From: Stephen Smalley <sds@tycho.nsa.gov>
To: Kees Cook <keescook@chromium.org>
Cc: "x86@kernel.org" <x86@kernel.org>, lkml <linux-kernel@vger.kernel.org>
Subject: Re: rwx mapping between ex_table and rodata
Date: Mon, 28 Sep 2015 10:11:21 -0400
Message-ID: <56094A89.1010703@tycho.nsa.gov>
In-Reply-To: <CAGXu5j+tTR=x9RTOFvqQP7+W7DFR6N+GUP__uvAicrfTBU1B7w@mail.gmail.com>

On 09/24/2015 06:25 PM, Kees Cook wrote:
> On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> Hi,
>>
>> With the attached config and 4.3-rc2 on x86_64, I see the following in /sys/kernel/debug/kernel_page_tables:
>> ...
>> ---[ High Kernel Mapping ]---
>> 0xffffffff80000000-0xffffffff81000000          16M                               pmd
>> 0xffffffff81000000-0xffffffff81600000           6M     ro         PSE     GLB x  pmd
>> 0xffffffff81600000-0xffffffff81775000        1492K     ro                 GLB x  pte
>> 0xffffffff81775000-0xffffffff81800000         556K     RW                 GLB x  pte
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> 0xffffffff81800000-0xffffffff81a00000           2M     ro         PSE     GLB NX pmd
>> 0xffffffff81a00000-0xffffffff81b43000        1292K     ro                 GLB NX pte
>> 0xffffffff81b43000-0xffffffff82000000        4852K     RW                 GLB NX pte
>> 0xffffffff82000000-0xffffffff82200000           2M     RW         PSE     GLB NX pmd
>> 0xffffffff82200000-0xffffffffa0000000         478M                               pmd
>> ...
>>
>> This region seems to be between the end of ex_table and the start of rodata,
>> $ objdump -x vmlinux | sort
>> ...
>> ffffffff817728b0 g       __ex_table     0000000000000000 __start___ex_table
>> ffffffff817728b0 l    d  __ex_table     0000000000000000 __ex_table
>> ffffffff81774998 g       __ex_table     0000000000000000 __stop___ex_table
>> ffffffff81800000 g       .rodata        0000000000000000 __start_rodata
>> ffffffff81800000 l    d  .rodata        0000000000000000 .rodata
>> ...
>>
>> $ readelf -a vmlinux
>> ...
>> Section Headers:
>>   [Nr] Name              Type             Address           Offset
>>        Size              EntSize          Flags  Link  Info  Align
>> ...
>>   [ 3] __ex_table        PROGBITS         ffffffff817728b0  009728b0
>>        00000000000020e8  0000000000000000   A       0     0     8
>>   [ 4] .rodata           PROGBITS         ffffffff81800000  00a00000
>>        00000000002eefd2  0000000000000000   A       0     0     64
>> ...
>>
>> I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so it isn't new to 4.3.
> 
> To me it looks like another alignment/padding issue like got fixed
> before. The space between __ex_table and rodata is (seems?) unused, so
> the default page table permissions end up being W+X. Can we fix the
> default to be NX instead? It'll make these bugs stay gone.

Not sure where that would get fixed (or the ramifications), but is there
a reason we can't just do the following to fix this particular case?

diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index 30564e2..df48430 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -1132,7 +1132,7 @@ void mark_rodata_ro(void)
 	 * has been zapped already via cleanup_highmem().
 	 */
 	all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
-	set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT);
+	set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT);
 
 	rodata_test();
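Review bot: text_end, which this hunk makes the new start of the NX range, is not defined within the hunk and the patch has no description; a commit message should say where text_end is set earlier in mark_rodata_ro and that it is page-aligned, because set_memory_nx works on whole pages and `(all_end - text_end) >> PAGE_SHIFT` drops any sub-page remainder, which would leave the last page of the RW+x gap at 0xffffffff81775000-0xffffffff81800000 reported above still executable. The message should also state that widening the range from rodata_start to text_end covers exactly the unused space between __stop___ex_table and __start_rodata shown in the objdump output, and that nothing in that gap needs to stay executable.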



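The report above spots the W+X region by eye in /sys/kernel/debug/kernel_page_tables. The following is an added example, not code from the kernel or from anyone in this thread: a small Python checker that parses the dump's column layout (address range, size, flag columns, paging level), flags every range that is both RW and executable (x, i.e. NX clear), and names the nearest preceding linker symbol so the gap can be tied to a section boundary. The sample dump and symbol addresses are constructed from the figures quoted in the report; the level names, including p4d from later kernels, and the dict-based symbol table are assumptions of this example.

```python
"""Flag W+X regions in a Linux kernel_page_tables dump (added example)."""
import bisect

# Paging levels printed in the last column of kernel_page_tables.
# "p4d" is assumed for newer kernels; it does not appear in the 2015 dump.
LEVELS = {"pgd", "p4d", "pud", "pmd", "pte"}

# Constructed sample: the High Kernel Mapping lines quoted in the report.
SAMPLE_DUMP = """\
---[ High Kernel Mapping ]---
0xffffffff80000000-0xffffffff81000000          16M                               pmd
0xffffffff81000000-0xffffffff81600000           6M     ro         PSE     GLB x  pmd
0xffffffff81600000-0xffffffff81775000        1492K     ro                 GLB x  pte
0xffffffff81775000-0xffffffff81800000         556K     RW                 GLB x  pte
0xffffffff81800000-0xffffffff81a00000           2M     ro         PSE     GLB NX pmd
0xffffffff81a00000-0xffffffff81b43000        1292K     ro                 GLB NX pte
0xffffffff81b43000-0xffffffff82000000        4852K     RW                 GLB NX pte
0xffffffff82000000-0xffffffff82200000           2M     RW         PSE     GLB NX pmd
0xffffffff82200000-0xffffffffa0000000         478M                               pmd
"""

# Constructed sample: symbol addresses from the report's objdump output.
SAMPLE_SYMBOLS = {
    "__start___ex_table": 0xffffffff817728b0,
    "__stop___ex_table": 0xffffffff81774998,
    "__start_rodata": 0xffffffff81800000,
}


def parse_dump(text):
    """Return one dict per mapping line; section headers are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        # A mapping line is: <start>-<end> <size> [flags...] <level>
        if len(tokens) < 3 or tokens[-1] not in LEVELS or "-" not in tokens[0]:
            continue
        start_s, end_s = tokens[0].split("-", 1)
        try:
            start, end = int(start_s, 16), int(end_s, 16)
        except ValueError:
            continue
        entries.append({
            "start": start,
            "end": end,
            "size": tokens[1],
            "flags": set(tokens[2:-1]),   # empty for not-present ranges
            "level": tokens[-1],
        })
    return entries


def find_wx(entries):
    """Writable and executable: RW present and the x marker (NX clear) present."""
    return [e for e in entries if "RW" in e["flags"] and "x" in e["flags"]]


def nearest_symbol_at_or_below(addr, symbols):
    """Return (name, addr) of the highest symbol whose address is <= addr."""
    items = sorted(symbols.items(), key=lambda kv: kv[1])
    addrs = [a for _, a in items]
    i = bisect.bisect_right(addrs, addr) - 1
    return items[i] if i >= 0 else None


def report(text, symbols):
    """One line per W+X range, naming the symbol region it starts in."""
    lines = []
    for e in find_wx(parse_dump(text)):
        sym = nearest_symbol_at_or_below(e["start"], symbols)
        where = "after %s" % sym[0] if sym else "unknown symbol region"
        lines.append("W+X 0x%016x-0x%016x (%s, %s) %s"
                     % (e["start"], e["end"], e["size"], e["level"], where))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DUMP, SAMPLE_SYMBOLS):
        print(line)
```

On a live system the same functions can be fed the contents of /sys/kernel/debug/kernel_page_tables (debugfs mounted, CONFIG_X86_PTDUMP enabled) and a symbol table built from `nm vmlinux` or /proc/kallsyms; an empty result from find_wx is the expected healthy state.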