From: Rick Edgecombe
To: Andy Lutomirski, Ingo Molnar
Cc: linux-kernel@vger.kernel.org, x86@kernel.org, hpa@zytor.com, Thomas Gleixner, Borislav Petkov, Nadav Amit, Dave Hansen, Peter Zijlstra, linux_dti@icloud.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, akpm@linux-foundation.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, will.deacon@arm.com, ard.biesheuvel@linaro.org, kristen@linux.intel.com, deneen.t.dock@intel.com, Nadav Amit, Steven Rostedt, Rick Edgecombe
Subject: [PATCH 08/17] x86/ftrace: set trampoline pages as executable
Date: Wed, 16 Jan 2019 16:32:50 -0800
Message-Id: <20190117003259.23141-9-rick.p.edgecombe@intel.com>
In-Reply-To: <20190117003259.23141-1-rick.p.edgecombe@intel.com>
References: <20190117003259.23141-1-rick.p.edgecombe@intel.com>

From: Nadav Amit

Since alloc_module() will not set the pages as executable soon, we need to do so for ftrace trampoline pages after they are allocated.

For the time being, we do not change ftrace to use the text_poke() interface. As a result, ftrace still breaks W^X.

Cc: Steven Rostedt
Signed-off-by: Nadav Amit
Signed-off-by: Rick Edgecombe
---
 arch/x86/kernel/ftrace.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c index 8257a59704ae..eb4a1937e72c 100644 --- a/arch/x86/kernel/ftrace.c +++ b/arch/x86/kernel/ftrace.c @@ -742,6 +742,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size) unsigned long end_offset; unsigned long op_offset; unsigned long offset; + unsigned long npages; unsigned long size; unsigned long retq; unsigned long *ptr; 
@@ -774,6 +775,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size) return 0; *tramp_size = size + RET_SIZE + sizeof(void *); + npages = DIV_ROUND_UP(*tramp_size, PAGE_SIZE); /* Copy ftrace_caller onto the trampoline memory */ ret = probe_kernel_read(trampoline, (void *)start_offset, size); @@ -818,6 +820,13 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size) /* ALLOC_TRAMP flags lets us know we created it */ ops->flags |= FTRACE_OPS_FL_ALLOC_TRAMP; + /* + * Module allocation needs to be completed by making the page + * executable. The page is still writable, which is a security hazard, + * but anyhow ftrace breaks W^X completely. + */ + set_memory_x((unsigned long)trampoline, npages); + return (unsigned long)trampoline; fail: tramp_free(trampoline, *tramp_size); -- 2.17.1
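
Review bot: In the hunk at -774,6, npages = DIV_ROUND_UP(*tramp_size, PAGE_SIZE) only gives the right page count for the later set_memory_x() call if trampoline starts on a page boundary, and nothing in the patch states that. Add a short comment next to the computation saying the trampoline allocation is page-aligned, or compute npages at the set_memory_x() call site so the assumption and its use sit together.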
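
Review bot: The return value of set_memory_x((unsigned long)trampoline, npages) in the hunk at -818,6 is ignored, so if the permission change fails create_trampoline() still returns the trampoline address even though its pages may not be executable. Check the result and take the existing fail: path (tramp_free(trampoline, *tramp_size)) on error, and place the call before ops->flags |= FTRACE_OPS_FL_ALLOC_TRAMP so the flag is not left set when the function bails out. The new comment also records that the page stays writable; a pointer to the planned follow-up (the text_poke() conversion the commit message mentions) would help readers tell this is a known, temporary W^X gap.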