On Thu, Feb 22, 2018 at 12:37 PM, Dave Hansen <[email protected]> wrote: > > From: Dave Hansen <[email protected]> > > __ro_after_init data gets stuck in the .rodata section. That's normally > fine because the kernel itself manages the R/W properties. > > But, if we run __change_page_attr() on an area which is __ro_after_init, > the .rodata checks will trigger and force the area to be immediately > read-only, even if it is early-ish in boot. This caused problems when > trying to clear the _PAGE_GLOBAL bit for these area in the PTI code: > it cleared _PAGE_GLOBAL like I asked, but also took it up on itself > to clear _PAGE_RW. The kernel then oopses the next time it wrote to > a __ro_after_init data structure. > > To fix this, add the kernel_set_to_readonly check, just like we have > for kernel text, just a few lines below in this function.
Yup, looks sensible. Thanks! > > Signed-off-by: Dave Hansen <[email protected]> > Cc: Andrea Arcangeli <[email protected]> > Cc: Andy Lutomirski <[email protected]> > Cc: Linus Torvalds <[email protected]> > Cc: Kees Cook <[email protected]> > Cc: Hugh Dickins <[email protected]> > Cc: Juergen Gross <[email protected]> > Cc: [email protected] > Cc: Nadav Amit <[email protected]> Acked-by: Kees Cook <[email protected]> -Kees > --- > > b/arch/x86/mm/pageattr.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff -puN arch/x86/mm/pageattr.c~check-kernel_set_to_readonly > arch/x86/mm/pageattr.c > --- a/arch/x86/mm/pageattr.c~check-kernel_set_to_readonly 2018-02-22 > 12:36:21.531036546 -0800 > +++ b/arch/x86/mm/pageattr.c 2018-02-22 12:36:21.535036546 -0800 > @@ -298,9 +298,11 @@ static inline pgprot_t static_protection > > /* > * The .rodata section needs to be read-only. Using the pfn > - * catches all aliases. > + * catches all aliases. This also includes __ro_after_init, > + * so do not enforce until kernel_set_to_readonly is true. > */ > - if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, > + if (kernel_set_to_readonly && > + within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, > __pa_symbol(__end_rodata) >> PAGE_SHIFT)) > pgprot_val(forbidden) |= _PAGE_RW; > > _ -- Kees Cook Pixel Security
