Skip to content

Commit aa9571b

Browse files
roxellgregkh
roxell
authored and
gregkh
committed
arm64: kprobe: make page to RO mode when allocate it
[ Upstream commit 9668668 ] Commit 1404d6f ("arm64: dump: Add checking for writable and exectuable pages") has successfully identified code that leaves a page with W+X permissions. [ 3.245140] arm64/mm: Found insecure W+X mapping at address (____ptrval____)/0xffff000000d90000 [ 3.245771] WARNING: CPU: 0 PID: 1 at ../arch/arm64/mm/dump.c:232 note_page+0x410/0x420 [ 3.246141] Modules linked in: [ 3.246653] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.0-rc5-next-20180928-00001-ge70ae259b853-dirty hardkernel#62 [ 3.247008] Hardware name: linux,dummy-virt (DT) [ 3.247347] pstate: 80000005 (Nzcv daif -PAN -UAO) [ 3.247623] pc : note_page+0x410/0x420 [ 3.247898] lr : note_page+0x410/0x420 [ 3.248071] sp : ffff00000804bcd0 [ 3.248254] x29: ffff00000804bcd0 x28: ffff000009274000 [ 3.248578] x27: ffff00000921a000 x26: ffff80007dfff000 [ 3.248845] x25: ffff0000093f5000 x24: ffff000009526f6a [ 3.249109] x23: 0000000000000004 x22: ffff000000d91000 [ 3.249396] x21: ffff000000d90000 x20: 0000000000000000 [ 3.249661] x19: ffff00000804bde8 x18: 0000000000000400 [ 3.249924] x17: 0000000000000000 x16: 0000000000000000 [ 3.250271] x15: ffffffffffffffff x14: 295f5f5f5f6c6176 [ 3.250594] x13: 7274705f5f5f5f28 x12: 2073736572646461 [ 3.250941] x11: 20746120676e6970 x10: 70616d20582b5720 [ 3.251252] x9 : 6572756365736e69 x8 : 3039643030303030 [ 3.251519] x7 : 306666666678302f x6 : ffff0000095467b2 [ 3.251802] x5 : 0000000000000000 x4 : 0000000000000000 [ 3.252060] x3 : 0000000000000000 x2 : ffffffffffffffff [ 3.252323] x1 : 4d151327adc50b00 x0 : 0000000000000000 [ 3.252664] Call trace: [ 3.252953] note_page+0x410/0x420 [ 3.253186] walk_pgd+0x12c/0x238 [ 3.253417] ptdump_check_wx+0x68/0xf8 [ 3.253637] mark_rodata_ro+0x68/0x98 [ 3.253847] kernel_init+0x38/0x160 [ 3.254103] ret_from_fork+0x10/0x18 kprobes allocates a writable executable page with module_alloc() in order to store executable code. Reworked to that when allocate a page it sets mode RO. Inspired by commit 63fef14 ("kprobes/x86: Make insn buffer always ROX and use text_poke()"). Suggested-by: Arnd Bergmann <[email protected]> Suggested-by: Ard Biesheuvel <[email protected]> Acked-by: Will Deacon <[email protected]> Acked-by: Masami Hiramatsu <[email protected]> Reviewed-by: Laura Abbott <[email protected]> Signed-off-by: Anders Roxell <[email protected]> [[email protected]: removed unnecessary casts] Signed-off-by: Catalin Marinas <[email protected]> Signed-off-by: Sasha Levin <[email protected]>
1 parent bc32d90 commit aa9571b

File tree

1 file changed

+20
-7
lines changed

1 file changed

+20
-7
lines changed

arch/arm64/kernel/probes/kprobes.c

Lines changed: 20 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,9 @@
2323
#include <linux/slab.h>
2424
#include <linux/stop_machine.h>
2525
#include <linux/sched/debug.h>
26+
#include <linux/set_memory.h>
2627
#include <linux/stringify.h>
28+
#include <linux/vmalloc.h>
2729
#include <asm/traps.h>
2830
#include <asm/ptrace.h>
2931
#include <asm/cacheflush.h>
@@ -42,10 +44,21 @@ DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk);
4244
static void __kprobes
4345
post_kprobe_handler(struct kprobe_ctlblk *, struct pt_regs *);
4446

47+
static int __kprobes patch_text(kprobe_opcode_t *addr, u32 opcode)
48+
{
49+
void *addrs[1];
50+
u32 insns[1];
51+
52+
addrs[0] = addr;
53+
insns[0] = opcode;
54+
55+
return aarch64_insn_patch_text(addrs, insns, 1);
56+
}
57+
4558
static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
4659
{
4760
/* prepare insn slot */
48-
p->ainsn.api.insn[0] = cpu_to_le32(p->opcode);
61+
patch_text(p->ainsn.api.insn, p->opcode);
4962

5063
flush_icache_range((uintptr_t) (p->ainsn.api.insn),
5164
(uintptr_t) (p->ainsn.api.insn) +
@@ -118,15 +131,15 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p)
118131
return 0;
119132
}
120133

121-
static int __kprobes patch_text(kprobe_opcode_t *addr, u32 opcode)
134+
void *alloc_insn_page(void)
122135
{
123-
void *addrs[1];
124-
u32 insns[1];
136+
void *page;
125137

126-
addrs[0] = (void *)addr;
127-
insns[0] = (u32)opcode;
138+
page = vmalloc_exec(PAGE_SIZE);
139+
if (page)
140+
set_memory_ro((unsigned long)page, 1);
128141

129-
return aarch64_insn_patch_text(addrs, insns, 1);
142+
return page;
130143
}
131144

132145
/* arm kprobe: install breakpoint in text */

0 commit comments

Comments
 (0)