From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756365AbcBQFUQ (ORCPT ); Wed, 17 Feb 2016 00:20:16 -0500 Received: from mail-io0-f172.google.com ([209.85.223.172]:32999 "EHLO mail-io0-f172.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751179AbcBQFUO (ORCPT ); Wed, 17 Feb 2016 00:20:14 -0500 Date: Tue, 16 Feb 2016 22:20:10 -0700 From: David Brown To: Kees Cook Cc: Russell King , "linux-arm-kernel@lists.infradead.org" , "kernel-hardening@lists.openwall.com" , Ingo Molnar , Andy Lutomirski , "H. Peter Anvin" , Michael Ellerman , Mathias Krause , Thomas Gleixner , "x86@kernel.org" , Arnd Bergmann , PaX Team , Emese Revfy , LKML , linux-arch Subject: Re: [PATCH] ARM: vdso: Mark vDSO code as read-only Message-ID: <20160217052010.GA49233@davidb.org> References: <1453226922-16831-1-git-send-email-keescook@chromium.org> <20160216213659.GA47194@davidb.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 16, 2016 at 01:52:33PM -0800, Kees Cook wrote: >On Tue, Feb 16, 2016 at 1:36 PM, David Brown wrote: >> Although the arm vDSO is cleanly separated by code/data with the code >> being read-only in userspace mappings, the code page is still writable >> from the kernel. There have been exploits (such as >> http://itszn.com/blog/?p=21) that take advantage of this on x86 to go >> from a bad kernel write to full root. >> >> Prevent this specific exploit on arm by putting the vDSO code page in >> post-init read-only memory as well. > >Is the vdso dynamically built at init time like on x86, or can this >just use .rodata directly? On ARM, it is patched during init. Arm64's is just plain read-only. David