From: Rick Edgecombe <rick.p.edgecombe@intel.com>
To: Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>,
Ingo Molnar <mingo@redhat.com>
Cc: linux-kernel@vger.kernel.org, x86@kernel.org, hpa@zytor.com,
Thomas Gleixner <tglx@linutronix.de>,
Nadav Amit <nadav.amit@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>,
linux_dti@icloud.com, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, akpm@linux-foundation.org,
kernel-hardening@lists.openwall.com, linux-mm@kvack.org,
will.deacon@arm.com, ard.biesheuvel@linaro.org,
kristen@linux.intel.com, deneen.t.dock@intel.com,
Nadav Amit <namit@vmware.com>, Kees Cook <keescook@chromium.org>,
Dave Hansen <dave.hansen@intel.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
Jessica Yu <jeyu@kernel.org>,
Rick Edgecombe <rick.p.edgecombe@intel.com>
Subject: [PATCH v4 11/23] x86/module: Avoid breaking W^X while loading modules
Date: Mon, 22 Apr 2019 11:57:53 -0700 [thread overview]
Message-ID: <20190422185805.1169-12-rick.p.edgecombe@intel.com> (raw)
In-Reply-To: <20190422185805.1169-1-rick.p.edgecombe@intel.com>
From: Nadav Amit <namit@vmware.com>
When modules and BPF filters are loaded, there is a time window in
which some memory is both writable and executable. An attacker that has
already found another vulnerability (e.g., a dangling pointer) might be
able to exploit this behavior to overwrite kernel code. Prevent having
writable executable PTEs in this stage.
In addition, avoiding having W+X mappings can also slightly simplify the
patching of modules code on initialization (e.g., by alternatives and
static-key), as would be done in the next patch. This was actually the
main motivation for this patch.
To avoid having W+X mappings, set them initially as RW (NX) and after
they are set as RO set them as X as well. Setting them as executable is
done as a separate step to avoid one core in which the old PTE is cached
(hence writable), and another which sees the updated PTE (executable),
which would break the W^X protection.
Cc: Kees Cook <keescook@chromium.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Jessica Yu <jeyu@kernel.org>
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Suggested-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Nadav Amit <namit@vmware.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
---
arch/x86/kernel/alternative.c | 28 +++++++++++++++++++++-------
arch/x86/kernel/module.c | 2 +-
include/linux/filter.h | 1 +
kernel/module.c | 5 +++++
4 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
index 599203876c32..3d2b6b6fb20c 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -668,15 +668,29 @@ void __init alternative_instructions(void)
* handlers seeing an inconsistent instruction while you patch.
*/
void *__init_or_module text_poke_early(void *addr, const void *opcode,
- size_t len)
+ size_t len)
{
unsigned long flags;
- local_irq_save(flags);
- memcpy(addr, opcode, len);
- local_irq_restore(flags);
- sync_core();
- /* Could also do a CLFLUSH here to speed up CPU recovery; but
- that causes hangs on some VIA CPUs. */
+
+ if (boot_cpu_has(X86_FEATURE_NX) &&
+ is_module_text_address((unsigned long)addr)) {
+ /*
+ * Modules text is marked initially as non-executable, so the
+ * code cannot be running and speculative code-fetches are
+ * prevented. Just change the code.
+ */
+ memcpy(addr, opcode, len);
+ } else {
+ local_irq_save(flags);
+ memcpy(addr, opcode, len);
+ local_irq_restore(flags);
+ sync_core();
+
+ /*
+ * Could also do a CLFLUSH here to speed up CPU recovery; but
+ * that causes hangs on some VIA CPUs.
+ */
+ }
return addr;
}
diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c
index b052e883dd8c..cfa3106faee4 100644
--- a/arch/x86/kernel/module.c
+++ b/arch/x86/kernel/module.c
@@ -87,7 +87,7 @@ void *module_alloc(unsigned long size)
p = __vmalloc_node_range(size, MODULE_ALIGN,
MODULES_VADDR + get_module_load_offset(),
MODULES_END, GFP_KERNEL,
- PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
+ PAGE_KERNEL, 0, NUMA_NO_NODE,
__builtin_return_address(0));
if (p && (kasan_module_alloc(p, size) < 0)) {
vfree(p);
diff --git a/include/linux/filter.h b/include/linux/filter.h
index 6074aa064b54..14ec3bdad9a9 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -746,6 +746,7 @@ static inline void bpf_prog_unlock_ro(struct bpf_prog *fp)
static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)
{
set_memory_ro((unsigned long)hdr, hdr->pages);
+ set_memory_x((unsigned long)hdr, hdr->pages);
}
static inline void bpf_jit_binary_unlock_ro(struct bpf_binary_header *hdr)
diff --git a/kernel/module.c b/kernel/module.c
index 0b9aa8ab89f0..2b2845ae983e 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -1950,8 +1950,13 @@ void module_enable_ro(const struct module *mod, bool after_init)
return;
frob_text(&mod->core_layout, set_memory_ro);
+ frob_text(&mod->core_layout, set_memory_x);
+
frob_rodata(&mod->core_layout, set_memory_ro);
+
frob_text(&mod->init_layout, set_memory_ro);
+ frob_text(&mod->init_layout, set_memory_x);
+
frob_rodata(&mod->init_layout, set_memory_ro);
if (after_init)
--
2.17.1
next prev parent reply other threads:[~2019-04-22 18:59 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-22 18:57 [PATCH v4 00/23] Merge text_poke fixes and executable lockdowns Rick Edgecombe
2019-04-22 18:57 ` [PATCH v4 01/23] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" Rick Edgecombe
2019-04-22 18:57 ` [PATCH v4 02/23] x86/jump_label: Use text_poke_early() during early init Rick Edgecombe
2019-04-22 18:57 ` [PATCH v4 03/23] x86/mm: Introduce temporary mm structs Rick Edgecombe
2019-04-25 16:26 ` Borislav Petkov
2019-04-25 17:37 ` Nadav Amit
2019-04-25 17:49 ` Andy Lutomirski
2019-04-25 17:49 ` Andy Lutomirski
2019-04-22 18:57 ` [PATCH v4 04/23] x86/mm: Save DRs when loading a temporary mm Rick Edgecombe
2019-04-25 16:36 ` Borislav Petkov
2019-04-25 18:17 ` Peter Zijlstra
2019-04-22 18:57 ` [PATCH v4 05/23] fork: Provide a function for copying init_mm Rick Edgecombe
2019-04-22 18:57 ` [PATCH v4 06/23] x86/alternative: Initialize temporary mm for patching Rick Edgecombe
2019-04-22 18:57 ` [PATCH v4 07/23] x86/alternative: Use temporary mm for text poking Rick Edgecombe
2019-04-22 18:57 ` [PATCH v4 08/23] x86/kgdb: Avoid redundant comparison of patched code Rick Edgecombe
2019-04-22 18:57 ` [PATCH v4 09/23] x86/ftrace: Set trampoline pages as executable Rick Edgecombe
2019-04-22 18:57 ` [PATCH v4 10/23] x86/kprobes: Set instruction page " Rick Edgecombe
2019-04-22 18:57 ` Rick Edgecombe [this message]
2019-04-22 18:57 ` [PATCH v4 12/23] x86/jump-label: Remove support for custom poker Rick Edgecombe
2019-04-22 18:57 ` [PATCH v4 13/23] x86/alternative: Remove the return value of text_poke_*() Rick Edgecombe
2019-04-22 18:57 ` [PATCH v4 14/23] x86/mm/cpa: Add set_direct_map_ functions Rick Edgecombe
2019-04-22 18:57 ` [PATCH v4 15/23] mm: Make hibernate handle unmapped pages Rick Edgecombe
2019-04-22 18:57 ` [PATCH v4 16/23] vmalloc: Add flag for free of special permsissions Rick Edgecombe
2019-04-25 20:38 ` Peter Zijlstra
2019-04-25 21:22 ` Edgecombe, Rick P
2019-04-25 21:22 ` Edgecombe, Rick P
2019-04-22 18:57 ` [PATCH v4 17/23] modules: Use vmalloc special flag Rick Edgecombe
2019-04-22 18:58 ` [PATCH v4 18/23] bpf: " Rick Edgecombe
2019-04-22 18:58 ` [PATCH v4 19/23] x86/ftrace: " Rick Edgecombe
2019-04-25 18:28 ` Steven Rostedt
2019-04-25 19:19 ` Edgecombe, Rick P
2019-04-25 19:19 ` Edgecombe, Rick P
2019-04-22 18:58 ` [PATCH v4 20/23] x86/kprobes: " Rick Edgecombe
2019-04-22 18:58 ` [PATCH v4 21/23] x86/alternative: Comment about module removal races Rick Edgecombe
2019-04-22 18:58 ` [PATCH v4 22/23] tlb: provide default nmi_uaccess_okay() Rick Edgecombe
2019-04-22 18:58 ` [PATCH v4 23/23] bpf: Fail bpf_probe_write_user() while mm is switched Rick Edgecombe
2019-04-25 20:48 ` [PATCH v4 00/23] Merge text_poke fixes and executable lockdowns Peter Zijlstra
2019-04-25 20:49 ` Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190422185805.1169-12-rick.p.edgecombe@intel.com \
--to=rick.p.edgecombe@intel.com \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=deneen.t.dock@intel.com \
--cc=hpa@zytor.com \
--cc=jeyu@kernel.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kristen@linux.intel.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux_dti@icloud.com \
--cc=luto@kernel.org \
--cc=mhiramat@kernel.org \
--cc=mingo@redhat.com \
--cc=nadav.amit@gmail.com \
--cc=namit@vmware.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.