Re: [RFC][PATCH 08/10] x86/mm: do not forbid _PAGE_RW before init for __ro_after_init
On Thu, Feb 22, 2018 at 12:37 PM, Dave Hansenwrote: > > From: Dave Hansen > > __ro_after_init data gets stuck in the .rodata section. That's normally > fine because the kernel itself manages the R/W properties. > > But, if we run __change_page_attr() on an area which is __ro_after_init, > the .rodata checks will trigger and force the area to be immediately > read-only, even if it is early-ish in boot. This caused problems when > trying to clear the _PAGE_GLOBAL bit for these area in the PTI code: > it cleared _PAGE_GLOBAL like I asked, but also took it up on itself > to clear _PAGE_RW. The kernel then oopses the next time it wrote to > a __ro_after_init data structure. > > To fix this, add the kernel_set_to_readonly check, just like we have > for kernel text, just a few lines below in this function. Yup, looks sensible. Thanks! > > Signed-off-by: Dave Hansen > Cc: Andrea Arcangeli > Cc: Andy Lutomirski > Cc: Linus Torvalds > Cc: Kees Cook > Cc: Hugh Dickins > Cc: Juergen Gross > Cc: x...@kernel.org > Cc: Nadav Amit Acked-by: Kees Cook -Kees > --- > > b/arch/x86/mm/pageattr.c |6 -- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff -puN arch/x86/mm/pageattr.c~check-kernel_set_to_readonly > arch/x86/mm/pageattr.c > --- a/arch/x86/mm/pageattr.c~check-kernel_set_to_readonly 2018-02-22 > 12:36:21.531036546 -0800 > +++ b/arch/x86/mm/pageattr.c2018-02-22 12:36:21.535036546 -0800 > @@ -298,9 +298,11 @@ static inline pgprot_t static_protection > > /* > * The .rodata section needs to be read-only. Using the pfn > -* catches all aliases. > +* catches all aliases. This also includes __ro_after_init, > +* so do not enforce until kernel_set_to_readonly is true. > */ > - if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, > + if (kernel_set_to_readonly && > + within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, >__pa_symbol(__end_rodata) >> PAGE_SHIFT)) > pgprot_val(forbidden) |= _PAGE_RW; > > _ -- Kees Cook Pixel Security
Re: [RFC][PATCH 08/10] x86/mm: do not forbid _PAGE_RW before init for __ro_after_init
On Thu, Feb 22, 2018 at 12:37 PM, Dave Hansen wrote: > > From: Dave Hansen > > __ro_after_init data gets stuck in the .rodata section. That's normally > fine because the kernel itself manages the R/W properties. > > But, if we run __change_page_attr() on an area which is __ro_after_init, > the .rodata checks will trigger and force the area to be immediately > read-only, even if it is early-ish in boot. This caused problems when > trying to clear the _PAGE_GLOBAL bit for these area in the PTI code: > it cleared _PAGE_GLOBAL like I asked, but also took it up on itself > to clear _PAGE_RW. The kernel then oopses the next time it wrote to > a __ro_after_init data structure. > > To fix this, add the kernel_set_to_readonly check, just like we have > for kernel text, just a few lines below in this function. Yup, looks sensible. Thanks! > > Signed-off-by: Dave Hansen > Cc: Andrea Arcangeli > Cc: Andy Lutomirski > Cc: Linus Torvalds > Cc: Kees Cook > Cc: Hugh Dickins > Cc: Juergen Gross > Cc: x...@kernel.org > Cc: Nadav Amit Acked-by: Kees Cook -Kees > --- > > b/arch/x86/mm/pageattr.c |6 -- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff -puN arch/x86/mm/pageattr.c~check-kernel_set_to_readonly > arch/x86/mm/pageattr.c > --- a/arch/x86/mm/pageattr.c~check-kernel_set_to_readonly 2018-02-22 > 12:36:21.531036546 -0800 > +++ b/arch/x86/mm/pageattr.c2018-02-22 12:36:21.535036546 -0800 > @@ -298,9 +298,11 @@ static inline pgprot_t static_protection > > /* > * The .rodata section needs to be read-only. Using the pfn > -* catches all aliases. > +* catches all aliases. This also includes __ro_after_init, > +* so do not enforce until kernel_set_to_readonly is true. > */ > - if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, > + if (kernel_set_to_readonly && > + within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, >__pa_symbol(__end_rodata) >> PAGE_SHIFT)) > pgprot_val(forbidden) |= _PAGE_RW; > > _ -- Kees Cook Pixel Security
[RFC][PATCH 08/10] x86/mm: do not forbid _PAGE_RW before init for __ro_after_init
From: Dave Hansen__ro_after_init data gets stuck in the .rodata section. That's normally fine because the kernel itself manages the R/W properties. But, if we run __change_page_attr() on an area which is __ro_after_init, the .rodata checks will trigger and force the area to be immediately read-only, even if it is early-ish in boot. This caused problems when trying to clear the _PAGE_GLOBAL bit for these area in the PTI code: it cleared _PAGE_GLOBAL like I asked, but also took it up on itself to clear _PAGE_RW. The kernel then oopses the next time it wrote to a __ro_after_init data structure. To fix this, add the kernel_set_to_readonly check, just like we have for kernel text, just a few lines below in this function. Signed-off-by: Dave Hansen Cc: Andrea Arcangeli Cc: Andy Lutomirski Cc: Linus Torvalds Cc: Kees Cook Cc: Hugh Dickins Cc: Juergen Gross Cc: x...@kernel.org Cc: Nadav Amit --- b/arch/x86/mm/pageattr.c |6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff -puN arch/x86/mm/pageattr.c~check-kernel_set_to_readonly arch/x86/mm/pageattr.c --- a/arch/x86/mm/pageattr.c~check-kernel_set_to_readonly 2018-02-22 12:36:21.531036546 -0800 +++ b/arch/x86/mm/pageattr.c2018-02-22 12:36:21.535036546 -0800 @@ -298,9 +298,11 @@ static inline pgprot_t static_protection /* * The .rodata section needs to be read-only. Using the pfn -* catches all aliases. +* catches all aliases. This also includes __ro_after_init, +* so do not enforce until kernel_set_to_readonly is true. */ - if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, + if (kernel_set_to_readonly && + within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, __pa_symbol(__end_rodata) >> PAGE_SHIFT)) pgprot_val(forbidden) |= _PAGE_RW; _
[RFC][PATCH 08/10] x86/mm: do not forbid _PAGE_RW before init for __ro_after_init
From: Dave Hansen __ro_after_init data gets stuck in the .rodata section. That's normally fine because the kernel itself manages the R/W properties. But, if we run __change_page_attr() on an area which is __ro_after_init, the .rodata checks will trigger and force the area to be immediately read-only, even if it is early-ish in boot. This caused problems when trying to clear the _PAGE_GLOBAL bit for these area in the PTI code: it cleared _PAGE_GLOBAL like I asked, but also took it up on itself to clear _PAGE_RW. The kernel then oopses the next time it wrote to a __ro_after_init data structure. To fix this, add the kernel_set_to_readonly check, just like we have for kernel text, just a few lines below in this function. Signed-off-by: Dave Hansen Cc: Andrea Arcangeli Cc: Andy Lutomirski Cc: Linus Torvalds Cc: Kees Cook Cc: Hugh Dickins Cc: Juergen Gross Cc: x...@kernel.org Cc: Nadav Amit --- b/arch/x86/mm/pageattr.c |6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff -puN arch/x86/mm/pageattr.c~check-kernel_set_to_readonly arch/x86/mm/pageattr.c --- a/arch/x86/mm/pageattr.c~check-kernel_set_to_readonly 2018-02-22 12:36:21.531036546 -0800 +++ b/arch/x86/mm/pageattr.c2018-02-22 12:36:21.535036546 -0800 @@ -298,9 +298,11 @@ static inline pgprot_t static_protection /* * The .rodata section needs to be read-only. Using the pfn -* catches all aliases. +* catches all aliases. This also includes __ro_after_init, +* so do not enforce until kernel_set_to_readonly is true. */ - if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, + if (kernel_set_to_readonly && + within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, __pa_symbol(__end_rodata) >> PAGE_SHIFT)) pgprot_val(forbidden) |= _PAGE_RW; _