From patchwork Wed Nov 7 10:36:19 2018
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 10672137
From: Ard Biesheuvel
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v4 1/2] arm64: mm: purge lazily unmapped vm regions before changing permissions
Date: Wed, 7 Nov 2018 11:36:19 +0100
Message-Id: <20181107103620.16054-2-ard.biesheuvel@linaro.org>
In-Reply-To: <20181107103620.16054-1-ard.biesheuvel@linaro.org>
References: <20181107103620.16054-1-ard.biesheuvel@linaro.org>
Cc: mark.rutland@arm.com, Ard Biesheuvel, keescook@chromium.org, jannh@google.com, catalin.marinas@arm.com, kernel-hardening@lists.openwall.com, will.deacon@arm.com, james.morse@arm.com, labbott@redhat.com

Call vm_unmap_aliases() every time we apply any changes to permission attributes of mappings in the vmalloc region. This avoids any potential issues resulting from lingering writable or executable aliases of mappings that should be read-only or non-executable, respectively.

Acked-by: Will Deacon
Signed-off-by: Ard Biesheuvel
--- arch/arm64/mm/pageattr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/arm64/mm/pageattr.c b/arch/arm64/mm/pageattr.c index a56359373d8b..787f9e385e6d 100644 --- a/arch/arm64/mm/pageattr.c +++ b/arch/arm64/mm/pageattr.c
@@ -93,6 +93,12 @@ static int change_memory_common(unsigned long addr, int numpages, if (!numpages) return 0; + /* + * Get rid of potentially aliasing lazily unmapped vm areas that may + * have permissions set that deviate from the ones we are setting here. + */ + vm_unmap_aliases(); + return __change_memory_common(start, size, set_mask, clear_mask); }

From patchwork Wed Nov 7 10:36:20 2018
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 10672143
From: Ard Biesheuvel
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v4 2/2] arm64: mm: apply r/o permissions of VM areas to its linear alias as well
Date: Wed, 7 Nov 2018 11:36:20 +0100
Message-Id: <20181107103620.16054-3-ard.biesheuvel@linaro.org>
In-Reply-To: <20181107103620.16054-1-ard.biesheuvel@linaro.org>
References: <20181107103620.16054-1-ard.biesheuvel@linaro.org>
Cc: mark.rutland@arm.com, Ard Biesheuvel, keescook@chromium.org, jannh@google.com, catalin.marinas@arm.com, kernel-hardening@lists.openwall.com, will.deacon@arm.com, james.morse@arm.com, labbott@redhat.com

On arm64, we use block mappings and contiguous hints to map the linear region, to minimize the TLB footprint. However, this means that the entire region is mapped using read/write permissions, which we cannot modify at page granularity without having to take intrusive measures to prevent TLB conflicts.

This means the linear aliases of pages belonging to read-only mappings (executable or otherwise) in the vmalloc region are also mapped read/write, and could potentially be abused to modify things like module code, bpf JIT code or other read-only data.

So let's fix this, by extending the set_memory_ro/rw routines to take the linear alias into account.
The consequence of enabling this is that we can no longer use block mappings or contiguous hints, so in cases where the TLB footprint of the linear region is a bottleneck, performance may be affected. Therefore, allow this feature to be runtime en/disabled, by setting rodata=full (or 'on' to disable just this enhancement, or 'off' to disable read-only mappings for code and r/o data entirely) on the kernel command line. Also, allow the default value to be set via a Kconfig option. Signed-off-by: Ard Biesheuvel Acked-by: Will Deacon Tested-by: Laura Abbott --- arch/arm64/Kconfig | 14 ++++++++++++++ arch/arm64/include/asm/mmu_context.h | 2 ++ arch/arm64/mm/mmu.c | 16 ++++++++++++++-- arch/arm64/mm/pageattr.c | 15 +++++++++++++++ 4 files changed, 45 insertions(+), 2 deletions(-) diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 787d7850e064..bf57c48c77df 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -958,6 +958,20 @@ config ARM64_SSBD If unsure, say Y. +config RODATA_FULL_DEFAULT_ENABLED + bool "Apply r/o permissions of VM areas also to their linear aliases" + default y + help + Apply read-only attributes of VM areas to the linear alias of + the backing pages as well. This prevents code or read-only data + from being modified (inadvertently or intentionally) via another + mapping of the same memory page. This additional enhancement can + be turned off at runtime by passing rodata=[off|on] (and turned on + with rodata=full if this option is set to 'n') + + This requires the linear region to be mapped down to pages, + which may adversely affect performance in some cases. + menuconfig ARMV8_DEPRECATED bool "Emulate deprecated/obsolete ARMv8 instructions" depends on COMPAT diff --git a/arch/arm64/include/asm/mmu_context.h b/arch/arm64/include/asm/mmu_context.h index 1e58bf58c22b..dfcfeffd2080 100644 --- a/arch/arm64/include/asm/mmu_context.h +++ b/arch/arm64/include/asm/mmu_context.h 
@@ -35,6 +35,8 @@ #include #include +extern bool rodata_full; + static inline void contextidr_thread_switch(struct task_struct *next) { if (!IS_ENABLED(CONFIG_PID_IN_CONTEXTIDR)) diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index d1d6601b385d..e1b2d58a311a 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -451,7 +451,7 @@ static void __init map_mem(pgd_t *pgdp) struct memblock_region *reg; int flags = 0; - if (debug_pagealloc_enabled()) + if (rodata_full || debug_pagealloc_enabled()) flags = NO_BLOCK_MAPPINGS | NO_CONT_MAPPINGS; /* @@ -552,7 +552,19 @@ static void __init map_kernel_segment(pgd_t *pgdp, void *va_start, void *va_end, static int __init parse_rodata(char *arg) { - return strtobool(arg, &rodata_enabled); + int ret = strtobool(arg, &rodata_enabled); + if (!ret) { + rodata_full = false; + return 0; + } + + /* permit 'full' in addition to boolean options */ + if (strcmp(arg, "full")) + return -EINVAL; + + rodata_enabled = true; + rodata_full = true; + return 0; } early_param("rodata", parse_rodata); diff --git a/arch/arm64/mm/pageattr.c b/arch/arm64/mm/pageattr.c index 787f9e385e6d..6cd645edcf35 100644 --- a/arch/arm64/mm/pageattr.c +++ b/arch/arm64/mm/pageattr.c @@ -25,6 +25,8 @@ struct page_change_data { pgprot_t clear_mask; }; +bool rodata_full __ro_after_init = IS_ENABLED(CONFIG_RODATA_FULL_DEFAULT_ENABLED); + static int change_page_range(pte_t *ptep, pgtable_t token, unsigned long addr, void *data) { @@ -64,6 +66,7 @@ static int change_memory_common(unsigned long addr, int numpages, unsigned long size = PAGE_SIZE*numpages; unsigned long end = start + size; struct vm_struct *area; + int i; if (!PAGE_ALIGNED(addr)) { start &= PAGE_MASK; 
@@ -93,6 +96,18 @@ static int change_memory_common(unsigned long addr, int numpages, if (!numpages) return 0; + /* + * If we are manipulating read-only permissions, apply the same + * change to the linear mapping of the pages that back this VM area. + */ + if (rodata_full && (pgprot_val(set_mask) == PTE_RDONLY || + pgprot_val(clear_mask) == PTE_RDONLY)) { + for (i = 0; i < area->nr_pages; i++) { + __change_memory_common((u64)page_address(area->pages[i]), + PAGE_SIZE, set_mask, clear_mask); + } + } + /* * Get rid of potentially aliasing lazily unmapped vm areas that may * have permissions set that deviate from the ones we are setting here.
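Review bot: in patch 1/2, the vm_unmap_aliases() call added to change_memory_common() takes no range, so every permission change that gets past the numpages check now purges all lazily unmapped areas rather than only aliases of [start, start + size). The new comment explains why the purge is needed but not that it is global; consider saying so in the comment, so that callers which change permissions frequently know this path now carries that cost.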
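Review bot: in the RODATA_FULL_DEFAULT_ENABLED help text (arch/arm64/Kconfig, patch 2/2), "turned off at runtime by passing rodata=[off|on]" lumps two different settings together, and the sentence ends without a full stop. Per the commit message, rodata=on disables only the linear-alias protection while rodata=off disables read-only mappings for code and r/o data entirely, and both are kernel command line parameters backed by a __ro_after_init variable rather than something that can be toggled on a running system. The help text should spell out the difference between the two values and say "on the kernel command line".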
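Review bot: in parse_rodata() (arch/arm64/mm/mmu.c, patch 2/2), the success branch of strtobool() sets rodata_full = false, so a plain rodata=on clears the linear-alias protection even when CONFIG_RODATA_FULL_DEFAULT_ENABLED=y. The commit message says this is intended, but the only comment in the function is "permit 'full' in addition to boolean options"; a line above the rodata_full = false assignment stating that boolean values deliberately override the Kconfig default would keep the next reader from treating it as a bug. Also add a blank line between the declaration of ret and the if that follows it.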
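Review bot: in the last hunk of arch/arm64/mm/pageattr.c (patch 2/2), the loop discards the return value of __change_memory_common() for each linear-alias page, while the call for the vmalloc range at the end of the function has its result returned. If an alias update fails, the caller is still told the change succeeded although a writable alias remains; propagate the first error instead. The loop also runs over all area->nr_pages rather than the numpages pages starting at addr, so a request covering part of a VM area changes the linear alias of the whole area. If that is intended, say so in the comment; otherwise index area->pages[] from the offset of start within the area.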