From patchwork Thu Jan 17 00:32:51 2019
X-Patchwork-Submitter: "Edgecombe, Rick P"
X-Patchwork-Id: 10767271
From: Rick Edgecombe
To: Andy Lutomirski, Ingo Molnar
Cc: linux-kernel@vger.kernel.org, x86@kernel.org, hpa@zytor.com, Thomas Gleixner, Borislav Petkov, Nadav Amit, Dave Hansen, Peter Zijlstra, linux_dti@icloud.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, akpm@linux-foundation.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, will.deacon@arm.com, ard.biesheuvel@linaro.org, kristen@linux.intel.com, deneen.t.dock@intel.com, Nadav Amit, Masami Hiramatsu, Rick Edgecombe
Subject: [PATCH 09/17] x86/kprobes: Instruction pages initialization enhancements
Date: Wed, 16 Jan 2019 16:32:51 -0800
Message-Id: <20190117003259.23141-10-rick.p.edgecombe@intel.com>
In-Reply-To: <20190117003259.23141-1-rick.p.edgecombe@intel.com>
References: <20190117003259.23141-1-rick.p.edgecombe@intel.com>

From: Nadav Amit

This patch is a preparatory patch for a following patch that makes module allocated pages non-executable. The patch sets the page as executable after allocation.

In the future, we may get better protection of executables. For example, by using hypercalls to request the hypervisor to protect VM executable pages from modifications using nested page-tables. This would allow us to ensure the executable has not changed between allocation and its write-protection.

While at it, do some small cleanup of what appears to be unnecessary masking.

Cc: Masami Hiramatsu
Signed-off-by: Nadav Amit
Signed-off-by: Rick Edgecombe
Acked-by: Masami Hiramatsu
---
 arch/x86/kernel/kprobes/core.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c index 4ba75afba527..fac692e36833 100644 --- a/arch/x86/kernel/kprobes/core.c 
+++ b/arch/x86/kernel/kprobes/core.c @@ -431,8 +431,20 @@ void *alloc_insn_page(void) void *page; page = module_alloc(PAGE_SIZE); - if (page) - set_memory_ro((unsigned long)page & PAGE_MASK, 1); + if (page == NULL) + return NULL; + + /* + * First make the page read-only, and then only then make it executable + * to prevent it from being W+X in between. + */ + set_memory_ro((unsigned long)page, 1); + + /* + * TODO: Once additional kernel code protection mechanisms are set, ensure + * that the page was not maliciously altered and it is still zeroed. + */ + set_memory_x((unsigned long)page, 1); return page; } @@ -440,8 +452,12 @@ void *alloc_insn_page(void) /* Recover page to RW mode before releasing it */ void free_insn_page(void *page) { - set_memory_nx((unsigned long)page & PAGE_MASK, 1); - set_memory_rw((unsigned long)page & PAGE_MASK, 1); + /* + * First make the page non-executable, and then only then make it + * writable to prevent it from being W+X in between. + */ + set_memory_nx((unsigned long)page, 1); + set_memory_rw((unsigned long)page, 1); module_memfree(page); }
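Review bot: In alloc_insn_page(), the return values of set_memory_ro() and set_memory_x() are discarded, so if either call fails the page is still returned to the caller, either still writable or not executable. Check both calls, and on failure undo the change, release the page with module_memfree(page) and return NULL. The TODO comment also speaks of the page being "still zeroed", but nothing in this hunk zeroes or checks it, so the comment should say where that guarantee is expected to come from. Minor: "and then only then" in the first comment should read "and only then", and kernel style prefers `if (!page)` over `if (page == NULL)`.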
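Review bot: In free_insn_page(), dropping `& PAGE_MASK` is only correct if the pointer passed in is always page-aligned, and the commit message justifies the removal only as "what appears to be unnecessary masking". Please state the invariant in the commit message or in a comment (presumably that every page freed here came from module_alloc(PAGE_SIZE) in alloc_insn_page() and is therefore page-aligned) so the cleanup does not rest on an assumption. The results of set_memory_nx() and set_memory_rw() are also ignored before module_memfree(page); since the function returns void, a WARN_ON() around each call would at least make a failed permission change visible. The comment repeats the "and then only then" wording, which should read "and only then".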