Received: by 10.192.165.148 with SMTP id m20csp4024580imm; Mon, 30 Apr 2018 10:20:14 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpWN0MlibzzonWfDy6e4C8K6g6JNecscz/cwVcPMoIOU0QkOzmrvBPMyw21dY0YfP3FwxHi X-Received: by 2002:a65:5786:: with SMTP id b6-v6mr5479157pgr.241.1525108814052; Mon, 30 Apr 2018 10:20:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525108814; cv=none; d=google.com; s=arc-20160816; b=hYjsjDxek/8D59kI378TgFrLa8ldsA+iyxkRIKm3acqco0g6IaydvLsIwuwr3qRvYo 1Kk7BSWBZnOJU8QWqboyHA/UXH9RUYWEB62q3ZgcBtoIvc4EAN6Rp4u/omcaoYNxa2lB LulZIZNYAKrM1S7sucHROCofeTGbMyrxZYjQruGwY2+tJUQ3n/rLjQxxSx9MQ7S0JHqn Bw2y5WWgfYIVlI3I/hTKhnmnTVQsqxwfml9X2QGVkwtMVjteAu4N7NNkXKrBFB0BG2g5 B8a35q7ucUa/Od2xk1R+MmMmoz9ch2ljGWEaJ4zuGwaKpqhHdUXaBR3O70124Cp/GATP 02gg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=iApES0jIGrtoRfZO13xuXH8atz3S3DjxOafUDDkShnk=; b=C58/smtUz9YpXpovxVmSCa/UTR1T88KEDdkR1a6UoGZNALaPmfbCtcNVaUPkBdqx/w Fn/zdDGs2PKVzBwplfPuJI2D/v8kvHgFXz34QXdOIBOwn1Oy9j6KySaHqEg8MIeNckgR T3ubc9uEIw2rbjmSqzf5dfaBDt47vxMq6mPnTaMuCFc1CwLwRUobLThlfkWSJxaeUF3R yzfnoCefHb79QSZ2NuVpMKoggbup2GJpvRS81/5dqQ8/EF71TYR7lPMbvtiF5bXmbl8i 9mzhyVtH/kNP/j9K/XxZfefn2aGognjHO2x6uI0gyCnTnhMN6HvRrJG8paaqcIQmoi1K eRXQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t3-v6si5962025plo.554.2018.04.30.10.19.59; Mon, 30 Apr 2018 10:20:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753652AbeD3RTW (ORCPT + 99 others); Mon, 30 Apr 2018 13:19:22 -0400 Received: from mail-ot0-f195.google.com ([74.125.82.195]:39792 "EHLO mail-ot0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753441AbeD3RTV (ORCPT ); Mon, 30 Apr 2018 13:19:21 -0400 Received: by mail-ot0-f195.google.com with SMTP id l12-v6so10310318oth.6 for ; Mon, 30 Apr 2018 10:19:20 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=iApES0jIGrtoRfZO13xuXH8atz3S3DjxOafUDDkShnk=; b=RtuOVRztxCmmAmqwLB7xfSmDsjA96eypdZd9Yd1NziPobSX1/cvtWhUdzMwjkV+DVA U4EhXo4DdcOaBoXTxU0SPsj1yYBIf2tOAihxIX760mnSsy5tIZaG+I7+tlk+UnlKaVq/ DQtnSIR6MthJ3K15VKSyFfsDwRJ0n3HFv+1FSCB1Pat0Lu3RUGasCmabrBkqo5CSWhTk XHlQbgvmj9XWPzsmZo9gX9LD5QfzAOsTOz7gRIPZqnWIrTN9C8wqiB/wfamMOzK1EkwA vzizIpnvrihKfmSpfFbOAl+OOUF0CjqyUWjXgiFq0nQwVyPg32Ls6iqELe1pU415WsQh +HxA== X-Gm-Message-State: ALQs6tAjXuAXvpXLqfh9TVukRek8WW8S8m5EtwAFVHhg7Yo1MACGMX+f pdX0t1vO1bfTd4my79d5LTayOA== X-Received: by 2002:a9d:429c:: with SMTP id r28-v6mr8407479ote.126.1525108760330; Mon, 30 Apr 2018 10:19:20 -0700 (PDT) Received: from ?IPv6:2601:602:9802:a8dc::d2dd? ([2601:602:9802:a8dc::d2dd]) by smtp.gmail.com with ESMTPSA id t27-v6sm4839804oij.14.2018.04.30.10.19.17 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 30 Apr 2018 10:19:19 -0700 (PDT) Subject: Re: [PATCH v3] init: Fix false positives in W+X checking To: Jeffrey Hugo , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org Cc: Mark Rutland , Jan Glauber , Kees Cook , Ard Biesheuvel , Catalin Marinas , Will Deacon , Timur Tabi , Stephen Smalley , Andrew Morton , Ingo Molnar , Thomas Gleixner , Peter Zijlstra References: <1525103946-29526-1-git-send-email-jhugo@codeaurora.org> From: Laura Abbott Message-ID: Date: Mon, 30 Apr 2018 10:19:16 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: <1525103946-29526-1-git-send-email-jhugo@codeaurora.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 04/30/2018 08:59 AM, Jeffrey Hugo wrote: > load_module() creates W+X mappings via __vmalloc_node_range() (from > layout_and_allocate()->move_module()->module_alloc()) by using > PAGE_KERNEL_EXEC. These mappings are later cleaned up via > "call_rcu_sched(&freeinit->rcu, do_free_init)" from do_init_module(). > > This is a problem because call_rcu_sched() queues work, which can be run > after debug_checkwx() is run, resulting in a race condition. If hit, the > race results in a nasty splat about insecure W+X mappings, which results > in a poor user experience as these are not the mappings that > debug_checkwx() is intended to catch. > > This issue is observed on multiple arm64 platforms, and has been > artificially triggered on an x86 platform. > > Address the race by flushing the queued work before running the > arch-defined mark_rodata_ro() which then calls debug_checkwx(). > > Reported-by: Timur Tabi > Reported-by: Jan Glauber > Fixes: e1a58320a38d ("x86/mm: Warn on W^X mappings") > Signed-off-by: Jeffrey Hugo > Acked-by: Kees Cook > Acked-by: Ingo Molnar > Acked-by: Will Deacon > --- > Acked-by: Laura Abbott If you don't have a tree for this to go through, I might suggest having Kees take it. > v3: > -added comment to module code to establish matching connection > -added acks by Kees, Ingo, and Will > > v2: > -was "arm64: mm: Fix false positives in W+X checking" (see [1]) > -moved to common code based on review and confirmation of issue on x86 > > [1] http://lists.infradead.org/pipermail/linux-arm-kernel/2018-April/573776.html > > init/main.c | 7 +++++++ > kernel/module.c | 5 +++++ > 2 files changed, 12 insertions(+) > > diff --git a/init/main.c b/init/main.c > index b795aa3..499d957 100644 > --- a/init/main.c > +++ b/init/main.c > @@ -1034,6 +1034,13 @@ static int __init set_debug_rodata(char *str) > static void mark_readonly(void) > { > if (rodata_enabled) { > + /* > + * load_module() results in W+X mappings, which are cleaned up > + * with call_rcu_sched(). Let's make sure that queued work is > + * flushed so that we don't hit false positives looking for > + * insecure pages which are W+X. > + */ > + rcu_barrier_sched(); > mark_rodata_ro(); > rodata_test(); > } else > diff --git a/kernel/module.c b/kernel/module.c > index a6e43a5..7b71c3c 100644 > --- a/kernel/module.c > +++ b/kernel/module.c > @@ -3516,6 +3516,11 @@ static noinline int do_init_module(struct module *mod) > * walking this with preempt disabled. In all the failure paths, we > * call synchronize_sched(), but we don't want to slow down the success > * path, so use actual RCU here. > + * Note that module_alloc() on most architectures creates W+X page > + * mappings which won't be cleaned up until do_free_init() runs. Any > + * code such as mark_rodata_ro() which depends on those mappings to > + * be cleaned up needs to sync with the queued work - ie > + * rcu_barrier_sched() > */ > call_rcu_sched(&freeinit->rcu, do_free_init); > mutex_unlock(&module_mutex); >