Re: [RFC PATCH] x86/split_lock: Disable SLD if an unaware (out-of-tree) module enables VMX
From: Peter Zijlstra
Date: Mon Apr 06 2020 - 12:02:48 EST

On Mon, Apr 06, 2020 at 08:39:02AM -0700, Christoph Hellwig wrote:
> On Mon, Apr 06, 2020 at 08:24:11AM -0700, Christoph Hellwig wrote:
> > > and this
> > > removes __get_vm_area() and with the ability to custom ranges. It also
> > > removes map_vm_area() and replaces it with map_vm_area_nx() which kills
> > > adding executable maps.
>
> Also there seems to be various other ways to create executable mappings,
> pretty much everything in vmalloc.c that gets a pgprot_t..

Please feel free to use my pgprot_nx() and apply liberally on any
exported function.

But crucially, I don't think any of the still exported functions allows
getting memory in the text range, and if you want to run code outside of
the text range, things become _much_ harder. That said, modules
shouldn't be able to create executable code, full-stop (IMO).