From patchwork Mon Feb 11 23:27:38 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Igor Stoppa X-Patchwork-Id: 10806995 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 588E21390 for ; Mon, 11 Feb 2019 23:29:16 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4942A2A823 for ; Mon, 11 Feb 2019 23:29:16 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3CDD92A84E; Mon, 11 Feb 2019 23:29:16 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_WEB autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5A7142A823 for ; Mon, 11 Feb 2019 23:29:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727696AbfBKX2L (ORCPT ); Mon, 11 Feb 2019 18:28:11 -0500 Received: from mail-wm1-f68.google.com ([209.85.128.68]:55621 "EHLO mail-wm1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727132AbfBKX2K (ORCPT ); Mon, 11 Feb 2019 18:28:10 -0500 Received: by mail-wm1-f68.google.com with SMTP id r17so990382wmh.5; Mon, 11 Feb 2019 15:28:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references:reply-to :mime-version:content-transfer-encoding; bh=wwet/Q5nK1jaWJoGHMR0JRbL8eZ4TUVn/3KeiBKAqsE=; b=o4AsfiwKL8uP6vCfhfBSMLyt0b/8pK4aPNm+I6vX8+5SScqpZX5+KySYVQUQ9LSw3m UC5RAPtu6G4auOPaX6osXzHudAhjAJIulwHiEIwhFIkkO4bpFmnhJ824qLXvmoPuBIu/ uJ32HlSZ16snVWzBDlSHMe8ASTbCBVWviBDnnLU3KnPHPzT2hyQSSwxAUFqHAOj63SlG HSenbzVUMUgtTdEvAxNPLWG/+xtF/mO1AoxNMCCFAdUZ8Q6fDvxsq5PNI3ScvnAZ/K2F 3QKm8n9ikOOzK6GXgMm1V7iXzW33doDJOnDgPcFROIp/M0MvSV5DGzApmVtDUGN/qi8H JRcw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:reply-to:mime-version:content-transfer-encoding; bh=wwet/Q5nK1jaWJoGHMR0JRbL8eZ4TUVn/3KeiBKAqsE=; b=GwSB8Of5oYN35/f/GtLYFrLm4V/ExGOP6+fCnFXHfN2jZ/xbATNXs/AqhodqAiLbdZ lB12u0pjPmp+dAEuWEi/6gldRQ5+e7ImM/SPypBQVVSGmsLX7+l15kgxp239exiEG/Io m3bCN/ILCcYobaX4iDIBAJqH2gw2rKWBkmF2+nTATa5iIYioANeXWcy2VvM/rwXSAwzz r8tCBKqRRbSjYic81BOY8RXRLxBi5zvqg4nLpii4VNoQOrls/N0UBM8GINKzltMQO8mq /IQbbQMs5f+sJLRjZn9ZgFAKHUzYphgGN3pbTSUy6BRMRW2M6JKkXIUDWjlUk/8TGhoQ mKSg== X-Gm-Message-State: AHQUAubLt4nPk/jd7uAZXeGaKz1jNWJqGiM+9EOuoWtAeCJlaTnvy0aa 1N84swVFCvolNDLFr9HvECw= X-Google-Smtp-Source: AHgI3IamOL48gPVRuSSuco75tzIoBaq0tGv6MdC6vEna43DbDNCsUFMY/ZZlKkEsF0xEPZX54CWe8A== X-Received: by 2002:a1c:96ce:: with SMTP id y197mr536195wmd.36.1549927688025; Mon, 11 Feb 2019 15:28:08 -0800 (PST) Received: from localhost.localdomain (bba134232.alshamil.net.ae. [217.165.113.120]) by smtp.gmail.com with ESMTPSA id e67sm1470295wmg.1.2019.02.11.15.28.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 15:28:07 -0800 (PST) From: Igor Stoppa X-Google-Original-From: Igor Stoppa Cc: Igor Stoppa , Andy Lutomirski , Nadav Amit , Matthew Wilcox , Peter Zijlstra , Kees Cook , Dave Hansen , Mimi Zohar , Thiago Jung Bauermann , Ahmed Soliman , linux-integrity@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [RFC PATCH v4 01/12] __wr_after_init: Core and default arch Date: Tue, 12 Feb 2019 01:27:38 +0200 Message-Id: <9d03ef9d09446da2dd92c357aa39af6cd071d7c4.1549927666.git.igor.stoppa@huawei.com> X-Mailer: git-send-email 2.19.1 In-Reply-To: References: Reply-To: Igor Stoppa MIME-Version: 1.0 To: unlisted-recipients:; (no To-header on input) Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The patch provides: - the core functionality for write-rare after init for statically allocated data, based on code from Matthew Wilcox - the default implementation for generic architecture A specific architecture can override one or more of the default functions. The core (API) functions are: - wr_memset(): write rare counterpart of memset() - wr_memcpy(): write rare counterpart of memcpy() - wr_assign(): write rare counterpart of the assignment ('=') operator - wr_rcu_assign_pointer(): write rare counterpart of rcu_assign_pointer() In case either the selected architecture doesn't support write rare after init, or the functionality is disabled, the write rare functions will resolve into their non-write rare counterpart: - memset() - memcpy() - assignment operator - rcu_assign_pointer() For code that can be either link as module or as built-in (ex: device driver init function), it is not possible to tell upfront what will be the case. For this scenario if the functions are called during system init, they will automatically choose, at runtime, to go through the fast path of non-write rare. Should they be invoked later, during module init, they will use the write-rare path. Signed-off-by: Igor Stoppa CC: Andy Lutomirski CC: Nadav Amit CC: Matthew Wilcox CC: Peter Zijlstra CC: Kees Cook CC: Dave Hansen CC: Mimi Zohar CC: Thiago Jung Bauermann CC: Ahmed Soliman CC: linux-integrity@vger.kernel.org CC: kernel-hardening@lists.openwall.com CC: linux-mm@kvack.org CC: linux-kernel@vger.kernel.org --- arch/Kconfig | 7 ++ include/linux/prmem.h (new) | 71 +++++++++++++++ mm/Makefile | 1 + mm/prmem.c (new) | 179 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 258 insertions(+) diff --git a/arch/Kconfig b/arch/Kconfig index b0b6d176f1c1..0380d4a64681 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -814,6 +814,13 @@ config ARCH_HAS_PRMEM architecture specific symbol stating that the architecture provides a back-end function for the write rare operation. +config ARCH_HAS_PRMEM_HEADER + def_bool n + depends on ARCH_HAS_PRMEM + help + architecture specific symbol stating that the architecture provides + own specific header back-end for the write rare operation. + config PRMEM bool "Write protect critical data that doesn't need high write speed." depends on ARCH_HAS_PRMEM diff --git a/include/linux/prmem.h b/include/linux/prmem.h new file mode 100644 index 000000000000..0e4683c503b9 --- /dev/null +++ b/include/linux/prmem.h @@ -0,0 +1,71 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * prmem.h: Header for memory protection library - generic part + * + * (C) Copyright 2018-2019 Huawei Technologies Co. Ltd. + * Author: Igor Stoppa + */ + +#ifndef _LINUX_PRMEM_H +#define _LINUX_PRMEM_H + +#include +#include + +#ifndef CONFIG_PRMEM + +static inline void *wr_memset(void *p, int c, __kernel_size_t n) +{ + return memset(p, c, n); +} + +static inline void *wr_memcpy(void *p, const void *q, __kernel_size_t n) +{ + return memcpy(p, q, n); +} + +#define wr_assign(var, val) ((var) = (val)) +#define wr_rcu_assign_pointer(p, v) rcu_assign_pointer(p, v) + +#else + +#include + +void *wr_memset(void *p, int c, __kernel_size_t n); +void *wr_memcpy(void *p, const void *q, __kernel_size_t n); + +/** + * wr_assign() - sets a write-rare variable to a specified value + * @var: the variable to set + * @val: the new value + * + * Returns: the variable + */ + +#define wr_assign(dst, val) ({ \ + typeof(dst) tmp = (typeof(dst))val; \ + \ + wr_memcpy(&dst, &tmp, sizeof(dst)); \ + dst; \ +}) + +/** + * wr_rcu_assign_pointer() - initialize a pointer in rcu mode + * @p: the rcu pointer - it MUST be aligned to a machine word + * @v: the new value + * + * Returns the value assigned to the rcu pointer. + * + * It is provided as macro, to match rcu_assign_pointer() + * The rcu_assign_pointer() is implemented as equivalent of: + * + * smp_mb(); + * WRITE_ONCE(); + */ +#define wr_rcu_assign_pointer(p, v) ({ \ + smp_mb(); \ + wr_assign(p, v); \ + p; \ +}) +#endif +#endif diff --git a/mm/Makefile b/mm/Makefile index d210cc9d6f80..ef3867c16ce0 100644 --- a/mm/Makefile +++ b/mm/Makefile @@ -58,6 +58,7 @@ obj-$(CONFIG_SPARSEMEM) += sparse.o obj-$(CONFIG_SPARSEMEM_VMEMMAP) += sparse-vmemmap.o obj-$(CONFIG_SLOB) += slob.o obj-$(CONFIG_MMU_NOTIFIER) += mmu_notifier.o +obj-$(CONFIG_PRMEM) += prmem.o obj-$(CONFIG_KSM) += ksm.o obj-$(CONFIG_PAGE_POISONING) += page_poison.o obj-$(CONFIG_SLAB) += slab.o diff --git a/mm/prmem.c b/mm/prmem.c new file mode 100644 index 000000000000..9383b7d6951e --- /dev/null +++ b/mm/prmem.c @@ -0,0 +1,179 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * prmem.c: Memory Protection Library + * + * (C) Copyright 2018-2019 Huawei Technologies Co. Ltd. + * Author: Igor Stoppa + */ + +#include +#include + +/* + * In case an architecture needs a different declaration of struct + * wr_state, it can select ARCH_HAS_PRMEM_HEADER and provide its own + * version, accompanied by matching __wr_enable() and __wr_disable() + */ +#ifdef CONFIG_ARCH_HAS_PRMEM_HEADER +#include +#else + +struct wr_state { + struct mm_struct *prev; +}; + +#endif + + +__ro_after_init struct mm_struct *wr_mm; +__ro_after_init unsigned long wr_base; + +/* + * Default implementation of arch-specific functionality. + * Each arch can override the parts that require special handling. + */ +unsigned long __init __weak __init_wr_base(void) +{ + return 0UL; +} + +void * __weak __wr_addr(void *addr) +{ + return (void *)(wr_base + (unsigned long)addr); +} + +void __weak __wr_enable(struct wr_state *state) +{ + lockdep_assert_irqs_disabled(); + state->prev = current->active_mm; + switch_mm_irqs_off(NULL, wr_mm, current); +} + +void __weak __wr_disable(struct wr_state *state) +{ + lockdep_assert_irqs_disabled(); + switch_mm_irqs_off(NULL, state->prev, current); +} + +bool __init __weak __wr_map_address(unsigned long addr) +{ + spinlock_t *ptl; + pte_t pte; + pte_t *ptep; + unsigned long wr_addr; + struct page *page = virt_to_page(addr); + + if (unlikely(!page)) + return false; + wr_addr = (unsigned long)__wr_addr((void *)addr); + + /* The lock is not needed, but avoids open-coding. */ + ptep = get_locked_pte(wr_mm, wr_addr, &ptl); + if (unlikely(!ptep)) + return false; + + pte = mk_pte(page, PAGE_KERNEL); + set_pte_at(wr_mm, wr_addr, ptep, pte); + spin_unlock(ptl); + return true; +} + +void * __weak __wr_memset(void *p, int c, __kernel_size_t n) +{ + return (void *)memset_user((void __user *)p, (u8)c, n); +} + +void * __weak __wr_memcpy(void *p, const void *q, __kernel_size_t n) +{ + return (void *)copy_to_user((void __user *)p, q, n); +} + +/* + * The following two variables are statically allocated by the linker + * script at the boundaries of the memory region (rounded up to + * multiples of PAGE_SIZE) reserved for __wr_after_init. + */ +extern long __start_wr_after_init; +extern long __end_wr_after_init; +static unsigned long start = (unsigned long)&__start_wr_after_init; +static unsigned long end = (unsigned long)&__end_wr_after_init; +static inline bool is_wr_after_init(void *p, __kernel_size_t n) +{ + unsigned long low = (unsigned long)p; + unsigned long high = low + n; + + return likely(start <= low && high <= end); +} + +#define wr_mem_is_writable() (system_state == SYSTEM_BOOTING) + +/** + * wr_memcpy() - copies n bytes from q to p + * @p: beginning of the memory to write to + * @q: beginning of the memory to read from + * @n: amount of bytes to copy + * + * Returns pointer to the destination + */ +void *wr_memcpy(void *p, const void *q, __kernel_size_t n) +{ + struct wr_state state; + void *wr_addr; + + if (WARN_ONCE(!is_wr_after_init(p, n), "Invalid WR range.")) + return p; + + if (unlikely(wr_mem_is_writable())) + return memcpy(p, q, n); + + wr_addr = __wr_addr(p); + local_irq_disable(); + __wr_enable(&state); + __wr_memcpy(wr_addr, q, n); + __wr_disable(&state); + local_irq_enable(); + return p; +} + +/** + * wr_memset() - sets n bytes of the destination p to the c value + * @p: beginning of the memory to write to + * @c: byte to replicate + * @n: amount of bytes to copy + * + * Returns pointer to the destination + */ +void *wr_memset(void *p, int c, __kernel_size_t n) +{ + struct wr_state state; + void *wr_addr; + + if (WARN_ONCE(!is_wr_after_init(p, n), "Invalid WR range.")) + return p; + + if (unlikely(wr_mem_is_writable())) + return memset(p, c, n); + + wr_addr = __wr_addr(p); + local_irq_disable(); + __wr_enable(&state); + __wr_memset(wr_addr, c, n); + __wr_disable(&state); + local_irq_enable(); + return p; +} + +struct mm_struct *copy_init_mm(void); +void __init wr_init(void) +{ + unsigned long addr; + + wr_mm = copy_init_mm(); + BUG_ON(!wr_mm); + + wr_base = __init_wr_base(); + + /* Create alternate mapping for the entire wr_after_init range. */ + for (addr = start; addr < end; addr += PAGE_SIZE) + BUG_ON(!__wr_map_address(addr)); +} From patchwork Mon Feb 11 23:27:39 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Igor Stoppa X-Patchwork-Id: 10806949 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D07561390 for ; Mon, 11 Feb 2019 23:28:19 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BFDC529A5C for ; Mon, 11 Feb 2019 23:28:19 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B213B29E90; Mon, 11 Feb 2019 23:28:19 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_WEB autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 27B6E29A5C for ; Mon, 11 Feb 2019 23:28:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727901AbfBKX2O (ORCPT ); Mon, 11 Feb 2019 18:28:14 -0500 Received: from mail-wr1-f67.google.com ([209.85.221.67]:41186 "EHLO mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727132AbfBKX2N (ORCPT ); Mon, 11 Feb 2019 18:28:13 -0500 Received: by mail-wr1-f67.google.com with SMTP id x10so650007wrs.8; Mon, 11 Feb 2019 15:28:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references:reply-to :mime-version:content-transfer-encoding; bh=ENlTYT6F8yKSgZtSKFAMRVhy2HT+kX2kAlJukSMyeJE=; b=SKFOea9clX8kUXjGvLOkAz78zIlXk2l9cAAdszRgpu1WF9+EGlYZ09jCNchdkbmaC2 8XMzc6EJ4es6RG4yfh8iz6ilF2S8pczy501Lmx3sA+5GTPr5jyKxupxht3iJJYNzHPRS dO1Oa2gDPDloNIEL1xoGnm/CWJGTqTk1SNhdetFi8dolnrUHFwi/G35FNwjA4uv5Gq6P lQIguAmqnvp87zrCaSOSlTQeiVXRq6JEBjr/N+0tXSKavkX6Ny/HsOH/xnab0RoGwCxf 2KKeYRqX32cxYQVHhTMaY3YMwATRdRiYfiIA4uI0CuPSdMythsBD+LWEu2/dIFo1YPUL MQUg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:reply-to:mime-version:content-transfer-encoding; bh=ENlTYT6F8yKSgZtSKFAMRVhy2HT+kX2kAlJukSMyeJE=; b=UMMfF+7/hdijXVYn6v6vcPqmY5tjIfbcMLfTnQYvGUKc7Kxr6OK1E2x3u3ZezxwSeC WUjBv4n8qWcGoh48YeKTkPN7XheH7QVZO6+03PwW8qN0FOlTy5+86t9CNpLLaWBILDJ/ K2jidMF47MuUnpxHG9uDgCTJpDtGS7UgjaJ4kljrHsN5djWrNoC3QFV5zL0ep9qTZErp /mF1S5OvcPjA3Qoe+YY7lY/zOMemcSoIVf51etfxa+INLPSTC30vaSFnYs80GIz/CGbA gcp0IcHhJa4Zt7+bxXvwlSixG9b0XVDHbQctMDFm2Df253pIajftEcJmP23q+TPzBgIH rQBg== X-Gm-Message-State: AHQUAuZCdZCGgMNv6mjm/3gN83TAgsOIzCBL/HS7v8/vlEFMNLeZA/G7 DRYRwbkViVOW1vlkRFslCbQ= X-Google-Smtp-Source: AHgI3Ib9SM/GU3OSZIUw9Ef85LumnojTRalWrCht9QSJZfsd1LMbft46iDmaDh0LxziZQABUjeSKgA== X-Received: by 2002:adf:e290:: with SMTP id v16mr532903wri.100.1549927691315; Mon, 11 Feb 2019 15:28:11 -0800 (PST) Received: from localhost.localdomain (bba134232.alshamil.net.ae. [217.165.113.120]) by smtp.gmail.com with ESMTPSA id e67sm1470295wmg.1.2019.02.11.15.28.08 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 15:28:10 -0800 (PST) From: Igor Stoppa X-Google-Original-From: Igor Stoppa Cc: Igor Stoppa , Andy Lutomirski , Nadav Amit , Matthew Wilcox , Peter Zijlstra , Kees Cook , Dave Hansen , Mimi Zohar , Thiago Jung Bauermann , Ahmed Soliman , linux-integrity@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [RFC PATCH v4 02/12] __wr_after_init: x86_64: memset_user() Date: Tue, 12 Feb 2019 01:27:39 +0200 Message-Id: X-Mailer: git-send-email 2.19.1 In-Reply-To: References: Reply-To: Igor Stoppa MIME-Version: 1.0 To: unlisted-recipients:; (no To-header on input) Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP x86_64 specific version of memset() for user space, memset_user() In the __wr_after_init scenario, write-rare variables have: - a primary read-only mapping in kernel memory space - an alternate, writable mapping, implemented as user-space mapping The write rare implementation expects the arch code to privide a memset_user() function, which is currently missing. clear_user() is the base for memset_user() Signed-off-by: Igor Stoppa CC: Andy Lutomirski CC: Nadav Amit CC: Matthew Wilcox CC: Peter Zijlstra CC: Kees Cook CC: Dave Hansen CC: Mimi Zohar CC: Thiago Jung Bauermann CC: Ahmed Soliman CC: linux-integrity@vger.kernel.org CC: kernel-hardening@lists.openwall.com CC: linux-mm@kvack.org CC: linux-kernel@vger.kernel.org --- arch/x86/include/asm/uaccess_64.h | 6 ++++ arch/x86/lib/usercopy_64.c | 51 +++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+) diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h index a9d637bc301d..f194bfce4866 100644 --- a/arch/x86/include/asm/uaccess_64.h +++ b/arch/x86/include/asm/uaccess_64.h @@ -213,4 +213,10 @@ copy_user_handle_tail(char *to, char *from, unsigned len); unsigned long mcsafe_handle_tail(char *to, char *from, unsigned len); +unsigned long __must_check +memset_user(void __user *mem, int c, unsigned long len); + +unsigned long __must_check +__memset_user(void __user *mem, int c, unsigned long len); + #endif /* _ASM_X86_UACCESS_64_H */ diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c index ee42bb0cbeb3..e61963585354 100644 --- a/arch/x86/lib/usercopy_64.c +++ b/arch/x86/lib/usercopy_64.c @@ -9,6 +9,57 @@ #include #include +/* + * Memset Userspace + */ + +unsigned long __memset_user(void __user *addr, int c, unsigned long size) +{ + long __d0; + unsigned long pattern = 0x0101010101010101UL * (0xFFUL & c); + + might_fault(); + /* no memory constraint: gcc doesn't know about this memory */ + stac(); + asm volatile( + " movq %[pattern], %%rdx\n" + " testq %[size8],%[size8]\n" + " jz 4f\n" + "0: mov %%rdx,(%[dst])\n" + " addq $8,%[dst]\n" + " decl %%ecx ; jnz 0b\n" + "4: movq %[size1],%%rcx\n" + " testl %%ecx,%%ecx\n" + " jz 2f\n" + "1: movb %%dl,(%[dst])\n" + " incq %[dst]\n" + " decl %%ecx ; jnz 1b\n" + "2:\n" + ".section .fixup,\"ax\"\n" + "3: lea 0(%[size1],%[size8],8),%[size8]\n" + " jmp 2b\n" + ".previous\n" + _ASM_EXTABLE_UA(0b, 3b) + _ASM_EXTABLE_UA(1b, 2b) + : [size8] "=&c"(size), [dst] "=&D" (__d0) + : [size1] "r" (size & 7), "[size8]" (size / 8), + "[dst]" (addr), [pattern] "r" (pattern) + : "rdx"); + + clac(); + return size; +} +EXPORT_SYMBOL(__memset_user); + +unsigned long memset_user(void __user *to, int c, unsigned long n) +{ + if (access_ok(to, n)) + return __memset_user(to, c, n); + return n; +} +EXPORT_SYMBOL(memset_user); + + /* * Zero Userspace */ From patchwork Mon Feb 11 23:27:40 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Igor Stoppa X-Patchwork-Id: 10806993 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5681C1399 for ; Mon, 11 Feb 2019 23:29:15 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 480342A823 for ; Mon, 11 Feb 2019 23:29:15 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3C1542A84E; Mon, 11 Feb 2019 23:29:15 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_WEB autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C6E382A823 for ; Mon, 11 Feb 2019 23:29:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727916AbfBKX2U (ORCPT ); Mon, 11 Feb 2019 18:28:20 -0500 Received: from mail-wm1-f66.google.com ([209.85.128.66]:55624 "EHLO mail-wm1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727132AbfBKX2Q (ORCPT ); Mon, 11 Feb 2019 18:28:16 -0500 Received: by mail-wm1-f66.google.com with SMTP id r17so990536wmh.5; Mon, 11 Feb 2019 15:28:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references:reply-to :mime-version:content-transfer-encoding; bh=ziJEcxmH0HELRYpJ/Cx0XBIGaICt7y2RQVCxbSTmAUA=; b=Tt9djI+4tIxxQ5z9XBIXZPNsKwfr142LlXK+hQ65M9C24x2lFzeG66B1tVAsCYEHD5 lxkyRPZQ0d7NehS988SjU2aK0I7kZPVft7Vc+W/HY8bQPsWnifAgKghB7n90aodLDrnl lVPXX7q9YjeS2ulbNmlLXl6NtFYB5XvJEEgxMNocbquz7/szDVHN5yBdzXWilnSUIWV6 5lZKYRyJD3C9KP0rHanJWixPBBH9nGwy+o8iMGvBhmhP+XMzEYm2EF0bhpt1taB4s4z5 8y1TXoBB0V0MwKaVVuakzCSGEEpvjN4D1GunNHN9QYNv1W875CyqAi3osNxWduqQBsDv RurA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:reply-to:mime-version:content-transfer-encoding; bh=ziJEcxmH0HELRYpJ/Cx0XBIGaICt7y2RQVCxbSTmAUA=; b=Qo6D65L0heKrgIIR6QcXBs2aVxSkj0lfj0HmukNXvh2C4XNmZk0sB9nRR2FU9cPsJ8 0oHl0kzPYIGv+DOCZvO4mYoQLQt2lUmhIhZfTnvZnWSPErjtjS4h8oaI+RF/M7aGdC1G NeytCU8BD553i8spvyhSJOACN9s1OFcnfwqqghcyT3jf/N3Mf/1S3EAmc9eWOrtHZlHN I3XT1Vxw5HOxS4lXlmD5Y/o5sOzEJCNzLfIs/QmR4N7Om65nwoUUtN3IEmpaNp5HPYbO li1345t9RnAO0kBJwtCuobxIolLh9xjfi5YvSaXU/16bLHK//EvWj0tpdTEYVT2FQxOy NhIg== X-Gm-Message-State: AHQUAuZNear/hkBImOBbs2kz0Cc9iv6r4XHBeyLTOTPZqAhLR+SqHXlA hlHvoBnGX6nC7QLIkTU+JJg= X-Google-Smtp-Source: AHgI3IYd7Ah0YVUADfwQ9vu0EMe24Nxeh6S4B8+ipAqvagFO0quTn9x8ysqtHCmL+w/wBQ5gyDPMFA== X-Received: by 2002:a1c:f50a:: with SMTP id t10mr493561wmh.126.1549927694511; Mon, 11 Feb 2019 15:28:14 -0800 (PST) Received: from localhost.localdomain (bba134232.alshamil.net.ae. [217.165.113.120]) by smtp.gmail.com with ESMTPSA id e67sm1470295wmg.1.2019.02.11.15.28.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 15:28:13 -0800 (PST) From: Igor Stoppa X-Google-Original-From: Igor Stoppa Cc: Igor Stoppa , Andy Lutomirski , Nadav Amit , Matthew Wilcox , Peter Zijlstra , Kees Cook , Dave Hansen , Mimi Zohar , Thiago Jung Bauermann , Ahmed Soliman , linux-integrity@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [RFC PATCH v4 03/12] __wr_after_init: x86_64: randomize mapping offset Date: Tue, 12 Feb 2019 01:27:40 +0200 Message-Id: <378ee1e7e4c17e3bf6e49e1fb6c7cd9abd18ccfe.1549927666.git.igor.stoppa@huawei.com> X-Mailer: git-send-email 2.19.1 In-Reply-To: References: Reply-To: Igor Stoppa MIME-Version: 1.0 To: unlisted-recipients:; (no To-header on input) Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP x86_64 specialized way of defining the base address for the alternate mapping used by write-rare. Since the kernel address space spans across 64TB and it is mapped into a used address space of 128TB, the kernel address space can be shifted by a random offset that is up to 64TB and page aligned. This is accomplished by providing arch-specific version of the function __init_wr_base() Signed-off-by: Igor Stoppa CC: Andy Lutomirski CC: Nadav Amit CC: Matthew Wilcox CC: Peter Zijlstra CC: Kees Cook CC: Dave Hansen CC: Mimi Zohar CC: Thiago Jung Bauermann CC: Ahmed Soliman CC: linux-integrity@vger.kernel.org CC: kernel-hardening@lists.openwall.com CC: linux-mm@kvack.org CC: linux-kernel@vger.kernel.org --- arch/x86/mm/Makefile | 2 ++ arch/x86/mm/prmem.c (new) | 20 ++++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile index 4b101dd6e52f..66652de1e2c7 100644 --- a/arch/x86/mm/Makefile +++ b/arch/x86/mm/Makefile @@ -53,3 +53,5 @@ obj-$(CONFIG_PAGE_TABLE_ISOLATION) += pti.o obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt.o obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_identity.o obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_boot.o + +obj-$(CONFIG_PRMEM) += prmem.o diff --git a/arch/x86/mm/prmem.c b/arch/x86/mm/prmem.c new file mode 100644 index 000000000000..b04fc03f92fb --- /dev/null +++ b/arch/x86/mm/prmem.c @@ -0,0 +1,20 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * prmem.c: Memory Protection Library - x86_64 backend + * + * (C) Copyright 2018-2019 Huawei Technologies Co. Ltd. + * Author: Igor Stoppa + */ + +#include +#include + +unsigned long __init __init_wr_base(void) +{ + /* + * Place 64TB of kernel address space within 128TB of user address + * space, at a random page aligned offset. + */ + return (((unsigned long)kaslr_get_random_long("WR Poke")) & + PAGE_MASK) % (64 * _BITUL(40)); +} From patchwork Mon Feb 11 23:27:41 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Igor Stoppa X-Patchwork-Id: 10806991 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9E6561399 for ; Mon, 11 Feb 2019 23:29:13 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 901112A823 for ; Mon, 11 Feb 2019 23:29:13 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8498F2A84E; Mon, 11 Feb 2019 23:29:13 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_WEB autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2CA8A2A823 for ; Mon, 11 Feb 2019 23:29:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727922AbfBKX2U (ORCPT ); Mon, 11 Feb 2019 18:28:20 -0500 Received: from mail-wm1-f65.google.com ([209.85.128.65]:40175 "EHLO mail-wm1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727550AbfBKX2T (ORCPT ); Mon, 11 Feb 2019 18:28:19 -0500 Received: by mail-wm1-f65.google.com with SMTP id q21so1011905wmc.5; Mon, 11 Feb 2019 15:28:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references:reply-to :mime-version:content-transfer-encoding; bh=ktrl99/4+i4VLz6USppssXo49kPq9nmcbGTF0KLoSBQ=; b=ERfk6YwVVFsD4gpa86J3tNvUf/jRxA7negb6JBcQ5PSR0xZZvMMbnqTZ+wRrS2Husj Ggd8+h/Q6iGpIBl92FmkpdpssV2xt9w6MiuQS2cXjMtk96NDjzsy/uEnc/s7yXVpuL6c mpoDNWR+cp0zbAXtobA5UoCkq+orGEc1HmBwrLmgLHRuHzaFQ/+tRBnFd/U7BP3qfbPV ln/K1BHTqeaHXoV9cT0aGU+M7Xa55XRzuBeoCYotqmiST1osgENBFvz37ywgrYEko+pv OnWJ8Rdek3QLL7gzQPr7kKm7jyZ28jH2jgCwj74BAERzhEIIn+YrVvRGcUeyx16kqW+P hxEQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:reply-to:mime-version:content-transfer-encoding; bh=ktrl99/4+i4VLz6USppssXo49kPq9nmcbGTF0KLoSBQ=; b=lHJWLCeHp0lGdGBygwPydCBfhtHc1dc0YGDyDvXbjbE92y3GMEYLvPp9UChlAqNpK2 7tGdQQHBeKFkrAjep/uR/aMvB8OsxxncSIZlgkabTQauao0sUIZ5z96UB/JCaYJ2ikA+ 8Ajwzs7LkB16+O0MuMTK+aW/x6p+eHJATlct1o/DwBoUo8e4SQAeaG0iJHaKDDEahpoI HtAJsZ8tlDDKWtOnpbZFut7m9qAtpFY7wLwBRf8gF+j1dr3oOF4Rpj6gb1v8eRNrE2Cz bsuCBh8qtmfG4lc6iRBTNKjXI6mi0SMjuN5Wk6yyl1IVSkzMhCOdL9fgoUdHgo4N4GSW 3eDg== X-Gm-Message-State: AHQUAuZBwEwTP65o5Ut/LLtwzuFMMW7sj4YdCTjZxXNwTSH4Jw7fF1Ko Q/lBd1FRdJt0WRSZfaqwAws= X-Google-Smtp-Source: AHgI3IaPnxVvWxLjhqm0PsH5iF2NiueH7C1Z1h4hq25QVvV24PnbiOHB8xirGOEnJlaL7jk97tS8SA== X-Received: by 2002:a1c:7719:: with SMTP id t25mr513964wmi.7.1549927697736; Mon, 11 Feb 2019 15:28:17 -0800 (PST) Received: from localhost.localdomain (bba134232.alshamil.net.ae. [217.165.113.120]) by smtp.gmail.com with ESMTPSA id e67sm1470295wmg.1.2019.02.11.15.28.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 15:28:17 -0800 (PST) From: Igor Stoppa X-Google-Original-From: Igor Stoppa Cc: Igor Stoppa , Andy Lutomirski , Nadav Amit , Matthew Wilcox , Peter Zijlstra , Kees Cook , Dave Hansen , Mimi Zohar , Thiago Jung Bauermann , Ahmed Soliman , linux-integrity@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [RFC PATCH v4 04/12] __wr_after_init: x86_64: enable Date: Tue, 12 Feb 2019 01:27:41 +0200 Message-Id: <38307f2c7ae982478d33f55f7a7b827de489cdf3.1549927666.git.igor.stoppa@huawei.com> X-Mailer: git-send-email 2.19.1 In-Reply-To: References: Reply-To: Igor Stoppa MIME-Version: 1.0 To: unlisted-recipients:; (no To-header on input) Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Set ARCH_HAS_PRMEM to Y for x86_64 Signed-off-by: Igor Stoppa CC: Andy Lutomirski CC: Nadav Amit CC: Matthew Wilcox CC: Peter Zijlstra CC: Kees Cook CC: Dave Hansen CC: Mimi Zohar CC: Thiago Jung Bauermann CC: Ahmed Soliman CC: linux-integrity@vger.kernel.org CC: kernel-hardening@lists.openwall.com CC: linux-mm@kvack.org CC: linux-kernel@vger.kernel.org --- arch/x86/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 68261430fe6e..7392b53b12c2 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -32,6 +32,7 @@ config X86_64 select SWIOTLB select X86_DEV_DMA_OPS select ARCH_HAS_SYSCALL_WRAPPER + select ARCH_HAS_PRMEM # # Arch settings From patchwork Mon Feb 11 23:27:42 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Igor Stoppa X-Patchwork-Id: 10806989 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 08EEE1390 for ; Mon, 11 Feb 2019 23:29:10 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EB5EC2A823 for ; Mon, 11 Feb 2019 23:29:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DF8E82A842; Mon, 11 Feb 2019 23:29:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_WEB autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3BAEF2A8AC for ; Mon, 11 Feb 2019 23:29:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727515AbfBKX2Z (ORCPT ); Mon, 11 Feb 2019 18:28:25 -0500 Received: from mail-wm1-f67.google.com ([209.85.128.67]:50952 "EHLO mail-wm1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727940AbfBKX2X (ORCPT ); Mon, 11 Feb 2019 18:28:23 -0500 Received: by mail-wm1-f67.google.com with SMTP id x7so1023571wmj.0; Mon, 11 Feb 2019 15:28:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references:reply-to :mime-version:content-transfer-encoding; bh=ZdMEqkaTdkU9cQtnyBwyKsKlsrmvMKKieThBtq30bZY=; b=Gqq17HZaZ6nYNJ2Waw8C45/pT84leeq75yxS8fGSjHCrkQFeSHGV6+O/G32DVn0ZPW LRntTc/gWGiCzbHknpYD0WIGdPBsxF48Pi2Eqezr+FYqE5EmvTh3gCPWTYFSLfM9T3S4 BuGCmH14QZYFnQPwRp0pjsUno0lKnQ68bBnb4VDLucg0jV9j8RZusWMJ6QcjhNcdNBeC Ud9mamr/FU72AoO/EsCppelcnPqu7/6ZEELqCQRUybUL7VLnarMjsDuTrtKoX/Uuclke S1yE7MCcTW62lyFf8XSPh0C8fTcP7AG+sX97NdgWIG8QKtRNmwZABW2W7CFA8P6s6CRg aDhA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:reply-to:mime-version:content-transfer-encoding; bh=ZdMEqkaTdkU9cQtnyBwyKsKlsrmvMKKieThBtq30bZY=; b=Bm8z8wK8NHeXzKXthmwhj2JPswmDNqa/WMsj6XC9oBTOA41a+l3I3XbjtjFxVJwpHI 8CFI+903cOkxbrCiFP1NMD9TSx3Td1/tAr3RFPVs9Q1SRBjo3Z8j57I8AsMQrinRIszt go7fHIPtvY8Hv+dj004GXnlxfzZtSW2bEADvj+NBIFVQ38g2g8zOJjL3PPwhBmD2Zt1X x9uVvHrYSjU1tVTDeLM/3TCTewkeRxt4f422ea5c1vyEmmG9qlhNuycotZO+gy/bTpUQ XSsjQCHsZ0jViynox1YgepQC7OlJGMKC7AOA15sZbhOF1CFJj3usRriuM5lBiL9Cp0Vu zlVA== X-Gm-Message-State: AHQUAubBkvmPefLlhJ/Xkc6HFPm8iPQIaosdhODW+eP1cW+B4HVOu0T1 QbUhVSaa4bS8QrJe/Wfij+0= X-Google-Smtp-Source: AHgI3IaRbYzOvYY9aR2Sas9wiYW3Vep8Wn7Wc3iPNf+FO4IJVM9hmiyDf+hkZLdGHUnUWgdhWnBgeQ== X-Received: by 2002:a1c:f916:: with SMTP id x22mr488708wmh.87.1549927701124; Mon, 11 Feb 2019 15:28:21 -0800 (PST) Received: from localhost.localdomain (bba134232.alshamil.net.ae. [217.165.113.120]) by smtp.gmail.com with ESMTPSA id e67sm1470295wmg.1.2019.02.11.15.28.17 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 15:28:20 -0800 (PST) From: Igor Stoppa X-Google-Original-From: Igor Stoppa Cc: Igor Stoppa , Andy Lutomirski , Nadav Amit , Matthew Wilcox , Peter Zijlstra , Kees Cook , Dave Hansen , Mimi Zohar , Thiago Jung Bauermann , Ahmed Soliman , linux-integrity@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [RFC PATCH v4 05/12] __wr_after_init: arm64: memset_user() Date: Tue, 12 Feb 2019 01:27:42 +0200 Message-Id: <165661e29f9a2a6aa36e51ae79a06f03b7c8718e.1549927666.git.igor.stoppa@huawei.com> X-Mailer: git-send-email 2.19.1 In-Reply-To: References: Reply-To: Igor Stoppa MIME-Version: 1.0 To: unlisted-recipients:; (no To-header on input) Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP arm64 specific version of memset() for user space, memset_user() In the __wr_after_init scenario, write-rare variables have: - a primary read-only mapping in kernel memory space - an alternate, writable mapping, implemented as user-space mapping The write rare implementation expects the arch code to privide a memset_user() function, which is currently missing. clear_user() is the base for memset_user() Signed-off-by: Igor Stoppa CC: Andy Lutomirski CC: Nadav Amit CC: Matthew Wilcox CC: Peter Zijlstra CC: Kees Cook CC: Dave Hansen CC: Mimi Zohar CC: Thiago Jung Bauermann CC: Ahmed Soliman CC: linux-integrity@vger.kernel.org CC: kernel-hardening@lists.openwall.com CC: linux-mm@kvack.org CC: linux-kernel@vger.kernel.org --- arch/arm64/include/asm/uaccess.h | 9 +++++ arch/arm64/lib/Makefile | 2 +- arch/arm64/lib/memset_user.S (new) | 63 ++++++++++++++++++++++++++++++++ 3 files changed, 73 insertions(+), 1 deletion(-) diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 547d7a0c9d05..0094f92a8f1b 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -415,6 +415,15 @@ extern unsigned long __must_check __arch_copy_in_user(void __user *to, const voi #define INLINE_COPY_TO_USER #define INLINE_COPY_FROM_USER +extern unsigned long __must_check __arch_memset_user(void __user *to, int c, unsigned long n); +static inline unsigned long __must_check __memset_user(void __user *to, int c, unsigned long n) +{ + if (access_ok(to, n)) + n = __arch_memset_user(__uaccess_mask_ptr(to), c, n); + return n; +} +#define memset_user __memset_user + extern unsigned long __must_check __arch_clear_user(void __user *to, unsigned long n); static inline unsigned long __must_check __clear_user(void __user *to, unsigned long n) { diff --git a/arch/arm64/lib/Makefile b/arch/arm64/lib/Makefile index 5540a1638baf..614b090888de 100644 --- a/arch/arm64/lib/Makefile +++ b/arch/arm64/lib/Makefile @@ -1,5 +1,5 @@ # SPDX-License-Identifier: GPL-2.0 -lib-y := clear_user.o delay.o copy_from_user.o \ +lib-y := clear_user.o memset_user.o delay.o copy_from_user.o \ copy_to_user.o copy_in_user.o copy_page.o \ clear_page.o memchr.o memcpy.o memmove.o memset.o \ memcmp.o strcmp.o strncmp.o strlen.o strnlen.o \ diff --git a/arch/arm64/lib/memset_user.S b/arch/arm64/lib/memset_user.S new file mode 100644 index 000000000000..1bfbda3d112b --- /dev/null +++ b/arch/arm64/lib/memset_user.S @@ -0,0 +1,63 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * memset_user.S - memset for userspace on arm64 + * + * (C) Copyright 2018 Huawey Technologies Co. Ltd. + * Author: Igor Stoppa + * + * Based on arch/arm64/lib/clear_user.S + */ + +#include + +#include + + .text + +/* Prototype: int __arch_memset_user(void *addr, int c, size_t n) + * Purpose : set n bytes of user memory at "addr" to the value "c" + * Params : x0 - addr, user memory address to set + * : x1 - c, byte value + * : x2 - n, number of bytes to set + * Returns : number of bytes NOT set + * + * Alignment fixed up by hardware. + */ +ENTRY(__arch_memset_user) + uaccess_enable_not_uao x3, x4, x5 + // replicate the byte to the whole register + and x1, x1, 0xff + lsl x3, x1, 8 + orr x1, x3, x1 + lsl x3, x1, 16 + orr x1, x3, x1 + lsl x3, x1, 32 + orr x1, x3, x1 + mov x3, x2 // save the size for fixup return + subs x2, x2, #8 + b.mi 2f +1: +uao_user_alternative 9f, str, sttr, x1, x0, 8 + subs x2, x2, #8 + b.pl 1b +2: adds x2, x2, #4 + b.mi 3f +uao_user_alternative 9f, str, sttr, x1, x0, 4 + sub x2, x2, #4 +3: adds x2, x2, #2 + b.mi 4f +uao_user_alternative 9f, strh, sttrh, w1, x0, 2 + sub x2, x2, #2 +4: adds x2, x2, #1 + b.mi 5f +uao_user_alternative 9f, strb, sttrb, w1, x0, 0 +5: mov x0, #0 + uaccess_disable_not_uao x3, x4 + ret +ENDPROC(__arch_memset_user) + + .section .fixup,"ax" + .align 2 +9: mov x0, x3 // return the original size + ret + .previous From patchwork Mon Feb 11 23:27:43 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Igor Stoppa X-Patchwork-Id: 10806987 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6717A1575 for ; Mon, 11 Feb 2019 23:29:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 58E8F2A823 for ; Mon, 11 Feb 2019 23:29:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4CA3C2A842; Mon, 11 Feb 2019 23:29:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_WEB autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D28E52A84E for ; Mon, 11 Feb 2019 23:29:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727940AbfBKX23 (ORCPT ); Mon, 11 Feb 2019 18:28:29 -0500 Received: from mail-wr1-f66.google.com ([209.85.221.66]:38965 "EHLO mail-wr1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727550AbfBKX20 (ORCPT ); Mon, 11 Feb 2019 18:28:26 -0500 Received: by mail-wr1-f66.google.com with SMTP id t27so665771wra.6; Mon, 11 Feb 2019 15:28:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references:reply-to :mime-version:content-transfer-encoding; bh=hnmNnr9YQbwfaI93UrUGE24zBu/XKqtY3CcuY5KmkdU=; b=uYEaYUBOjZ1m5B6He86ZkAdxBgB6xG90lpl13Gk1Hrdiy2liTU2fpge+1cP7+Qcn6P emp1I3cfdW/eFM5ehGcXia7aD5KRIrcUO5KLp3y0d03SJnHlYa9M1Nrk/j9WlOBZd5vM NPhVHQ5yjo3jg+IdDZgstra/VE5OEv5TkKDW60i2fCnhn1M3rHve7RRlJI3pwQX0i2oO nzXQ3Y1hVyuu7hiWSI6AAJ/iJgoifRyEzUCYAW/WTwTbuJ/c3kKLtIYUUXTTl2s4MABn myO9A78iPisLHHaZdLR9c6eEk1EQBlg6qs5wdKYl6B1b1EbFoU++Ygll3gD7Mvu2THwr kJMA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:reply-to:mime-version:content-transfer-encoding; bh=hnmNnr9YQbwfaI93UrUGE24zBu/XKqtY3CcuY5KmkdU=; b=M7iLd4toG6iL3Bl54kQbvpDvJse06WaZVgo5Cr7a6RyylljZugvFv6HF3HUwONDBX5 iUsqVD4Dzn88htOdOa8Gq0G7Mx/l2ZYKStSsZ2hvwblsSwCodQraP9etvKI1PSjFiUAG tN8Q5QLostvvFFIlr+syKRxFpTnZa07vJhIpq92GWQOXPWZLZZAXM5b4V5uXWxVeDGVz WDapwMIqUd42gbDgJcHZ6AyDMVdMKanbKu0dz32+C89TkNfPMKlDlu4RE/K0CP783oPN 3tzZCaner+574kQ6eHiI4FgAcKORhNtYklWScoHblQT1sHk0GnnsKRTykrJnyDGNNnrJ Fwew== X-Gm-Message-State: AHQUAuail8AFCcEbqREG8UPoFpNlg2cAkAVJkvdz+luj38HIE/G54Ucz URXwqELpFgiCoTR6X7nGZno= X-Google-Smtp-Source: AHgI3IZ5giTTjGoZ5V4UEH/aAowb6QbzDCVtz5Ak4aVSloW6V3hsGpwN/xytbf9yxR8h2JyjNIwF9Q== X-Received: by 2002:adf:9f48:: with SMTP id f8mr488678wrg.151.1549927704399; Mon, 11 Feb 2019 15:28:24 -0800 (PST) Received: from localhost.localdomain (bba134232.alshamil.net.ae. [217.165.113.120]) by smtp.gmail.com with ESMTPSA id e67sm1470295wmg.1.2019.02.11.15.28.21 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 15:28:23 -0800 (PST) From: Igor Stoppa X-Google-Original-From: Igor Stoppa Cc: Igor Stoppa , Andy Lutomirski , Nadav Amit , Matthew Wilcox , Peter Zijlstra , Kees Cook , Dave Hansen , Mimi Zohar , Thiago Jung Bauermann , Ahmed Soliman , linux-integrity@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [RFC PATCH v4 06/12] __wr_after_init: arm64: enable Date: Tue, 12 Feb 2019 01:27:43 +0200 Message-Id: <3aa3892bcef3aa8613df74c911c56a3d07599630.1549927666.git.igor.stoppa@huawei.com> X-Mailer: git-send-email 2.19.1 In-Reply-To: References: Reply-To: Igor Stoppa MIME-Version: 1.0 To: unlisted-recipients:; (no To-header on input) Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Set ARCH_HAS_PRMEM to Y for arm64 Signed-off-by: Igor Stoppa CC: Andy Lutomirski CC: Nadav Amit CC: Matthew Wilcox CC: Peter Zijlstra CC: Kees Cook CC: Dave Hansen CC: Mimi Zohar CC: Thiago Jung Bauermann CC: Ahmed Soliman CC: linux-integrity@vger.kernel.org CC: kernel-hardening@lists.openwall.com CC: linux-mm@kvack.org CC: linux-kernel@vger.kernel.org --- arch/arm64/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index a4168d366127..7cbb2c133ed7 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -66,6 +66,7 @@ config ARM64 select ARCH_WANT_COMPAT_IPC_PARSE_VERSION select ARCH_WANT_FRAME_POINTERS select ARCH_HAS_UBSAN_SANITIZE_ALL + select ARCH_HAS_PRMEM select ARM_AMBA select ARM_ARCH_TIMER select ARM_GIC From patchwork Mon Feb 11 23:27:44 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Igor Stoppa X-Patchwork-Id: 10806981 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A829C1390 for ; Mon, 11 Feb 2019 23:29:03 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 943C22A823 for ; Mon, 11 Feb 2019 23:29:03 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8837E2A8A0; Mon, 11 Feb 2019 23:29:03 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_WEB autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0DD302A842 for ; Mon, 11 Feb 2019 23:29:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727991AbfBKX2e (ORCPT ); Mon, 11 Feb 2019 18:28:34 -0500 Received: from mail-wm1-f66.google.com ([209.85.128.66]:55210 "EHLO mail-wm1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727762AbfBKX23 (ORCPT ); Mon, 11 Feb 2019 18:28:29 -0500 Received: by mail-wm1-f66.google.com with SMTP id a62so1002821wmh.4; Mon, 11 Feb 2019 15:28:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references:reply-to :mime-version:content-transfer-encoding; bh=y4zotDQYnZoXB9lfg1fC2W7czb+qE54ZRjKDYZQbGrM=; b=RiIwOk4Yh3oZElR1xL4cASyYj7D6BXihLz4aCG/v4xszt7i6uSqsxIV7ytYwftyfcc uTuXGibwTiA/aj+YnMYCpkiM2z6kfso+3dbhiW9YSOHBl6nP1RszYI63KB8K2NsBpdrq 0O12+xpEmBDUqkUXAPxb8OuavppC4Jr2y/PKJY27TEuHaKKz0cs5qLr1lY41XPnz7Zxl sA5IfuG6fAjiZmtxt25Ed0yZ2F0YDSgON1s7dC59J6yvzTcBnm5YPJLSt9XplPkdVRWQ K3g6xJSwVQiZphYA66q/CfA/tFG9bpv0/xDVALdXoiSGfJj+EbFGKE64OBFZr0dgUItK w5sw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:reply-to:mime-version:content-transfer-encoding; bh=y4zotDQYnZoXB9lfg1fC2W7czb+qE54ZRjKDYZQbGrM=; b=kZNR7RfWg8EyhuaAfQYIClVK6h0MJ4qN6U9JHjiVBruZjZ66djNWxLB+d8ITMeMGX8 iC9pStpyqHIZY4Gr4L4/XbjpIhNwsD1ZrFqgyhHAv2OEMDT+JtLrqiar4iNxznCYYGTz 372yHPbi64J6TqukS+dbjlXJQCwn85BHiaj8YcnX2B+1p2u3Sj51wsyy74Vqluf94+NM MofXmFc0d10P/WDY61J4pDOVffqqBrw8zrAEXbEnoJGaGUkd9EX2tX6ckmM68zgkhe4H GwTgStX8ReNXI1WRyztrn2OOG7yOXJ6tuKNio78m7zjSuDrlOoeV1bLPk50Hl4WU7ywX MoiQ== X-Gm-Message-State: AHQUAua7rXOs5wdIbrNDIGboeJGQ/vOxtVJ+tt4qTZF51tsskoFXTL5M qYJYWmsM9ZPuVy0CPAAZ1nZjisb1NJ8= X-Google-Smtp-Source: AHgI3IYPC5M3Lyg22y71g2LtAl1fvg/0Ej4pQcQ/hIiBIm9wNMef0twZh8pcHX4//0/AZscOz8ApJw== X-Received: by 2002:a1c:2804:: with SMTP id o4mr502017wmo.150.1549927707535; Mon, 11 Feb 2019 15:28:27 -0800 (PST) Received: from localhost.localdomain (bba134232.alshamil.net.ae. [217.165.113.120]) by smtp.gmail.com with ESMTPSA id e67sm1470295wmg.1.2019.02.11.15.28.24 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 15:28:26 -0800 (PST) From: Igor Stoppa X-Google-Original-From: Igor Stoppa Cc: Igor Stoppa , Andy Lutomirski , Nadav Amit , Matthew Wilcox , Peter Zijlstra , Kees Cook , Dave Hansen , Mimi Zohar , Thiago Jung Bauermann , Ahmed Soliman , linux-integrity@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [RFC PATCH v4 07/12] __wr_after_init: Documentation: self-protection Date: Tue, 12 Feb 2019 01:27:44 +0200 Message-Id: X-Mailer: git-send-email 2.19.1 In-Reply-To: References: Reply-To: Igor Stoppa MIME-Version: 1.0 To: unlisted-recipients:; (no To-header on input) Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Update the self-protection documentation, to mention also the use of the __wr_after_init attribute. Signed-off-by: Igor Stoppa CC: Andy Lutomirski CC: Nadav Amit CC: Matthew Wilcox CC: Peter Zijlstra CC: Kees Cook CC: Dave Hansen CC: Mimi Zohar CC: Thiago Jung Bauermann CC: Ahmed Soliman CC: linux-integrity@vger.kernel.org CC: kernel-hardening@lists.openwall.com CC: linux-mm@kvack.org CC: linux-kernel@vger.kernel.org --- Documentation/security/self-protection.rst | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/Documentation/security/self-protection.rst b/Documentation/security/self-protection.rst index f584fb74b4ff..df2614bc25b9 100644 --- a/Documentation/security/self-protection.rst +++ b/Documentation/security/self-protection.rst @@ -84,12 +84,14 @@ For variables that are initialized once at ``__init`` time, these can be marked with the (new and under development) ``__ro_after_init`` attribute. -What remains are variables that are updated rarely (e.g. GDT). These -will need another infrastructure (similar to the temporary exceptions -made to kernel code mentioned above) that allow them to spend the rest -of their lifetime read-only. (For example, when being updated, only the -CPU thread performing the update would be given uninterruptible write -access to the memory.) +Others, which are statically allocated, but still need to be updated +rarely, can be marked with the ``__wr_after_init`` attribute. + +The update mechanism must avoid exposing the data to rogue alterations +during the update. For example, only the CPU thread performing the update +would be given uninterruptible write access to the memory. + +Currently there is no protection available for data allocated dynamically. Segregation of kernel memory from userspace memory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From patchwork Mon Feb 11 23:27:45 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Igor Stoppa X-Patchwork-Id: 10806985 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3E2E21399 for ; Mon, 11 Feb 2019 23:29:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2FCEA2A823 for ; Mon, 11 Feb 2019 23:29:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 23C7F2A876; Mon, 11 Feb 2019 23:29:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_WEB autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8B98C2A823 for ; Mon, 11 Feb 2019 23:29:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728039AbfBKX3D (ORCPT ); Mon, 11 Feb 2019 18:29:03 -0500 Received: from mail-wm1-f67.google.com ([209.85.128.67]:55215 "EHLO mail-wm1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727550AbfBKX2e (ORCPT ); Mon, 11 Feb 2019 18:28:34 -0500 Received: by mail-wm1-f67.google.com with SMTP id a62so1002900wmh.4; Mon, 11 Feb 2019 15:28:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references:reply-to :mime-version:content-transfer-encoding; bh=FDryqu5ur4j9ePg/wc9MnpTPYVkBg8AjJFLLJs3gfA8=; b=h0Rzbxd5vn6TVM2F2wuqMENuqEgutSdwfh3qz1lUYLLEMfzzzFr+9FKaWiM0SL7W/l PMFr/LndNJVr8UlZOHtY8hVVLm1ymPo6bBVirh1KqTOo1QuyQ10b8dyw6Up5cQgDaCI1 MqMBnExiZM6pKTNfcEJSMM6f+AP7TnRUhahb1YCl/NAT19yR8i9SdJIdijWHiJAsJHOH rA/m0TBUELlebS6i3BK6rYJIqveTENGDdz52jo5px/scN6ruwhzpSOrXXFX86fD/rg/U DWtGaSmXDyNtXRrLF30Q6TRcElVr7wnfYYgwhiq9Pjo/v/ZbTPeSEW/poumVo6sQ/JpM tlNw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:reply-to:mime-version:content-transfer-encoding; bh=FDryqu5ur4j9ePg/wc9MnpTPYVkBg8AjJFLLJs3gfA8=; b=Bs9fmlM4KP1sp6K3TIPQkMy1wO9uRNH749IY4ntUWbAdUr05Cpj+qKcEmrqXsNcFjy TH9Q9O9108+cUnlzLgixsfqYES6Nq0e0N0yRQ44BOtJqWSpnMHduUu5WY4ZYaTvGM5HL UN0p7r6WzqwNDzad3x28aWQNCDvDWTGEVZRMsn0AZyb38hp4DVHspVPaxgcZ1YbMnsIs lymcwy1tooplCRQNz3n2Uh0QcbxAXszdpJEgC6nCIAUf6z7BYhebc8wJ23MMvkbmj5Bd ZXuLf5iLbIE3+41OE/qYS8oQe1Y4vT2bStNgyhOg1VMHVnmI8Xa9BmhcLT0ZyCXvGMyk ihMw== X-Gm-Message-State: AHQUAuavb6O69K7nMG77ATFY9Qzd6ZkdVEmw3TEb+DrNYmhixvojQxpU w52WAPJS+S9ZLPwtwhnbBmNlMVKbO7g= X-Google-Smtp-Source: AHgI3IbtlJdoliv99+hxRUZolITpfcILFWmzZayl1QjTtb4jAfcYq8ZcflEbQCEsF264j4rFm1ARKw== X-Received: by 2002:a1c:4044:: with SMTP id n65mr477987wma.85.1549927710788; Mon, 11 Feb 2019 15:28:30 -0800 (PST) Received: from localhost.localdomain (bba134232.alshamil.net.ae. [217.165.113.120]) by smtp.gmail.com with ESMTPSA id e67sm1470295wmg.1.2019.02.11.15.28.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 15:28:30 -0800 (PST) From: Igor Stoppa X-Google-Original-From: Igor Stoppa Cc: Igor Stoppa , Andy Lutomirski , Nadav Amit , Matthew Wilcox , Peter Zijlstra , Kees Cook , Dave Hansen , Mimi Zohar , Thiago Jung Bauermann , Ahmed Soliman , linux-integrity@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [RFC PATCH v4 08/12] __wr_after_init: lkdtm test Date: Tue, 12 Feb 2019 01:27:45 +0200 Message-Id: <8708f8d2c541ce803072acec153f38011b271e90.1549927666.git.igor.stoppa@huawei.com> X-Mailer: git-send-email 2.19.1 In-Reply-To: References: Reply-To: Igor Stoppa MIME-Version: 1.0 To: unlisted-recipients:; (no To-header on input) Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Verify that trying to modify a variable with the __wr_after_init attribute will cause a crash. Signed-off-by: Igor Stoppa CC: Andy Lutomirski CC: Nadav Amit CC: Matthew Wilcox CC: Peter Zijlstra CC: Kees Cook CC: Dave Hansen CC: Mimi Zohar CC: Thiago Jung Bauermann CC: Ahmed Soliman CC: linux-integrity@vger.kernel.org CC: kernel-hardening@lists.openwall.com CC: linux-mm@kvack.org CC: linux-kernel@vger.kernel.org --- drivers/misc/lkdtm/core.c | 3 +++ drivers/misc/lkdtm/lkdtm.h | 3 +++ drivers/misc/lkdtm/perms.c | 29 +++++++++++++++++++++++++++++ 3 files changed, 35 insertions(+) diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c index 2837dc77478e..73c34b17c433 100644 --- a/drivers/misc/lkdtm/core.c +++ b/drivers/misc/lkdtm/core.c @@ -155,6 +155,9 @@ static const struct crashtype crashtypes[] = { CRASHTYPE(ACCESS_USERSPACE), CRASHTYPE(WRITE_RO), CRASHTYPE(WRITE_RO_AFTER_INIT), +#ifdef CONFIG_PRMEM + CRASHTYPE(WRITE_WR_AFTER_INIT), +#endif CRASHTYPE(WRITE_KERN), CRASHTYPE(REFCOUNT_INC_OVERFLOW), CRASHTYPE(REFCOUNT_ADD_OVERFLOW), diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h index 3c6fd327e166..abba2f52ffa6 100644 --- a/drivers/misc/lkdtm/lkdtm.h +++ b/drivers/misc/lkdtm/lkdtm.h @@ -38,6 +38,9 @@ void lkdtm_READ_BUDDY_AFTER_FREE(void); void __init lkdtm_perms_init(void); void lkdtm_WRITE_RO(void); void lkdtm_WRITE_RO_AFTER_INIT(void); +#ifdef CONFIG_PRMEM +void lkdtm_WRITE_WR_AFTER_INIT(void); +#endif void lkdtm_WRITE_KERN(void); void lkdtm_EXEC_DATA(void); void lkdtm_EXEC_STACK(void); diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c index 53b85c9d16b8..f681730aa652 100644 --- a/drivers/misc/lkdtm/perms.c +++ b/drivers/misc/lkdtm/perms.c @@ -9,6 +9,7 @@ #include #include #include +#include #include /* Whether or not to fill the target memory area with do_nothing(). */ @@ -27,6 +28,10 @@ static const unsigned long rodata = 0xAA55AA55; /* This is marked __ro_after_init, so it should ultimately be .rodata. */ static unsigned long ro_after_init __ro_after_init = 0x55AA5500; +/* This is marked __wr_after_init, so it should be in .rodata. */ +static +unsigned long wr_after_init __wr_after_init = 0x55AA5500; + /* * This just returns to the caller. It is designed to be copied into * non-executable memory regions. @@ -104,6 +109,28 @@ void lkdtm_WRITE_RO_AFTER_INIT(void) *ptr ^= 0xabcd1234; } +#ifdef CONFIG_PRMEM + +void lkdtm_WRITE_WR_AFTER_INIT(void) +{ + unsigned long *ptr = &wr_after_init; + + /* + * Verify we were written to during init. Since an Oops + * is considered a "success", a failure is to just skip the + * real test. + */ + if ((*ptr & 0xAA) != 0xAA) { + pr_info("%p was NOT written during init!?\n", ptr); + return; + } + + pr_info("attempting bad wr_after_init write at %p\n", ptr); + *ptr ^= 0xabcd1234; +} + +#endif + void lkdtm_WRITE_KERN(void) { size_t size; @@ -200,4 +227,6 @@ void __init lkdtm_perms_init(void) /* Make sure we can write to __ro_after_init values during __init */ ro_after_init |= 0xAA; + /* Make sure we can write to __wr_after_init during __init */ + wr_after_init |= 0xAA; } From patchwork Mon Feb 11 23:27:46 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Igor Stoppa X-Patchwork-Id: 10806979 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5123B1399 for ; Mon, 11 Feb 2019 23:29:03 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4307F2A823 for ; Mon, 11 Feb 2019 23:29:03 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 32C0A2A876; Mon, 11 Feb 2019 23:29:03 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_WEB autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0C66F2A823 for ; Mon, 11 Feb 2019 23:29:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727762AbfBKX2h (ORCPT ); Mon, 11 Feb 2019 18:28:37 -0500 Received: from mail-wr1-f67.google.com ([209.85.221.67]:36254 "EHLO mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728004AbfBKX2g (ORCPT ); Mon, 11 Feb 2019 18:28:36 -0500 Received: by mail-wr1-f67.google.com with SMTP id o17so685486wrw.3; Mon, 11 Feb 2019 15:28:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references:reply-to :mime-version:content-transfer-encoding; bh=vgb7J+uzu72a1nLgAIDJQpmIZYI0IWGcwJEvrx3eHk8=; b=VmiIU8pXfiJ8oLtorDhULSxsmh+YjuTJjvlq8YuRiNowB4/1UqpCrVw5BosEBTfL6V lQbb1zyKnf0f37rNuOWdB/36I0sBvIypEXOaJlidU+6cLxaed7X4JobdhlwNv7l2ZOgr CLcpjJ/DKikqWa2/di7U6WvgXoxM13L73BBHmEh+vVp+7fBOqFY3BuY7Dsv3OewGcQn7 wx+umnTSpRY8mM+athafH9jgbBlDHfGt5caNxzNx1BFVa2rsre/0TI78tes3g2BD6/u6 dID0vUXju22Zkh/Kep+vSEP2+NHeXyAdLybiLgP8GoWTcJfJRcKIg6pEbmyXmkESLdcX RvPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:reply-to:mime-version:content-transfer-encoding; bh=vgb7J+uzu72a1nLgAIDJQpmIZYI0IWGcwJEvrx3eHk8=; b=ITjH4AAoFHvaUirll3xOa1NHJbGZd+Q4B+w1ww8VNMJS5YZAPQiB3eVs7w5H476uoX +uRzSDV192t5afaMQVziLlwjjM6WC88+OvbPBR29dpTouJULGrrDD2j5GsEiSDBr5fpi CUZBvnIOsJRKNXiyKtJhQYJXrVEoUg4FAWOPCaKx+LVcb1oLK+xCRXgWzTB1VW/txIh0 dawMtsz9YyLCFxnuXIO6n59480SztoTqCWEtrX7gJ2NVMtNvX2pIcN8jp92ADlYtJVVi PEx53u1SakBZpP7qXki1dfEgJ5sPEmQYNccTdV6I2qo5fxzOUFxktoONMhZdWm5wRHcW IiYA== X-Gm-Message-State: AHQUAuYo0p2HoTAGbWekz43Ore2wV65qXsHaqchNxESbhrgRpaJGc0Mf I5nLAv9Htek69EsEb6QjbWY= X-Google-Smtp-Source: AHgI3IbQwu8eTmjbJnx/2r01oGyJDgWGHUAAfDPRDsTqvehJCmHsCuN42bxdkY5qB2bklveZMh0xdg== X-Received: by 2002:adf:f410:: with SMTP id g16mr517807wro.246.1549927714236; Mon, 11 Feb 2019 15:28:34 -0800 (PST) Received: from localhost.localdomain (bba134232.alshamil.net.ae. [217.165.113.120]) by smtp.gmail.com with ESMTPSA id e67sm1470295wmg.1.2019.02.11.15.28.31 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 15:28:33 -0800 (PST) From: Igor Stoppa X-Google-Original-From: Igor Stoppa Cc: Igor Stoppa , Andy Lutomirski , Nadav Amit , Matthew Wilcox , Peter Zijlstra , Kees Cook , Dave Hansen , Mimi Zohar , Thiago Jung Bauermann , Ahmed Soliman , linux-integrity@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [RFC PATCH v4 09/12] __wr_after_init: rodata_test: refactor tests Date: Tue, 12 Feb 2019 01:27:46 +0200 Message-Id: X-Mailer: git-send-email 2.19.1 In-Reply-To: References: Reply-To: Igor Stoppa MIME-Version: 1.0 To: unlisted-recipients:; (no To-header on input) Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Refactor the test cases, in preparation for using them also for testing __wr_after_init memory, when available. Signed-off-by: Igor Stoppa CC: Andy Lutomirski CC: Nadav Amit CC: Matthew Wilcox CC: Peter Zijlstra CC: Kees Cook CC: Dave Hansen CC: Mimi Zohar CC: Thiago Jung Bauermann CC: Ahmed Soliman CC: linux-integrity@vger.kernel.org CC: kernel-hardening@lists.openwall.com CC: linux-mm@kvack.org CC: linux-kernel@vger.kernel.org --- mm/rodata_test.c | 48 ++++++++++++++++++++++++++++-------------------- 1 file changed, 28 insertions(+), 20 deletions(-) diff --git a/mm/rodata_test.c b/mm/rodata_test.c index d908c8769b48..e1349520b436 100644 --- a/mm/rodata_test.c +++ b/mm/rodata_test.c @@ -14,44 +14,52 @@ #include #include -static const int rodata_test_data = 0xC3; +#define INIT_TEST_VAL 0xC3 -void rodata_test(void) +static const int rodata_test_data = INIT_TEST_VAL; + +static bool test_data(char *data_type, const int *data, + unsigned long start, unsigned long end) { - unsigned long start, end; int zero = 0; /* test 1: read the value */ /* If this test fails, some previous testrun has clobbered the state */ - if (!rodata_test_data) { - pr_err("test 1 fails (start data)\n"); - return; + if (*data != INIT_TEST_VAL) { + pr_err("%s: test 1 fails (init data value)\n", data_type); + return false; } /* test 2: write to the variable; this should fault */ - if (!probe_kernel_write((void *)&rodata_test_data, - (void *)&zero, sizeof(zero))) { - pr_err("test data was not read only\n"); - return; + if (!probe_kernel_write((void *)data, (void *)&zero, sizeof(zero))) { + pr_err("%s: test data was not read only\n", data_type); + return false; } /* test 3: check the value hasn't changed */ - if (rodata_test_data == zero) { - pr_err("test data was changed\n"); - return; + if (*data != INIT_TEST_VAL) { + pr_err("%s: test data was changed\n", data_type); + return false; } /* test 4: check if the rodata section is PAGE_SIZE aligned */ - start = (unsigned long)__start_rodata; - end = (unsigned long)__end_rodata; if (start & (PAGE_SIZE - 1)) { - pr_err("start of .rodata is not page size aligned\n"); - return; + pr_err("%s: start of data is not page size aligned\n", + data_type); + return false; } if (end & (PAGE_SIZE - 1)) { - pr_err("end of .rodata is not page size aligned\n"); - return; + pr_err("%s: end of data is not page size aligned\n", + data_type); + return false; } + pr_info("%s tests were successful", data_type); + return true; +} - pr_info("all tests were successful\n"); +void rodata_test(void) +{ + test_data("rodata", &rodata_test_data, + (unsigned long)&__start_rodata, + (unsigned long)&__end_rodata); } From patchwork Mon Feb 11 23:27:47 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Igor Stoppa X-Patchwork-Id: 10806977 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7E8A01399 for ; Mon, 11 Feb 2019 23:29:00 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6F0512A823 for ; Mon, 11 Feb 2019 23:29:00 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 635B72A84E; Mon, 11 Feb 2019 23:29:00 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_WEB autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EA1C52A823 for ; Mon, 11 Feb 2019 23:28:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728028AbfBKX2l (ORCPT ); Mon, 11 Feb 2019 18:28:41 -0500 Received: from mail-wm1-f67.google.com ([209.85.128.67]:53564 "EHLO mail-wm1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728011AbfBKX2j (ORCPT ); Mon, 11 Feb 2019 18:28:39 -0500 Received: by mail-wm1-f67.google.com with SMTP id d15so1006172wmb.3; Mon, 11 Feb 2019 15:28:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references:reply-to :mime-version:content-transfer-encoding; bh=hKpBmvKhY62YcE+qk2JyFeoOHJdEVTVCpq3mJ7wKHeo=; b=BGYDAnDXfWDwMeK5eSKfBJYIRnmsh1oPx2ZOf8HcWXdmwBIgDVTpuqYUB3KvmHH93e CQ/pUVW9gaxkff/ISmJHvCx/y1ksn3D2ZB0Zl1e1iyNKsyURJCuhYe/XfMWhILPIoQX+ sOSNtcaEc0fNOG4tGaK9bLqGDsUMwDS9dEo/h/3lAczrR4Z9kaLfBvB7RrPofGWyd07Z 87HJ77tPwwo/7W13RnoDCQDElfKTZPRyDBFxrJ719qY6wqsZ65fePWfguFZ20wyR1vzj 2ALjxTWAWngGdiNowfrT+LbQ993RGtjwSm7r04Cwz+BFeQhqMsf1ODGAgbq7iaAYEptt Yxig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:reply-to:mime-version:content-transfer-encoding; bh=hKpBmvKhY62YcE+qk2JyFeoOHJdEVTVCpq3mJ7wKHeo=; b=AofIbnMSLmu2FSbRhz+sbuyHv+rjaccxJczLp4XwYycUMRLEKDN0MY1FHWxnQU/UtA xMuvbHO08czzOa3nZGHc81B3X7Vilx+r5qoSwTPjKHaZjEA9C/aOaR4N44Y4QqimDgZt R8qYg/Ll8KmMeEos0Zwa2CKdR0lEVONFYTQzsq4mnuTrawIxwsmIZMNhpiGHwPV4enNR Gp/VrmgM0tdKWrcFL7ytT2ii5WB7m5VSmNHiiWYGWWZ4XaUhlHfnXYGYEIulDqhGrWMn G/jSvByvtcpACElIRxEPmIRNtVXTvYSBJ7vj1rINmNDS8eixvpS8cx2uA3GONxjDZcrH wIuQ== X-Gm-Message-State: AHQUAubhXg8u3IHb1ODI38SQo0xI/d7BJyw4P6yty8GhoWXcdTz+Tpf3 nb7H1fV+ckbiORt66QFkaXE= X-Google-Smtp-Source: AHgI3IaFcGvUdEZKnlRNCrjUqMaXRhiVC7YxDFcfeCy5/2TwxwLp1XrgFxFOCYbNVyOvJEbUKa2RjA== X-Received: by 2002:a7b:ce84:: with SMTP id q4mr490431wmj.105.1549927717395; Mon, 11 Feb 2019 15:28:37 -0800 (PST) Received: from localhost.localdomain (bba134232.alshamil.net.ae. [217.165.113.120]) by smtp.gmail.com with ESMTPSA id e67sm1470295wmg.1.2019.02.11.15.28.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 15:28:36 -0800 (PST) From: Igor Stoppa X-Google-Original-From: Igor Stoppa Cc: Igor Stoppa , Andy Lutomirski , Nadav Amit , Matthew Wilcox , Peter Zijlstra , Kees Cook , Dave Hansen , Mimi Zohar , Thiago Jung Bauermann , Ahmed Soliman , linux-integrity@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [RFC PATCH v4 10/12] __wr_after_init: rodata_test: test __wr_after_init Date: Tue, 12 Feb 2019 01:27:47 +0200 Message-Id: <5b674df65263831006ea27edce2c08fd70ddd6b1.1549927666.git.igor.stoppa@huawei.com> X-Mailer: git-send-email 2.19.1 In-Reply-To: References: Reply-To: Igor Stoppa MIME-Version: 1.0 To: unlisted-recipients:; (no To-header on input) Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The write protection of the __wr_after_init data can be verified with the same methodology used for const data. Signed-off-by: Igor Stoppa CC: Andy Lutomirski CC: Nadav Amit CC: Matthew Wilcox CC: Peter Zijlstra CC: Kees Cook CC: Dave Hansen CC: Mimi Zohar CC: Thiago Jung Bauermann CC: Ahmed Soliman CC: linux-integrity@vger.kernel.org CC: kernel-hardening@lists.openwall.com CC: linux-mm@kvack.org CC: linux-kernel@vger.kernel.org --- mm/rodata_test.c | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/mm/rodata_test.c b/mm/rodata_test.c index e1349520b436..a669cf9f5a61 100644 --- a/mm/rodata_test.c +++ b/mm/rodata_test.c @@ -16,8 +16,23 @@ #define INIT_TEST_VAL 0xC3 +/* + * Note: __ro_after_init data is, for every practical effect, equivalent to + * const data, since they are even write protected at the same time; there + * is no need for separate testing. + * __wr_after_init data, otoh, is altered also after the write protection + * takes place and it cannot be exploitable for altering more permanent + * data. + */ + static const int rodata_test_data = INIT_TEST_VAL; +#ifdef CONFIG_PRMEM +static int wr_after_init_test_data __wr_after_init = INIT_TEST_VAL; +extern long __start_wr_after_init; +extern long __end_wr_after_init; +#endif + static bool test_data(char *data_type, const int *data, unsigned long start, unsigned long end) { @@ -59,7 +74,13 @@ static bool test_data(char *data_type, const int *data, void rodata_test(void) { - test_data("rodata", &rodata_test_data, - (unsigned long)&__start_rodata, - (unsigned long)&__end_rodata); + if (!test_data("rodata", &rodata_test_data, + (unsigned long)&__start_rodata, + (unsigned long)&__end_rodata)) + return; +#ifdef CONFIG_PRMEM + test_data("wr after init data", &wr_after_init_test_data, + (unsigned long)&__start_wr_after_init, + (unsigned long)&__end_wr_after_init); +#endif } From patchwork Mon Feb 11 23:27:48 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Igor Stoppa X-Patchwork-Id: 10806975 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 17C441390 for ; Mon, 11 Feb 2019 23:28:57 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 080D52A823 for ; Mon, 11 Feb 2019 23:28:57 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id F07462A84E; Mon, 11 Feb 2019 23:28:56 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_WEB autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 49BB72A823 for ; Mon, 11 Feb 2019 23:28:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728011AbfBKX2o (ORCPT ); Mon, 11 Feb 2019 18:28:44 -0500 Received: from mail-wr1-f68.google.com ([209.85.221.68]:45417 "EHLO mail-wr1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728004AbfBKX2n (ORCPT ); Mon, 11 Feb 2019 18:28:43 -0500 Received: by mail-wr1-f68.google.com with SMTP id w17so632224wrn.12; Mon, 11 Feb 2019 15:28:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references:reply-to :mime-version:content-transfer-encoding; bh=z2wBXeZpdgS2whrOf1GfxoMk6jA5R7ZT/5qYfN3QkBU=; b=Zbh6m5Zrmm+VHGJ2ULclwxxHyG6ftZXov0BIoqLCRCUDGFRFYOa+lc9EQX6MwTSph4 SZTPzgeaijGSBTtX3Lx/J3NIoKr0ZNUT3fNnTvYL45vxrtWPE3ZU0L/VXgvh1NNdBTRm else8gozkwQFQhjYHAOeDynf11VjS2XGUJKDOJfrz1GxdoMO2birYoU4tZ5ykfp2TQhv jy3MYKWOK86RKIHQiHypKlcYncXysEX0xWtZPebS1EswWwY/n5CyCq9pX1wd8QQB0tQz nTv2dej89BxSfee7e6JU83FBZgvZ2y/Lg1h6DpAwo0jkykSpUx6RXyJskr1ys5NZ3bAb 83yQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:reply-to:mime-version:content-transfer-encoding; bh=z2wBXeZpdgS2whrOf1GfxoMk6jA5R7ZT/5qYfN3QkBU=; b=DXkoowZwatknyRJf0rY0488PJAR+5bMLww7ZmEWMdb9kwgG8E41TVtYvcFlcwbaZIl GktzCiHAHs/BkZQCrB2kK1RCVc1p4cZhKqSYutWDmOjEZai/yxMRsohVfY7GNxGhMdXm Jo7X/5ktDl6wGCOoG7XIkOX56bj4oTPp78RsmFmnlTOIV9g49Z45H2X+8xnuV+ZvZX2r zQRx9nPVoF9R+aJk678Iv/z9o2O18vszm8kyj4ewoZixybL4xSFtQxjvuI9j9Ld1oN2L M8N46jNAqawzBgR9n321mceR3bncDvObkbV2ZuqMOfcs60XHsYhE+0F+wcz/jlzNur5Q bzdw== X-Gm-Message-State: AHQUAubtBYwHb9MsMOTkHmtYFg3OsYPNJroTw2RkK0ZxWcmQ2HYU0hFV DUZ2yL2LWFRS/GAKQfahESw= X-Google-Smtp-Source: AHgI3IZy4G/4e2saYx+CEztdSuW7qvUMx60+naYXdTjvjWygEiGkF8VDSetOvwTz4ZeilENVWIwR+A== X-Received: by 2002:adf:f9c4:: with SMTP id w4mr516008wrr.218.1549927720856; Mon, 11 Feb 2019 15:28:40 -0800 (PST) Received: from localhost.localdomain (bba134232.alshamil.net.ae. [217.165.113.120]) by smtp.gmail.com with ESMTPSA id e67sm1470295wmg.1.2019.02.11.15.28.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 15:28:40 -0800 (PST) From: Igor Stoppa X-Google-Original-From: Igor Stoppa Cc: Igor Stoppa , Andy Lutomirski , Nadav Amit , Matthew Wilcox , Peter Zijlstra , Kees Cook , Dave Hansen , Mimi Zohar , Thiago Jung Bauermann , Ahmed Soliman , linux-integrity@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [RFC PATCH v4 11/12] __wr_after_init: test write rare functionality Date: Tue, 12 Feb 2019 01:27:48 +0200 Message-Id: <3a5bbfcf067bbbf03b04c70a1b57eef114f2f192.1549927666.git.igor.stoppa@huawei.com> X-Mailer: git-send-email 2.19.1 In-Reply-To: References: Reply-To: Igor Stoppa MIME-Version: 1.0 To: unlisted-recipients:; (no To-header on input) Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Set of test cases meant to confirm that the write rare functionality works as expected. It can be optionally compiled as module. Signed-off-by: Igor Stoppa CC: Andy Lutomirski CC: Nadav Amit CC: Matthew Wilcox CC: Peter Zijlstra CC: Kees Cook CC: Dave Hansen CC: Mimi Zohar CC: Thiago Jung Bauermann CC: Ahmed Soliman CC: linux-integrity@vger.kernel.org CC: kernel-hardening@lists.openwall.com CC: linux-mm@kvack.org CC: linux-kernel@vger.kernel.org --- mm/Kconfig.debug | 8 +++ mm/Makefile | 1 + mm/test_write_rare.c (new) | 136 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 145 insertions(+) diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug index 9a7b8b049d04..a62c31901fea 100644 --- a/mm/Kconfig.debug +++ b/mm/Kconfig.debug @@ -94,3 +94,11 @@ config DEBUG_RODATA_TEST depends on STRICT_KERNEL_RWX ---help--- This option enables a testcase for the setting rodata read-only. + +config DEBUG_PRMEM_TEST + tristate "Run self test for statically allocated protected memory" + depends on PRMEM + default n + help + Tries to verify that the protection for statically allocated memory + works correctly and that the memory is effectively protected. diff --git a/mm/Makefile b/mm/Makefile index ef3867c16ce0..8de1d468f4e7 100644 --- a/mm/Makefile +++ b/mm/Makefile @@ -59,6 +59,7 @@ obj-$(CONFIG_SPARSEMEM_VMEMMAP) += sparse-vmemmap.o obj-$(CONFIG_SLOB) += slob.o obj-$(CONFIG_MMU_NOTIFIER) += mmu_notifier.o obj-$(CONFIG_PRMEM) += prmem.o +obj-$(CONFIG_DEBUG_PRMEM_TEST) += test_write_rare.o obj-$(CONFIG_KSM) += ksm.o obj-$(CONFIG_PAGE_POISONING) += page_poison.o obj-$(CONFIG_SLAB) += slab.o diff --git a/mm/test_write_rare.c b/mm/test_write_rare.c new file mode 100644 index 000000000000..dd2a0e2d6024 --- /dev/null +++ b/mm/test_write_rare.c @@ -0,0 +1,136 @@ +// SPDX-License-Identifier: GPL-2.0 + +/* + * test_write_rare.c + * + * (C) Copyright 2018 Huawei Technologies Co. Ltd. + * Author: Igor Stoppa + */ + +#include +#include +#include +#include +#include +#include + +#ifdef pr_fmt +#undef pr_fmt +#endif + +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + +extern long __start_wr_after_init; +extern long __end_wr_after_init; + +static __wr_after_init int scalar = '0'; +static __wr_after_init u8 array[PAGE_SIZE * 3] __aligned(PAGE_SIZE); + +/* The section must occupy a non-zero number of whole pages */ +static bool test_alignment(void) +{ + unsigned long pstart = (unsigned long)&__start_wr_after_init; + unsigned long pend = (unsigned long)&__end_wr_after_init; + + if (WARN((pstart & ~PAGE_MASK) || (pend & ~PAGE_MASK) || + (pstart >= pend), "Boundaries test failed.")) + return false; + pr_info("Boundaries test passed."); + return true; +} + +static bool test_pattern(void) +{ + return (memchr_inv(array, '0', PAGE_SIZE / 2) || + memchr_inv(array + PAGE_SIZE / 2, '1', PAGE_SIZE * 3 / 4) || + memchr_inv(array + PAGE_SIZE * 5 / 4, '0', PAGE_SIZE / 2) || + memchr_inv(array + PAGE_SIZE * 7 / 4, '1', PAGE_SIZE * 3 / 4) || + memchr_inv(array + PAGE_SIZE * 5 / 2, '0', PAGE_SIZE / 2)); +} + +static bool test_wr_memset(void) +{ + int new_val = '1'; + + wr_memset(&scalar, new_val, sizeof(scalar)); + if (WARN(memchr_inv(&scalar, new_val, sizeof(scalar)), + "Scalar write rare memset test failed.")) + return false; + + pr_info("Scalar write rare memset test passed."); + + wr_memset(array, '0', PAGE_SIZE * 3); + if (WARN(memchr_inv(array, '0', PAGE_SIZE * 3), + "Array write rare memset test failed.")) + return false; + + wr_memset(array + PAGE_SIZE / 2, '1', PAGE_SIZE * 2); + if (WARN(memchr_inv(array + PAGE_SIZE / 2, '1', PAGE_SIZE * 2), + "Array write rare memset test failed.")) + return false; + + wr_memset(array + PAGE_SIZE * 5 / 4, '0', PAGE_SIZE / 2); + if (WARN(memchr_inv(array + PAGE_SIZE * 5 / 4, '0', PAGE_SIZE / 2), + "Array write rare memset test failed.")) + return false; + + if (WARN(test_pattern(), "Array write rare memset test failed.")) + return false; + + pr_info("Array write rare memset test passed."); + return true; +} + +static u8 array_1[PAGE_SIZE * 2]; +static u8 array_2[PAGE_SIZE * 2]; + +static bool test_wr_memcpy(void) +{ + int new_val = 0x12345678; + + wr_assign(scalar, new_val); + if (WARN(memcmp(&scalar, &new_val, sizeof(scalar)), + "Scalar write rare memcpy test failed.")) + return false; + pr_info("Scalar write rare memcpy test passed."); + + wr_memset(array, '0', PAGE_SIZE * 3); + memset(array_1, '1', PAGE_SIZE * 2); + memset(array_2, '0', PAGE_SIZE * 2); + wr_memcpy(array + PAGE_SIZE / 2, array_1, PAGE_SIZE * 2); + wr_memcpy(array + PAGE_SIZE * 5 / 4, array_2, PAGE_SIZE / 2); + + if (WARN(test_pattern(), "Array write rare memcpy test failed.")) + return false; + + pr_info("Array write rare memcpy test passed."); + return true; +} + +static __wr_after_init int *dst; +static int reference = 0x54; + +static bool test_wr_rcu_assign_pointer(void) +{ + wr_rcu_assign_pointer(dst, &reference); + return dst == &reference; +} + +static int __init test_static_wr_init_module(void) +{ + pr_info("static write rare test"); + if (WARN(!(test_alignment() && + test_wr_memset() && + test_wr_memcpy() && + test_wr_rcu_assign_pointer()), + "static write rare test failed")) + return -EFAULT; + pr_info("static write rare test passed"); + return 0; +} + +module_init(test_static_wr_init_module); + +MODULE_LICENSE("GPL v2"); +MODULE_AUTHOR("Igor Stoppa "); +MODULE_DESCRIPTION("Test module for static write rare."); From patchwork Mon Feb 11 23:27:49 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Igor Stoppa X-Patchwork-Id: 10806971 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9C3001399 for ; Mon, 11 Feb 2019 23:28:54 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 896EC2A823 for ; Mon, 11 Feb 2019 23:28:54 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 795602A873; Mon, 11 Feb 2019 23:28:54 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_WEB autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EED1D2A823 for ; Mon, 11 Feb 2019 23:28:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728004AbfBKX2r (ORCPT ); Mon, 11 Feb 2019 18:28:47 -0500 Received: from mail-wm1-f68.google.com ([209.85.128.68]:55653 "EHLO mail-wm1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728054AbfBKX2q (ORCPT ); Mon, 11 Feb 2019 18:28:46 -0500 Received: by mail-wm1-f68.google.com with SMTP id r17so991238wmh.5; Mon, 11 Feb 2019 15:28:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references:reply-to :mime-version:content-transfer-encoding; bh=VlNzKepo585QEAzr1PoW4dWwLybStReaiWjN7bcxj8g=; b=BI2AisEr9GW64YlypsEsgzISrsfXnzkEjXKfspuUjubyPjQUZeYyTJsNWfamyXpj28 CgpAScsAf8IZ1P4wcgWzrKhfDOZpJKvDiiSA1Gv0AKtGLp9Pr7+QJvlRkwrHQydw9YXJ ras/v8CRf+ug8I2VtFx/txAEkoyDb2GFIydZ3Z70vOkH6vXAgc7rcUYlKmbRJDUojLE6 EPEbI25rqik5A1usnzwzAAmQfHxjH/Rhl6eR8jA4jOBebaR4/w8+alWM05wleyXmZdc4 ENHs8fK+3TEpKW3p/CyPVjpuBNdt/+LnYDPo5TCRizbKgOHwgwBB6g4/ozhOWVUJc6am cN3g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:reply-to:mime-version:content-transfer-encoding; bh=VlNzKepo585QEAzr1PoW4dWwLybStReaiWjN7bcxj8g=; b=ocRYv/c9s55YI6f4JQP1EuaeGeEhpRAmQ5Xmojw5iAWOFMnURIRnxi3TmnYP3JC7eq zetGSy4Ld8VOeO7MemRbfhmcyZaDHEKraej/Wj26GQhcOUZi4gA7TweWOuML5sdvdfpp HMayOam2AzEufYT592Ca3GPvUneNwyfPXu/nC+GdqAeJIRaC58fWLHPhKZTG3gZAh9K0 Av+WgfQFG6xQkEzBfp7tW+RCLCqttlfuLcmcoC7EsPqMvrx/ocMuREn8UXz2GroGWn18 AuY5MaqAXA37QqIyJ0/cJWygzFqD5e/jJEP9sGWQOGmj6rUVU7kXx/8VZi0YwQjqFaUF QGfw== X-Gm-Message-State: AHQUAuaX01Q80Z+X8ZsSGj9NyPZMvvbSia9c9i4niJbZJRVhNLTKjJqp iCPwSNwgLnhFDapjqji/NHk= X-Google-Smtp-Source: AHgI3IYAStsHXTbFOi9toTUJa7sYc2xWbjGcnPdHeaXJGeDxn/CbffDpZEeCBK0xVjj3LAdOW97ZlA== X-Received: by 2002:a1c:f707:: with SMTP id v7mr528939wmh.18.1549927724197; Mon, 11 Feb 2019 15:28:44 -0800 (PST) Received: from localhost.localdomain (bba134232.alshamil.net.ae. [217.165.113.120]) by smtp.gmail.com with ESMTPSA id e67sm1470295wmg.1.2019.02.11.15.28.41 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 15:28:43 -0800 (PST) From: Igor Stoppa X-Google-Original-From: Igor Stoppa Cc: Igor Stoppa , Andy Lutomirski , Nadav Amit , Matthew Wilcox , Peter Zijlstra , Kees Cook , Dave Hansen , Mimi Zohar , Thiago Jung Bauermann , Ahmed Soliman , linux-integrity@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [RFC PATCH v4 12/12] IMA: turn ima_policy_flags into __wr_after_init Date: Tue, 12 Feb 2019 01:27:49 +0200 Message-Id: <93a44c8854b914fb9558fd37b7c4c9ee6051c20c.1549927666.git.igor.stoppa@huawei.com> X-Mailer: git-send-email 2.19.1 In-Reply-To: References: Reply-To: Igor Stoppa MIME-Version: 1.0 To: unlisted-recipients:; (no To-header on input) Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The policy flags could be targeted by an attacker aiming at disabling IMA, so that there would be no trace of a file system modification in the measurement list. Since the flags can be altered at runtime, it is not possible to make them become fully read-only, for example with __ro_after_init. __wr_after_init can still provide some protection, at least against simple memory overwrite attacks Signed-off-by: Igor Stoppa CC: Andy Lutomirski CC: Nadav Amit CC: Matthew Wilcox CC: Peter Zijlstra CC: Kees Cook CC: Dave Hansen CC: Mimi Zohar CC: Thiago Jung Bauermann CC: Ahmed Soliman CC: linux-integrity@vger.kernel.org CC: kernel-hardening@lists.openwall.com CC: linux-mm@kvack.org CC: linux-kernel@vger.kernel.org --- security/integrity/ima/ima.h | 3 ++- security/integrity/ima/ima_policy.c | 9 +++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index cc12f3449a72..297c25f5122e 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -24,6 +24,7 @@ #include #include #include +#include #include #include "../integrity.h" @@ -50,7 +51,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; #define IMA_TEMPLATE_IMA_FMT "d|n" /* current content of the policy */ -extern int ima_policy_flag; +extern int ima_policy_flag __wr_after_init; /* set during initialization */ extern int ima_hash_algo; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 8bc8a1c8cb3f..d49c545b9cfb 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -48,7 +48,7 @@ #define INVALID_PCR(a) (((a) < 0) || \ (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8)) -int ima_policy_flag; +int ima_policy_flag __wr_after_init; static int temp_ima_appraise; static int build_ima_appraise __ro_after_init; @@ -460,12 +460,13 @@ void ima_update_policy_flag(void) list_for_each_entry(entry, ima_rules, list) { if (entry->action & IMA_DO_MASK) - ima_policy_flag |= entry->action; + wr_assign(ima_policy_flag, + ima_policy_flag | entry->action); } ima_appraise |= (build_ima_appraise | temp_ima_appraise); if (!ima_appraise) - ima_policy_flag &= ~IMA_APPRAISE; + wr_assign(ima_policy_flag, ima_policy_flag & ~IMA_APPRAISE); } static int ima_appraise_flag(enum ima_hooks func) @@ -651,7 +652,7 @@ void ima_update_policy(void) list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); if (ima_rules != policy) { - ima_policy_flag = 0; + wr_assign(ima_policy_flag, 0); ima_rules = policy; /*