Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S964984AbdCWVOY (ORCPT <rfc822;w@1wt.eu>);
        Thu, 23 Mar 2017 17:14:24 -0400
Received: from mail-io0-f176.google.com ([209.85.223.176]:35800 "EHLO
        mail-io0-f176.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S964932AbdCWVOW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 23 Mar 2017 17:14:22 -0400
MIME-Version: 1.0
In-Reply-To: <20170323025549.19588-3-ewk@edkovsky.org>
References: <20170323025549.19588-1-ewk@edkovsky.org> <20170323025549.19588-3-ewk@edkovsky.org>
From: Kees Cook <keescook@chromium.org>
Date: Thu, 23 Mar 2017 14:14:20 -0700
X-Google-Sender-Auth: pbs1DUKqG0q7_PjZ18xBLhoGEHA
Message-ID: <CAGXu5j+yJ6_-vBbHRqqtwyjMgVEYzSM+TrAQZzrvvsAO8cbdyw@mail.gmail.com>
Subject: Re: [PATCH v3 2/2] extable: verify address is read-only
To: Eddie Kovsky <ewk@edkovsky.org>
Cc: Jessica Yu <jeyu@redhat.com>, Rusty Russell <rusty@rustcorp.com.au>,
        LKML <linux-kernel@vger.kernel.org>,
        "kernel-hardening@lists.openwall.com" 
        <kernel-hardening@lists.openwall.com>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2376
Lines: 82

On Wed, Mar 22, 2017 at 7:55 PM, Eddie Kovsky <ewk@edkovsky.org> wrote:
> Provide a mechanism to check if the address of a variable is
> const or ro_after_init. It mimics the existing functions that test if an
> address is inside the kernel's text section.
>
> Other functions inside the kernel could then use this capability to
> verify that their arguments are read-only.
>
> Signed-off-by: Eddie Kovsky <ewk@edkovsky.org>

Looks great!

Acked-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
> Changes in v3:
>  - Fix missing declaration of is_module_rodata_address()
>
>  include/linux/kernel.h |  2 ++
>  kernel/extable.c       | 29 +++++++++++++++++++++++++++++
>  2 files changed, 31 insertions(+)
>
> diff --git a/include/linux/kernel.h b/include/linux/kernel.h
> index 4c26dc3a8295..51beea39e6c4 100644
> --- a/include/linux/kernel.h
> +++ b/include/linux/kernel.h
> @@ -444,6 +444,8 @@ extern int core_kernel_data(unsigned long addr);
>  extern int __kernel_text_address(unsigned long addr);
>  extern int kernel_text_address(unsigned long addr);
>  extern int func_ptr_is_kernel_text(void *ptr);
> +extern int core_kernel_ro_data(unsigned long addr);
> +extern int kernel_ro_address(unsigned long addr);
>
>  unsigned long int_sqrt(unsigned long);
>
> diff --git a/kernel/extable.c b/kernel/extable.c
> index 2676d7f8baf6..3c3a9f4e6250 100644
> --- a/kernel/extable.c
> +++ b/kernel/extable.c
> @@ -154,3 +154,32 @@ int func_ptr_is_kernel_text(void *ptr)
>                 return 1;
>         return is_module_text_address(addr);
>  }
> +
> +/**
> + * core_kernel_ro_data - Verify address points to read-only section
> + * @addr: address to test
> + *
> + */
> +int core_kernel_ro_data(unsigned long addr)
> +{
> +       if (addr >= (unsigned long)__start_rodata &&
> +           addr < (unsigned long)__end_rodata)
> +               return 1;
> +
> +       if (addr >= (unsigned long)__start_data_ro_after_init &&
> +           addr < (unsigned long)__end_data_ro_after_init)
> +               return 1;
> +
> +       return 0;
> +}
> +
> +/* Verify that address is const or ro_after_init. */
> +int kernel_ro_address(unsigned long addr)
> +{
> +       if (core_kernel_ro_data(addr))
> +               return 1;
> +       if (is_module_rodata_address(addr))
> +               return 1;
> +
> +       return 0;
> +}
> --
> 2.12.0



-- 
Kees Cook
Pixel Security