Re: rwx mapping between ex_table and rodata

2015-10-02 Thread Ingo Molnar

* Kees Cook  wrote:

> On Thu, Oct 1, 2015 at 2:12 AM, Ingo Molnar  wrote:
> >
> > * Thomas Gleixner  wrote:
> >
> >> On Mon, 28 Sep 2015, Kees Cook wrote:
> >> > > --- a/arch/x86/mm/init_64.c
> >> > > +++ b/arch/x86/mm/init_64.c
> >> > > @@ -1132,7 +1132,7 @@ void mark_rodata_ro(void)
> >> > >  * has been zapped already via cleanup_highmem().
> >> > >  */
> >> > > all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
> >> > > -   set_memory_nx(rodata_start, (all_end - rodata_start) >> 
> >> > > PAGE_SHIFT);
> >> > > +   set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT);
> >> > >
> >> > > rodata_test();
> >> > >
> >> > >
> >> >
> >> > That should work, yeah. I'd still like to find the default permissions and
> >> > make them W+nx, though. Regardless, let's get the above added.
> >>
> >> The default permissions are set at boot time when setting up the early page
> >> tables. When we split them up later on we inherit the PTE bits and then we do
> >> that _ro/nx cleanup after the overall layout has been settled.
> >>
> >> We can't make them W+nx in the early setup without shooting ourself in the foot,
> >> because we only set up at the pud/pmd level.
> >
> > So I think at minimum we should do a (debug) scan in late init, of the whole
> > range, for any leftover WX permissions? That would have caught this bug. (and
> > might catch other existing bugs that might occur with various configs/hw-layouts.)
> 
> I think this would be great. I'd like to disassociate it from PTDUMP,
> though, since that exposes kernel address to userspace. It'd be nice
> to have the check without also the debugfs entry.

Yeah, so it could still use pretty much the same code, except no registry in 
/debug?

Thanks,

Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


Re: rwx mapping between ex_table and rodata

2015-10-01 Thread Kees Cook
On Thu, Oct 1, 2015 at 2:12 AM, Ingo Molnar  wrote:
>
> * Thomas Gleixner  wrote:
>
>> On Mon, 28 Sep 2015, Kees Cook wrote:
>> > > --- a/arch/x86/mm/init_64.c
>> > > +++ b/arch/x86/mm/init_64.c
>> > > @@ -1132,7 +1132,7 @@ void mark_rodata_ro(void)
>> > >  * has been zapped already via cleanup_highmem().
>> > >  */
>> > > all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
>> > > -   set_memory_nx(rodata_start, (all_end - rodata_start) >> 
>> > > PAGE_SHIFT);
>> > > +   set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT);
>> > >
>> > > rodata_test();
>> > >
>> > >
>> >
>> > That should work, yeah. I'd still like to find the default permissions and
>> > make them W+nx, though. Regardless, let's get the above added.
>>
>> The default permissions are set at boot time when setting up the early page
>> tables. When we split them up later on we inherit the PTE bits and then we do
>> that _ro/nx cleanup after the overall layout has been settled.
>>
>> We can't make them W+nx in the early setup without shooting ourself in the foot,
>> because we only set up at the pud/pmd level.
>
> So I think at minimum we should do a (debug) scan in late init, of the whole
> range, for any leftover WX permissions? That would have caught this bug. (and
> might catch other existing bugs that might occur with various configs/hw-layouts.)

I think this would be great. I'd like to disassociate it from PTDUMP,
though, since that exposes kernel address to userspace. It'd be nice
to have the check without also the debugfs entry.

-Kees

-- 
Kees Cook
Chrome OS Security


Re: rwx mapping between ex_table and rodata

2015-10-01 Thread Ingo Molnar

* Thomas Gleixner  wrote:

> On Mon, 28 Sep 2015, Kees Cook wrote:
> > > --- a/arch/x86/mm/init_64.c
> > > +++ b/arch/x86/mm/init_64.c
> > > @@ -1132,7 +1132,7 @@ void mark_rodata_ro(void)
> > >  * has been zapped already via cleanup_highmem().
> > >  */
> > > all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
> > > -   set_memory_nx(rodata_start, (all_end - rodata_start) >> 
> > > PAGE_SHIFT);
> > > +   set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT);
> > >
> > > rodata_test();
> > >
> > >
> > 
> > That should work, yeah. I'd still like to find the default permissions and 
> > make them W+nx, though. Regardless, let's get the above added.
> 
> The default permissions are set at boot time when setting up the early page 
> tables. When we split them up later on we inherit the PTE bits and then we do 
> that _ro/nx cleanup after the overall layout has been settled.
> 
> We can't make them W+nx in the early setup without shooting ourself in the foot,
> because we only set up at the pud/pmd level.

So I think at minimum we should do a (debug) scan in late init, of the whole 
range, for any leftover WX permissions? That would have caught this bug. (and 
might catch other existing bugs that might occur with various 
configs/hw-layouts.)

Thanks,

Ingo
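
The scan proposed in this message, sketched as an added userspace example (not code from the thread or from the kernel): it parses text in the /sys/kernel/debug/kernel_page_tables format quoted elsewhere in this thread and reports every range that is both writable (RW) and executable (x). The names parse_ptdump and find_wx are hypothetical and the sample dump is constructed.

```python
"""Flag W+X ranges in x86 kernel_page_tables text (added example)."""
import re
import sys

PAGE_SIZE = 4096
# Size suffixes used in the dump, each a factor of 1024 apart.
UNIT = {u: 1 << (10 * i) for i, u in enumerate("BKMGTPE")}
LEVELS = {"pgd", "p4d", "pud", "pmd", "pte"}
RANGE_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+)\s+(\d+)([BKMGTPE])\b(.*)$")

# Constructed sample: text (ro, x), a leftover RW+x gap, then NX data.
SAMPLE_DUMP = """\
---[ High Kernel Mapping ]---
0xffffffff80000000-0xffffffff81000000 16M pmd
0xffffffff81000000-0xffffffff81400000 4M ro PSE GLB x  pmd
0xffffffff81400000-0xffffffff81523000 1164K ro GLB x  pte
0xffffffff81523000-0xffffffff81600000 884K RW GLB x  pte
0xffffffff81600000-0xffffffff81800000 2M ro PSE GLB NX pmd
0xffffffff81800000-0xffffffff81a00000 2M RW PSE GLB NX pmd
0xffffffff81a00000-0xffffffffa0000000 486M pmd
"""


def parse_ptdump(text):
    """Yield one dict per address-range line, tagged with its section."""
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("---["):
            section = line.strip("-[] ")
            continue
        m = RANGE_RE.match(line)
        if not m:
            if line.startswith("0x"):
                raise ValueError(f"line {lineno}: unparsable range: {line!r}")
            continue  # "..." markers, blank lines, annotations
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        size = int(m.group(3)) * UNIT[m.group(4)]
        # A dump damaged in transit (truncated addresses, fused columns)
        # must not be trusted: the printed size has to match the range.
        if end - start != size:
            raise ValueError(f"line {lineno}: size/range mismatch: {line!r}")
        tokens = m.group(5).split()
        level = tokens.pop() if tokens and tokens[-1] in LEVELS else None
        yield {"section": section, "start": start, "end": end,
               "flags": set(tokens), "level": level}


def find_wx(text):
    """Return present ranges that are writable and executable, merged."""
    findings = []
    for r in parse_ptdump(text):
        # Non-present ranges carry no flags; "ro ... x" is kernel text and
        # "RW ... NX" is data. Only RW together with x is a violation.
        if not {"RW", "x"} <= r["flags"]:
            continue
        last = findings[-1] if findings else None
        if last and last["end"] == r["start"] \
                and last["section"] == r["section"]:
            last["end"] = r["end"]  # pmd and pte pieces of one W+X run
        else:
            findings.append({"section": r["section"],
                             "start": r["start"], "end": r["end"]})
    for f in findings:
        f["pages"] = (f["end"] - f["start"]) // PAGE_SIZE
    return findings


if __name__ == "__main__":
    # Pass the path of a saved dump, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            dump = fh.read()
    else:
        dump = SAMPLE_DUMP
    hits = find_wx(dump)
    for f in hits:
        print(f"W+X: {f['start']:#x}-{f['end']:#x} "
              f"({f['pages']} pages) in {f['section']}")
    sys.exit(1 if hits else 0)
```

The debugfs file only exists on kernels built with the page-table dump option the thread refers to as PTDUMP, which exposes kernel addresses to userspace, so this fits test builds rather than production images.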


Re: rwx mapping between ex_table and rodata

2015-10-01 Thread Thomas Gleixner
On Mon, 28 Sep 2015, Kees Cook wrote:
> > --- a/arch/x86/mm/init_64.c
> > +++ b/arch/x86/mm/init_64.c
> > @@ -1132,7 +1132,7 @@ void mark_rodata_ro(void)
> >  * has been zapped already via cleanup_highmem().
> >  */
> > all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
> > -   set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT);
> > +   set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT);
> >
> > rodata_test();
> >
> >
> 
> That should work, yeah. I'd still like to find the default permissions
> and make them W+nx, though. Regardless, let's get the above added.

The default permissions are set at boot time when setting up the early
page tables. When we split them up later on we inherit the PTE bits
and then we do that _ro/nx cleanup after the overall layout has been
settled.

We can't make them W+nx in the early setup without shooting ourself in
the foot, because we only set up at the pud/pmd level.

Thanks,

tglx




Re: rwx mapping between ex_table and rodata

2015-10-01 Thread Ingo Molnar

* Kees Cook  wrote:

> On Mon, Sep 28, 2015 at 7:11 AM, Stephen Smalley  wrote:
> > On 09/24/2015 06:25 PM, Kees Cook wrote:
> >> On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley wrote:
> >>> Hi,
> >>>
> >>> With the attached config and 4.3-rc2 on x86_64, I see the following in 
> >>> /sys/kernel/debug/kernel_page_tables:
> >>> ...
> >>> ---[ High Kernel Mapping ]---
> >>> 0x8000-0x8100  16M pmd
> >>> 0x8100-0x8160   6M ro PSE GLB x  pmd
> >>> 0x8160-0x81775000 1492K ro GLB x  pte
> >>> 0x81775000-0x8180 556K RW GLB x  pte
> >>> ^
> >>> 0x8180-0x81a0   2M ro PSE GLB NX pmd
> >>> 0x81a0-0x81b43000 1292K ro GLB NX pte
> >>> 0x81b43000-0x8200 4852K RW GLB NX pte
> >>> 0x8200-0x8220   2M RW PSE GLB NX pmd
> >>> 0x8220-0xa000 478M pmd
> >>> ...
> >>>
> >>> This region seems to be between the end of ex_table and the start of rodata,
> >>> $ objdump -x vmlinux | sort
> >>> ...
> >>> 817728b0 g   __ex_table  __start___ex_table
> >>> 817728b0 ld  __ex_table  __ex_table
> >>> 81774998 g   __ex_table  __stop___ex_table
> >>> 8180 g   .rodata __start_rodata
> >>> 8180 ld  .rodata .rodata
> >>> ...
> >>>
> >>> $ readelf -a vmlinux
> >>> ...
> >>> Section Headers:
> >>>   [Nr] Name  Type Address   Offset
> >>>Size  EntSize  Flags  Link  Info  Align
> >>> ...
> >>>   [ 3] __ex_tablePROGBITS 817728b0  009728b0
> >>>20e8     A   0 0 8
> >>>   [ 4] .rodata   PROGBITS 8180  00a0
> >>>002eefd2     A   0 0 64
> >>> ...
> >>>
> >>> I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), 
> >>> so it isn't new to 4.3.
> >>
> >> To me it looks like another alignment/padding issue like got fixed
> >> before. The space between __ex_table and rodata is (seems?) unused, so
> >> the default page table permissions end up being W+X. Can we fix the
> >> default to be NX instead? It'll make these bugs stay gone.
> >
> > Not sure where that would get fixed (or the ramifications), but is there
> > a reason we can't just do the following to fix this particular case?
> >
> > diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
> > index 30564e2..df48430 100644
> > --- a/arch/x86/mm/init_64.c
> > +++ b/arch/x86/mm/init_64.c
> > @@ -1132,7 +1132,7 @@ void mark_rodata_ro(void)
> >  * has been zapped already via cleanup_highmem().
> >  */
> > all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
> > -   set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT);
> > +   set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT);
> >
> > rodata_test();
> >
> >
> 
> That should work, yeah. I'd still like to find the default permissions
> and make them W+nx, though. Regardless, let's get the above added.

Ok, could someone please send a changelogged, signed off patch for this?

Thanks,

Ingo


Re: rwx mapping between ex_table and rodata

2015-09-28 Thread H. Peter Anvin
Need to fix.  Not sure where the rwx mapping comes from.

On September 28, 2015 3:05:33 PM PDT, Kees Cook  wrote:
>On Mon, Sep 28, 2015 at 2:16 PM, H. Peter Anvin  wrote:
>> On 09/25/2015 12:22 AM, Ingo Molnar wrote:

>>>> To me it looks like another alignment/padding issue like got fixed
>>>> before. The space between __ex_table and rodata is (seems?) unused, so
>>>> the default page table permissions end up being W+X. Can we fix the
>>>> default to be NX instead? It'll make these bugs stay gone.
>>>
>>> Yeah. Wanna send a patch for that?
>>>
>>
>> At least in the high mapping space, the default should be no permissions
>> (not present), rather than just NX.
>
>Do you mean "should be" as in, that's how it's coded now, or "should
>be" in that we need to fix it? (If we need to fix it, where is that
>"default"? I haven't been able to find it yet.)
>
>-Kees

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: rwx mapping between ex_table and rodata

2015-09-28 Thread Kees Cook
On Mon, Sep 28, 2015 at 2:16 PM, H. Peter Anvin  wrote:
> On 09/25/2015 12:22 AM, Ingo Molnar wrote:
>>>
>>> To me it looks like another alignment/padding issue like got fixed
>>> before. The space between __ex_table and rodata is (seems?) unused, so
>>> the default page table permissions end up being W+X. Can we fix the
>>> default to be NX instead? It'll make these bugs stay gone.
>>
>> Yeah. Wanna send a patch for that?
>>
>
> At least in the high mapping space, the default should be no permissions
> (not present), rather than just NX.

Do you mean "should be" as in, that's how it's coded now, or "should
be" in that we need to fix it? (If we need to fix it, where is that
"default"? I haven't been able to find it yet.)

-Kees

-- 
Kees Cook
Chrome OS Security


Re: rwx mapping between ex_table and rodata

2015-09-28 Thread H. Peter Anvin
On 09/25/2015 12:22 AM, Ingo Molnar wrote:
>>
>> To me it looks like another alignment/padding issue like got fixed
>> before. The space between __ex_table and rodata is (seems?) unused, so
>> the default page table permissions end up being W+X. Can we fix the
>> default to be NX instead? It'll make these bugs stay gone.
> 
> Yeah. Wanna send a patch for that?
> 

At least in the high mapping space, the default should be no permissions
(not present), rather than just NX.

-hpa




Re: rwx mapping between ex_table and rodata

2015-09-28 Thread Kees Cook
On Mon, Sep 28, 2015 at 7:11 AM, Stephen Smalley  wrote:
> On 09/24/2015 06:25 PM, Kees Cook wrote:
>> On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley  wrote:
>>> Hi,
>>>
>>> With the attached config and 4.3-rc2 on x86_64, I see the following in 
>>> /sys/kernel/debug/kernel_page_tables:
>>> ...
>>> ---[ High Kernel Mapping ]---
>>> 0x8000-0x8100  16M pmd
>>> 0x8100-0x8160   6M ro PSE GLB x  pmd
>>> 0x8160-0x81775000 1492K ro GLB x  pte
>>> 0x81775000-0x8180 556K RW GLB x  pte
>>> ^
>>> 0x8180-0x81a0   2M ro PSE GLB NX pmd
>>> 0x81a0-0x81b43000 1292K ro GLB NX pte
>>> 0x81b43000-0x8200 4852K RW GLB NX pte
>>> 0x8200-0x8220   2M RW PSE GLB NX pmd
>>> 0x8220-0xa000 478M pmd
>>> ...
>>>
>>> This region seems to be between the end of ex_table and the start of rodata,
>>> $ objdump -x vmlinux | sort
>>> ...
>>> 817728b0 g   __ex_table  __start___ex_table
>>> 817728b0 ld  __ex_table  __ex_table
>>> 81774998 g   __ex_table  __stop___ex_table
>>> 8180 g   .rodata __start_rodata
>>> 8180 ld  .rodata .rodata
>>> ...
>>>
>>> $ readelf -a vmlinux
>>> ...
>>> Section Headers:
>>>   [Nr] Name  Type Address   Offset
>>>Size  EntSize  Flags  Link  Info  Align
>>> ...
>>>   [ 3] __ex_tablePROGBITS 817728b0  009728b0
>>>20e8     A   0 0 8
>>>   [ 4] .rodata   PROGBITS 8180  00a0
>>>002eefd2     A   0 0 64
>>> ...
>>>
>>> I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so 
>>> it isn't new to 4.3.
>>
>> To me it looks like another alignment/padding issue like got fixed
>> before. The space between __ex_table and rodata is (seems?) unused, so
>> the default page table permissions end up being W+X. Can we fix the
>> default to be NX instead? It'll make these bugs stay gone.
>
> Not sure where that would get fixed (or the ramifications), but is there
> a reason we can't just do the following to fix this particular case?
>
> diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
> index 30564e2..df48430 100644
> --- a/arch/x86/mm/init_64.c
> +++ b/arch/x86/mm/init_64.c
> @@ -1132,7 +1132,7 @@ void mark_rodata_ro(void)
>  * has been zapped already via cleanup_highmem().
>  */
> all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
> -   set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT);
> +   set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT);
>
> rodata_test();
>
>

That should work, yeah. I'd still like to find the default permissions
and make them W+nx, though. Regardless, let's get the above added.

-Kees

-- 
Kees Cook
Chrome OS Security


Re: rwx mapping between ex_table and rodata

2015-09-28 Thread Stephen Smalley
On 09/24/2015 06:25 PM, Kees Cook wrote:
> On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley  wrote:
>> Hi,
>>
>> With the attached config and 4.3-rc2 on x86_64, I see the following in 
>> /sys/kernel/debug/kernel_page_tables:
>> ...
>> ---[ High Kernel Mapping ]---
>> 0x8000-0x8100  16M pmd
>> 0x8100-0x8160   6M ro PSE GLB x  pmd
>> 0x8160-0x81775000 1492K ro GLB x  pte
>> 0x81775000-0x8180 556K RW GLB x  pte
>> ^
>> 0x8180-0x81a0   2M ro PSE GLB NX pmd
>> 0x81a0-0x81b43000 1292K ro GLB NX pte
>> 0x81b43000-0x8200 4852K RW GLB NX pte
>> 0x8200-0x8220   2M RW PSE GLB NX pmd
>> 0x8220-0xa000 478M pmd
>> ...
>>
>> This region seems to be between the end of ex_table and the start of rodata,
>> $ objdump -x vmlinux | sort
>> ...
>> 817728b0 g   __ex_table  __start___ex_table
>> 817728b0 ld  __ex_table  __ex_table
>> 81774998 g   __ex_table  __stop___ex_table
>> 8180 g   .rodata __start_rodata
>> 8180 ld  .rodata .rodata
>> ...
>>
>> $ readelf -a vmlinux
>> ...
>> Section Headers:
>>   [Nr] Name  Type Address   Offset
>>Size  EntSize  Flags  Link  Info  Align
>> ...
>>   [ 3] __ex_tablePROGBITS 817728b0  009728b0
>>20e8     A   0 0 8
>>   [ 4] .rodata   PROGBITS 8180  00a0
>>002eefd2     A   0 0 64
>> ...
>>
>> I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so 
>> it isn't new to 4.3.
> 
> To me it looks like another alignment/padding issue like got fixed
> before. The space between __ex_table and rodata is (seems?) unused, so
> the default page table permissions end up being W+X. Can we fix the
> default to be NX instead? It'll make these bugs stay gone.

Not sure where that would get fixed (or the ramifications), but is there
a reason we can't just do the following to fix this particular case?

diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index 30564e2..df48430 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -1132,7 +1132,7 @@ void mark_rodata_ro(void)
 * has been zapped already via cleanup_highmem().
 */
all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
-   set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT);
+   set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT);
 
rodata_test();
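
Review bot: on the `+` line the new start address `text_end` is not defined in the visible context, and `(all_end - text_end) >> PAGE_SHIFT` silently truncates if that address is not page aligned, so please confirm it is the page-aligned end of `__ex_table` and that the NX range therefore begins exactly where the executable text mapping stops. The comment that ends just above `all_end = roundup(...)` should also say that the range now deliberately covers the padding between `__ex_table` and `.rodata`, and the patch needs a changelog and Signed-off-by before it can be applied.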




Re: rwx mapping between ex_table and rodata

2015-09-28 Thread Kees Cook
On Mon, Sep 28, 2015 at 7:11 AM, Stephen Smalley  wrote:
> On 09/24/2015 06:25 PM, Kees Cook wrote:
>> On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley  wrote:
>>> Hi,
>>>
>>> With the attached config and 4.3-rc2 on x86_64, I see the following in 
>>> /sys/kernel/debug/kernel_page_tables:
>>> ...
>>> ---[ High Kernel Mapping ]---
>>> 0x8000-0x8100  16M  
>>>  pmd
>>> 0x8100-0x8160   6M ro PSE 
>>> GLB x  pmd
>>> 0x8160-0x817750001492K ro 
>>> GLB x  pte
>>> 0x81775000-0x8180 556K RW 
>>> GLB x  pte
>>> ^
>>> 0x8180-0x81a0   2M ro PSE 
>>> GLB NX pmd
>>> 0x81a0-0x81b430001292K ro 
>>> GLB NX pte
>>> 0x81b43000-0x82004852K RW 
>>> GLB NX pte
>>> 0x8200-0x8220   2M RW PSE 
>>> GLB NX pmd
>>> 0x8220-0xa000 478M  
>>>  pmd
>>> ...
>>>
>>> This region seems to be between the end of ex_table and the start of rodata,
>>> $ objdump -x vmlinux | sort
>>> ...
>>> 817728b0 g   __ex_table  __start___ex_table
>>> 817728b0 ld  __ex_table  __ex_table
>>> 81774998 g   __ex_table  __stop___ex_table
>>> 8180 g   .rodata __start_rodata
>>> 8180 ld  .rodata .rodata
>>> ...
>>>
>>> $ readelf -a vmlinux
>>> ...
>>> Section Headers:
>>>   [Nr] Name  Type Address   Offset
>>>Size  EntSize  Flags  Link  Info  Align
>>> ...
>>>   [ 3] __ex_tablePROGBITS 817728b0  009728b0
>>>20e8     A   0 0 8
>>>   [ 4] .rodata   PROGBITS 8180  00a0
>>>002eefd2     A   0 0 64
>>> ...
>>>
>>> I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so 
>>> it isn't new to 4.3.
>>
>> To me it looks like another alignment/padding issue like got fixed
>> before. The space between __ex_table and rodata is (seems?) unused, so
>> the default page table permissions end up being W+X. Can we fix the
>> default to be NX instead? It'll make these bugs stay gone.
>
> Not sure where that would get fixed (or the ramifications), but is there
> a reason we can't just do the following to fix this particular case?
>
> diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
> index 30564e2..df48430 100644
> --- a/arch/x86/mm/init_64.c
> +++ b/arch/x86/mm/init_64.c
> @@ -1132,7 +1132,7 @@ void mark_rodata_ro(void)
>  * has been zapped already via cleanup_highmem().
>  */
> all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
> -   set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT);
> +   set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT);
>
> rodata_test();
>
>

That should work, yeah. I'd still like to find the default permissions
and make them W+nx, though. Regardless, let's get the above added.

-Kees

-- 
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


Re: rwx mapping between ex_table and rodata

2015-09-28 Thread H. Peter Anvin
On 09/25/2015 12:22 AM, Ingo Molnar wrote:
>>
>> To me it looks like another alignment/padding issue like got fixed
>> before. The space between __ex_table and rodata is (seems?) unused, so
>> the default page table permissions end up being W+X. Can we fix the
>> default to be NX instead? It'll make these bugs stay gone.
> 
> Yeah. Wanna send a patch for that?
> 

At least in the high mapping space, the default should be no permissions
(not present), rather than just NX.

-hpa




Re: rwx mapping between ex_table and rodata

2015-09-28 Thread Stephen Smalley
On 09/24/2015 06:25 PM, Kees Cook wrote:
> On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley  wrote:
>> Hi,
>>
>> With the attached config and 4.3-rc2 on x86_64, I see the following in 
>> /sys/kernel/debug/kernel_page_tables:
>> ...
>> ---[ High Kernel Mapping ]---
>> 0x8000-0x8100  16M   pmd
>> 0x8100-0x8160   6M ro PSE GLB x  pmd
>> 0x8160-0x81775000 1492K ro GLB x  pte
>> 0x81775000-0x8180 556K RW GLB x  pte
>> ^
>> 0x8180-0x81a0   2M ro PSE GLB NX pmd
>> 0x81a0-0x81b43000 1292K ro GLB NX pte
>> 0x81b43000-0x8200 4852K RW GLB NX pte
>> 0x8200-0x8220   2M RW PSE GLB NX pmd
>> 0x8220-0xa000 478M   pmd
>> ...
>>
>> This region seems to be between the end of ex_table and the start of rodata,
>> $ objdump -x vmlinux | sort
>> ...
>> 817728b0 g   __ex_table  __start___ex_table
>> 817728b0 ld  __ex_table  __ex_table
>> 81774998 g   __ex_table  __stop___ex_table
>> 8180 g   .rodata __start_rodata
>> 8180 ld  .rodata .rodata
>> ...
>>
>> $ readelf -a vmlinux
>> ...
>> Section Headers:
>>   [Nr] Name  Type Address   Offset
>>Size  EntSize  Flags  Link  Info  Align
>> ...
>>   [ 3] __ex_table PROGBITS 817728b0  009728b0
>>20e8     A   0 0 8
>>   [ 4] .rodata   PROGBITS 8180  00a0
>>002eefd2     A   0 0 64
>> ...
>>
>> I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so 
>> it isn't new to 4.3.
> 
> To me it looks like another alignment/padding issue like got fixed
> before. The space between __ex_table and rodata is (seems?) unused, so
> the default page table permissions end up being W+X. Can we fix the
> default to be NX instead? It'll make these bugs stay gone.

Not sure where that would get fixed (or the ramifications), but is there
a reason we can't just do the following to fix this particular case?

diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index 30564e2..df48430 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -1132,7 +1132,7 @@ void mark_rodata_ro(void)
 * has been zapped already via cleanup_highmem().
 */
all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
-   set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT);
+   set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT);
 
rodata_test();
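
Review bot: on the added set_memory_nx() line the page count is (all_end - text_end) >> PAGE_SHIFT, and all_end is rounded up to PMD_SIZE, but nothing in this hunk shows that text_end is page-aligned. If it is not, the start address falls mid-page and the shift truncates the count, so please confirm text_end is aligned where it is computed, or align it here before the call.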




Re: rwx mapping between ex_table and rodata

2015-09-28 Thread H. Peter Anvin
Need to fix.  Not sure where the rwx mapping comes from.

On September 28, 2015 3:05:33 PM PDT, Kees Cook  wrote:
>On Mon, Sep 28, 2015 at 2:16 PM, H. Peter Anvin  wrote:
>> On 09/25/2015 12:22 AM, Ingo Molnar wrote:
>>>>
>>>> To me it looks like another alignment/padding issue like got fixed
>>>> before. The space between __ex_table and rodata is (seems?) unused, so
>>>> the default page table permissions end up being W+X. Can we fix the
>>>> default to be NX instead? It'll make these bugs stay gone.
>>>
>>> Yeah. Wanna send a patch for that?
>>>
>>
>> At least in the high mapping space, the default should be no permissions
>> (not present), rather than just NX.
>
>Do you mean "should be" as in, that's how it's coded now, or "should
>be" in that we need to fix it? (If we need to fix it, where is that
>"default"? I haven't been able to find it yet.)
>
>-Kees

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: rwx mapping between ex_table and rodata

2015-09-28 Thread Kees Cook
On Mon, Sep 28, 2015 at 2:16 PM, H. Peter Anvin  wrote:
> On 09/25/2015 12:22 AM, Ingo Molnar wrote:
>>>
>>> To me it looks like another alignment/padding issue like got fixed
>>> before. The space between __ex_table and rodata is (seems?) unused, so
>>> the default page table permissions end up being W+X. Can we fix the
>>> default to be NX instead? It'll make these bugs stay gone.
>>
>> Yeah. Wanna send a patch for that?
>>
>
> At least in the high mapping space, the default should be no permissions
> (not present), rather than just NX.

Do you mean "should be" as in, that's how it's coded now, or "should
be" in that we need to fix it? (If we need to fix it, where is that
"default"? I haven't been able to find it yet.)

-Kees

-- 
Kees Cook
Chrome OS Security


Re: rwx mapping between ex_table and rodata

2015-09-26 Thread Kees Cook
On Fri, Sep 25, 2015 at 12:22 AM, Ingo Molnar  wrote:
>
> * Kees Cook  wrote:
>
>> On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley  wrote:
>> > Hi,
>> >
>> > With the attached config and 4.3-rc2 on x86_64, I see the following in 
>> > /sys/kernel/debug/kernel_page_tables:
>> > ...
>> > ---[ High Kernel Mapping ]---
>> > 0x8000-0x8100  16M   pmd
>> > 0x8100-0x8160   6M ro PSE GLB x  pmd
>> > 0x8160-0x81775000 1492K ro GLB x  pte
>> > 0x81775000-0x8180 556K RW GLB x  pte
>> > ^
>> > 0x8180-0x81a0   2M ro PSE GLB NX pmd
>> > 0x81a0-0x81b43000 1292K ro GLB NX pte
>> > 0x81b43000-0x8200 4852K RW GLB NX pte
>> > 0x8200-0x8220   2M RW PSE GLB NX pmd
>> > 0x8220-0xa000 478M   pmd
>> > ...
>> >
>> > This region seems to be between the end of ex_table and the start of 
>> > rodata,
>> > $ objdump -x vmlinux | sort
>> > ...
>> > 817728b0 g   __ex_table  __start___ex_table
>> > 817728b0 ld  __ex_table  __ex_table
>> > 81774998 g   __ex_table  __stop___ex_table
>> > 8180 g   .rodata __start_rodata
>> > 8180 ld  .rodata .rodata
>> > ...
>> >
>> > $ readelf -a vmlinux
>> > ...
>> > Section Headers:
>> >   [Nr] Name  Type Address   Offset
>> >Size  EntSize  Flags  Link  Info  Align
>> > ...
>> >   [ 3] __ex_table PROGBITS 817728b0  009728b0
>> >20e8     A   0 0 8
>> >   [ 4] .rodata   PROGBITS 8180  00a0
>> >002eefd2     A   0 0 64
>> > ...
>> >
>> > I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so 
>> > it isn't new to 4.3.
>>
>> To me it looks like another alignment/padding issue like got fixed
>> before. The space between __ex_table and rodata is (seems?) unused, so
>> the default page table permissions end up being W+X. Can we fix the
>> default to be NX instead? It'll make these bugs stay gone.
>
> Yeah. Wanna send a patch for that?

I haven't found where that is actually happening. :( If anyone has
pointers, I can dig a bit more.

-Kees

-- 
Kees Cook
Chrome OS Security


Re: rwx mapping between ex_table and rodata

2015-09-25 Thread Ingo Molnar

* Kees Cook  wrote:

> On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley  wrote:
> > Hi,
> >
> > With the attached config and 4.3-rc2 on x86_64, I see the following in 
> > /sys/kernel/debug/kernel_page_tables:
> > ...
> > ---[ High Kernel Mapping ]---
> > 0x8000-0x8100  16M   pmd
> > 0x8100-0x8160   6M ro PSE GLB x  pmd
> > 0x8160-0x81775000 1492K ro GLB x  pte
> > 0x81775000-0x8180 556K RW GLB x  pte
> > ^

Btw., I think we should run this lookup automatically in late bootup, if
CONFIG_X86_PTDUMP=y, and print a WARN()ing if there's any RWX permissions in
the mappings.

That makes sure automated testing picks new bugs up.

Thanks,

Ingo
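
The scan proposed in the message above, shown as an added userspace illustration over the text layout of /sys/kernel/debug/kernel_page_tables quoted in this thread; it is not code from the thread or from the kernel. The sample dump and its addresses are constructed, and `line_is_wx`, `scan_dump_for_wx` and `struct wx_range` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

struct wx_range { unsigned long long start, end; };

/* Constructed sample in the kernel_page_tables layout quoted in this thread:
 * range, size, ro/RW, PSE, GLB, x/NX, level. The addresses are made up. */
static const char SAMPLE_DUMP[] =
    "---[ High Kernel Mapping ]---\n"
    "0xffffffff90000000-0xffffffff90600000    6M ro PSE GLB x  pmd\n"
    "0xffffffff90600000-0xffffffff90775000 1492K ro     GLB x  pte\n"
    "0xffffffff90775000-0xffffffff90800000  556K RW     GLB x  pte\n"
    "0xffffffff90800000-0xffffffff90a00000    2M ro PSE GLB NX pmd\n"
    "0xffffffff90a00000-0xffffffff91200000    8M RW PSE GLB NX pmd\n"
    "0xffffffff91200000-0xffffffffa0000000  238M               pmd\n";

/* Returns 1 when a dump line carries both the RW and the x attribute. */
static int line_is_wx(const char *line)
{
    int field = 0, rw = 0, x = 0;
    size_t n;

    if (strncmp(line, "0x", 2) != 0)    /* section banner or blank line */
        return 0;
    for (;; field++, line += n) {
        line += strspn(line, " \t");
        n = strcspn(line, " \t\n");
        if (n == 0)                     /* end of this line */
            break;
        if (field < 2)                  /* skip the range and size fields */
            continue;
        rw |= (n == 2 && strncmp(line, "RW", 2) == 0);
        x  |= (n == 1 && line[0] == 'x');
    }
    return rw && x;
}

/* Scans a whole dump, records up to max W+X ranges, returns how many exist. */
static int scan_dump_for_wx(const char *dump, struct wx_range *out, int max)
{
    int found = 0;

    while (*dump) {
        struct wx_range r;

        if (line_is_wx(dump) &&
            sscanf(dump, "%llx-%llx", &r.start, &r.end) == 2) {
            if (found < max)
                out[found] = r;
            found++;
        }
        dump += strcspn(dump, "\n");    /* advance to the next line */
        dump += (*dump == '\n');
    }
    return found;
}

int main(void)
{
    struct wx_range hits[8];
    int i, n = scan_dump_for_wx(SAMPLE_DUMP, hits, 8);

    for (i = 0; i < n && i < 8; i++)
        printf("W+X mapping: 0x%llx-0x%llx\n", hits[i].start, hits[i].end);
    return n != 0;   /* non-zero exit when any W+X range is present */
}
```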


Re: rwx mapping between ex_table and rodata

2015-09-25 Thread Ingo Molnar

* Kees Cook  wrote:

> On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley  wrote:
> > Hi,
> >
> > With the attached config and 4.3-rc2 on x86_64, I see the following in 
> > /sys/kernel/debug/kernel_page_tables:
> > ...
> > ---[ High Kernel Mapping ]---
> > 0x8000-0x8100  16M   pmd
> > 0x8100-0x8160   6M ro PSE GLB x  pmd
> > 0x8160-0x81775000 1492K ro GLB x  pte
> > 0x81775000-0x8180 556K RW GLB x  pte
> > ^
> > 0x8180-0x81a0   2M ro PSE GLB NX pmd
> > 0x81a0-0x81b43000 1292K ro GLB NX pte
> > 0x81b43000-0x8200 4852K RW GLB NX pte
> > 0x8200-0x8220   2M RW PSE GLB NX pmd
> > 0x8220-0xa000 478M   pmd
> > ...
> >
> > This region seems to be between the end of ex_table and the start of rodata,
> > $ objdump -x vmlinux | sort
> > ...
> > 817728b0 g   __ex_table  __start___ex_table
> > 817728b0 ld  __ex_table  __ex_table
> > 81774998 g   __ex_table  __stop___ex_table
> > 8180 g   .rodata __start_rodata
> > 8180 ld  .rodata .rodata
> > ...
> >
> > $ readelf -a vmlinux
> > ...
> > Section Headers:
> >   [Nr] Name  Type Address   Offset
> >Size  EntSize  Flags  Link  Info  Align
> > ...
> >   [ 3] __ex_table PROGBITS 817728b0  009728b0
> >20e8     A   0 0 8
> >   [ 4] .rodata   PROGBITS 8180  00a0
> >002eefd2     A   0 0 64
> > ...
> >
> > I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so 
> > it isn't new to 4.3.
> 
> To me it looks like another alignment/padding issue like got fixed
> before. The space between __ex_table and rodata is (seems?) unused, so
> the default page table permissions end up being W+X. Can we fix the
> default to be NX instead? It'll make these bugs stay gone.

Yeah. Wanna send a patch for that?

Thanks,

Ingo


Re: rwx mapping between ex_table and rodata

2015-09-24 Thread Kees Cook
On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley  wrote:
> Hi,
>
> With the attached config and 4.3-rc2 on x86_64, I see the following in 
> /sys/kernel/debug/kernel_page_tables:
> ...
> ---[ High Kernel Mapping ]---
> 0x8000-0x8100  16M   pmd
> 0x8100-0x8160   6M ro PSE GLB x  pmd
> 0x8160-0x81775000 1492K ro GLB x  pte
> 0x81775000-0x8180 556K RW GLB x  pte
> ^
> 0x8180-0x81a0   2M ro PSE GLB NX pmd
> 0x81a0-0x81b43000 1292K ro GLB NX pte
> 0x81b43000-0x8200 4852K RW GLB NX pte
> 0x8200-0x8220   2M RW PSE GLB NX pmd
> 0x8220-0xa000 478M   pmd
> ...
>
> This region seems to be between the end of ex_table and the start of rodata,
> $ objdump -x vmlinux | sort
> ...
> 817728b0 g   __ex_table  __start___ex_table
> 817728b0 ld  __ex_table  __ex_table
> 81774998 g   __ex_table  __stop___ex_table
> 8180 g   .rodata __start_rodata
> 8180 ld  .rodata .rodata
> ...
>
> $ readelf -a vmlinux
> ...
> Section Headers:
>   [Nr] Name  Type Address   Offset
>Size  EntSize  Flags  Link  Info  Align
> ...
>   [ 3] __ex_table PROGBITS 817728b0  009728b0
>20e8     A   0 0 8
>   [ 4] .rodata   PROGBITS 8180  00a0
>002eefd2     A   0 0 64
> ...
>
> I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so it 
> isn't new to 4.3.

To me it looks like another alignment/padding issue like got fixed
before. The space between __ex_table and rodata is (seems?) unused, so
the default page table permissions end up being W+X. Can we fix the
default to be NX instead? It'll make these bugs stay gone.

-Kees

-- 
Kees Cook
Chrome OS Security

