From: Kees Cook
Date: Thu, 22 Feb 2018 12:53:06 -0800
Subject: Re: [RFC][PATCH 08/10] x86/mm: do not forbid _PAGE_RW before init for __ro_after_init
To: Dave Hansen
Cc: LKML, Andrea Arcangeli, Andy Lutomirski, Linus Torvalds, Hugh Dickins, Juergen Gross, X86 ML, namit@vmware.com
In-Reply-To: <20180222203704.62AB5499@viggo.jf.intel.com>
References: <20180222203651.B776810C@viggo.jf.intel.com> <20180222203704.62AB5499@viggo.jf.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 22, 2018 at 12:37 PM, Dave Hansen wrote:
>
> From: Dave Hansen
>
> __ro_after_init data gets stuck in the .rodata section. That's normally
> fine because the kernel itself manages the R/W properties.
>
> But, if we run __change_page_attr() on an area which is __ro_after_init,
> the .rodata checks will trigger and force the area to be immediately
> read-only, even if it is early-ish in boot. This caused problems when
> trying to clear the _PAGE_GLOBAL bit for these areas in the PTI code:
> it cleared _PAGE_GLOBAL like I asked, but also took it upon itself
> to clear _PAGE_RW. The kernel then oopses the next time it wrote to
> a __ro_after_init data structure.
>
> To fix this, add the kernel_set_to_readonly check, just like we have
> for kernel text, just a few lines below in this function.

Yup, looks sensible. Thanks!

>
> Signed-off-by: Dave Hansen
> Cc: Andrea Arcangeli
> Cc: Andy Lutomirski
> Cc: Linus Torvalds
> Cc: Kees Cook
> Cc: Hugh Dickins
> Cc: Juergen Gross
> Cc: x86@kernel.org
> Cc: Nadav Amit

Acked-by: Kees Cook

-Kees

> --- > > b/arch/x86/mm/pageattr.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff -puN arch/x86/mm/pageattr.c~check-kernel_set_to_readonly arch/x86/mm/pageattr.c > --- a/arch/x86/mm/pageattr.c~check-kernel_set_to_readonly 2018-02-22 12:36:21.531036546 -0800 > +++ b/arch/x86/mm/pageattr.c 2018-02-22 12:36:21.535036546 -0800 > @@ -298,9 +298,11 @@ static inline pgprot_t static_protection > > /* > * The .rodata section needs to be read-only. Using the pfn > - * catches all aliases. > + * catches all aliases. This also includes __ro_after_init, > + * so do not enforce until kernel_set_to_readonly is true. > */ > - if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, > + if (kernel_set_to_readonly && > + within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, > __pa_symbol(__end_rodata) >> PAGE_SHIFT)) > pgprot_val(forbidden) |= _PAGE_RW; > > _

-- 
Kees Cook
Pixel Security
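
Review bot: the added kernel_set_to_readonly condition in the .rodata check of static_protections lifts the _PAGE_RW prohibition for the entire __start_rodata..__end_rodata pfn range until the flag is set, not only for the __ro_after_init data the changelog is about. The updated comment should state that explicitly: before kernel_set_to_readonly is true, this path will not stop any .rodata page, or any alias of one, from being mapped writable. If the intent is to exempt only __ro_after_init, consider narrowing the test to that sub-range instead of gating the whole section. The changelog would also benefit from naming the call path in the PTI code that reaches __change_page_attr() this early, so the window in which the check is inactive is documented.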