Re: rwx mapping between ex_table and rodata
* Kees Cook wrote:

> On Thu, Oct 1, 2015 at 2:12 AM, Ingo Molnar wrote:
> >
> > * Thomas Gleixner wrote:
> >
> >> On Mon, 28 Sep 2015, Kees Cook wrote:
> >> > > --- a/arch/x86/mm/init_64.c > >> > > +++ b/arch/x86/mm/init_64.c > >> > > @@ -1132,7 +1132,7 @@ void mark_rodata_ro(void) > >> > > * has been zapped already via cleanup_highmem(). > >> > > */ > >> > > all_end = roundup((unsigned long)_brk_end, PMD_SIZE); > >> > > - set_memory_nx(rodata_start, (all_end - rodata_start) >> > >> > > PAGE_SHIFT); > >> > > + set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT); > >> > > > >> > > rodata_test(); > >> > > > >> > > > >> >
> >> > That should work, yeah. I'd still like to find the default permissions and
> >> > make them W+nx, though. Regardless, let's get the above added.
> >>
> >> The default permissions are set at boot time when setting up the early page
> >> tables. When we split them up later on we inherit the PTE bits and then we do
> >> that _ro/nx cleanup after the overall layout has been settled.
> >>
> >> We can't make them W+nx in the early setup without shooting ourself in the foot,
> >> because we only set up at the pud/pmd level.
> >
> > So I think at minimum we should do a (debug) scan in late init, of the whole
> > range, for any leftover WX permissions? That would have caught this bug. (and
> > might catch other existing bugs that might occur with various
> > configs/hw-layouts.)
>
> I think this would be great. I'd like to disassociate it from PTDUMP,
> though, since that exposes kernel address to userspace. It'd be nice
> to have the check without also the debugfs entry.

Yeah, so it could still use pretty much the same code, except no registry in
/debug?

Thanks,

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: rwx mapping between ex_table and rodata
On Thu, Oct 1, 2015 at 2:12 AM, Ingo Molnar wrote:
>
> * Thomas Gleixner wrote:
>
>> On Mon, 28 Sep 2015, Kees Cook wrote:
>> > > --- a/arch/x86/mm/init_64.c >> > > +++ b/arch/x86/mm/init_64.c >> > > @@ -1132,7 +1132,7 @@ void mark_rodata_ro(void) >> > > * has been zapped already via cleanup_highmem(). >> > > */ >> > > all_end = roundup((unsigned long)_brk_end, PMD_SIZE); >> > > - set_memory_nx(rodata_start, (all_end - rodata_start) >> >> > > PAGE_SHIFT); >> > > + set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT); >> > > >> > > rodata_test(); >> > > >> > > >> >
>> > That should work, yeah. I'd still like to find the default permissions and
>> > make them W+nx, though. Regardless, let's get the above added.
>>
>> The default permissions are set at boot time when setting up the early page
>> tables. When we split them up later on we inherit the PTE bits and then we do
>> that _ro/nx cleanup after the overall layout has been settled.
>>
>> We can't make them W+nx in the early setup without shooting ourself in the foot,
>> because we only set up at the pud/pmd level.
>
> So I think at minimum we should do a (debug) scan in late init, of the whole
> range, for any leftover WX permissions? That would have caught this bug. (and
> might catch other existing bugs that might occur with various
> configs/hw-layouts.)

I think this would be great. I'd like to disassociate it from PTDUMP,
though, since that exposes kernel address to userspace. It'd be nice
to have the check without also the debugfs entry.

-Kees

--
Kees Cook
Chrome OS Security
Re: rwx mapping between ex_table and rodata
* Thomas Gleixner wrote:

> On Mon, 28 Sep 2015, Kees Cook wrote:
> > > --- a/arch/x86/mm/init_64.c > > > +++ b/arch/x86/mm/init_64.c > > > @@ -1132,7 +1132,7 @@ void mark_rodata_ro(void) > > > * has been zapped already via cleanup_highmem(). > > > */ > > > all_end = roundup((unsigned long)_brk_end, PMD_SIZE); > > > - set_memory_nx(rodata_start, (all_end - rodata_start) >> > > > PAGE_SHIFT); > > > + set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT); > > > > > > rodata_test(); > > > > > > > >
> > That should work, yeah. I'd still like to find the default permissions and
> > make them W+nx, though. Regardless, let's get the above added.
>
> The default permissions are set at boot time when setting up the early page
> tables. When we split them up later on we inherit the PTE bits and then we do
> that _ro/nx cleanup after the overall layout has been settled.
>
> We can't make them W+nx in the early setup without shooting ourself in the foot,
> because we only set up at the pud/pmd level.

So I think at minimum we should do a (debug) scan in late init, of the whole
range, for any leftover WX permissions? That would have caught this bug. (and
might catch other existing bugs that might occur with various
configs/hw-layouts.)

Thanks,

	Ingo
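The scan proposed above walks the live page tables inside the kernel; the same writable-and-executable test can also be run offline over a saved `kernel_page_tables` dump like the one at the start of this thread. This is an added example, not code from the thread or from the kernel: `scan_wx`, the sample dump and the fused line are constructed here, with full-width addresses assumed.

```python
import re
from typing import NamedTuple

# One mapping line: "<start>-<end>  <size><unit>  [flags ...] <level>"
ENTRY = re.compile(r"^(0x[0-9a-f]+)-(0x[0-9a-f]+)\s+(\d+)([KMGTPE])\s+(.+)$")
SECTION = re.compile(r"^---\[ (.+) \]---$")
UNIT = {u: 1 << (10 * (i + 1)) for i, u in enumerate("KMGTPE")}

# Constructed sample in the layout of /sys/kernel/debug/kernel_page_tables.
# Addresses are assumptions made for this example, not a capture.
SAMPLE_DUMP = """\
---[ High Kernel Mapping ]---
0xffffffff80000000-0xffffffff81000000          16M                           pmd
0xffffffff81000000-0xffffffff81600000           6M     ro     PSE     GLB x  pmd
0xffffffff81600000-0xffffffff81775000        1492K     ro             GLB x  pte
0xffffffff81775000-0xffffffff81800000         556K     RW             GLB x  pte
0xffffffff81800000-0xffffffff81a00000           2M     ro     PSE     GLB NX pmd
0xffffffff81a00000-0xffffffff81b43000        1292K     ro             GLB NX pte
0xffffffff81b43000-0xffffffff82000000        4852K     RW             GLB NX pte
0xffffffff82000000-0xffffffff82200000           2M     RW     PSE     GLB NX pmd
"""

# Constructed line with the end address and size column run together, the
# kind of damage a dump picks up when pasted through mail or an archive.
FUSED_LINE = "0xffffffff81600000-0xffffffff817750001492K ro GLB x pte"


class WxRange(NamedTuple):
    section: str
    start: int
    end: int
    level: str


def scan_wx(dump: str):
    """Return (wx_ranges, rejected_lines) for a kernel_page_tables dump."""
    found, rejected, section = [], [], ""
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        sec = SECTION.match(line)
        if sec:
            section = sec.group(1)
            continue
        m = ENTRY.match(line)
        if not m:
            # Never skip silently: an unparsed line is an unchecked range.
            rejected.append(line)
            continue
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        # The printed size must equal the range, otherwise the line is damaged.
        if end - start != int(m.group(3)) * UNIT[m.group(4)]:
            rejected.append(line)
            continue
        *flags, level = m.group(5).split()
        # Writable ("RW") and executable ("x" rather than "NX") at once.
        if "RW" in flags and "x" in flags:
            found.append(WxRange(section, start, end, level))
    return found, rejected


if __name__ == "__main__":
    ranges, bad = scan_wx(SAMPLE_DUMP)
    for r in ranges:
        kib = (r.end - r.start) // 1024
        print(f"W+X {r.start:#x}-{r.end:#x} {kib}K {r.level} [{r.section}]")
    for line in bad:
        print("unparsed:", line)
```

Because it reads the debugfs file, this only helps on kernels where that entry is enabled, which is the exposure the thread wants the in-kernel check to avoid.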
Re: rwx mapping between ex_table and rodata
On Mon, 28 Sep 2015, Kees Cook wrote:
> > --- a/arch/x86/mm/init_64.c > > +++ b/arch/x86/mm/init_64.c > > @@ -1132,7 +1132,7 @@ void mark_rodata_ro(void) > > * has been zapped already via cleanup_highmem(). > > */ > > all_end = roundup((unsigned long)_brk_end, PMD_SIZE); > > - set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT); > > + set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT); > > > > rodata_test(); > > > > >
> That should work, yeah. I'd still like to find the default permissions
> and make them W+nx, though. Regardless, let's get the above added.

The default permissions are set at boot time when setting up the early page
tables. When we split them up later on we inherit the PTE bits and then we do
that _ro/nx cleanup after the overall layout has been settled.

We can't make them W+nx in the early setup without shooting ourself in the foot,
because we only set up at the pud/pmd level.

Thanks,

	tglx
Re: rwx mapping between ex_table and rodata
* Kees Cook wrote: > On Mon, Sep 28, 2015 at 7:11 AM, Stephen Smalley wrote: > > On 09/24/2015 06:25 PM, Kees Cook wrote: > >> On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley > >> wrote: > >>> Hi, > >>> > >>> With the attached config and 4.3-rc2 on x86_64, I see the following in > >>> /sys/kernel/debug/kernel_page_tables: > >>> ... > >>> ---[ High Kernel Mapping ]--- > >>> 0x8000-0x8100 16M > >>>pmd > >>> 0x8100-0x8160 6M ro PSE > >>> GLB x pmd > >>> 0x8160-0x817750001492K ro > >>> GLB x pte > >>> 0x81775000-0x8180 556K RW > >>> GLB x pte > >>> ^ > >>> 0x8180-0x81a0 2M ro PSE > >>> GLB NX pmd > >>> 0x81a0-0x81b430001292K ro > >>> GLB NX pte > >>> 0x81b43000-0x82004852K RW > >>> GLB NX pte > >>> 0x8200-0x8220 2M RW PSE > >>> GLB NX pmd > >>> 0x8220-0xa000 478M > >>>pmd > >>> ... > >>> > >>> This region seems to be between the end of ex_table and the start of > >>> rodata, > >>> $ objdump -x vmlinux | sort > >>> ... > >>> 817728b0 g __ex_table > >>> __start___ex_table > >>> 817728b0 ld __ex_table __ex_table > >>> 81774998 g __ex_table __stop___ex_table > >>> 8180 g .rodata __start_rodata > >>> 8180 ld .rodata .rodata > >>> ... > >>> > >>> $ readelf -a vmlinux > >>> ... > >>> Section Headers: > >>> [Nr] Name Type Address Offset > >>>Size EntSize Flags Link Info Align > >>> ... > >>> [ 3] __ex_tablePROGBITS 817728b0 009728b0 > >>>20e8 A 0 0 8 > >>> [ 4] .rodata PROGBITS 8180 00a0 > >>>002eefd2 A 0 0 64 > >>> ... > >>> > >>> I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), > >>> so it isn't new to 4.3. > >> > >> To me it looks like another alignment/padding issue like got fixed > >> before. The space between __ex_table and rodata is (seems?) unused, so > >> the default page table permissions end up being W+X. Can we fix the > >> default to be NX instead? It'll make these bugs stay gone. > > > > Not sure where that would get fixed (or the ramifications), but is there > > a reason we can't just do the following to fix this particular case? 
> > > > diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c > > index 30564e2..df48430 100644 > > --- a/arch/x86/mm/init_64.c > > +++ b/arch/x86/mm/init_64.c > > @@ -1132,7 +1132,7 @@ void mark_rodata_ro(void) > > * has been zapped already via cleanup_highmem(). > > */ > > all_end = roundup((unsigned long)_brk_end, PMD_SIZE); > > - set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT); > > + set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT); > > > > rodata_test(); > > > > > > That should work, yeah. I'd still like to find the default permissions > and make them W+nx, though. Regardless, let's get the above added. Ok, could someone please send a changelogged, signed off patch for this? Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: rwx mapping between ex_table and rodata
Need to fix. Not sure where the rwx mapping comes from.

On September 28, 2015 3:05:33 PM PDT, Kees Cook wrote:
>On Mon, Sep 28, 2015 at 2:16 PM, H. Peter Anvin wrote:
>> On 09/25/2015 12:22 AM, Ingo Molnar wrote:
>>>> To me it looks like another alignment/padding issue like got fixed
>>>> before. The space between __ex_table and rodata is (seems?) unused, so
>>>> the default page table permissions end up being W+X. Can we fix the
>>>> default to be NX instead? It'll make these bugs stay gone.
>>>
>>> Yeah. Wanna send a patch for that?
>>>
>>
>> At least in the high mapping space, the default should be no permissions
>> (not present), rather than just NX.
>
>Do you mean "should be" as in, that's how it's coded now, or "should
>be" in that we need to fix it? (If we need to fix it, where is that
>"default"? I haven't been able to find it yet.)
>
>-Kees

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: rwx mapping between ex_table and rodata
On Mon, Sep 28, 2015 at 2:16 PM, H. Peter Anvin wrote:
> On 09/25/2015 12:22 AM, Ingo Molnar wrote:
>>>
>>> To me it looks like another alignment/padding issue like got fixed
>>> before. The space between __ex_table and rodata is (seems?) unused, so
>>> the default page table permissions end up being W+X. Can we fix the
>>> default to be NX instead? It'll make these bugs stay gone.
>>
>> Yeah. Wanna send a patch for that?
>>
>
> At least in the high mapping space, the default should be no permissions
> (not present), rather than just NX.

Do you mean "should be" as in, that's how it's coded now, or "should
be" in that we need to fix it? (If we need to fix it, where is that
"default"? I haven't been able to find it yet.)

-Kees

--
Kees Cook
Chrome OS Security
Re: rwx mapping between ex_table and rodata
On 09/25/2015 12:22 AM, Ingo Molnar wrote:
>>
>> To me it looks like another alignment/padding issue like got fixed
>> before. The space between __ex_table and rodata is (seems?) unused, so
>> the default page table permissions end up being W+X. Can we fix the
>> default to be NX instead? It'll make these bugs stay gone.
>
> Yeah. Wanna send a patch for that?
>

At least in the high mapping space, the default should be no permissions
(not present), rather than just NX.

	-hpa
Re: rwx mapping between ex_table and rodata
On Mon, Sep 28, 2015 at 7:11 AM, Stephen Smalley wrote: > On 09/24/2015 06:25 PM, Kees Cook wrote: >> On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley wrote: >>> Hi, >>> >>> With the attached config and 4.3-rc2 on x86_64, I see the following in >>> /sys/kernel/debug/kernel_page_tables: >>> ... >>> ---[ High Kernel Mapping ]--- >>> 0x8000-0x8100 16M >>> pmd >>> 0x8100-0x8160 6M ro PSE >>> GLB x pmd >>> 0x8160-0x817750001492K ro >>> GLB x pte >>> 0x81775000-0x8180 556K RW >>> GLB x pte >>> ^ >>> 0x8180-0x81a0 2M ro PSE >>> GLB NX pmd >>> 0x81a0-0x81b430001292K ro >>> GLB NX pte >>> 0x81b43000-0x82004852K RW >>> GLB NX pte >>> 0x8200-0x8220 2M RW PSE >>> GLB NX pmd >>> 0x8220-0xa000 478M >>> pmd >>> ... >>> >>> This region seems to be between the end of ex_table and the start of rodata, >>> $ objdump -x vmlinux | sort >>> ... >>> 817728b0 g __ex_table __start___ex_table >>> 817728b0 ld __ex_table __ex_table >>> 81774998 g __ex_table __stop___ex_table >>> 8180 g .rodata __start_rodata >>> 8180 ld .rodata .rodata >>> ... >>> >>> $ readelf -a vmlinux >>> ... >>> Section Headers: >>> [Nr] Name Type Address Offset >>>Size EntSize Flags Link Info Align >>> ... >>> [ 3] __ex_tablePROGBITS 817728b0 009728b0 >>>20e8 A 0 0 8 >>> [ 4] .rodata PROGBITS 8180 00a0 >>>002eefd2 A 0 0 64 >>> ... >>> >>> I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so >>> it isn't new to 4.3. >> >> To me it looks like another alignment/padding issue like got fixed >> before. The space between __ex_table and rodata is (seems?) unused, so >> the default page table permissions end up being W+X. Can we fix the >> default to be NX instead? It'll make these bugs stay gone. > > Not sure where that would get fixed (or the ramifications), but is there > a reason we can't just do the following to fix this particular case? > > diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c > index 30564e2..df48430 100644 > --- a/arch/x86/mm/init_64.c > +++ b/arch/x86/mm/init_64.c 
> @@ -1132,7 +1132,7 @@ void mark_rodata_ro(void) > * has been zapped already via cleanup_highmem(). > */ > all_end = roundup((unsigned long)_brk_end, PMD_SIZE); > - set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT); > + set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT); > > rodata_test(); > > That should work, yeah. I'd still like to find the default permissions and make them W+nx, though. Regardless, let's get the above added. -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: rwx mapping between ex_table and rodata
On 09/24/2015 06:25 PM, Kees Cook wrote: > On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley wrote: >> Hi, >> >> With the attached config and 4.3-rc2 on x86_64, I see the following in >> /sys/kernel/debug/kernel_page_tables: >> ... >> ---[ High Kernel Mapping ]--- >> 0x8000-0x8100 16M >> pmd >> 0x8100-0x8160 6M ro PSE >> GLB x pmd >> 0x8160-0x817750001492K ro >> GLB x pte >> 0x81775000-0x8180 556K RW >> GLB x pte >> ^ >> 0x8180-0x81a0 2M ro PSE >> GLB NX pmd >> 0x81a0-0x81b430001292K ro >> GLB NX pte >> 0x81b43000-0x82004852K RW >> GLB NX pte >> 0x8200-0x8220 2M RW PSE >> GLB NX pmd >> 0x8220-0xa000 478M >> pmd >> ... >> >> This region seems to be between the end of ex_table and the start of rodata, >> $ objdump -x vmlinux | sort >> ... >> 817728b0 g __ex_table __start___ex_table >> 817728b0 ld __ex_table __ex_table >> 81774998 g __ex_table __stop___ex_table >> 8180 g .rodata __start_rodata >> 8180 ld .rodata .rodata >> ... >> >> $ readelf -a vmlinux >> ... >> Section Headers: >> [Nr] Name Type Address Offset >>Size EntSize Flags Link Info Align >> ... >> [ 3] __ex_tablePROGBITS 817728b0 009728b0 >>20e8 A 0 0 8 >> [ 4] .rodata PROGBITS 8180 00a0 >>002eefd2 A 0 0 64 >> ... >> >> I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so >> it isn't new to 4.3. > > To me it looks like another alignment/padding issue like got fixed > before. The space between __ex_table and rodata is (seems?) unused, so > the default page table permissions end up being W+X. Can we fix the > default to be NX instead? It'll make these bugs stay gone. Not sure where that would get fixed (or the ramifications), but is there a reason we can't just do the following to fix this particular case? diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c index 30564e2..df48430 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c 
@@ -1132,7 +1132,7 @@ void mark_rodata_ro(void) * has been zapped already via cleanup_highmem(). */ all_end = roundup((unsigned long)_brk_end, PMD_SIZE); - set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT); + set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT); rodata_test(); -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
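Review bot: text_end, the new start address in the changed set_memory_nx() call, is not defined anywhere in the visible hunk, and the page count is computed as (all_end - text_end) >> PAGE_SHIFT, so an unaligned text_end would have its partial page dropped by the shift. Please say in the changelog, or in a comment at the call, how text_end is derived and that it is page-aligned. The comment that ends just above all_end should be re-read against the new range, since the call now starts at the end of text rather than at rodata_start. The posting also carries no changelog or Signed-off-by line, which it needs before it can be applied.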
Re: rwx mapping between ex_table and rodata
On Mon, Sep 28, 2015 at 7:11 AM, Stephen Smalleywrote: > On 09/24/2015 06:25 PM, Kees Cook wrote: >> On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley wrote: >>> Hi, >>> >>> With the attached config and 4.3-rc2 on x86_64, I see the following in >>> /sys/kernel/debug/kernel_page_tables: >>> ... >>> ---[ High Kernel Mapping ]--- >>> 0x8000-0x8100 16M >>> pmd >>> 0x8100-0x8160 6M ro PSE >>> GLB x pmd >>> 0x8160-0x817750001492K ro >>> GLB x pte >>> 0x81775000-0x8180 556K RW >>> GLB x pte >>> ^ >>> 0x8180-0x81a0 2M ro PSE >>> GLB NX pmd >>> 0x81a0-0x81b430001292K ro >>> GLB NX pte >>> 0x81b43000-0x82004852K RW >>> GLB NX pte >>> 0x8200-0x8220 2M RW PSE >>> GLB NX pmd >>> 0x8220-0xa000 478M >>> pmd >>> ... >>> >>> This region seems to be between the end of ex_table and the start of rodata, >>> $ objdump -x vmlinux | sort >>> ... >>> 817728b0 g __ex_table __start___ex_table >>> 817728b0 ld __ex_table __ex_table >>> 81774998 g __ex_table __stop___ex_table >>> 8180 g .rodata __start_rodata >>> 8180 ld .rodata .rodata >>> ... >>> >>> $ readelf -a vmlinux >>> ... >>> Section Headers: >>> [Nr] Name Type Address Offset >>>Size EntSize Flags Link Info Align >>> ... >>> [ 3] __ex_tablePROGBITS 817728b0 009728b0 >>>20e8 A 0 0 8 >>> [ 4] .rodata PROGBITS 8180 00a0 >>>002eefd2 A 0 0 64 >>> ... >>> >>> I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so >>> it isn't new to 4.3. >> >> To me it looks like another alignment/padding issue like got fixed >> before. The space between __ex_table and rodata is (seems?) unused, so >> the default page table permissions end up being W+X. Can we fix the >> default to be NX instead? It'll make these bugs stay gone. > > Not sure where that would get fixed (or the ramifications), but is there > a reason we can't just do the following to fix this particular case? > > diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c > index 30564e2..df48430 100644 > --- a/arch/x86/mm/init_64.c > +++ b/arch/x86/mm/init_64.c 
> @@ -1132,7 +1132,7 @@ void mark_rodata_ro(void) > * has been zapped already via cleanup_highmem(). > */ > all_end = roundup((unsigned long)_brk_end, PMD_SIZE); > - set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT); > + set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT); > > rodata_test(); > > That should work, yeah. I'd still like to find the default permissions and make them W+nx, though. Regardless, let's get the above added. -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: rwx mapping between ex_table and rodata
On 09/25/2015 12:22 AM, Ingo Molnar wrote: >> >> To me it looks like another alignment/padding issue like got fixed >> before. The space between __ex_table and rodata is (seems?) unused, so >> the default page table permissions end up being W+X. Can we fix the >> default to be NX instead? It'll make these bugs stay gone. > > Yeah. Wanna send a patch for that? > At least in the high mapping space, the default should be no permissions (not present), rather than just NX. -hpa -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: rwx mapping between ex_table and rodata
On 09/24/2015 06:25 PM, Kees Cook wrote: > On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalleywrote: >> Hi, >> >> With the attached config and 4.3-rc2 on x86_64, I see the following in >> /sys/kernel/debug/kernel_page_tables: >> ... >> ---[ High Kernel Mapping ]--- >> 0x8000-0x8100 16M >> pmd >> 0x8100-0x8160 6M ro PSE >> GLB x pmd >> 0x8160-0x817750001492K ro >> GLB x pte >> 0x81775000-0x8180 556K RW >> GLB x pte >> ^ >> 0x8180-0x81a0 2M ro PSE >> GLB NX pmd >> 0x81a0-0x81b430001292K ro >> GLB NX pte >> 0x81b43000-0x82004852K RW >> GLB NX pte >> 0x8200-0x8220 2M RW PSE >> GLB NX pmd >> 0x8220-0xa000 478M >> pmd >> ... >> >> This region seems to be between the end of ex_table and the start of rodata, >> $ objdump -x vmlinux | sort >> ... >> 817728b0 g __ex_table __start___ex_table >> 817728b0 ld __ex_table __ex_table >> 81774998 g __ex_table __stop___ex_table >> 8180 g .rodata __start_rodata >> 8180 ld .rodata .rodata >> ... >> >> $ readelf -a vmlinux >> ... >> Section Headers: >> [Nr] Name Type Address Offset >>Size EntSize Flags Link Info Align >> ... >> [ 3] __ex_tablePROGBITS 817728b0 009728b0 >>20e8 A 0 0 8 >> [ 4] .rodata PROGBITS 8180 00a0 >>002eefd2 A 0 0 64 >> ... >> >> I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so >> it isn't new to 4.3. > > To me it looks like another alignment/padding issue like got fixed > before. The space between __ex_table and rodata is (seems?) unused, so > the default page table permissions end up being W+X. Can we fix the > default to be NX instead? It'll make these bugs stay gone. Not sure where that would get fixed (or the ramifications), but is there a reason we can't just do the following to fix this particular case? diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c index 30564e2..df48430 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c 
@@ -1132,7 +1132,7 @@ void mark_rodata_ro(void) * has been zapped already via cleanup_highmem(). */ all_end = roundup((unsigned long)_brk_end, PMD_SIZE); - set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT); + set_memory_nx(text_end, (all_end - text_end) >> PAGE_SHIFT); rodata_test();
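Review bot: In the changed set_memory_nx() call, text_end is neither defined nor explained in this hunk, so the reader cannot tell that it is page aligned; since the length is computed as (all_end - text_end) >> PAGE_SHIFT, an unaligned start would silently drop the partial page. Please show or state where text_end comes from, and add a line to the comment above the call saying that the range now deliberately includes the padding between __ex_table and .rodata, so a later cleanup does not narrow it back to rodata_start. The commit message should also say that this closes only this one gap and does not change the default permissions discussed in the thread.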
Re: rwx mapping between ex_table and rodata
Need to fix. Not sure where the rwx mapping comes from.

On September 28, 2015 3:05:33 PM PDT, Kees Cook wrote:
>On Mon, Sep 28, 2015 at 2:16 PM, H. Peter Anvin wrote:
>> On 09/25/2015 12:22 AM, Ingo Molnar wrote:
>>>>
>>>> To me it looks like another alignment/padding issue like got fixed
>>>> before. The space between __ex_table and rodata is (seems?) unused, so
>>>> the default page table permissions end up being W+X. Can we fix the
>>>> default to be NX instead? It'll make these bugs stay gone.
>>>
>>> Yeah. Wanna send a patch for that?
>>>
>>
>> At least in the high mapping space, the default should be no permissions
>> (not present), rather than just NX.
>
>Do you mean "should be" as in, that's how it's coded now, or "should
>be" in that we need to fix it? (If we need to fix it, where is that
>"default"? I haven't been able to find it yet.)
>
>-Kees

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: rwx mapping between ex_table and rodata
On Mon, Sep 28, 2015 at 2:16 PM, H. Peter Anvin wrote:
> On 09/25/2015 12:22 AM, Ingo Molnar wrote:
>>>
>>> To me it looks like another alignment/padding issue like got fixed
>>> before. The space between __ex_table and rodata is (seems?) unused, so
>>> the default page table permissions end up being W+X. Can we fix the
>>> default to be NX instead? It'll make these bugs stay gone.
>>
>> Yeah. Wanna send a patch for that?
>>
>
> At least in the high mapping space, the default should be no permissions
> (not present), rather than just NX.

Do you mean "should be" as in, that's how it's coded now, or "should be" in that we need to fix it? (If we need to fix it, where is that "default"? I haven't been able to find it yet.)

-Kees

-- 
Kees Cook
Chrome OS Security
Re: rwx mapping between ex_table and rodata
On Fri, Sep 25, 2015 at 12:22 AM, Ingo Molnar wrote:
>
> * Kees Cook wrote:
>
>> On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley wrote:
>> > Hi,
>> >
>> > With the attached config and 4.3-rc2 on x86_64, I see the following in
>> > /sys/kernel/debug/kernel_page_tables:
>> > ...
>> > ---[ High Kernel Mapping ]---
>> > 0x8000-0x8100 16M pmd
>> > 0x8100-0x8160 6M ro PSE GLB x pmd
>> > 0x8160-0x81775000 1492K ro GLB x pte
>> > 0x81775000-0x8180 556K RW GLB x pte
>> > ^
>> > 0x8180-0x81a0 2M ro PSE GLB NX pmd
>> > 0x81a0-0x81b43000 1292K ro GLB NX pte
>> > 0x81b43000-0x8200 4852K RW GLB NX pte
>> > 0x8200-0x8220 2M RW PSE GLB NX pmd
>> > 0x8220-0xa000 478M pmd
>> > ...
>> >
>> > This region seems to be between the end of ex_table and the start of
>> > rodata,
>> > $ objdump -x vmlinux | sort
>> > ...
>> > 817728b0 g __ex_table __start___ex_table
>> > 817728b0 ld __ex_table __ex_table
>> > 81774998 g __ex_table __stop___ex_table
>> > 8180 g .rodata __start_rodata
>> > 8180 ld .rodata .rodata
>> > ...
>> >
>> > $ readelf -a vmlinux
>> > ...
>> > Section Headers:
>> > [Nr] Name Type Address Offset
>> > Size EntSize Flags Link Info Align
>> > ...
>> > [ 3] __ex_table PROGBITS 817728b0 009728b0
>> > 20e8 A 0 0 8
>> > [ 4] .rodata PROGBITS 8180 00a0
>> > 002eefd2 A 0 0 64
>> > ...
>> >
>> > I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so
>> > it isn't new to 4.3.
>>
>> To me it looks like another alignment/padding issue like got fixed
>> before. The space between __ex_table and rodata is (seems?) unused, so
>> the default page table permissions end up being W+X. Can we fix the
>> default to be NX instead? It'll make these bugs stay gone.
>
> Yeah. Wanna send a patch for that?

I haven't found where that is actually happening. :( If anyone has pointers, I can dig a bit more.

-Kees

-- 
Kees Cook
Chrome OS Security
Re: rwx mapping between ex_table and rodata
* Kees Cook wrote:

> On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley wrote:
> > Hi,
> >
> > With the attached config and 4.3-rc2 on x86_64, I see the following in
> > /sys/kernel/debug/kernel_page_tables:
> > ...
> > ---[ High Kernel Mapping ]---
> > 0x8000-0x8100 16M pmd
> > 0x8100-0x8160 6M ro PSE GLB x pmd
> > 0x8160-0x81775000 1492K ro GLB x pte
> > 0x81775000-0x8180 556K RW GLB x pte
> > ^

Btw., I think we should run this lookup automatically in late bootup, if CONFIG_X86_PTDUMP=y, and print a WARN()ing if there's any RWX permissions in the mappings. That makes sure automated testing picks new bugs up.

Thanks,

Ingo
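The check proposed in the message above comes down to flagging every mapped range that is writable and not NX. As an added example (not code from the thread or from the kernel), this userspace C program applies that rule to text in the kernel_page_tables line format; the function names and the sample dump, including its addresses, are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

struct wx_range { unsigned long long start, end; };

/* Constructed sample in the kernel_page_tables line format; addresses are
 * made up for this example, sizes and flags mirror the quoted dump. */
static const char sample_dump[] =
    "---[ High Kernel Mapping ]---\n"
    "0xffffffff80000000-0xffffffff81000000 16M pmd\n"
    "0xffffffff81000000-0xffffffff81600000 6M ro PSE GLB x pmd\n"
    "0xffffffff81775000-0xffffffff81800000 556K RW GLB x pte\n"
    "0xffffffff81800000-0xffffffff81a00000 2M ro PSE GLB NX pmd\n"
    "0xffffffff81b43000-0xffffffff82000000 4852K RW GLB NX pte\n";

/* Parse "0xSTART-0xEND SIZE [flags...] LEVEL". Returns 1 and fills *out
 * when the flags contain both "RW" and "x"; returns 0 for section markers,
 * unmapped ranges (no flags) and ranges that are read-only or NX. */
static int parse_wx_line(const char *line, struct wx_range *out)
{
    const char *p;
    size_t n;
    int rw = 0, exec = 0;
    if (sscanf(line, " 0x%llx-0x%llx", &out->start, &out->end) != 2)
        return 0;
    /* Compare whole tokens so that "x" never matches inside "NX". */
    for (p = line; *p; p += n) {
        p += strspn(p, " \t\n");
        n = strcspn(p, " \t\n");
        if (n == 2 && strncmp(p, "RW", 2) == 0) rw = 1;
        if (n == 1 && *p == 'x') exec = 1;
    }
    return rw && exec;
}

/* Scan a whole dump; store up to max findings, return how many exist. */
static int scan_wx(const char *dump, struct wx_range *found, int max)
{
    int count = 0;
    while (*dump) {
        char line[256];
        struct wx_range r;
        size_t len = strcspn(dump, "\n");
        snprintf(line, sizeof(line), "%.*s", (int)len, dump);
        if (parse_wx_line(line, &r) && count++ < max)
            found[count - 1] = r;
        dump += len + (dump[len] == '\n');
    }
    return count;
}

int main(void)
{
    struct wx_range f[8];
    int i, n = scan_wx(sample_dump, f, 8);
    for (i = 0; i < n && i < 8; i++)
        printf("W+X: 0x%llx-0x%llx\n", f[i].start, f[i].end);
    return n != 0; /* non-zero exit lets a test job fail on any W+X range */
}
```

Reading the real file requires debugfs and root, which is the exposure concern raised elsewhere in the thread about tying the check to the PTDUMP interface.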
Re: rwx mapping between ex_table and rodata
* Kees Cook wrote:

> On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley wrote:
> > Hi,
> >
> > With the attached config and 4.3-rc2 on x86_64, I see the following in
> > /sys/kernel/debug/kernel_page_tables:
> > ...
> > ---[ High Kernel Mapping ]---
> > 0x8000-0x8100 16M pmd
> > 0x8100-0x8160 6M ro PSE GLB x pmd
> > 0x8160-0x81775000 1492K ro GLB x pte
> > 0x81775000-0x8180 556K RW GLB x pte
> > ^
> > 0x8180-0x81a0 2M ro PSE GLB NX pmd
> > 0x81a0-0x81b43000 1292K ro GLB NX pte
> > 0x81b43000-0x8200 4852K RW GLB NX pte
> > 0x8200-0x8220 2M RW PSE GLB NX pmd
> > 0x8220-0xa000 478M pmd
> > ...
> >
> > This region seems to be between the end of ex_table and the start of rodata,
> > $ objdump -x vmlinux | sort
> > ...
> > 817728b0 g __ex_table __start___ex_table
> > 817728b0 ld __ex_table __ex_table
> > 81774998 g __ex_table __stop___ex_table
> > 8180 g .rodata __start_rodata
> > 8180 ld .rodata .rodata
> > ...
> >
> > $ readelf -a vmlinux
> > ...
> > Section Headers:
> > [Nr] Name Type Address Offset
> > Size EntSize Flags Link Info Align
> > ...
> > [ 3] __ex_table PROGBITS 817728b0 009728b0
> > 20e8 A 0 0 8
> > [ 4] .rodata PROGBITS 8180 00a0
> > 002eefd2 A 0 0 64
> > ...
> >
> > I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so
> > it isn't new to 4.3.
>
> To me it looks like another alignment/padding issue like got fixed
> before. The space between __ex_table and rodata is (seems?) unused, so
> the default page table permissions end up being W+X. Can we fix the
> default to be NX instead? It'll make these bugs stay gone.

Yeah. Wanna send a patch for that?

Thanks,

Ingo
Re: rwx mapping between ex_table and rodata
On Thu, Sep 24, 2015 at 1:26 PM, Stephen Smalley wrote:
> Hi,
>
> With the attached config and 4.3-rc2 on x86_64, I see the following in
> /sys/kernel/debug/kernel_page_tables:
> ...
> ---[ High Kernel Mapping ]---
> 0x8000-0x8100 16M pmd
> 0x8100-0x8160 6M ro PSE GLB x pmd
> 0x8160-0x81775000 1492K ro GLB x pte
> 0x81775000-0x8180 556K RW GLB x pte
> ^
> 0x8180-0x81a0 2M ro PSE GLB NX pmd
> 0x81a0-0x81b43000 1292K ro GLB NX pte
> 0x81b43000-0x8200 4852K RW GLB NX pte
> 0x8200-0x8220 2M RW PSE GLB NX pmd
> 0x8220-0xa000 478M pmd
> ...
>
> This region seems to be between the end of ex_table and the start of rodata,
> $ objdump -x vmlinux | sort
> ...
> 817728b0 g __ex_table __start___ex_table
> 817728b0 ld __ex_table __ex_table
> 81774998 g __ex_table __stop___ex_table
> 8180 g .rodata __start_rodata
> 8180 ld .rodata .rodata
> ...
>
> $ readelf -a vmlinux
> ...
> Section Headers:
> [Nr] Name Type Address Offset
> Size EntSize Flags Link Info Align
> ...
> [ 3] __ex_table PROGBITS 817728b0 009728b0
> 20e8 A 0 0 8
> [ 4] .rodata PROGBITS 8180 00a0
> 002eefd2 A 0 0 64
> ...
>
> I see a similar rwx mapping with the stock Fedora kernels (e.g. 4.1.6), so it
> isn't new to 4.3.

To me it looks like another alignment/padding issue like got fixed before. The space between __ex_table and rodata is (seems?) unused, so the default page table permissions end up being W+X. Can we fix the default to be NX instead? It'll make these bugs stay gone.

-Kees

-- 
Kees Cook
Chrome OS Security