On Wednesday, August 10, 2016 11:32:07 AM CEST Kees Cook wrote:
> On Wed, Aug 10, 2016 at 2:43 AM, Russell King - ARM Linux
> <linux@xxxxxxxxxxxxxxx> wrote:
> > On Fri, Jun 03, 2016 at 11:40:24AM -0700, Kees Cook wrote:
> >> @@ -1309,16 +1309,11 @@ void __init arm_mm_memblock_reserve(void)
> >> * Any other function or debugging method which may touch any device _will_
> >> * crash the kernel.
> >> */
> >> +static char vectors[PAGE_SIZE * 2] __ro_after_init __aligned(PAGE_SIZE);
> >> static void __init devicemaps_init(const struct machine_desc *mdesc)
> >> {
> >> struct map_desc map;
> >> unsigned long addr;
> >> - void *vectors;
> >> -
> >> - /*
> >> - * Allocate the vector page early.
> >> - */
> >> - vectors = early_alloc(PAGE_SIZE * 2);
> >
> > This one is not appropriate. We _do_ write to these pages after init
> > for FIQ handler updates. See set_fiq_handler().
>
> Ah, interesting. I guess none of that hardware is being tested on
> linux-next.
Right. The OMAP1 Amstrad Delta is a somewhat obscure machine, and that
would be the most likely candidate to run into this.
RiscPC also has FIQ support, but I have not heard of anyone other
than Russell still using one with a modern kernel, and I doubt he
tests linux-next on it.
The s3c24xx and imx machines that could use FIQ probably don't
use it in practice, last time I checked, I didn't see any DTS file
or platform data definition in the kernel that activated that
code path.
> I'll drop that chunk and resubmit.
Good enough for now, but it may be worth revisiting this, as the
vector page might be a good target for an attack if you have a
way to overwrite a few bytes in the kernel.
Note that there are two mappings for the pages, and as Russell
mentioned, the TLS emulation writes to the other one that is
at a fixed virtual address.
It might be better to start by making the fixed mapping readonly,
as KASLR doesn't protect that one at all, and change the TLS
code accordingly.
Arnd
--
To unsubscribe from this list: send the line "unsubscribe linux-arch" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
