From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756738AbbJATlZ (ORCPT ); Thu, 1 Oct 2015 15:41:25 -0400 Received: from mail.skyhub.de ([78.46.96.112]:59768 "EHLO mail.skyhub.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755306AbbJATlY (ORCPT ); Thu, 1 Oct 2015 15:41:24 -0400 Date: Thu, 1 Oct 2015 21:41:21 +0200 From: Borislav Petkov To: Kees Cook Cc: Stephen Smalley , "x86@kernel.org" , LKML Subject: Re: [RFC][PATCH] x86/mm: warn on W+x mappings Message-ID: <20151001194121.GC3764@pd.tnic> References: <1443716923-6072-1-git-send-email-sds@tycho.nsa.gov> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 01, 2015 at 12:24:25PM -0700, Kees Cook wrote: > On Thu, Oct 1, 2015 at 9:28 AM, Stephen Smalley wrote: > > Warn on any residual W+x mappings if X86_PTDUMP is enabled. > > > > Sample dmesg output: > > Checking for W+x mappings > > 0xffffffff81755000-0xffffffff81800000 684K RW GLB x pte > > Found W+x mappings. Please fix. > > > > Signed-off-by: Stephen Smalley > > --- > > Not sure if this is the best place to put this check. > > It must occur after free_init_pages() or it won't catch the > > W+x case for the gap between __ex_table and rodata. > > Yeah. Hmm. I want this test for sure, but I'd like to be able to do > with without needing PTDUMP, since that puts a very sensitive file in > debugfs. I wonder if we can reuse the same code, but only expose the > page tables to userspace with PTDUMP? So make it a debugging option like CONFIG_EFI_PGT_DUMP and let it dump the pagetable in dmesg during boot, at the exact point you want it to. Then one can grep dmesg for W+x bits or whatever else... -- Regards/Gruss, Boris. ECO tip #101: Trim your mails when you reply.