All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Russell King (Oracle)" <linux@armlinux.org.uk>
To: Tim Harvey <tharvey@gateworks.com>
Cc: Shawn Guo <shawnguo@kernel.org>,
	Fabio Estevam <festevam@gmail.com>,
	Pengutronix Kernel Team <kernel@pengutronix.de>,
	Linux ARM Mailing List <linux-arm-kernel@lists.infradead.org>,
	Lee Jones <lee.jones@linaro.org>,
	Robin Murphy <robin.murphy@arm.com>
Subject: Re: arm32 insecure W+X mapping
Date: Tue, 7 Sep 2021 20:22:39 +0100	[thread overview]
Message-ID: <YTe7/1OXxyWv8RMc@shell.armlinux.org.uk> (raw)
In-Reply-To: <CAJ+vNU09ux-aoohB1TpdnPesg8MHzH=ZZDEvAHsajX7+UDRQ0g@mail.gmail.com>

On Tue, Sep 07, 2021 at 10:48:49AM -0700, Tim Harvey wrote:
> On Fri, Aug 20, 2021 at 11:41 AM Tim Harvey <tharvey@gateworks.com> wrote:
> > # uname -r
> > 5.13.12
> > # cat /proc/cmdline
> > console=ttymxc1,115200 no_hash_pointers
> > # echo 1 > /proc/sys/kernel/kptr_restrict
> > # dmesg | grep insecure
> > [   13.247957] arm/mm: Found insecure W+X mapping at address 0xf087d000
> > # cat /proc/vmallocinfo | grep 0xf087d000
> > 0xf0878000-0xf087d000   20480 of_iomap+0x44/0x68 phys=0x021b0000 ioremap
> > 0xf087d000-0xf087f000    8192 imx6_pm_common_init+0x118/0x36c
> > phys=0x00900000 ioremap
> >
> > Some debugging showed me that 0xf087d000 is 'suspend_ocram_base'
> > remapped from imx6q_suspend_init() (called form imx6_pm_common_init()
> > [1]
> > suspend_ocram_base = __arm_ioremap_exec(ocram_pbase,
> > MX6Q_SUSPEND_OCRAM_SIZE, false);
> >
> > This should be throwing 'Checked W+X mappings: FAILED, 1 W+X pages
> > found' messages for all IMX6 users that have CONFIG_SUSPEND and
> > CONFIG_DEBUG_WX enabled so I'm adding the IMX6 players to the thread
> > to see if they know why this happens.
> >
> 
> Shawn, Fabio and Pengutronix Kernel team,
> 
> Do you know why we get 'Checked W+X mappings: FAILED, 1 W+X pages
> found' messages for IMX6 with CONFIG_SUSPEND and CONFIG_DEBUG_WX
> enabled due to to __arm_ioremap_exec call remapping ocram? [1]

The current situation looks like the OCRAM is used to store some
suspend/resume code (see arch/arm/mach-imx/suspend-imx6.S), along
with some data.

It looks like once the code has been copied and the data has been
written, the mapping is left as-is - it isn't changed to be
read-only-execute. However, I don't think we have any APIs to do
that on iomem.

set_memory_ro() could be leveraged to do it _if_ we are certain
the memory is not mapped using a section mapping, but that would
depend on the size and alignment of the mapping.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 40Mbps down 10Mbps up. Decent connectivity at last!

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

  reply	other threads:[~2021-09-07 19:26 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-19 17:19 arm32 insecure W+X mapping Tim Harvey
2021-08-19 21:28 ` Russell King (Oracle)
2021-08-19 23:59   ` Tim Harvey
2021-08-20  0:16     ` Russell King (Oracle)
2021-08-20 16:06       ` Tim Harvey
2021-08-20 17:48         ` Robin Murphy
2021-08-20 18:41           ` Tim Harvey
2021-09-07 17:48             ` Tim Harvey
2021-09-07 19:22               ` Russell King (Oracle) [this message]
2021-09-15  9:44               ` Fabio Estevam
2021-09-15 15:07                 ` Tim Harvey
2021-09-20 16:22                 ` Russell King (Oracle)
2021-09-20 20:56                   ` Tim Harvey
2021-09-20 21:13                     ` Russell King (Oracle)
2021-09-20 22:53                       ` Tim Harvey
2021-09-20 23:12                         ` Fabio Estevam
2021-09-20 23:19                         ` Russell King (Oracle)
2021-09-21  0:21                           ` Fabio Estevam
2021-09-21 15:13                             ` Russell King (Oracle)
2021-09-22  3:37                           ` Shawn Guo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YTe7/1OXxyWv8RMc@shell.armlinux.org.uk \
    --to=linux@armlinux.org.uk \
    --cc=festevam@gmail.com \
    --cc=kernel@pengutronix.de \
    --cc=lee.jones@linaro.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=robin.murphy@arm.com \
    --cc=shawnguo@kernel.org \
    --cc=tharvey@gateworks.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.