| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Dec 2015 13:26:14 -0800 From: Laura Abbott <labbott@...hat.com> To: Russell King - ARM Linux <linux@....linux.org.uk>, Kees Cook <keescook@...omium.org> Cc: Laura Abbott <labbott@...oraproject.org>, Catalin Marinas <catalin.marinas@....com>, linux-arm-kernel@...ts.infradead.org, LKML <linux-kernel@...r.kernel.org>, Linux-MM <linux-mm@...ck.org>, Ard Biesheuvel <ard.biesheuvel@...aro.org>, Will Deacon <will.deacon@....com>, Nicolas Pitre <nico@...aro.org>, Arnd Bergmann <arnd@...db.de>, kernel-hardening@...ts.openwall.com Subject: Re: [PATCH v2] ARM: mm: flip priority of CONFIG_DEBUG_RODATA On 12/23/2015 12:15 PM, Russell King - ARM Linux wrote: > On Wed, Dec 02, 2015 at 12:27:25PM -0800, Kees Cook wrote: >> The use of CONFIG_DEBUG_RODATA is generally seen as an essential part of >> kernel self-protection: >> http://www.openwall.com/lists/kernel-hardening/2015/11/30/13 >> Additionally, its name has grown to mean things beyond just rodata. To >> get ARM closer to this, we ought to rearrange the names of the configs >> that control how the kernel protects its memory. What was called >> CONFIG_ARM_KERNMEM_PERMS is really doing the work that other architectures >> call CONFIG_DEBUG_RODATA. > > Kees, > > There is a subtle problem with the kernel memory permissions and the > DMA debugging. > > DMA debugging checks whether we're trying to do DMA from the kernel > mappings (text, rodata, data etc). It checks _text.._etext. However, > when RODATA is enabled, we have about one section between _text and > _stext which are freed into the kernel's page pool, and then become > available for allocation and use for DMA. > > This then causes the DMA debugging sanity check to fire. > > So, I think I'll revert this change for the time being as it seems to > be causing many people problems, and having this enabled is creating > extra warnings when kernel debug options are enabled along with it. > > Sorry. > in include/asm-generic/sections.h: /* * Usage guidelines: * _text, _data: architecture specific, don't use them in arch-independent code * [_stext, _etext]: contains .text.* sections, may also contain .rodata.* * and/or .init.* sections So based on that comment it seems like the dma-debug should be checking for _stext not _text since only _stext is guaranteed across all architectures. I'll submit a patch to dma-debug.c if this seems appropriate or if you haven't done so already. Thanks, Laura -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists