Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1339795imu; Wed, 16 Jan 2019 17:37:05 -0800 (PST) X-Google-Smtp-Source: ALg8bN4N1G3y8ViC1LiWIcq15p7BUdSpCxr6yeoy8eJkRHIExyfGJC4996qqzhGa+hLlzS7PZrVw X-Received: by 2002:a63:2ac9:: with SMTP id q192mr11695605pgq.58.1547689025130; Wed, 16 Jan 2019 17:37:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547689025; cv=none; d=google.com; s=arc-20160816; b=rrbzVvrs2BVi3KAAMVj4Qz3+vDMUg9XlDLFj7bab2volez/53t6N6fYL6cdpdPw+1h bukk9PErz0+oEiEfE2VuTRvXwRw62VjsUTAtb3PUUygd4mAYTtYwPzY9pNNt7Og1p96H wjbQr9SjUKLwTyLMJ/0O/8dd+W17fdah59F3tppnETJnUFhZZqsImv1b5iTnHRCKNOPh SvjrLGMK7cLc/lMGv2jDScex3KJq+WGSVyQNaiJqzEY792RDDBHQDKYm8L/qhziAVied ZMly7yaaZEqY/jxqNIfKFIszmg+N8/oQ5esSU6gRwoOaB0gej04VkWuXoWoKwgq/+f+K tGyA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from; bh=c13Wr+3Necp9qzFvMVo2W40U43LJE4xOuse7XO7h/k8=; b=dXx2pQkSOXYmSSWF8mnu4zhzwXRmVWi0JD9Jm/S+JcZ1m3Cq4Iywoww6KM3dsUBx/0 AOm76k1vIBL8iyKvtvxJKHS9T9XfA8b69PEEStxP1CQSfXcdMbOAh0JWHDv16RL5d3yg llDE37OJ3hvsPRo1xb7sN60CfIgDDIbLHG+p1BKSfq5fSeoSum+I5IUVhIX981jP2zsW 3ohK7HbmUNCDaIoSlqLIRWw24vNGH9oTjqnkxkK9CW1n6TfTvZFGrcrJmN8Frp+Ql/2E iJgD9lOJyrd7uE0f0YQjo8wQo/N7RwrhQ2Y3/c8BEqBWGF0WfpJfZomyopNc+IAy6LfG yNzw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p14si108231pfi.12.2019.01.16.17.36.49; Wed, 16 Jan 2019 17:37:05 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731005AbfAQAep (ORCPT + 99 others); Wed, 16 Jan 2019 19:34:45 -0500 Received: from mga05.intel.com ([192.55.52.43]:42206 "EHLO mga05.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729982AbfAQAdj (ORCPT ); Wed, 16 Jan 2019 19:33:39 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Jan 2019 16:33:37 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,488,1539673200"; d="scan'208";a="292166037" Received: from rpedgeco-desk5.jf.intel.com ([10.54.75.79]) by orsmga005.jf.intel.com with ESMTP; 16 Jan 2019 16:33:36 -0800 From: Rick Edgecombe To: Andy Lutomirski , Ingo Molnar Cc: linux-kernel@vger.kernel.org, x86@kernel.org, hpa@zytor.com, Thomas Gleixner , Borislav Petkov , Nadav Amit , Dave Hansen , Peter Zijlstra , linux_dti@icloud.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, akpm@linux-foundation.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, will.deacon@arm.com, ard.biesheuvel@linaro.org, kristen@linux.intel.com, deneen.t.dock@intel.com, Nadav Amit , Masami Hiramatsu , Rick Edgecombe Subject: [PATCH 09/17] x86/kprobes: Instruction pages initialization enhancements Date: Wed, 16 Jan 2019 16:32:51 -0800 Message-Id: <20190117003259.23141-10-rick.p.edgecombe@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190117003259.23141-1-rick.p.edgecombe@intel.com> References: <20190117003259.23141-1-rick.p.edgecombe@intel.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Nadav Amit This patch is a preparatory patch for a following patch that makes module allocated pages non-executable. The patch sets the page as executable after allocation. In the future, we may get better protection of executables. For example, by using hypercalls to request the hypervisor to protect VM executable pages from modifications using nested page-tables. This would allow us to ensure the executable has not changed between allocation and its write-protection. While at it, do some small cleanup of what appears to be unnecessary masking. Cc: Masami Hiramatsu Signed-off-by: Nadav Amit Signed-off-by: Rick Edgecombe --- arch/x86/kernel/kprobes/core.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c index 4ba75afba527..fac692e36833 100644 --- a/arch/x86/kernel/kprobes/core.c +++ b/arch/x86/kernel/kprobes/core.c @@ -431,8 +431,20 @@ void *alloc_insn_page(void) void *page; page = module_alloc(PAGE_SIZE); - if (page) - set_memory_ro((unsigned long)page & PAGE_MASK, 1); + if (page == NULL) + return NULL; + + /* + * First make the page read-only, and then only then make it executable + * to prevent it from being W+X in between. + */ + set_memory_ro((unsigned long)page, 1); + + /* + * TODO: Once additional kernel code protection mechanisms are set, ensure + * that the page was not maliciously altered and it is still zeroed. + */ + set_memory_x((unsigned long)page, 1); return page; } @@ -440,8 +452,12 @@ void *alloc_insn_page(void) /* Recover page to RW mode before releasing it */ void free_insn_page(void *page) { - set_memory_nx((unsigned long)page & PAGE_MASK, 1); - set_memory_rw((unsigned long)page & PAGE_MASK, 1); + /* + * First make the page non-executable, and then only then make it + * writable to prevent it from being W+X in between. + */ + set_memory_nx((unsigned long)page, 1); + set_memory_rw((unsigned long)page, 1); module_memfree(page); } -- 2.17.1