lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 7 Dec 2015 12:54:32 -0800
From:	Kees Cook <keescook@...omium.org>
To:	labbott@...oraproject.org
Cc:	Russell King <linux@....linux.org.uk>,
	Will Deacon <will.deacon@....com>,
	Catalin Marinas <catalin.marinas@....com>,
	Victor Kamensky <victor.kamensky@...aro.org>,
	Vladimir Murzin <vladimir.murzin@....com>,
	Ard Biesheuvel <ard.biesheuvel@...aro.org>,
	linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: [PATCH] ARM: mm: mark section-aligned portion of rodata NX

When rodata is large enough that it crosses a section boundary after the
kernel text, mark the rest NX. This is as close to full NX of rodata as
we can get without splitting page tables or doing section alignment via
CONFIG_DEBUG_ALIGN_RODATA.

Signed-off-by: Kees Cook <keescook@...omium.org>
---
I am baffled why I can't put the ALIGN in the ".start = " initializer.
GCC seems to think it's non-static, but only because of the "&" operator.
Does anyone see a way to do this that doesn't require the runtime ALIGN?
---
 arch/arm/mm/init.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c
index 321d3683dc7c..b40a0536ef60 100644
--- a/arch/arm/mm/init.c
+++ b/arch/arm/mm/init.c
@@ -579,6 +579,8 @@ struct section_perm {
 	pmdval_t clear;
 };
 
+#define RODATA_IDX	0
+
 static struct section_perm nx_perms[] = {
 	/* Make pages tables, etc before _stext RW (set NX). */
 	{
@@ -596,16 +598,14 @@ static struct section_perm nx_perms[] = {
 		.mask	= ~PMD_SECT_XN,
 		.prot	= PMD_SECT_XN,
 	},
-#ifdef CONFIG_DEBUG_ALIGN_RODATA
 	/* Make rodata NX (set RO in ro_perms below). */
-	{
+	[RODATA_IDX] = {
 		.name	= "rodata NX",
 		.start  = (unsigned long)__start_rodata,
 		.end    = (unsigned long)__init_begin,
 		.mask   = ~PMD_SECT_XN,
 		.prot   = PMD_SECT_XN,
 	},
-#endif
 };
 
 static struct section_perm ro_perms[] = {
@@ -709,6 +709,9 @@ int __fix_kernmem_perms(void *unused)
 
 void fix_kernmem_perms(void)
 {
+	/* rodata may not be section aligned, so cover as much as we can. */
+	nx_perms[RODATA_IDX].start = ALIGN(nx_perms[RODATA_IDX].start,
+					   SECTION_SIZE);
 	stop_machine(__fix_kernmem_perms, NULL, NULL);
 }
 
-- 
1.9.1


-- 
Kees Cook
Chrome OS & Brillo Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ