From: Arnd Bergmann
To: linux-arm-kernel@lists.infradead.org
Cc: Kees Cook, Russell King - ARM Linux, linux-arch, Ard Biesheuvel, x86@kernel.org, LKML, kernel-hardening@lists.openwall.com, Andrew Morton, Mathias Krause
Subject: Re: [PATCH 2/2] arm: apply more __ro_after_init
Date: Wed, 10 Aug 2016 21:41:23 +0200
Message-ID: <2760702.46Rp2Juk5b@wuerfel>
References: <1464979224-2085-1-git-send-email-keescook@chromium.org> <20160810094339.GK1041@n2100.armlinux.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wednesday, August 10, 2016 11:32:07 AM CEST Kees Cook wrote:
> On Wed, Aug 10, 2016 at 2:43 AM, Russell King - ARM Linux wrote:
> > On Fri, Jun 03, 2016 at 11:40:24AM -0700, Kees Cook wrote:
> >> @@ -1309,16 +1309,11 @@ void __init arm_mm_memblock_reserve(void)
> >> * Any other function or debugging method which may touch any device _will_
> >> * crash the kernel.
> >> */
> >> +static char vectors[PAGE_SIZE * 2] __ro_after_init __aligned(PAGE_SIZE);
> >> static void __init devicemaps_init(const struct machine_desc *mdesc)
> >> {
> >> struct map_desc map;
> >> unsigned long addr;
> >> - void *vectors;
> >> -
> >> - /*
> >> - * Allocate the vector page early.
> >> - */
> >> - vectors = early_alloc(PAGE_SIZE * 2);
> >
> > This one is not appropriate. We _do_ write to these pages after init
> > for FIQ handler updates. See set_fiq_handler().
>
> Ah, interesting. I guess none of that hardware is being tested on
> linux-next.

Right. The OMAP1 Amstrad Delta is a somewhat obscure machine, and that
would be the most likely candidate to run into this. RiscPC also has FIQ
support, but I have not heard of anyone other than Russell still using one
with a modern kernel, and I doubt he tests linux-next on it. The s3c24xx
and imx machines that could use FIQ probably don't use it in practice;
last time I checked, I didn't see any DTS file or platform data definition
in the kernel that activated that code path.

> I'll drop that chunk and resubmit.

Good enough for now, but it may be worth revisiting this, as the vector
page might be a good target for an attack if you have a way to overwrite
a few bytes in the kernel.

Note that there are two mappings for the pages, and as Russell mentioned,
the TLS emulation writes to the other one that is at a fixed virtual
address. It might be better to start by making the fixed mapping
read-only, as KASLR doesn't protect that one at all, and change the TLS
code accordingly.

	Arnd
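Review bot: the added `+static char vectors[PAGE_SIZE * 2] __ro_after_init __aligned(PAGE_SIZE);` turns the vector pages read-only once init finishes, but the reply in this thread points out that set_fiq_handler() still writes into these pages after init to install FIQ handlers, so on a platform that uses FIQ that late write would fault on write-protected memory. The chunk should be dropped, as agreed below, or the FIQ update path changed to stop writing into this buffer before __ro_after_init can be applied. Two smaller points: the hunk changes `vectors` from the local `void *vectors;` to a file-scope `char[]`, and the remaining uses of `vectors` in devicemaps_init() are not shown, so confirm they still compile and behave with an array name; and the removed comment `Allocate the vector page early.` was the only explanation of why this buffer exists, so if the static array is reinstated it should carry a comment stating what writes to it and when.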
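The hazard Russell describes, modelled in user space as an added example (not kernel code and not from the patch): a two-page buffer is filled during "init", sealed read-only the way __ro_after_init data is once init completes, and a later write standing in for set_fiq_handler() faults instead of landing. The names vectors_init(), vectors_seal(), try_write() and vec_byte() and the 0xEA filler are constructed for this illustration.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define VEC_PAGES 2                 /* PAGE_SIZE * 2, as in the patch */

static unsigned char *vectors;      /* hypothetical stand-in for the vector page */
static size_t vec_size;
static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);       /* unwind back into try_write() */
}

/* "Early init": allocate the two pages and install constructed filler bytes. */
int vectors_init(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    vec_size = page * VEC_PAGES;
    vectors = mmap(NULL, vec_size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (vectors == MAP_FAILED)
        return -1;
    memset(vectors, 0xEA, vec_size);
    return 0;
}

/* End of init: the user-space equivalent of write-protecting __ro_after_init data. */
int vectors_seal(void)
{
    return mprotect(vectors, vec_size, PROT_READ);
}

/* A write like set_fiq_handler() would make.  Returns 0 if the store landed,
 * 1 if it faulted because the pages were already sealed. */
int try_write(size_t off, unsigned char val)
{
    struct sigaction sa, old;
    int faulted = 1;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0) {
        vectors[off] = val;         /* faults after vectors_seal() */
        faulted = 0;
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

unsigned char vec_byte(size_t off) { return vectors[off]; }
```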