From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757481AbbI1OME (ORCPT ); Mon, 28 Sep 2015 10:12:04 -0400 Received: from emvm-gh1-uea09.nsa.gov ([63.239.67.10]:63477 "EHLO emvm-gh1-uea09.nsa.gov" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755837AbbI1OMB (ORCPT ); Mon, 28 Sep 2015 10:12:01 -0400 X-TM-IMSS-Message-ID: <2d1b136d0004e4fe@nsa.gov> Subject: Re: rwx mapping between ex_table and rodata To: Kees Cook References: <56045BC4.7000604@tycho.nsa.gov> <56045C8A.50102@tycho.nsa.gov> Cc: "x86@kernel.org" , lkml From: Stephen Smalley X-Enigmail-Draft-Status: N1110 Organization: National Security Agency Message-ID: <56094A89.1010703@tycho.nsa.gov> Date: Mon, 28 Sep 2015 10:11:21 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-TM-AS-MML: disable Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 09/24/2015 06:25 PM, Kees Cook wrote: > On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley wrote: >> Hi, >> >> With the attached config and 4.3-rc2 on x86_64, I see the following in /sys/kernel/debug/kernel_page_tables: >> ... >> ---[ High Kernel Mapping ]--- >> 0xffffffff80000000-0xffffffff81000000 16M pmd >> 0xffffffff81000000-0xffffffff81600000 6M ro PSE GLB x pmd >> 0xffffffff81600000-0xffffffff81775000 1492K ro GLB x pte >> 0xffffffff81775000-0xffffffff81800000 556K RW GLB x pte >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >> 0xffffffff81800000-0xffffffff81a00000 2M ro PSE GLB NX pmd >> 0xffffffff81a00000-0xffffffff81b43000 1292K ro GLB NX pte >> 0xffffffff81b43000-0xffffffff82000000 4852K RW GLB NX pte >> 0xffffffff82000000-0xffffffff82200000 2M RW PSE GLB NX pmd >> 0xffffffff82200000-0xffffffffa0000000 478M pmd >> ... >> >> This region seems to be between the end of ex_table and the start of rodata, >> $ objdump -x vmlinux | sort >> ... >> ffffffff817728b0 g __ex_table 0000000000000000 __start___ex_table >> ffffffff817728b0 l d __ex_table 0000000000000000 __ex_table >> ffffffff81774998 g __ex_table 0000000000000000 __stop___ex_table >> ffffffff81800000 g .rodata 0000000000000000 __start_rodata >> ffffffff81800000 l d .rodata 0000000000000000 .rodata >> ... >> >> $ readelf -a vmlinux >> ... >> Section Headers: >> [Nr] Name Type Address Offset >> Size EntSize Flags Link Info Align >> ... >> [ 3] __ex_table PROGBITS ffffffff817728b0 009728b0 >> 00000000000020e8 0000000000000000 A 0 0 8 >> [ 4] .rodata PROGBITS ffffffff81800000 00a00000 >> 00000000002eefd2 0000000000000000 A 0 0 64 >> ... >> >> I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so it isn't new to 4.3. > > To me it looks like another alignment/padding issue like got fixed > before. The space between __ex_table and rodata is (seems?) unused, so > the default page table permissions end up being W+X. Can we fix the > default to be NX instead? It'll make these bugs stay gone. Not sure where that would get fixed (or the ramifications), but is there a reason we can't just do the following to fix this particular case? diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c index 30564e2..df48430 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c @@ -1132,7 +1132,7 @@ void mark_rodata_ro(void) * has been zapped already via cleanup_highmem(). */ all_end = roundup((unsigned long)_brk_end, PMD_SIZE); - set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT); + set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT); rodata_test();