Re: [PATCH] ARM: vdso: Mark vDSO code as read-only

From: David Brown
Date: Wed Feb 17 2016 - 00:20:21 EST

Next message: Richard Pospesel: "[PATCH] psmouse: added absolute touch event support to BYD touchpad driver"
Previous message: Sergey Senozhatsky: "Re: [PATCH] zsmalloc: drop unused member 'mapping_area->huge'"
In reply to: Kees Cook: "Re: [PATCH] ARM: vdso: Mark vDSO code as read-only"
Next in thread: Kees Cook: "Re: [PATCH] ARM: vdso: Mark vDSO code as read-only"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Feb 16, 2016 at 01:52:33PM -0800, Kees Cook wrote:

On Tue, Feb 16, 2016 at 1:36 PM, David Brown <david.brown@xxxxxxxxxx> wrote:

Although the arm vDSO is cleanly separated by code/data with the code
being read-only in userspace mappings, the code page is still writable
from the kernel. There have been exploits (such as
http://itszn.com/blog/?p=21) that take advantage of this on x86 to go
from a bad kernel write to full root.

Prevent this specific exploit on arm by putting the vDSO code page in
post-init read-only memory as well.

Is the vdso dynamically built at init time like on x86, or can this
just use .rodata directly?

On ARM, it is patched during init. Arm64's is just plain read-only.

David

Next message: Richard Pospesel: "[PATCH] psmouse: added absolute touch event support to BYD touchpad driver"
Previous message: Sergey Senozhatsky: "Re: [PATCH] zsmalloc: drop unused member 'mapping_area->huge'"
In reply to: Kees Cook: "Re: [PATCH] ARM: vdso: Mark vDSO code as read-only"
Next in thread: Kees Cook: "Re: [PATCH] ARM: vdso: Mark vDSO code as read-only"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]