lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Apr 2022 14:49:43 +0100 From: Catalin Marinas <catalin.marinas@....com> To: Andrew Morton <akpm@...ux-foundation.org>, Christoph Hellwig <hch@...radead.org>, Lennart Poettering <lennart@...ttering.net>, Zbigniew Jędrzejewski-Szmek <zbyszek@...waw.pl> Cc: Will Deacon <will@...nel.org>, Alexander Viro <viro@...iv.linux.org.uk>, Eric Biederman <ebiederm@...ssion.com>, Kees Cook <keescook@...omium.org>, Szabolcs Nagy <szabolcs.nagy@....com>, Mark Brown <broonie@...nel.org>, Jeremy Linton <jeremy.linton@....com>, Topi Miettinen <toiwoton@...il.com>, linux-mm@...ck.org, linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org, linux-abi-devel@...ts.sourceforge.net Subject: [PATCH RFC 1/4] mm: Track previously writeable vma permission In order to support a memory-deny-write-execute policy for mprotect() and prevent a previously writeable mapping from being made executable, track the past VM_WRITE permission via a new VM_WAS_WRITE flag that is not cleared on permission change. VM_WAS_WRITE is a high VMA flag and since not all architectures may want this feature, only define it if CONFIG_ARCH_ENABLE_DENY_WRITE_EXEC is selected, otherwise it is VM_NONE (zero). Note that the new VM_WAS_WRITE flag would prevent merging of an always read-only vma with a previously writeable vma that was made read-only. I don't consider this a common case and even if we somehow allow such merging, it would be confusing for the user if a read-only vma inherits a VM_WAS_WRITE flag or the VM_WAS_WRITE flag is dropped. Signed-off-by: Catalin Marinas <catalin.marinas@....com> Cc: Andrew Morton <akpm@...ux-foundation.org> --- include/linux/mm.h | 6 ++++++ include/linux/mman.h | 8 +++++++- mm/Kconfig | 4 ++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index e34edb775334..bec37abc0773 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -317,6 +317,12 @@ extern unsigned int kobjsize(const void *objp); #define VM_HIGH_ARCH_4 BIT(VM_HIGH_ARCH_BIT_4) #endif /* CONFIG_ARCH_USES_HIGH_VMA_FLAGS */ +#ifdef CONFIG_ARCH_ENABLE_DENY_WRITE_EXEC +#define VM_WAS_WRITE BIT(37) /* only with ARCH_USES_HIGH_VMA_FLAGS */ +#else +#define VM_WAS_WRITE VM_NONE +#endif + #ifdef CONFIG_ARCH_HAS_PKEYS # define VM_PKEY_SHIFT VM_HIGH_ARCH_BIT_0 # define VM_PKEY_BIT0 VM_HIGH_ARCH_0 /* A protection key is a 4-bit value */ diff --git a/include/linux/mman.h b/include/linux/mman.h index b66e91b8176c..2d841ddae2aa 100644 --- a/include/linux/mman.h +++ b/include/linux/mman.h @@ -141,10 +141,16 @@ static inline bool arch_validate_flags(unsigned long flags) static inline unsigned long calc_vm_prot_bits(unsigned long prot, unsigned long pkey) { - return _calc_vm_trans(prot, PROT_READ, VM_READ ) | + unsigned long vm_flags = + _calc_vm_trans(prot, PROT_READ, VM_READ ) | _calc_vm_trans(prot, PROT_WRITE, VM_WRITE) | _calc_vm_trans(prot, PROT_EXEC, VM_EXEC) | arch_calc_vm_prot_bits(prot, pkey); + + if (vm_flags & VM_WRITE) + vm_flags |= VM_WAS_WRITE; + + return vm_flags; } /* diff --git a/mm/Kconfig b/mm/Kconfig index 034d87953600..f140109f2a1e 100644 --- a/mm/Kconfig +++ b/mm/Kconfig @@ -822,6 +822,10 @@ config ARCH_USES_HIGH_VMA_FLAGS config ARCH_HAS_PKEYS bool +config ARCH_ENABLE_DENY_WRITE_EXEC + bool + depends on ARCH_USES_HIGH_VMA_FLAGS + config PERCPU_STATS bool "Collect percpu memory statistics" help
Powered by blists - more mailing lists