Re: [RFC][PATCH 08/10] x86/mm: do not forbid _PAGE_RW before init for __ro_after_init

[Kees Cook]

On Thu, Feb 22, 2018 at 12:37 PM, Dave Hansen
 wrote:
>
> From: Dave Hansen 
>
> __ro_after_init data gets stuck in the .rodata section.  That's normally
> fine because the kernel itself manages the R/W properties.
>
> But, if we run __change_page_attr() on an area which is __ro_after_init,
> the .rodata checks will trigger and force the area to be immediately
> read-only, even if it is early-ish in boot.  This caused problems when
> trying to clear the _PAGE_GLOBAL bit for these area in the PTI code:
> it cleared _PAGE_GLOBAL like I asked, but also took it up on itself
> to clear _PAGE_RW.  The kernel then oopses the next time it wrote to
> a __ro_after_init data structure.
>
> To fix this, add the kernel_set_to_readonly check, just like we have
> for kernel text, just a few lines below in this function.

Yup, looks sensible. Thanks!

>
> Signed-off-by: Dave Hansen 
> Cc: Andrea Arcangeli 
> Cc: Andy Lutomirski 
> Cc: Linus Torvalds 
> Cc: Kees Cook 
> Cc: Hugh Dickins 
> Cc: Juergen Gross 
> Cc: x...@kernel.org
> Cc: Nadav Amit 

Acked-by: Kees Cook 

-Kees

> ---
>
>  b/arch/x86/mm/pageattr.c |6 --
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff -puN arch/x86/mm/pageattr.c~check-kernel_set_to_readonly 
> arch/x86/mm/pageattr.c
> --- a/arch/x86/mm/pageattr.c~check-kernel_set_to_readonly   2018-02-22 
> 12:36:21.531036546 -0800
> +++ b/arch/x86/mm/pageattr.c2018-02-22 12:36:21.535036546 -0800
> @@ -298,9 +298,11 @@ static inline pgprot_t static_protection
>
> /*
>  * The .rodata section needs to be read-only. Using the pfn
> -* catches all aliases.
> +* catches all aliases.  This also includes __ro_after_init,
> +* so do not enforce until kernel_set_to_readonly is true.
>  */
> -   if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
> +   if (kernel_set_to_readonly &&
> +   within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
>__pa_symbol(__end_rodata) >> PAGE_SHIFT))
> pgprot_val(forbidden) |= _PAGE_RW;
>
> _



-- 
Kees Cook
Pixel Security

Re: [RFC][PATCH 08/10] x86/mm: do not forbid _PAGE_RW before init for __ro_after_init

[Kees Cook]

On Thu, Feb 22, 2018 at 12:37 PM, Dave Hansen
 wrote:
>
> From: Dave Hansen 
>
> __ro_after_init data gets stuck in the .rodata section.  That's normally
> fine because the kernel itself manages the R/W properties.
>
> But, if we run __change_page_attr() on an area which is __ro_after_init,
> the .rodata checks will trigger and force the area to be immediately
> read-only, even if it is early-ish in boot.  This caused problems when
> trying to clear the _PAGE_GLOBAL bit for these area in the PTI code:
> it cleared _PAGE_GLOBAL like I asked, but also took it up on itself
> to clear _PAGE_RW.  The kernel then oopses the next time it wrote to
> a __ro_after_init data structure.
>
> To fix this, add the kernel_set_to_readonly check, just like we have
> for kernel text, just a few lines below in this function.

Yup, looks sensible. Thanks!

>
> Signed-off-by: Dave Hansen 
> Cc: Andrea Arcangeli 
> Cc: Andy Lutomirski 
> Cc: Linus Torvalds 
> Cc: Kees Cook 
> Cc: Hugh Dickins 
> Cc: Juergen Gross 
> Cc: x...@kernel.org
> Cc: Nadav Amit 

Acked-by: Kees Cook 

-Kees

> ---
>
>  b/arch/x86/mm/pageattr.c |6 --
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff -puN arch/x86/mm/pageattr.c~check-kernel_set_to_readonly 
> arch/x86/mm/pageattr.c
> --- a/arch/x86/mm/pageattr.c~check-kernel_set_to_readonly   2018-02-22 
> 12:36:21.531036546 -0800
> +++ b/arch/x86/mm/pageattr.c2018-02-22 12:36:21.535036546 -0800
> @@ -298,9 +298,11 @@ static inline pgprot_t static_protection
>
> /*
>  * The .rodata section needs to be read-only. Using the pfn
> -* catches all aliases.
> +* catches all aliases.  This also includes __ro_after_init,
> +* so do not enforce until kernel_set_to_readonly is true.
>  */
> -   if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
> +   if (kernel_set_to_readonly &&
> +   within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
>__pa_symbol(__end_rodata) >> PAGE_SHIFT))
> pgprot_val(forbidden) |= _PAGE_RW;
>
> _



-- 
Kees Cook
Pixel Security

[RFC][PATCH 08/10] x86/mm: do not forbid _PAGE_RW before init for __ro_after_init

[Dave Hansen]

From: Dave Hansen 

__ro_after_init data gets stuck in the .rodata section.  That's normally
fine because the kernel itself manages the R/W properties.

But, if we run __change_page_attr() on an area which is __ro_after_init,
the .rodata checks will trigger and force the area to be immediately
read-only, even if it is early-ish in boot.  This caused problems when
trying to clear the _PAGE_GLOBAL bit for these area in the PTI code:
it cleared _PAGE_GLOBAL like I asked, but also took it up on itself
to clear _PAGE_RW.  The kernel then oopses the next time it wrote to
a __ro_after_init data structure.

To fix this, add the kernel_set_to_readonly check, just like we have
for kernel text, just a few lines below in this function.

Signed-off-by: Dave Hansen 
Cc: Andrea Arcangeli 
Cc: Andy Lutomirski 
Cc: Linus Torvalds 
Cc: Kees Cook 
Cc: Hugh Dickins 
Cc: Juergen Gross 
Cc: x...@kernel.org
Cc: Nadav Amit 
---

 b/arch/x86/mm/pageattr.c |6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff -puN arch/x86/mm/pageattr.c~check-kernel_set_to_readonly 
arch/x86/mm/pageattr.c
--- a/arch/x86/mm/pageattr.c~check-kernel_set_to_readonly   2018-02-22 
12:36:21.531036546 -0800
+++ b/arch/x86/mm/pageattr.c2018-02-22 12:36:21.535036546 -0800
@@ -298,9 +298,11 @@ static inline pgprot_t static_protection
 
/*
 * The .rodata section needs to be read-only. Using the pfn
-* catches all aliases.
+* catches all aliases.  This also includes __ro_after_init,
+* so do not enforce until kernel_set_to_readonly is true.
 */
-   if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
+   if (kernel_set_to_readonly &&
+   within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
   __pa_symbol(__end_rodata) >> PAGE_SHIFT))
pgprot_val(forbidden) |= _PAGE_RW;
 
_

[RFC][PATCH 08/10] x86/mm: do not forbid _PAGE_RW before init for __ro_after_init

[Dave Hansen]

From: Dave Hansen 

__ro_after_init data gets stuck in the .rodata section.  That's normally
fine because the kernel itself manages the R/W properties.

But, if we run __change_page_attr() on an area which is __ro_after_init,
the .rodata checks will trigger and force the area to be immediately
read-only, even if it is early-ish in boot.  This caused problems when
trying to clear the _PAGE_GLOBAL bit for these area in the PTI code:
it cleared _PAGE_GLOBAL like I asked, but also took it up on itself
to clear _PAGE_RW.  The kernel then oopses the next time it wrote to
a __ro_after_init data structure.

To fix this, add the kernel_set_to_readonly check, just like we have
for kernel text, just a few lines below in this function.

Signed-off-by: Dave Hansen 
Cc: Andrea Arcangeli 
Cc: Andy Lutomirski 
Cc: Linus Torvalds 
Cc: Kees Cook 
Cc: Hugh Dickins 
Cc: Juergen Gross 
Cc: x...@kernel.org
Cc: Nadav Amit 
---

 b/arch/x86/mm/pageattr.c |6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff -puN arch/x86/mm/pageattr.c~check-kernel_set_to_readonly 
arch/x86/mm/pageattr.c
--- a/arch/x86/mm/pageattr.c~check-kernel_set_to_readonly   2018-02-22 
12:36:21.531036546 -0800
+++ b/arch/x86/mm/pageattr.c2018-02-22 12:36:21.535036546 -0800
@@ -298,9 +298,11 @@ static inline pgprot_t static_protection
 
/*
 * The .rodata section needs to be read-only. Using the pfn
-* catches all aliases.
+* catches all aliases.  This also includes __ro_after_init,
+* so do not enforce until kernel_set_to_readonly is true.
 */
-   if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
+   if (kernel_set_to_readonly &&
+   within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
   __pa_symbol(__end_rodata) >> PAGE_SHIFT))
pgprot_val(forbidden) |= _PAGE_RW;
 
_