From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Andrey Ryabinin, Masami Hiramatsu, Ananth N Mavinakayanahalli, Anil S Keshavamurthy, Borislav Petkov, Brian Gerst, "David S . Miller", Denys Vlasenko, "H. Peter Anvin", Josh Poimboeuf, Linus Torvalds, Peter Zijlstra, Thomas Gleixner, Ye Xiaolong, Ingo Molnar, Sasha Levin
Subject: [PATCH 4.9 153/241] kprobes/x86: Set kprobes pages read-only
Date: Mon, 19 Mar 2018 19:06:58 +0100
Message-Id: <20180319180757.511132837@linuxfoundation.org>
In-Reply-To: <20180319180751.172155436@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu

[ Upstream commit d0381c81c2f782fa2131178d11e0cfb23d50d631 ]

Set the pages which are used for kprobes' singlestep buffer
and optprobe's trampoline instruction buffer to readonly.
This can prevent unexpected (or unintended) instruction
modification.

This also passes rodata_test as below.

Without this patch, rodata_test shows a warning:

  WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:235 note_page+0x7a9/0xa20
  x86/mm: Found insecure W+X mapping at address ffffffffa0000000/0xffffffffa0000000

With this fix, no W+X pages are found:

  x86/mm: Checked W+X mappings: passed, no W+X pages found.
  rodata_test: all tests were successful

Reported-by: Andrey Ryabinin
Signed-off-by: Masami Hiramatsu Cc: Ananth N Mavinakayanahalli Cc: Anil S Keshavamurthy Cc: Borislav Petkov Cc: Brian Gerst Cc: David S . Miller Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Ye Xiaolong Link: http://lkml.kernel.org/r/149076375592.22469.14174394514338612247.stgit@devbox Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/x86/kernel/kprobes/core.c | 4 ++++ arch/x86/kernel/kprobes/opt.c | 3 +++ 2 files changed, 7 insertions(+) --- a/arch/x86/kernel/kprobes/core.c +++ b/arch/x86/kernel/kprobes/core.c @@ -409,6 +409,8 @@ static int arch_copy_kprobe(struct kprob { int ret; + set_memory_rw((unsigned long)p->ainsn.insn & PAGE_MASK, 1); + /* Copy an instruction with recovering if other optprobe modifies it.*/ ret = __copy_instruction(p->ainsn.insn, p->addr); if (!ret) @@ -423,6 +425,8 @@ static int arch_copy_kprobe(struct kprob else p->ainsn.boostable = -1; + set_memory_ro((unsigned long)p->ainsn.insn & PAGE_MASK, 1); + /* Check whether the instruction modifies Interrupt Flag or not */ p->ainsn.if_modifier = is_IF_modifier(p->ainsn.insn); --- a/arch/x86/kernel/kprobes/opt.c +++ b/arch/x86/kernel/kprobes/opt.c @@ -371,6 +371,7 @@ int arch_prepare_optimized_kprobe(struct } buf = (u8 *)op->optinsn.insn; + set_memory_rw((unsigned long)buf & PAGE_MASK, 1); /* Copy instructions into the out-of-line buffer */ ret = copy_optimized_instructions(buf + TMPL_END_IDX, op->kp.addr); @@ -393,6 +394,8 @@ int arch_prepare_optimized_kprobe(struct synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size, (u8 *)op->kp.addr + op->optinsn.size); + set_memory_ro((unsigned long)buf & PAGE_MASK, 1); + flush_icache_range((unsigned long) buf, (unsigned long) buf + TMPL_END_IDX + op->optinsn.size + RELATIVEJUMP_SIZE);
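
Review bot: In the first core.c hunk (@@ -409), the return value of set_memory_rw() is dropped, so if the permission change fails, __copy_instruction() goes on to write into a page that is still read-only. Check the result and return an error before the copy. A short comment would also help here: the call masks p->ainsn.insn down with PAGE_MASK and flips one whole page, so everything else in that page is writable until the matching set_memory_ro().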
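
Review bot: In the second core.c hunk (@@ -423), set_memory_ro() is reached only on the path that falls through past the boostable assignment, while the previous hunk's context ends at "if (!ret)" directly after __copy_instruction(). If that branch leaves the function, the slot page stays writable, which is the W+X state the commit message says rodata_test warns about. Restore read-only on every exit from arch_copy_kprobe(), for example through a single exit label placed after the copy.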
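
Review bot: In the opt.c hunks (@@ -371 and @@ -393), set_memory_rw() and set_memory_ro() are both called with a page count of 1 on buf & PAGE_MASK, but the flush_icache_range() call below them shows the written range extends to buf + TMPL_END_IDX + op->optinsn.size + RELATIVEJUMP_SIZE. Either derive the page count from that range or add a comment stating why the buffer can never cross a page boundary, so the assumption is checked if the slot size changes. Also confirm that the failure path after copy_optimized_instructions() sets the page back to read-only, since only the success path is visible between the two calls.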