| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190206112213.2ec9dd5c@gandalf.local.home>
Date: Wed, 6 Feb 2019 11:22:13 -0500
From: Steven Rostedt <rostedt@...dmis.org>
To: Rick Edgecombe <rick.p.edgecombe@...el.com>
Cc: Andy Lutomirski <luto@...nel.org>, Ingo Molnar <mingo@...hat.com>,
linux-kernel@...r.kernel.org, x86@...nel.org, hpa@...or.com,
Thomas Gleixner <tglx@...utronix.de>,
Borislav Petkov <bp@...en8.de>,
Nadav Amit <nadav.amit@...il.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Peter Zijlstra <peterz@...radead.org>, linux_dti@...oud.com,
linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, akpm@...ux-foundation.org,
kernel-hardening@...ts.openwall.com, linux-mm@...ck.org,
will.deacon@....com, ard.biesheuvel@...aro.org,
kristen@...ux.intel.com, deneen.t.dock@...el.com,
Nadav Amit <namit@...are.com>
Subject: Re: [PATCH 08/17] x86/ftrace: set trampoline pages as executable
On Wed, 16 Jan 2019 16:32:50 -0800
Rick Edgecombe <rick.p.edgecombe@...el.com> wrote:
> From: Nadav Amit <namit@...are.com>
>
> Since alloc_module() will not set the pages as executable soon, we need
> to do so for ftrace trampoline pages after they are allocated.
>
> For the time being, we do not change ftrace to use the text_poke()
> interface. As a result, ftrace breaks still breaks W^X.
>
> Cc: Steven Rostedt <rostedt@...dmis.org>
> Signed-off-by: Nadav Amit <namit@...are.com>
> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@...el.com>
> ---
> arch/x86/kernel/ftrace.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c
> index 8257a59704ae..eb4a1937e72c 100644
> --- a/arch/x86/kernel/ftrace.c
> +++ b/arch/x86/kernel/ftrace.c
> @@ -742,6 +742,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
> unsigned long end_offset;
> unsigned long op_offset;
> unsigned long offset;
> + unsigned long npages;
> unsigned long size;
> unsigned long retq;
> unsigned long *ptr;
> @@ -774,6 +775,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
> return 0;
>
> *tramp_size = size + RET_SIZE + sizeof(void *);
> + npages = DIV_ROUND_UP(*tramp_size, PAGE_SIZE);
>
> /* Copy ftrace_caller onto the trampoline memory */
> ret = probe_kernel_read(trampoline, (void *)start_offset, size);
> @@ -818,6 +820,13 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
> /* ALLOC_TRAMP flags lets us know we created it */
> ops->flags |= FTRACE_OPS_FL_ALLOC_TRAMP;
>
> + /*
> + * Module allocation needs to be completed by making the page
> + * executable. The page is still writable, which is a security hazard,
> + * but anyhow ftrace breaks W^X completely.
> + */
Perhaps we should set the page to non writable after the page is
updated? And set it to writable only when we need to update it.
As for this patch:
Reviewed-by: Steven Rostedt (VMware) <rostedt@...dmis.org>
-- Steve
> + set_memory_x((unsigned long)trampoline, npages);
> +
> return (unsigned long)trampoline;
> fail:
> tramp_free(trampoline, *tramp_size);
Powered by blists - more mailing lists