On Wed, Feb 17, 2016 at 3:43 PM, David Brown <david.brown@xxxxxxxxxx> wrote: > On Wed, Feb 17, 2016 at 03:00:52PM -0800, Kees Cook wrote: >> >> On Tue, Feb 16, 2016 at 9:20 PM, David Brown <david.brown@xxxxxxxxxx> >> wrote: >>> >>> On Tue, Feb 16, 2016 at 01:52:33PM -0800, Kees Cook wrote: >>>> >>>> >>>> On Tue, Feb 16, 2016 at 1:36 PM, David Brown <david.brown@xxxxxxxxxx> >>>> wrote: >>>>> >>>>> >>>>> Although the arm vDSO is cleanly separated by code/data with the code >>>>> being read-only in userspace mappings, the code page is still writable >>>>> from the kernel. There have been exploits (such as >>>>> http://itszn.com/blog/?p=21) that take advantage of this on x86 to go >>>>> from a bad kernel write to full root. >>>>> >>>>> Prevent this specific exploit on arm by putting the vDSO code page in >>>>> post-init read-only memory as well. >>>> >>>> >>>> >>>> Is the vdso dynamically built at init time like on x86, or can this >>>> just use .rodata directly? >>> >>> >>> >>> On ARM, it is patched during init. Arm64's is just plain read-only. >> >> >> Okay, great. I've added this to my postinit-readonly series (which I >> just refreshed and sent out again...) > > > However, this distinction between .rodata and .data..ro_after_init is > kind of fuzzy, anyway, since they both get made actually read-only at > the same time (post init). The patch actually does work fine with the > vDSO page in .rodata, since the patching happens during init. Yeah, in the ARM case, that's true. I think we should probably keep it marked "correctly" though. > Is there a possible future consideration to perhaps make .rodata read > only much earlier? Yeah, this will likely be a future improvement. Some architectures already mark .rodata before the mark_rodata_ro() call. Once we start to have more use of postinit-readonly, I suspect we'll see more clarification of when those things happen. -Kees -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe from this list: send the line "unsubscribe linux-arch" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
