From: "Christopher M. Riedl" <cmr@codefail.de>
To: linuxppc-dev@lists.ozlabs.org
Cc: kernel-hardening@lists.openwall.com
Subject: [PATCH v3 5/6] powerpc: Initialize a temporary mm for code patching
Date: Thu, 27 Aug 2020 00:26:58 -0500 [thread overview]
Message-ID: <20200827052659.24922-6-cmr@codefail.de> (raw)
In-Reply-To: <20200827052659.24922-1-cmr@codefail.de>
When code patching a STRICT_KERNEL_RWX kernel the page containing the
address to be patched is temporarily mapped with permissive memory
protections. Currently, a per-cpu vmalloc patch area is used for this
purpose. While the patch area is per-cpu, the temporary page mapping is
inserted into the kernel page tables for the duration of the patching.
The mapping is exposed to CPUs other than the patching CPU - this is
undesirable from a hardening perspective.
Use the `poking_init` init hook to prepare a temporary mm and patching
address. Initialize the temporary mm by copying the init mm. Choose a
randomized patching address inside the temporary mm userspace address
portion. The next patch uses the temporary mm and patching address for
code patching.
Based on x86 implementation:
commit 4fc19708b165
("x86/alternatives: Initialize temporary mm for patching")
Signed-off-by: Christopher M. Riedl <cmr@codefail.de>
---
arch/powerpc/lib/code-patching.c | 40 ++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/arch/powerpc/lib/code-patching.c b/arch/powerpc/lib/code-patching.c
index 89b37ece6d2f..051d7ae6d8ee 100644
--- a/arch/powerpc/lib/code-patching.c
+++ b/arch/powerpc/lib/code-patching.c
@@ -11,6 +11,8 @@
#include <linux/cpuhotplug.h>
#include <linux/slab.h>
#include <linux/uaccess.h>
+#include <linux/sched/task.h>
+#include <linux/random.h>
#include <asm/tlbflush.h>
#include <asm/page.h>
@@ -109,6 +111,44 @@ static inline void unuse_temporary_mm(struct temp_mm *temp_mm)
}
}
+static struct mm_struct *patching_mm __ro_after_init;
+static unsigned long patching_addr __ro_after_init;
+
+void __init poking_init(void)
+{
+ spinlock_t *ptl; /* for protecting pte table */
+ pte_t *ptep;
+
+ /*
+ * Some parts of the kernel (static keys for example) depend on
+ * successful code patching. Code patching under STRICT_KERNEL_RWX
+ * requires this setup - otherwise we cannot patch at all. We use
+ * BUG_ON() here and later since an early failure is preferred to
+ * buggy behavior and/or strange crashes later.
+ */
+ patching_mm = copy_init_mm();
+ BUG_ON(!patching_mm);
+
+ /*
+ * Choose a randomized, page-aligned address from the range:
+ * [PAGE_SIZE, DEFAULT_MAP_WINDOW - PAGE_SIZE]
+ * The lower address bound is PAGE_SIZE to avoid the zero-page.
+ * The upper address bound is DEFAULT_MAP_WINDOW - PAGE_SIZE to stay
+ * under DEFAULT_MAP_WINDOW in hash.
+ */
+ patching_addr = PAGE_SIZE + ((get_random_long() & PAGE_MASK)
+ % (DEFAULT_MAP_WINDOW - 2 * PAGE_SIZE));
+
+ /*
+ * PTE allocation uses GFP_KERNEL which means we need to pre-allocate
+ * the PTE here. We cannot do the allocation during patching with IRQs
+ * disabled (ie. "atomic" context).
+ */
+ ptep = get_locked_pte(patching_mm, patching_addr, &ptl);
+ BUG_ON(!ptep);
+ pte_unmap_unlock(ptep, ptl);
+}
+
static DEFINE_PER_CPU(struct vm_struct *, text_poke_area);
#ifdef CONFIG_LKDTM
--
2.28.0
next prev parent reply other threads:[~2020-08-27 5:25 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-27 5:26 [PATCH v3 0/6] Use per-CPU temporary mappings for patching Christopher M. Riedl
2020-08-27 5:26 ` [PATCH v3 1/6] powerpc: Add LKDTM accessor for patching addr Christopher M. Riedl
2020-08-27 5:26 ` [PATCH v3 2/6] x86: " Christopher M. Riedl
2020-08-27 5:26 ` [PATCH v3 3/6] Add LKDTM test to hijack a patch mapping (powerpc,x86_64) Christopher M. Riedl
2020-08-27 5:26 ` [PATCH v3 3/6] Add LKDTM test to hijack a patch mapping (powerpc, x86_64) Christopher M. Riedl
2020-08-27 10:11 ` kernel test robot
2020-08-27 10:11 ` kernel test robot
2020-08-27 18:10 ` kernel test robot
2020-08-27 18:10 ` kernel test robot
2020-08-27 5:26 ` [PATCH v3 4/6] powerpc: Introduce temporary mm Christopher M. Riedl
2020-08-27 14:15 ` Jann Horn
2020-09-07 0:15 ` Christopher M. Riedl
2020-09-07 0:15 ` Christopher M. Riedl
2020-08-27 5:26 ` Christopher M. Riedl [this message]
2020-08-27 5:26 ` [PATCH v3 6/6] powerpc: Use a temporary mm for code patching Christopher M. Riedl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200827052659.24922-6-cmr@codefail.de \
--to=cmr@codefail.de \
--cc=kernel-hardening@lists.openwall.com \
--cc=linuxppc-dev@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.