From: Kees Cook
Date: Mon, 30 Apr 2018 11:40:42 -0700
Subject: Re: [PATCH v3] init: Fix false positives in W+X checking
To: Laura Abbott
Cc: Jeffrey Hugo, linux-arm-kernel, LKML, Mark Rutland, Jan Glauber, Ard Biesheuvel, Catalin Marinas, Will Deacon, Timur Tabi, Stephen Smalley, Andrew Morton, Ingo Molnar, Thomas Gleixner, Peter Zijlstra
References: <1525103946-29526-1-git-send-email-jhugo@codeaurora.org>

On Mon, Apr 30, 2018 at 10:19 AM, Laura Abbott wrote:
> On 04/30/2018 08:59 AM, Jeffrey Hugo wrote:
>>
>> load_module() creates W+X mappings via __vmalloc_node_range() (from
>> layout_and_allocate()->move_module()->module_alloc()) by using
>> PAGE_KERNEL_EXEC. These mappings are later cleaned up via
>> "call_rcu_sched(&freeinit->rcu, do_free_init)" from do_init_module().
>>
>> This is a problem because call_rcu_sched() queues work, which can be run
>> after debug_checkwx() is run, resulting in a race condition. If hit, the
>> race results in a nasty splat about insecure W+X mappings, which results
>> in a poor user experience as these are not the mappings that
>> debug_checkwx() is intended to catch.
>>
>> This issue is observed on multiple arm64 platforms, and has been
>> artificially triggered on an x86 platform.
>>
>> Address the race by flushing the queued work before running the
>> arch-defined mark_rodata_ro() which then calls debug_checkwx().
>>
>> Reported-by: Timur Tabi
>> Reported-by: Jan Glauber
>> Fixes: e1a58320a38d ("x86/mm: Warn on W^X mappings")
>> Signed-off-by: Jeffrey Hugo
>> Acked-by: Kees Cook
>> Acked-by: Ingo Molnar
>> Acked-by: Will Deacon
>> ---
>>
>
> Acked-by: Laura Abbott
>
> If you don't have a tree for this to go through, I might suggest having
> Kees take it.

akpm has taken the W^X stuff in the past, but I'm happy to do so. Just
let me know either way. :)

-Kees

--
Kees Cook
Pixel Security
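A user-space C model of the ordering problem the quoted commit message describes, added here as an illustration and not code from the patch or the kernel. The `regions` array, `map_module`, `defer_free`, `flush_deferred`, `count_wx` and `boot_check` are hypothetical names standing in for the module mapping, the queued `do_free_init` work, the flush, and `debug_checkwx()`.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; every name here is hypothetical, not a kernel API. */
enum { PERM_W = 1, PERM_X = 2, MAX_REGIONS = 8 };
struct region { int perm; bool mapped; };
static struct region regions[MAX_REGIONS];
static int deferred[MAX_REGIONS];   /* region indices whose free is queued */
static int n_deferred;

/* Stands in for module_alloc() with PAGE_KERNEL_EXEC: a live W+X mapping. */
static int map_module(void) {
    for (int i = 0; i < MAX_REGIONS; i++)
        if (!regions[i].mapped) {
            regions[i] = (struct region){ PERM_W | PERM_X, true };
            return i;
        }
    return -1;
}
/* Stands in for call_rcu_sched(..., do_free_init): queued, not yet run. */
static void defer_free(int idx) {
    if (idx >= 0 && n_deferred < MAX_REGIONS) deferred[n_deferred++] = idx;
}
/* Stands in for flushing the queued work: run every pending free now. */
static void flush_deferred(void) {
    for (int i = 0; i < n_deferred; i++) regions[deferred[i]].mapped = false;
    n_deferred = 0;
}
/* Stands in for debug_checkwx(): count live mappings that are W and X. */
static int count_wx(void) {
    int hits = 0;
    for (int i = 0; i < MAX_REGIONS; i++)
        hits += regions[i].mapped && (regions[i].perm & PERM_W)
                                  && (regions[i].perm & PERM_X);
    return hits;
}
/* Load two modules, then run the check with or without flushing first. */
static int boot_check(bool flush_first) {
    for (int i = 0; i < MAX_REGIONS; i++) regions[i].mapped = false;
    n_deferred = 0;
    for (int m = 0; m < 2; m++) defer_free(map_module());
    if (flush_first) flush_deferred();
    int hits = count_wx();
    flush_deferred();   /* the queued frees run eventually in both orders */
    return hits;
}

int main(void) {
    printf("check before queued frees ran: %d W+X hits\n", boot_check(false));
    printf("check after flushing the queue: %d W+X hits\n", boot_check(true));
    return 0;
}
```

The hits reported in the first ordering are mappings already scheduled for release, which is why the commit message calls the resulting warning a false positive.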