This is a note to let you know that I've just added the patch titled

    ARM: ensure the signal page contains defined contents

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     arm-ensure-the-signal-page-contains-defined-contents.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 9c698bff66ab4914bb3d71da7dc6112519bde23e Mon Sep 17 00:00:00 2001
From: Russell King <rmk+kernel@xxxxxxxxxxxxxxx>
Date: Fri, 29 Jan 2021 10:19:07 +0000
Subject: ARM: ensure the signal page contains defined contents

From: Russell King <rmk+kernel@xxxxxxxxxxxxxxx>

commit 9c698bff66ab4914bb3d71da7dc6112519bde23e upstream.

Ensure that the signal page contains our poison instruction to increase
the protection against ROP attacks and also contains well defined
contents.

Acked-by: Will Deacon <will@xxxxxxxxxx>
Signed-off-by: Russell King <rmk+kernel@xxxxxxxxxxxxxxx>
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 arch/arm/kernel/signal.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/arch/arm/kernel/signal.c +++ b/arch/arm/kernel/signal.c
@@ -625,18 +625,20 @@ struct page *get_signal_page(void) addr = page_address(page); + /* Poison the entire page */ + memset32(addr, __opcode_to_mem_arm(0xe7fddef1), + PAGE_SIZE / sizeof(u32)); + /* Give the signal return code some randomness */ offset = 0x200 + (get_random_int() & 0x7fc); signal_return_offset = offset; - /* - * Copy signal return handlers into the vector page, and - * set sigreturn to be a pointer to these. - */ + /* Copy signal return handlers into the page */ memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes)); - ptr = (unsigned long)addr + offset; - flush_icache_range(ptr, ptr + sizeof(sigreturn_codes)); + /* Flush out all instructions in this page */ + ptr = (unsigned long)addr; + flush_icache_range(ptr, ptr + PAGE_SIZE); return page; } Patches currently in stable-queue which might be from rmk+kernel@xxxxxxxxxxxxxxx are queue-4.9/lib-string.c-add-multibyte-memset-functions.patch queue-4.9/arm-ensure-the-signal-page-contains-defined-contents.patch
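Review bot: the memset32() call added at the top of the hunk makes this backport depend on queue-4.9/lib-string.c-add-multibyte-memset-functions.patch, which is listed in the same queue, so that patch needs to sit ahead of this one in the series for arch/arm/kernel/signal.c to build. The literal 0xe7fddef1 is also unexplained in the code: the commit message calls it "our poison instruction", but the new comment only says "Poison the entire page", so a named constant or a comment stating what the opcode is would let a reader verify it without going back to the changelog. The widened flush_icache_range(ptr, ptr + PAGE_SIZE) matches the memset32() length of PAGE_SIZE / sizeof(u32) words, so the flush covers everything the hunk writes, including the sigreturn_codes copied in at the random offset.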