public inbox for linux-arm-kernel@lists.infradead.org
From: arnd@arndb.de (Arnd Bergmann)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 2/2] arm: apply more __ro_after_init
Date: Wed, 10 Aug 2016 21:41:23 +0200
Message-ID: <2760702.46Rp2Juk5b@wuerfel>
In-Reply-To: <CAGXu5j+9saxwnKTK_vdnLCuXdbvUqQWXkbxOu8QrzB9SHmQGYA@mail.gmail.com>

On Wednesday, August 10, 2016 11:32:07 AM CEST Kees Cook wrote:
> On Wed, Aug 10, 2016 at 2:43 AM, Russell King - ARM Linux
> <linux@armlinux.org.uk> wrote:
> > On Fri, Jun 03, 2016 at 11:40:24AM -0700, Kees Cook wrote:
> >> @@ -1309,16 +1309,11 @@ void __init arm_mm_memblock_reserve(void)
> >>   * Any other function or debugging method which may touch any device _will_
> >>   * crash the kernel.
> >>   */
> >> +static char vectors[PAGE_SIZE * 2] __ro_after_init __aligned(PAGE_SIZE);
> >>  static void __init devicemaps_init(const struct machine_desc *mdesc)
> >>  {
> >>       struct map_desc map;
> >>       unsigned long addr;
> >> -     void *vectors;
> >> -
> >> -     /*
> >> -      * Allocate the vector page early.
> >> -      */
> >> -     vectors = early_alloc(PAGE_SIZE * 2);
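Review bot: marking vectors __ro_after_init is wrong for this buffer, because it is still written after init: set_fiq_handler() copies a new FIQ handler into the vector page at runtime, so once the section has been made read-only that store faults and takes the kernel down on any machine that actually installs a FIQ handler. Drop this chunk and keep the early_alloc(PAGE_SIZE * 2) buffer until the post-init writers (FIQ, and the TLS emulation through the fixed mapping) are reworked to go through a mapping that stays writable.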
> >
> > This one is not appropriate.  We _do_ write to these pages after init
> > for FIQ handler updates.  See set_fiq_handler().
> 
> Ah, interesting. I guess none of that hardware is being tested on
> linux-next.

Right. The OMAP1 Amstrad Delta is a somewhat obscure machine, and that
would be the most likely candidate to run into this.

RiscPC also has FIQ support, but I have not heard of anyone other
than Russell still using one with a modern kernel, and I doubt he
tests linux-next on it.

The s3c24xx and imx machines that could use FIQ probably don't
use it in practice; last time I checked, I didn't see any DTS file
or platform data definition in the kernel that activated that
code path.

> I'll drop that chunk and resubmit.

Good enough for now, but it may be worth revisiting this, as the
vector page might be a good target for an attack if you have a
way to overwrite a few bytes in the kernel.

Note that there are two mappings for the pages, and as Russell
mentioned, the TLS emulation writes to the other one that is
at a fixed virtual address.

It might be better to start by making the fixed mapping readonly,
as KASLR doesn't protect that one at all, and change the TLS
code accordingly.

	Arnd

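The failure mode discussed in this thread, as an added userspace model written for this page (it is not kernel code and not part of the patch): a two-page buffer standing in for vectors is writable during "init", is then sealed with mprotect(PROT_READ), which stands in for the kernel making .data..ro_after_init read-only at the end of boot, and a later store into it faults. The fault is caught with a SIGSEGV handler and siglongjmp so the program can report it instead of dying, where the kernel would simply crash. The function names, the 0xe7 filler bytes and the use of mmap/mprotect/SIGSEGV as stand-ins for section permissions and a kernel fault are all this example's own assumptions.

```c
/* Added example for this thread (not kernel code): a userspace model of
 * __ro_after_init. A two-page buffer standing in for "vectors" is writable
 * during init, is then sealed with mprotect(PROT_READ) (the kernel does the
 * equivalent for .data..ro_after_init at the end of boot), and a later store
 * into it faults. SIGSEGV is caught with siglongjmp so the program can
 * report the fault instead of dying. Function names are this example's own. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static unsigned char *vectors;   /* stand-in for the patch's vectors[] */
static size_t vectors_len;

static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Early init: allocate the two pages and fill them, like early_alloc() plus
 * the vector/stub copy in devicemaps_init(). The 0xe7 filler is constructed
 * for the example; it is not the real vector code. */
static int vectors_init(void)
{
    long page = sysconf(_SC_PAGESIZE);

    if (page <= 0)
        return -1;
    vectors_len = (size_t)page * 2;
    vectors = mmap(NULL, vectors_len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (vectors == MAP_FAILED)
        return -1;
    memset(vectors, 0xe7, vectors_len);
    return 0;
}

/* End of init: drop write permission on the buffer. */
static int vectors_seal(void)
{
    return mprotect(vectors, vectors_len, PROT_READ);
}

/* Store one byte into the buffer and report whether it faulted (1) or
 * landed (0). After sealing, this is what a set_fiq_handler()-style
 * late update, or an attacker's write, runs into. */
static int try_write(size_t off, unsigned char val)
{
    struct sigaction sa, old;
    volatile unsigned char *p = vectors;
    volatile int faulted;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);

    if (sigsetjmp(fault_env, 1) == 0) {
        p[off] = val;          /* faults once the pages are read-only */
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Full sequence. Returns 1 when the post-init write faulted as intended,
 * 0 if it silently succeeded, negative on a setup error. */
static int ro_after_init_demo(void)
{
    if (vectors_init() != 0)
        return -1;
    if (try_write(0, 0xff) != 0)   /* during init: must succeed */
        return -2;
    if (vectors_seal() != 0)
        return -3;
    return try_write(0, 0x00);     /* after init: must fault */
}

int main(void)
{
    int r = ro_after_init_demo();

    printf("write after sealing %s (rc=%d)\n",
           r == 1 ? "faulted" : "did not fault", r);
    return r == 1 ? 0 : 1;
}
```

The second try_write() is the point of the thread: with the page sealed, any late writer, whether set_fiq_handler() updating the FIQ vector or an attacker who can overwrite a few bytes of the kernel, hits the same fault. The protection only helps when every legitimate post-init writer has been moved to a separate, still-writable alias of the pages, which is why Arnd suggests protecting the fixed-address mapping first and adjusting the TLS code rather than the backing buffer.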