Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20180313205945.245105-25-thgarnie@google.com>
Date: Tue, 13 Mar 2018 13:59:42 -0700
From: Thomas Garnier <thgarnie@...gle.com>
To: Herbert Xu <herbert@...dor.apana.org.au>,
	"David S . Miller" <davem@...emloft.net>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	"H . Peter Anvin" <hpa@...or.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Josh Poimboeuf <jpoimboe@...hat.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Kate Stewart <kstewart@...uxfoundation.org>,
	Thomas Garnier <thgarnie@...gle.com>,
	Arnd Bergmann <arnd@...db.de>,
	Philippe Ombredanne <pombredanne@...b.com>,
	Arnaldo Carvalho de Melo <acme@...hat.com>,
	Andrey Ryabinin <aryabinin@...tuozzo.com>,
	Matthias Kaehlcke <mka@...omium.org>,
	Kees Cook <keescook@...omium.org>,
	Tom Lendacky <thomas.lendacky@....com>,
	"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
	Andy Lutomirski <luto@...nel.org>,
	Dominik Brodowski <linux@...inikbrodowski.net>,
	Borislav Petkov <bp@...en8.de>,
	Borislav Petkov <bp@...e.de>,
	"Rafael J . Wysocki" <rjw@...ysocki.net>,
	Len Brown <len.brown@...el.com>,
	Pavel Machek <pavel@....cz>,
	Juergen Gross <jgross@...e.com>,
	Alok Kataria <akataria@...are.com>,
	Steven Rostedt <rostedt@...dmis.org>,
	Tejun Heo <tj@...nel.org>,
	Christoph Lameter <cl@...ux.com>,
	Dennis Zhou <dennisszhou@...il.com>,
	Boris Ostrovsky <boris.ostrovsky@...cle.com>,
	David Woodhouse <dwmw@...zon.co.uk>,
	Alexey Dobriyan <adobriyan@...il.com>,
	"Paul E . McKenney" <paulmck@...ux.vnet.ibm.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Nicolas Pitre <nicolas.pitre@...aro.org>,
	Randy Dunlap <rdunlap@...radead.org>,
	"Luis R . Rodriguez" <mcgrof@...nel.org>,
	Christopher Li <sparse@...isli.org>,
	Jason Baron <jbaron@...mai.com>,
	Ashish Kalra <ashish@...estacks.com>,
	Kyle McMartin <kyle@...hat.com>,
	Dou Liyang <douly.fnst@...fujitsu.com>,
	Lukas Wunner <lukas@...ner.de>,
	Petr Mladek <pmladek@...e.com>,
	Sergey Senozhatsky <sergey.senozhatsky.work@...il.com>,
	Masahiro Yamada <yamada.masahiro@...ionext.com>,
	Ingo Molnar <mingo@...nel.org>,
	Nicholas Piggin <npiggin@...il.com>,
	Cao jin <caoj.fnst@...fujitsu.com>,
	"H . J . Lu" <hjl.tools@...il.com>,
	Paolo Bonzini <pbonzini@...hat.com>,
	Radim Krčmář <rkrcmar@...hat.com>,
	Joerg Roedel <joro@...tes.org>,
	Dave Hansen <dave.hansen@...ux.intel.com>,
	Rik van Riel <riel@...hat.com>,
	Jia Zhang <qianyue.zj@...baba-inc.com>,
	Jiri Slaby <jslaby@...e.cz>,
	Kyle Huey <me@...ehuey.com>,
	Jonathan Corbet <corbet@....net>,
	Matthew Wilcox <mawilcox@...rosoft.com>,
	Michal Hocko <mhocko@...e.com>,
	Rob Landley <rob@...dley.net>,
	Baoquan He <bhe@...hat.com>,
	Daniel Micay <danielmicay@...il.com>,
	Jan H . Schönherr <jschoenh@...zon.de>
Cc: x86@...nel.org,
	linux-crypto@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	linux-pm@...r.kernel.org,
	virtualization@...ts.linux-foundation.org,
	xen-devel@...ts.xenproject.org,
	linux-arch@...r.kernel.org,
	linux-sparse@...r.kernel.org,
	kvm@...r.kernel.org,
	linux-doc@...r.kernel.org,
	kernel-hardening@...ts.openwall.com
Subject: [PATCH v2 24/27] x86/mm: Make the x86 GOT read-only

The GOT is changed during early boot when relocations are applied. Make
it read-only directly. This table exists only for PIE binary.

Position Independent Executable (PIE) support will allow to extended the
KASLR randomization range below the -2G memory limit.

Signed-off-by: Thomas Garnier <thgarnie@...gle.com>
---
 include/asm-generic/vmlinux.lds.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index 1ab0e520d6fc..89398d042f78 100644
--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -295,6 +295,17 @@
 	VMLINUX_SYMBOL(__end_ro_after_init) = .;
 #endif
 
+#ifdef CONFIG_X86_PIE
+#define RO_GOT_X86							\
+	.got        : AT(ADDR(.got) - LOAD_OFFSET) {			\
+		VMLINUX_SYMBOL(__start_got) = .;			\
+		*(.got);						\
+		VMLINUX_SYMBOL(__end_got) = .;				\
+	}
+#else
+#define RO_GOT_X86
+#endif
+
 /*
  * Read only Data
  */
@@ -351,6 +362,7 @@
 		VMLINUX_SYMBOL(__end_builtin_fw) = .;			\
 	}								\
 									\
+	RO_GOT_X86							\
 	TRACEDATA							\
 									\
 	/* Kernel symbol table: Normal symbols */			\
-- 
2.16.2.660.g709887971b-goog

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.