| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <980069339b23a6cc4ae6d605d188338467a5b08b.1682673543.git.houwenlong.hwl@antgroup.com>
Date: Fri, 28 Apr 2023 17:51:05 +0800
From: "Hou Wenlong" <houwenlong.hwl@...group.com>
To: linux-kernel@...r.kernel.org
Cc: "Thomas Garnier" <thgarnie@...omium.org>,
"Lai Jiangshan" <jiangshan.ljs@...group.com>,
"Kees Cook" <keescook@...omium.org>,
"Hou Wenlong" <houwenlong.hwl@...group.com>,
"Thomas Gleixner" <tglx@...utronix.de>,
"Ingo Molnar" <mingo@...hat.com>, "Borislav Petkov" <bp@...en8.de>,
"Dave Hansen" <dave.hansen@...ux.intel.com>, <x86@...nel.org>,
"H. Peter Anvin" <hpa@...or.com>, "Arnd Bergmann" <arnd@...db.de>,
"Peter Zijlstra" <peterz@...radead.org>,
"Josh Poimboeuf" <jpoimboe@...nel.org>,
"Juergen Gross" <jgross@...e.com>,
"Brian Gerst" <brgerst@...il.com>, <linux-arch@...r.kernel.org>
Subject: [PATCH RFC 25/43] x86/mm: Make the x86 GOT read-only
From: Thomas Garnier <thgarnie@...omium.org>
From: Thomas Garnier <thgarnie@...omium.org>
The GOT is changed during early boot when relocations are applied. Make
it read-only directly. This table exists only for PIE binary. Since weak
symbol reference would always be GOT reference, there are 8 entries in
GOT, but only one entry for __fentry__() is in use. Other GOT
references have been optimized by linker.
[Hou Wenlong: Change commit message and skip GOT size check]
Signed-off-by: Thomas Garnier <thgarnie@...omium.org>
Signed-off-by: Hou Wenlong <houwenlong.hwl@...group.com>
Cc: Lai Jiangshan <jiangshan.ljs@...group.com>
Cc: Kees Cook <keescook@...omium.org>
---
arch/x86/kernel/vmlinux.lds.S | 2 ++
include/asm-generic/vmlinux.lds.h | 12 ++++++++++++
2 files changed, 14 insertions(+)
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index f02dcde9f8a8..fa4c6582663f 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -462,6 +462,7 @@ SECTIONS
#endif
"Unexpected GOT/PLT entries detected!")
+#ifndef CONFIG_X86_PIE
/*
* Sections that should stay zero sized, which is safer to
* explicitly check instead of blindly discarding.
@@ -470,6 +471,7 @@ SECTIONS
*(.got) *(.igot.*)
}
ASSERT(SIZEOF(.got) == 0, "Unexpected GOT entries detected!")
+#endif
.plt : {
*(.plt) *(.plt.*) *(.iplt)
diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index d1f57e4868ed..438ed8b39896 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -441,6 +441,17 @@
__end_ro_after_init = .;
#endif
+#ifdef CONFIG_X86_PIE
+#define RO_GOT_X86 \
+ .got : AT(ADDR(.got) - LOAD_OFFSET) { \
+ __start_got = .; \
+ *(.got) *(.igot.*); \
+ __end_got = .; \
+ }
+#else
+#define RO_GOT_X86
+#endif
+
/*
* .kcfi_traps contains a list KCFI trap locations.
*/
@@ -486,6 +497,7 @@
BOUNDED_SECTION_PRE_LABEL(.pci_fixup_suspend_late, _pci_fixups_suspend_late, __start, __end) \
} \
\
+ RO_GOT_X86 \
FW_LOADER_BUILT_IN_DATA \
TRACEDATA \
\
--
2.31.1
Powered by blists - more mailing lists