From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Brown Subject: Re: [PATCH] ARM: vdso: Mark vDSO code as read-only Date: Tue, 16 Feb 2016 22:20:10 -0700 Message-ID: <20160217052010.GA49233@davidb.org> References: <1453226922-16831-1-git-send-email-keescook@chromium.org> <20160216213659.GA47194@davidb.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Return-path: Received: from mail-io0-f169.google.com ([209.85.223.169]:35610 "EHLO mail-io0-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751583AbcBQFUO (ORCPT ); Wed, 17 Feb 2016 00:20:14 -0500 Received: by mail-io0-f169.google.com with SMTP id g203so24133380iof.2 for ; Tue, 16 Feb 2016 21:20:13 -0800 (PST) Content-Disposition: inline In-Reply-To: Sender: linux-arch-owner@vger.kernel.org List-ID: To: Kees Cook Cc: Russell King , "linux-arm-kernel@lists.infradead.org" , "kernel-hardening@lists.openwall.com" , Ingo Molnar , Andy Lutomirski , "H. Peter Anvin" , Michael Ellerman , Mathias Krause , Thomas Gleixner , "x86@kernel.org" , Arnd Bergmann , PaX Team , Emese Revfy , LKML , linux-arch On Tue, Feb 16, 2016 at 01:52:33PM -0800, Kees Cook wrote: >On Tue, Feb 16, 2016 at 1:36 PM, David Brown wrote: >> Although the arm vDSO is cleanly separated by code/data with the code >> being read-only in userspace mappings, the code page is still writable >> from the kernel. There have been exploits (such as >> http://itszn.com/blog/?p=21) that take advantage of this on x86 to go >> from a bad kernel write to full root. >> >> Prevent this specific exploit on arm by putting the vDSO code page in >> post-init read-only memory as well. > >Is the vdso dynamically built at init time like on x86, or can this >just use .rodata directly? On ARM, it is patched during init. Arm64's is just plain read-only. David