Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGXu5jLstVv7+QHJe7pGdHkd9beSyqXq2N7G9xX-frmFjeGuiA@mail.gmail.com>
Date: Wed, 10 Aug 2016 14:40:11 -0700
From: Kees Cook <keescook@...omium.org>
To: Arnd Bergmann <arnd@...db.de>
Cc: "linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>, 
	Russell King - ARM Linux <linux@...linux.org.uk>, linux-arch <linux-arch@...r.kernel.org>, 
	Ard Biesheuvel <ard.biesheuvel@...aro.org>, "x86@...nel.org" <x86@...nel.org>, 
	LKML <linux-kernel@...r.kernel.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, 
	Andrew Morton <akpm@...ux-foundation.org>, Mathias Krause <minipli@...glemail.com>
Subject: Re: [PATCH 2/2] arm: apply more __ro_after_init

On Wed, Aug 10, 2016 at 12:41 PM, Arnd Bergmann <arnd@...db.de> wrote:
> On Wednesday, August 10, 2016 11:32:07 AM CEST Kees Cook wrote:
>> On Wed, Aug 10, 2016 at 2:43 AM, Russell King - ARM Linux
>> <linux@...linux.org.uk> wrote:
>> > On Fri, Jun 03, 2016 at 11:40:24AM -0700, Kees Cook wrote:
>> >> @@ -1309,16 +1309,11 @@ void __init arm_mm_memblock_reserve(void)
>> >>   * Any other function or debugging method which may touch any device _will_
>> >>   * crash the kernel.
>> >>   */
>> >> +static char vectors[PAGE_SIZE * 2] __ro_after_init __aligned(PAGE_SIZE);
>> >>  static void __init devicemaps_init(const struct machine_desc *mdesc)
>> >>  {
>> >>       struct map_desc map;
>> >>       unsigned long addr;
>> >> -     void *vectors;
>> >> -
>> >> -     /*
>> >> -      * Allocate the vector page early.
>> >> -      */
>> >> -     vectors = early_alloc(PAGE_SIZE * 2);
>> >
>> > This one is not appropriate.  We _do_ write to these pages after init
>> > for FIQ handler updates.  See set_fiq_handler().
>>
>> Ah, interesting. I guess none of that hardware is being tested on
>> linux-next.
>
> Right. The OMAP1 Amstrad Delta is a somewhat obscure machine, and that
> would be the most likely candidate to run into this.
>
> RiscPC also has FIQ support, but I have not heard of anyone other
> than Russell still using one with a modern kernel, and I doubt he
> tests linux-next on it.
>
> The s3c24xx and imx machines that could use FIQ probably don't
> use it in practice, last time I checked, I didn't see any DTS file
> or platform data definition in the kernel that activated that
> code path.
>
>> I'll drop that chunk and resubmit.
>
> Good enough for now, but it may be worth revisiting this, as the
> vector page might be a good target for an attack if you have a
> way to overwrite a few bytes in the kernel.
>
> Note that there are two mappings for the pages, and as Russell
> mentioned, the TLS emulation writes to the other one that is
> at a fixed virtual address.
>
> It might be better to start by making the fixed mapping readonly,
> as KASLR doesn't protect that one at all, and change the TLS
> code accordingly.

That sounds good (anyone want to work on this?). Does arm64 need a
similar vector page protection?

-Kees

-- 
Kees Cook
Nexus Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.