFstr
	PlEnxMQVHehnxDN8KqmoUe2dysG5GojjQ7Jxd3aKge346RP89U35Bg2AQEJ/zYCCP0VV
	rXpzESu8ighoPZuQj3xGge+XN7RCDyFHhOt/9r8J5FB+N1h/8PghuUPg8yKmg9LYknPc
	6P7A==
X-Gm-Message-State: APt69E2J1yFNnkkWJU2LCcT4vVraVseZbkKXKoCfaAbjVMR8PbH58VMP
	mEGVpV5W5LZzfnKyXEgMwVovNW1LAFFQHbcPuDLFDUk+ebxC8Jpjvfa7T4fFHjHGc8iq0d4uOVQ
	h2Hj6Er7S7ILyk4GZ0jGpiZMGg1u3RsjzSgsKnCalysxEXD22ieB7L1XD60BJfpujo7S/eY4o4S
	jd9IT09sKl
X-Google-Smtp-Source: 
 AAOMgpefgEA80eL72T9HTtbgOdbzF2Q0O2xJtYxdVw5C4n1qa+2Z4QJzD0telcd8GxXR8bDNHkm9/XwOGPhOIQ==
MIME-Version: 1.0
X-Received: by 2002:a0c:f751:: with SMTP id
	e17-v6mr8240108qvo.29.1529966563900;
	Mon, 25 Jun 2018 15:42:43 -0700 (PDT)
Date: Mon, 25 Jun 2018 15:39:12 -0700
In-Reply-To: <20180625224014.134829-1-thgarnie@google.com>
Message-Id: <20180625224014.134829-25-thgarnie@google.com>
References: <20180625224014.134829-1-thgarnie@google.com>
X-Mailer: git-send-email 2.18.0.rc2.346.g013aa6912e-goog
Subject: [PATCH v5 24/27] x86/mm: Make the x86 GOT read-only
From: Thomas Garnier <thgarnie@google.com>
To: kernel-hardening@lists.openwall.com
Cc: Thomas Garnier <thgarnie@google.com>, Arnd Bergmann <arnd@arndb.de>,
	linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The GOT is changed during early boot when relocations are applied. Make
it read-only directly. This table exists only for PIE binary.

Position Independent Executable (PIE) support will allow to extend the
KASLR randomization range 0xffffffff80000000.

Signed-off-by: Thomas Garnier <thgarnie@google.com>
---
 include/asm-generic/vmlinux.lds.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index e373e2e10f6a..e5b0710fe693 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -314,6 +314,17 @@
 	__end_ro_after_init = .;
 #endif
 
+#ifdef CONFIG_X86_PIE
+#define RO_GOT_X86							\
+	.got        : AT(ADDR(.got) - LOAD_OFFSET) {			\
+		VMLINUX_SYMBOL(__start_got) = .;			\
+		*(.got);						\
+		VMLINUX_SYMBOL(__end_got) = .;				\
+	}
+#else
+#define RO_GOT_X86
+#endif
+
 /*
  * Read only Data
  */
@@ -370,6 +381,7 @@
 		__end_builtin_fw = .;					\
 	}								\
 									\
+	RO_GOT_X86							\
 	TRACEDATA							\
 									\
 	/* Kernel symbol table: Normal symbols */			\