From: Nadav Amit
To: Ingo Molnar
CC: "H. Peter Anvin", Thomas Gleixner, Borislav Petkov, Andy Lutomirski, Nadav Amit, Dave Hansen, Peter Zijlstra, Nadav Amit, Masami Hiramatsu
Subject: [PATCH v7 09/14] x86/kprobes: Instruction pages initialization enhancements
Date: Tue, 4 Dec 2018 17:34:03 -0800
Message-ID: <20181205013408.47725-10-namit@vmware.com>
In-Reply-To: <20181205013408.47725-1-namit@vmware.com>
References: <20181205013408.47725-1-namit@vmware.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch is a preparatory patch for a following patch that makes module allocated pages non-executable. The patch sets the page as executable after allocation.

In the future, we may get better protection of executables. For example, by using hypercalls to request the hypervisor to protect VM executable pages from modifications using nested page-tables. This would allow us to ensure the executable has not changed between allocation and its write-protection.

While at it, do some small cleanup of what appears to be unnecessary masking.

Cc: Masami Hiramatsu
Signed-off-by: Nadav Amit
--- arch/x86/kernel/kprobes/core.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c index c33b06f5faa4..ca0118d3b3e8 100644 --- a/arch/x86/kernel/kprobes/core.c +++ b/arch/x86/kernel/kprobes/core.c 
@@ -431,8 +431,20 @@ void *alloc_insn_page(void) void *page; page = module_alloc(PAGE_SIZE); - if (page) - set_memory_ro((unsigned long)page & PAGE_MASK, 1); + if (page == NULL) + return NULL; + + /* + * First make the page read-only, and then only then make it executable + * to prevent it from being W+X in between. + */ + set_memory_ro((unsigned long)page, 1); + + /* + * TODO: Once additional kernel code protection mechanisms are set, ensure + * that the page was not maliciously altered and it is still zeroed. + */ + set_memory_x((unsigned long)page, 1); return page; } @@ -440,8 +452,12 @@ void *alloc_insn_page(void) /* Recover page to RW mode before releasing it */ void free_insn_page(void *page) { - set_memory_nx((unsigned long)page & PAGE_MASK, 1); - set_memory_rw((unsigned long)page & PAGE_MASK, 1); + /* + * First make the page non-executable, and then only then make it + * writable to prevent it from being W+X in between. + */ + set_memory_nx((unsigned long)page, 1); + set_memory_rw((unsigned long)page, 1); module_memfree(page); } -- 2.17.1
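
Review bot: In the alloc_insn_page() hunk, the return values of set_memory_ro() and set_memory_x() are discarded, so if set_memory_ro() fails the page is still handed to set_memory_x() while writable, which is exactly the W+X state the new comment says the ordering prevents. Consider checking the result of set_memory_ro() and, on failure, calling module_memfree(page) and returning NULL before set_memory_x() is reached; the same applies to a failed set_memory_x(), since callers would otherwise receive a non-executable instruction page. Minor wording: the comment reads "and then only then", where "and only then" looks intended.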
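
Review bot: In the free_insn_page() hunk, removing "& PAGE_MASK" makes the function depend on every caller passing back the exact page-aligned pointer that alloc_insn_page() got from module_alloc(PAGE_SIZE), yet the changelog only says the masking "appears to be" unnecessary. Please state that alignment guarantee in the changelog or in the function comment, so the cleanup does not rest on an assumption. The existing one-line comment above the function ("Recover page to RW mode before releasing it") now overlaps with the new block comment and could be folded into it, and the new comment repeats the "and then only then" wording. As in the allocation path, the set_memory_nx() result is ignored, so a failure there would let set_memory_rw() create a writable and executable page just before module_memfree().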