leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7abc7d833c
linux/arch/arm64/kernel
History
David Brown 88d8a7994e arm64: vdso: Mark vDSO code as read-only 
Although the arm64 vDSO is cleanly separated by code/data with the
code being read-only in userspace mappings, the code page is still
writable from the kernel.  There have been exploits (such as
http://itszn.com/blog/?p=21) that take advantage of this on x86 to go
from a bad kernel write to full root.

Prevent this specific exploit on arm64 by putting the vDSO code page
in read-only memory as well.

Before the change:
[    3.138366] vdso: 2 pages (1 code @ ffffffc000a71000, 1 data @ ffffffc000a70000)
---[ Kernel Mapping ]---
0xffffffc000000000-0xffffffc000082000         520K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000082000-0xffffffc000200000        1528K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc000200000-0xffffffc000800000           6M     ro x  SHD AF        BLK UXN MEM/NORMAL
0xffffffc000800000-0xffffffc0009b6000        1752K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc0009b6000-0xffffffc000c00000        2344K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000c00000-0xffffffc008000000         116M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc00c000000-0xffffffc07f000000        1840M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc800000000-0xffffffc840000000           1G     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc840000000-0xffffffc87ae00000         942M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87ae00000-0xffffffc87ae70000         448K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af80000-0xffffffc87af8a000          40K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af8b000-0xffffffc87b000000         468K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87b000000-0xffffffc87fe00000          78M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87fe00000-0xffffffc87ff50000        1344K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87ff90000-0xffffffc87ffa0000          64K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87fff0000-0xffffffc880000000          64K     RW NX SHD AF            UXN MEM/NORMAL

After:
[    3.138368] vdso: 2 pages (1 code @ ffffffc0006de000, 1 data @ ffffffc000a74000)
---[ Kernel Mapping ]---
0xffffffc000000000-0xffffffc000082000         520K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000082000-0xffffffc000200000        1528K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc000200000-0xffffffc000800000           6M     ro x  SHD AF        BLK UXN MEM/NORMAL
0xffffffc000800000-0xffffffc0009b8000        1760K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc0009b8000-0xffffffc000c00000        2336K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000c00000-0xffffffc008000000         116M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc00c000000-0xffffffc07f000000        1840M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc800000000-0xffffffc840000000           1G     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc840000000-0xffffffc87ae00000         942M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87ae00000-0xffffffc87ae70000         448K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af80000-0xffffffc87af8a000          40K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af8b000-0xffffffc87b000000         468K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87b000000-0xffffffc87fe00000          78M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87fe00000-0xffffffc87ff50000        1344K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87ff90000-0xffffffc87ffa0000          64K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87fff0000-0xffffffc880000000          64K     RW NX SHD AF            UXN MEM/NORMAL

Inspired by https://lkml.org/lkml/2016/1/19/494 based on work by the
PaX Team, Brad Spengler, and Kees Cook.

Signed-off-by: David Brown <david.brown@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
[catalin.marinas@arm.com: removed superfluous __PAGE_ALIGNED_DATA]
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2016-02-16 18:20:23 +00:00
..
vdso arm64: vdso: Mark vDSO code as read-only 2016-02-16 18:20:23 +00:00
.gitignore
acpi_parking_protocol.c arm64: kernel: implement ACPI parking protocol 2016-02-16 15:12:32 +00:00
acpi.c Power management and ACPI updates for v4.4-rc1 2015-11-04 18:10:13 -08:00
alternative.c arm64: mm: fold alternatives into .init 2015-12-10 17:36:08 +00:00
arm64ksyms.c ARM: 8480/2: arm64: add implementation for arm-smccc 2016-01-04 16:24:45 +00:00
armv8_deprecated.c arm64: add __init/__initdata section marker to some functions/variables 2015-12-02 12:17:11 +00:00
asm-offsets.c * s390: Support for runtime instrumentation within guests, 2016-01-12 13:22:12 -08:00
cacheinfo.c arm64: kernel: add support for cpu cache information 2015-01-15 11:55:07 +00:00
cpu_errata.c arm64: prefetch: add alternative pattern for CPUs without a prefetcher 2016-02-16 15:12:32 +00:00
cpu_ops.c arm64: kernel: implement ACPI parking protocol 2016-02-16 15:12:32 +00:00
cpufeature.c arm64: prefetch: add alternative pattern for CPUs without a prefetcher 2016-02-16 15:12:32 +00:00
cpuidle.c arm64: cpuidle: add __init section marker to arm_cpuidle_init 2015-07-02 17:44:27 +01:00
cpuinfo.c arm64: restore bogomips information in /proc/cpuinfo 2015-11-19 17:57:18 +00:00
debug-monitors.c arm64: replace read_lock to rcu lock in call_step_hook 2016-02-16 15:40:45 +00:00
efi-entry.S arm64/efi: isolate EFI stub from the kernel proper 2015-10-12 16:20:12 +01:00
efi.c arm64/efi: refactor EFI init and runtime code for reuse by 32-bit ARM 2015-12-09 16:57:23 +00:00
entry32.S arm64: entry32: remove pointless register assignment 2015-07-10 16:47:13 +01:00
entry-fpsimd.S arm64: fpsimd: fix a typo in fpsimd_save_partial_state ENDPROC 2014-07-31 11:42:42 +01:00
entry-ftrace.S arm64: ftrace: fix function_graph tracer panic 2015-10-02 11:12:56 +01:00
entry.S arm64: entry: remove pointless SPSR mode check 2016-01-06 15:40:38 +00:00
fpsimd.c arm64: add __init/__initdata section marker to some functions/variables 2015-12-02 12:17:11 +00:00
ftrace.c arm64: ftrace: modify a stack frame in a safe way 2015-12-21 17:26:01 +00:00
head.S arm64: mm: place empty_zero_page in bss 2016-02-16 15:10:44 +00:00
hw_breakpoint.c arm64: Fix missing #include in hw_breakpoint.c 2015-10-12 12:10:53 +01:00
hyp-stub.S irqchip: gic-v3: Initial support for GICv3 2014-07-08 22:11:47 +00:00
image.h arm64: hide __efistub_ aliases from kallsyms 2016-01-25 11:09:04 +00:00
insn.c arm64: insn: remove BUG_ON from codegen 2016-01-17 19:15:26 -05:00
io.c arm64: optimize memcpy_{from,to}io() and memset_io() 2014-11-06 17:25:27 +00:00
irq.c arm64: remove irq_count and do_softirq_own_stack() 2015-12-21 17:26:01 +00:00
jump_label.c jump_label: Rename JUMP_LABEL_{EN,DIS}ABLE to JUMP_LABEL_{JMP,NOP} 2015-08-03 11:34:12 +02:00
kgdb.c arm64/debug: Simplify BRK insn opcode declarations 2015-07-27 11:08:42 +01:00
kuser32.S arm64: Add __NR_* definitions for compat syscalls 2014-07-10 11:02:40 +01:00
Makefile arm64: kernel: implement ACPI parking protocol 2016-02-16 15:12:32 +00:00
module.c arm64: module: avoid undefined shift behavior in reloc_data() 2016-01-05 11:27:20 +00:00
paravirt.c arm64: introduce CONFIG_PARAVIRT, PARAVIRT_TIME_ACCOUNTING and pv_time_ops 2015-12-21 14:40:54 +00:00
pci.c ARM64: PCI: do not enable resources on PROBE_ONLY systems 2015-07-30 20:17:07 +01:00
perf_callchain.c arm64: ftrace: fix a stack tracer's output under function graph tracer 2015-12-21 17:26:02 +00:00
perf_event.c arm64: perf: add support for Cortex-A72 2015-12-22 14:45:35 +00:00
perf_regs.c perf: Move task_pt_regs sampling into arch code 2015-01-09 11:12:28 +01:00
process.c arm64: ftrace: fix a stack tracer's output under function graph tracer 2015-12-21 17:26:02 +00:00
psci.c drivers: firmware: psci: move power_state handling to generic code 2015-10-02 14:35:16 +01:00
ptrace.c arm64: Clear out any singlestep state on a ptrace detach operation 2015-12-07 17:48:21 +00:00
return_address.c arm64: ftrace: fix a stack tracer's output under function graph tracer 2015-12-21 17:26:02 +00:00
setup.c arm64: unmap idmap earlier 2016-02-16 15:10:45 +00:00
signal32.c arm64: compat: fix vfp save/restore across signal handlers in big-endian 2015-09-17 11:57:03 +01:00
signal.c arm64: Removed unused variable 2015-04-13 20:40:10 +02:00
sleep.S arm64: Store struct thread_info in sp_el0 2015-12-08 11:40:48 +00:00
smccc-call.S ARM: 8480/2: arm64: add implementation for arm-smccc 2016-01-04 16:24:45 +00:00
smp_spin_table.c ARM64: kernel: make cpu_ops hooks DT agnostic 2015-05-19 16:09:29 +01:00
smp.c arm64: kernel: implement ACPI parking protocol 2016-02-16 15:12:32 +00:00
stacktrace.c arm64: ftrace: fix a stack tracer's output under function graph tracer 2015-12-21 17:26:02 +00:00
suspend.c arm64: unify idmap removal 2016-02-16 15:10:44 +00:00
sys32.c arm64: fix implementation of mmap2 compat syscall 2015-03-19 10:43:51 +00:00
sys_compat.c arm64: compat: align cacheflush syscall with arch/arm 2014-12-01 13:31:12 +00:00
sys.c arm64: make sys_call_table const 2015-01-27 09:38:08 +00:00
time.c arm64: ftrace: fix a stack tracer's output under function graph tracer 2015-12-21 17:26:02 +00:00
topology.c arm64: kernel: remove non-legit DT warnings when booting using ACPI 2015-07-27 11:08:41 +01:00
trace-events-emulation.h arm64: Trace emulation of AArch32 legacy instructions 2014-11-20 16:35:02 +00:00
traps.c arm64: traps: address fallout from printk -> pr_* conversion 2015-12-21 17:26:02 +00:00
vdso.c arm64: VDSO: fix coarse clock monotonicity regression 2015-08-10 15:37:45 +01:00
vmlinux.lds.S arm64: ensure _stext and _etext are page-aligned 2016-02-16 15:10:46 +00:00