| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <5DFA1E3C-A335-4C4B-A86F-904A6CF6D871@gmail.com>
Date: Wed, 6 Feb 2019 09:33:35 -0800
From: Nadav Amit <nadav.amit@...il.com>
To: Steven Rostedt <rostedt@...dmis.org>
Cc: Rick Edgecombe <rick.p.edgecombe@...el.com>,
Andy Lutomirski <luto@...nel.org>,
Ingo Molnar <mingo@...hat.com>,
LKML <linux-kernel@...r.kernel.org>, X86 ML <x86@...nel.org>,
"H. Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Peter Zijlstra <peterz@...radead.org>,
Damian Tometzki <linux_dti@...oud.com>,
linux-integrity <linux-integrity@...r.kernel.org>,
LSM List <linux-security-module@...r.kernel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Kernel Hardening <kernel-hardening@...ts.openwall.com>,
Linux-MM <linux-mm@...ck.org>, Will Deacon <will.deacon@....com>,
Ard Biesheuvel <ard.biesheuvel@...aro.org>,
Kristen Carlson Accardi <kristen@...ux.intel.com>,
deneen.t.dock@...el.com
Subject: Re: [PATCH 08/17] x86/ftrace: set trampoline pages as executable
> On Feb 6, 2019, at 8:22 AM, Steven Rostedt <rostedt@...dmis.org> wrote:
>
> On Wed, 16 Jan 2019 16:32:50 -0800
> Rick Edgecombe <rick.p.edgecombe@...el.com> wrote:
>
>> From: Nadav Amit <namit@...are.com>
>>
>> Since alloc_module() will not set the pages as executable soon, we need
>> to do so for ftrace trampoline pages after they are allocated.
>>
>> For the time being, we do not change ftrace to use the text_poke()
>> interface. As a result, ftrace breaks still breaks W^X.
>>
>> Cc: Steven Rostedt <rostedt@...dmis.org>
>> Signed-off-by: Nadav Amit <namit@...are.com>
>> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@...el.com>
>> ---
>> arch/x86/kernel/ftrace.c | 9 +++++++++
>> 1 file changed, 9 insertions(+)
>>
>> diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c
>> index 8257a59704ae..eb4a1937e72c 100644
>> --- a/arch/x86/kernel/ftrace.c
>> +++ b/arch/x86/kernel/ftrace.c
>> @@ -742,6 +742,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
>> unsigned long end_offset;
>> unsigned long op_offset;
>> unsigned long offset;
>> + unsigned long npages;
>> unsigned long size;
>> unsigned long retq;
>> unsigned long *ptr;
>> @@ -774,6 +775,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
>> return 0;
>>
>> *tramp_size = size + RET_SIZE + sizeof(void *);
>> + npages = DIV_ROUND_UP(*tramp_size, PAGE_SIZE);
>>
>> /* Copy ftrace_caller onto the trampoline memory */
>> ret = probe_kernel_read(trampoline, (void *)start_offset, size);
>> @@ -818,6 +820,13 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
>> /* ALLOC_TRAMP flags lets us know we created it */
>> ops->flags |= FTRACE_OPS_FL_ALLOC_TRAMP;
>>
>> + /*
>> + * Module allocation needs to be completed by making the page
>> + * executable. The page is still writable, which is a security hazard,
>> + * but anyhow ftrace breaks W^X completely.
>> + */
>
> Perhaps we should set the page to non writable after the page is
> updated? And set it to writable only when we need to update it.
You remember that I sent you a patch that changed all these writes into
text_poke() and you said that I should defer it until this series is merged?
> As for this patch:
>
> Reviewed-by: Steven Rostedt (VMware) <rostedt@...dmis.org>
Thanks!
Powered by blists - more mailing lists