From patchwork Wed Feb 10 21:52:22 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: David Brown <david.brown@linaro.org>
X-Patchwork-Id: 61695
Delivered-To: patch@linaro.org
Received: by 10.112.43.199 with SMTP id y7csp2900954lbl;
 Wed, 10 Feb 2016 13:52:59 -0800 (PST)
X-Received: by 10.98.43.151 with SMTP id r145mr29515935pfr.4.1455141179588; 
 Wed, 10 Feb 2016 13:52:59 -0800 (PST)
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 b90si7556649pfj.165.2016.02.10.13.52.59; 
 Wed, 10 Feb 2016 13:52:59 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org; 
 dkim=pass header.i=@linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1751556AbcBJVw5 (ORCPT <rfc822;bjorn.andersson@linaro.org>
 + 30 others); Wed, 10 Feb 2016 16:52:57 -0500
Received: from mail-ob0-f177.google.com ([209.85.214.177]:36563 "EHLO
 mail-ob0-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1751248AbcBJVwz (ORCPT
 <rfc822;linux-kernel@vger.kernel.org>);
 Wed, 10 Feb 2016 16:52:55 -0500
Received: by mail-ob0-f177.google.com with SMTP id ba1so47822449obb.3
 for <linux-kernel@vger.kernel.org>;
 Wed, 10 Feb 2016 13:52:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id;
 bh=ct1IqxSzQ0WCq/aow5xoGoRyLEMAikY6k/pTjSi8JLU=;
 b=Tn1dZDUZjT/El6rFONdJVC4LFjbPSoIKx1JCouiTuimwgeQasI2/CWy/xcPC2JWB5a
 Ed7dDznenADxYLrg0gBMAhFA8xBSKJmO7rO2LYWhPy/FzFMXqAEWtEQSy6Lbeh/JYQAo
 HPjpSNyfLj17xCYEcwtn3Rt+L9X/u4sgofONQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:from:to:cc:subject:date:message-id;
 bh=ct1IqxSzQ0WCq/aow5xoGoRyLEMAikY6k/pTjSi8JLU=;
 b=KQFOPY3Z+P7pEddObcbe519rIrt1Ca6/a49xJI9xeo6O2Dy/Y2ZEn3G5msA+BjNyPs
 /dNEIAV7fuAt4frSw1XCi7ho0WuqtkPGZ8NeRziski9tWqAublKzRYKCfpbnXyQ+hG7i
 VQBvx3n6Lnh+sYQ68ICl32Uf+1VMAgloN4RvvTwkVk5N05JDygKsJQgbHJhvibnDRDP7
 xANh7207+iuggZJXaGy7H7MKwwdpz7dJJUkKCwM2scbCqpxZcp6HtKpwP//uE9dCNDTA
 rj8bZe6PkBvmayscKbnLamp5pnmAvj2lDh7sKe46mhzY/gf+DVTTUA/UPVAngEkZKkH6
 AN/w==
X-Gm-Message-State: AG10YOTWcleyx2sTCD+46A4ts7kcVkTr14GSDc0UZiFXoH5FINpNaEwjZZwh51lua8SngHW9
X-Received: by 10.60.62.243 with SMTP id b19mr40974788oes.28.1455141175016; 
 Wed, 10 Feb 2016 13:52:55 -0800 (PST)
Received: from a64.davidb.org ([2601:282:500:b612::2])
 by smtp.gmail.com with ESMTPSA id
 fg8sm2623356oeb.16.2016.02.10.13.52.53
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Wed, 10 Feb 2016 13:52:54 -0800 (PST)
From: David Brown <david.brown@linaro.org>
To: Catalin Marinas <catalin.marinas@arm.com>,
 Will Deacon <will.deacon@arm.com>
Cc: David Brown <david.brown@linaro.org>,
 linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
 Kees Cook <keescook@chromium.org>, kernel-hardening@lists.openwall.com
Subject: [PATCH] arm64: vdso: Mark vDSO code as read-only
Date: Wed, 10 Feb 2016 13:52:22 -0800
Message-Id: <1455141142-6838-1-git-send-email-david.brown@linaro.org>
X-Mailer: git-send-email 2.7.1
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Although the arm64 vDSO is cleanly separated by code/data with the
code being read-only in userspace mappings, the code page is still
writable from the kernel.  There have been exploits (such as
http://itszn.com/blog/?p=21) that take advantage of this on x86 to go
from a bad kernel write to full root.

Prevent this specific exploit on arm64 by putting the vDSO code page
in read-only memory as well.

Before the change:
[    3.138366] vdso: 2 pages (1 code @ ffffffc000a71000, 1 data @ ffffffc000a70000)
---[ Kernel Mapping ]---
0xffffffc000000000-0xffffffc000082000         520K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000082000-0xffffffc000200000        1528K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc000200000-0xffffffc000800000           6M     ro x  SHD AF        BLK UXN MEM/NORMAL
0xffffffc000800000-0xffffffc0009b6000        1752K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc0009b6000-0xffffffc000c00000        2344K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000c00000-0xffffffc008000000         116M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc00c000000-0xffffffc07f000000        1840M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc800000000-0xffffffc840000000           1G     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc840000000-0xffffffc87ae00000         942M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87ae00000-0xffffffc87ae70000         448K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af80000-0xffffffc87af8a000          40K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af8b000-0xffffffc87b000000         468K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87b000000-0xffffffc87fe00000          78M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87fe00000-0xffffffc87ff50000        1344K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87ff90000-0xffffffc87ffa0000          64K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87fff0000-0xffffffc880000000          64K     RW NX SHD AF            UXN MEM/NORMAL

After:
[    3.138368] vdso: 2 pages (1 code @ ffffffc0006de000, 1 data @ ffffffc000a74000)
---[ Kernel Mapping ]---
0xffffffc000000000-0xffffffc000082000         520K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000082000-0xffffffc000200000        1528K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc000200000-0xffffffc000800000           6M     ro x  SHD AF        BLK UXN MEM/NORMAL
0xffffffc000800000-0xffffffc0009b8000        1760K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc0009b8000-0xffffffc000c00000        2336K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000c00000-0xffffffc008000000         116M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc00c000000-0xffffffc07f000000        1840M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc800000000-0xffffffc840000000           1G     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc840000000-0xffffffc87ae00000         942M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87ae00000-0xffffffc87ae70000         448K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af80000-0xffffffc87af8a000          40K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af8b000-0xffffffc87b000000         468K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87b000000-0xffffffc87fe00000          78M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87fe00000-0xffffffc87ff50000        1344K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87ff90000-0xffffffc87ffa0000          64K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87fff0000-0xffffffc880000000          64K     RW NX SHD AF            UXN MEM/NORMAL

Inspired by https://lkml.org/lkml/2016/1/19/494 based on work by the
PaX Team, Brad Spengler, and Kees Cook.

Signed-off-by: David Brown <david.brown@linaro.org>
---
 arch/arm64/kernel/vdso/vdso.S | 1 +
 1 file changed, 1 insertion(+)

-- 
2.7.1
Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

diff --git a/arch/arm64/kernel/vdso/vdso.S b/arch/arm64/kernel/vdso/vdso.S
index 60c1db5..db7c0f2 100644
--- a/arch/arm64/kernel/vdso/vdso.S
+++ b/arch/arm64/kernel/vdso/vdso.S
@@ -24,6 +24,7 @@
 	__PAGE_ALIGNED_DATA
 
 	.globl vdso_start, vdso_end
+	.section .rodata
 	.balign PAGE_SIZE
 vdso_start:
 	.incbin "arch/arm64/kernel/vdso/vdso.so"