From patchwork Wed Feb 17 22:41:18 2016
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 62133
From: Kees Cook
To: Ingo Molnar
Cc: Kees Cook, David Brown, Andy Lutomirski, "H. Peter Anvin", Michael Ellerman, Mathias Krause, Thomas Gleixner, x86@kernel.org, Arnd Bergmann, PaX Team, Emese Revfy, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, linux-arch
Subject: [PATCH v5 7/7] ARM: vdso: Mark vDSO code as read-only
Date: Wed, 17 Feb 2016 14:41:18 -0800
Message-Id: <1455748879-21872-8-git-send-email-keescook@chromium.org>
In-Reply-To: <1455748879-21872-1-git-send-email-keescook@chromium.org>
References: <1455748879-21872-1-git-send-email-keescook@chromium.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: David Brown

Although the arm vDSO is cleanly separated by code/data with the code being read-only in userspace mappings, the code page is still writable from the kernel. There have been exploits (such as http://itszn.com/blog/?p=21) that take advantage of this on x86 to go from a bad kernel write to full root. Prevent this specific exploit on arm by putting the vDSO code page in post-init read-only memory as well.

Before:
vdso: 1 text pages at base 80927000
root@Vexpress:/ cat /sys/kernel/debug/kernel_page_tables
---[ Modules ]---
---[ Kernel Mapping ]---
0x80000000-0x80100000           1M     RW NX SHD
0x80100000-0x80600000           5M     ro x  SHD
0x80600000-0x80800000           2M     ro NX SHD
0x80800000-0xbe000000         984M     RW NX SHD

After:
vdso: 1 text pages at base 8072b000
root@Vexpress:/ cat /sys/kernel/debug/kernel_page_tables
---[ Modules ]---
---[ Kernel Mapping ]---
0x80000000-0x80100000           1M     RW NX SHD
0x80100000-0x80600000           5M     ro x  SHD
0x80600000-0x80800000           2M     ro NX SHD
0x80800000-0xbe000000         984M     RW NX SHD

Inspired by https://lkml.org/lkml/2016/1/19/494 based on work by the PaX Team, Brad Spengler, and Kees Cook.

Signed-off-by: David Brown
Acked-by: Kees Cook
---
 arch/arm/vdso/vdso.S | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

-- 
2.6.3

diff --git a/arch/arm/vdso/vdso.S b/arch/arm/vdso/vdso.S index b2b97e3e7bab..a62a7b64f49c 100644 --- a/arch/arm/vdso/vdso.S +++ b/arch/arm/vdso/vdso.S @@ -23,9 +23,8 @@ #include #include - __PAGE_ALIGNED_DATA - .globl vdso_start, vdso_end + .section .data..ro_after_init .balign PAGE_SIZE vdso_start: .incbin "arch/arm/vdso/vdso.so"
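Review bot: as shown, the hunk reads as deleting `.globl vdso_start, vdso_end` together with `__PAGE_ALIGNED_DATA`, and the single `+` line (`.section .data..ro_after_init`) does not put the `.globl` back; if that line really is removed, `vdso_start` and `vdso_end` lose global binding and the code outside this file that uses them (the vdso.c setup that prints the `vdso: 1 text pages at base ...` line quoted in the log) no longer links. The diffstat (1 insertion, 2 deletions) fits equally well with the second deletion being the blank line that followed `__PAGE_ALIGNED_DATA`, which is what it should be, so please confirm `.globl vdso_start, vdso_end` stays as unchanged context. A smaller point on the same `+` line: `__PAGE_ALIGNED_DATA` expands to `.section ".data..page_aligned", "aw"`, whereas the bare `.section .data..ro_after_init` carries no flags and relies on the assembler's name-based default for `.data.*` sections; writing `.section .data..ro_after_init, "aw"` keeps the attributes explicit and matches the macro it replaces. The hunk is cut off before `vdso_end:` and the closing `.previous`, so the end of the section cannot be checked here.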
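Two checks that go with the commit message above, written here as an added example; this is not code from the patch, from David Brown, or from the kernel tree. The first half embeds the kernel_page_tables lines and the two vDSO base addresses quoted in the message and looks up which kernel mapping the base falls in, so the "before" and "after" dumps, which look identical, can be read off as the page moving from the RW region into a ro one. The second half is a userspace model of `.data..ro_after_init`: a page is populated while writable, sealed with `mprotect(PROT_READ)` in place of the kernel's end-of-init read-only pass, and a later stray write faults instead of patching the code. The function names `vdso_base_writable`, `write_faults` and `ro_after_init_demo` are mine, the 4-byte ELF-magic stand-in for vdso.so is constructed, and the mention of `mark_rodata_ro()` in the comments is an assumption about the kernel side that the page does not state.

```c
/* Added example (not from the patch or the kernel tree): vdso_base_writable()
 * looks up the vDSO base from "vdso: 1 text pages at base ..." in the
 * kernel_page_tables dump quoted in the commit log; ro_after_init_demo()
 * models .data..ro_after_init in userspace. */
#define _GNU_SOURCE   /* sigaction, siglongjmp, posix_memalign, mprotect */
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Mapping lines copied from the commit message (before/after dumps are identical). */
static const char kernel_page_tables_dump[] =
    "---[ Modules ]---\n"
    "---[ Kernel Mapping ]---\n"
    "0x80000000-0x80100000   1M   RW NX SHD\n"
    "0x80100000-0x80600000   5M   ro x  SHD\n"
    "0x80600000-0x80800000   2M   ro NX SHD\n"
    "0x80800000-0xbe000000 984M   RW NX SHD\n";

#define VDSO_BASE_BEFORE 0x80927000UL   /* from the "Before:" dmesg line */
#define VDSO_BASE_AFTER  0x8072b000UL   /* from the "After:" dmesg line  */

/* 1 if addr lies in a mapping marked RW, 0 if marked ro, -1 if no range covers it. */
int vdso_base_writable(unsigned long addr)
{
    const char *line = kernel_page_tables_dump;
    while (*line) {
        char buf[96], size[16], rw[8], nx[8];
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        unsigned long lo, hi;
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        /* "---[ ... ]---" header lines fail the first conversion and are skipped. */
        if (sscanf(buf, "0x%lx-0x%lx %15s %7s %7s", &lo, &hi, size, rw, nx) == 5
            && addr >= lo && addr < hi)
            return strcmp(rw, "RW") == 0;
        if (!nl)
            break;
        line = nl + 1;
    }
    return -1;
}

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Try a one-byte write through p: returns 1 if it faulted, 0 if it went through. */
static int write_faults(volatile uint8_t *p)
{
    struct sigaction sa, old;
    volatile int faulted = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0)
        *p = 0x00;      /* the "bad kernel write", in miniature */
    else
        faulted = 1;    /* came back here from the SIGSEGV handler */
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Returns 1 when the page behaves like ro_after_init memory: writable while
 * being populated, then write-faulting with contents intact once sealed. */
int ro_after_init_demo(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *mem = NULL;
    int ok;
    if (posix_memalign((void **)&mem, page, page) != 0)
        return 0;
    memset(mem, 0, page);
    ok = write_faults(mem) == 0;              /* init-time write succeeds */
    memcpy(mem, "\x7f" "ELF", 4);             /* constructed stand-in for vdso.so */
    /* End of init: stands in for the kernel's read-only pass over
     * .data..ro_after_init (mark_rodata_ro() on ARM; an assumption, not on this page). */
    ok = ok && mprotect(mem, page, PROT_READ) == 0;
    ok = ok && write_faults(mem) == 1;        /* the stray write now faults */
    ok = ok && memcmp(mem, "\x7f" "ELF", 4) == 0;  /* and the code was not patched */
    mprotect(mem, page, PROT_READ | PROT_WRITE);   /* restore before free() */
    free(mem);
    return ok;
}
```

Run from a small main that calls `vdso_base_writable(VDSO_BASE_BEFORE)` (1: the old base sits in the 984M RW region) and `vdso_base_writable(VDSO_BASE_AFTER)` (0: the new base sits in the 2M ro NX region; NX on the kernel-side mapping is fine, since the code only ever executes through the separate userspace mapping). `ro_after_init_demo()` returns 1 on a system where `mprotect()` and SIGSEGV behave as on Linux; the write that succeeds before the seal is the same write that faults after it.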