| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 Apr 2020 19:08:50 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Josh Poimboeuf <jpoimboe@...hat.com>
Cc: jeyu@...nel.org, linux-kernel@...r.kernel.org,
Thomas Gleixner <tglx@...utronix.de>, keescook@...omium.org,
Miroslav Benes <mbenes@...e.cz>
Subject: Re: [PATCH] module: Harden STRICT_MODULE_RWX
On Fri, Apr 03, 2020 at 11:56:31AM -0500, Josh Poimboeuf wrote:
> On Fri, Apr 03, 2020 at 06:37:16PM +0200, Peter Zijlstra wrote:
> >
> > We're very close to enforcing W^X memory, refuse to load modules that
> > violate this principle per construction.
> >
> > Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org>
> > Cc: Jessica Yu <jeyu@...nel.org>
> > Cc: Kees Cook <keescook@...omium.org>
> > ---
> > kernel/module.c | 24 ++++++++++++++++++++++++
> > 1 file changed, 24 insertions(+)
> >
> > --- a/kernel/module.c
> > +++ b/kernel/module.c
> > @@ -2044,9 +2044,28 @@ static void module_enable_x(const struct
> > frob_text(&mod->core_layout, set_memory_x);
> > frob_text(&mod->init_layout, set_memory_x);
> > }
> > +
> > +static int module_rwx_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs,
> > + char *secstrings, struct module *mod)
>
> A verb would be nice: "module_enforce_rwx_sections"?
>
> Shouldn't this be under STRICT_MODULE_RWX instead of
> ARCH_HAS_STRICT_MODULE_RWX?
>
> > +{
> > + int i;
> > +
> > + for (i = 0; i < hdr->e_shnum; i++) {
> > + if (sechdrs[i].sh_flags & (SHF_EXECINSTR|SHF_WRITE))
> > + return -ENOEXEC;
>
> I think you only want the error when both are set?
>
> if (sechdrs[i].sh_flags & (SHF_EXECINSTR|SHF_WRITE) == (SHF_EXECINSTR|SHF_WRITE))
>
Duh. yes. Let me respin.
Powered by blists - more mailing lists