On Wed, Aug 10, 2016 at 12:41 PM, Arnd Bergmann <arnd@xxxxxxxx> wrote: > On Wednesday, August 10, 2016 11:32:07 AM CEST Kees Cook wrote: >> On Wed, Aug 10, 2016 at 2:43 AM, Russell King - ARM Linux >> <linux@xxxxxxxxxxxxxxx> wrote: >> > On Fri, Jun 03, 2016 at 11:40:24AM -0700, Kees Cook wrote: >> >> @@ -1309,16 +1309,11 @@ void __init arm_mm_memblock_reserve(void) >> >> * Any other function or debugging method which may touch any device _will_ >> >> * crash the kernel. >> >> */ >> >> +static char vectors[PAGE_SIZE * 2] __ro_after_init __aligned(PAGE_SIZE); >> >> static void __init devicemaps_init(const struct machine_desc *mdesc) >> >> { >> >> struct map_desc map; >> >> unsigned long addr; >> >> - void *vectors; >> >> - >> >> - /* >> >> - * Allocate the vector page early. >> >> - */ >> >> - vectors = early_alloc(PAGE_SIZE * 2); >> > >> > This one is not appropriate. We _do_ write to these pages after init >> > for FIQ handler updates. See set_fiq_handler(). >> >> Ah, interesting. I guess none of that hardware is being tested on >> linux-next. > > Right. The OMAP1 Amstrad Delta is a somewhat obscure machine, and that > would be the most likely candidate to run into this. > > RiscPC also has FIQ support, but I have not heard of anyone other > than Russell still using one with a modern kernel, and I doubt he > tests linux-next on it. > > The s3c24xx and imx machines that could use FIQ probably don't > use it in practice, last time I checked, I didn't see any DTS file > or platform data definition in the kernel that activated that > code path. > >> I'll drop that chunk and resubmit. > > Good enough for now, but it may be worth revisiting this, as the > vector page might be a good target for an attack if you have a > way to overwrite a few bytes in the kernel. > > Note that there are two mappings for the pages, and as Russell > mentioned, the TLS emulation writes to the other one that is > at a fixed virtual address. > > It might be better to start by making the fixed mapping readonly, > as KASLR doesn't protect that one at all, and change the TLS > code accordingly. That sounds good (anyone want to work on this?). Does arm64 need a similar vector page protection? -Kees -- Kees Cook Nexus Security -- To unsubscribe from this list: send the line "unsubscribe linux-arch" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html