On Thu, Sep 29, 2016 at 02:32:57PM -0700, Laura Abbott wrote: > @@ -219,6 +223,15 @@ static void note_page(struct pg_state *st, unsigned long > addr, unsigned level, > unsigned long delta; > > if (st->current_prot) { > + if (st->check_wx && > + ((st->current_prot & PTE_RDONLY) != PTE_RDONLY) && > + ((st->current_prot & PTE_PXN) != PTE_PXN)) { > + WARN_ONCE(1, "arm64/mm: Found insecure W+X > mapping at address %p/%pS\n", > + (void *)st->start_address, > + (void *)st->start_address); > + st->wx_pages += (addr - st->start_address) / > PAGE_SIZE; > + } > +
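Review bot: WARN_ONCE in the added `if (st->check_wx && ...)` block fires only for the first W+X range, so every later range is only added to st->wx_pages and its start address is never logged. Consider printing each offending range with a plain warning in addition to the one-time WARN, so that a non-zero wx_pages count can be traced back to addresses. The condition tests only PTE_RDONLY and PTE_PXN, so "X" here means privileged execute; a short comment above the check stating that would make its scope explicit.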
Would it be worth verifying that all kernel mappings are UXN, too?

ARMv8 allows execute-only mappings, and a !UXN mapping could result in an info leak (e.g. pointers in MOVZ+MOVK sequences), or potential asynchronous issues (e.g. user instruction fetches accessing read-destructive device registers). All kernel mappings *should* be UXN.

Thanks,
Mark.