kernel-hardening - Re: [PATCH v4 2/2] arm64: mm: apply r/o permissions of VM areas to its linear alias as well

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Wed, 7 Nov 2018 15:17:36 -0800
From: Laura Abbott <labbott@...hat.com>
To: Ard Biesheuvel <ard.biesheuvel@...aro.org>,
 linux-arm-kernel@...ts.infradead.org
Cc: kernel-hardening@...ts.openwall.com, keescook@...omium.org,
 will.deacon@....com, jannh@...gle.com, mark.rutland@....com,
 james.morse@....com, catalin.marinas@....com
Subject: Re: [PATCH v4 2/2] arm64: mm: apply r/o permissions of VM areas to
 its linear alias as well

On 11/7/18 2:36 AM, Ard Biesheuvel wrote:
> @@ -93,6 +96,18 @@ static int change_memory_common(unsigned long addr, int numpages,
>   	if (!numpages)
>   		return 0;
>   
> +	/*
> +	 * If we are manipulating read-only permissions, apply the same
> +	 * change to the linear mapping of the pages that back this VM area.
> +	 */
> +	if (rodata_full && (pgprot_val(set_mask) == PTE_RDONLY ||
> +			    pgprot_val(clear_mask) == PTE_RDONLY)) {
> +		for (i = 0; i < area->nr_pages; i++) {
> +			__change_memory_common((u64)page_address(area->pages[i]),
> +					       PAGE_SIZE, set_mask, clear_mask);
> +		}
> +	}
> +
>   	/*
>   	 * Get rid of potentially aliasing lazily unmapped vm areas that may
>   	 * have permissions set that deviate from the ones we are setting here.


This check assumes the masks are only adjusting the PTE_RDONLY bit.
I guess this is fine for now since all the calls currently change one
bit at a time.

Tested-by: Laura Abbott <labbott@...hat.com>

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.