Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity
android_kernel_samsung_msm8976/arch
History
David Brown 170bf0a3f9 UPSTREAM: arm64: vdso: Mark vDSO code as read-only 
Although the arm64 vDSO is cleanly separated by code/data with the
code being read-only in userspace mappings, the code page is still
writable from the kernel.  There have been exploits (such as
http://itszn.com/blog/?p=21) that take advantage of this on x86 to go
from a bad kernel write to full root.

Prevent this specific exploit on arm64 by putting the vDSO code page
in read-only memory as well.

Before the change:
[    3.138366] vdso: 2 pages (1 code @ ffffffc000a71000, 1 data @ ffffffc000a70000)
---[ Kernel Mapping ]---
0xffffffc000000000-0xffffffc000082000         520K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000082000-0xffffffc000200000        1528K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc000200000-0xffffffc000800000           6M     ro x  SHD AF        BLK UXN MEM/NORMAL
0xffffffc000800000-0xffffffc0009b6000        1752K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc0009b6000-0xffffffc000c00000        2344K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000c00000-0xffffffc008000000         116M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc00c000000-0xffffffc07f000000        1840M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc800000000-0xffffffc840000000           1G     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc840000000-0xffffffc87ae00000         942M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87ae00000-0xffffffc87ae70000         448K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af80000-0xffffffc87af8a000          40K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af8b000-0xffffffc87b000000         468K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87b000000-0xffffffc87fe00000          78M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87fe00000-0xffffffc87ff50000        1344K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87ff90000-0xffffffc87ffa0000          64K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87fff0000-0xffffffc880000000          64K     RW NX SHD AF            UXN MEM/NORMAL

After:
[    3.138368] vdso: 2 pages (1 code @ ffffffc0006de000, 1 data @ ffffffc000a74000)
---[ Kernel Mapping ]---
0xffffffc000000000-0xffffffc000082000         520K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000082000-0xffffffc000200000        1528K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc000200000-0xffffffc000800000           6M     ro x  SHD AF        BLK UXN MEM/NORMAL
0xffffffc000800000-0xffffffc0009b8000        1760K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc0009b8000-0xffffffc000c00000        2336K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000c00000-0xffffffc008000000         116M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc00c000000-0xffffffc07f000000        1840M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc800000000-0xffffffc840000000           1G     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc840000000-0xffffffc87ae00000         942M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87ae00000-0xffffffc87ae70000         448K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af80000-0xffffffc87af8a000          40K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af8b000-0xffffffc87b000000         468K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87b000000-0xffffffc87fe00000          78M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87fe00000-0xffffffc87ff50000        1344K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87ff90000-0xffffffc87ffa0000          64K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87fff0000-0xffffffc880000000          64K     RW NX SHD AF            UXN MEM/NORMAL

Inspired by https://lkml.org/lkml/2016/1/19/494 based on work by the
PaX Team, Brad Spengler, and Kees Cook.

Signed-off-by: David Brown <david.brown@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
[catalin.marinas@arm.com: removed superfluous __PAGE_ALIGNED_DATA]
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>

Change-Id: Ib15f3b359e3a943d7a5e8793aa590bb2d0a589ba
Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
 		2019-07-27 21:45:21 +02:00
..
alpha Safer ABI for O_TMPFILE 2018-12-03 11:52:36 +01:00
arc mm: larger stack guard gap, between vmas 2017-07-11 00:00:39 +00:00
arm ARM: dts: da850-evm: fix read access to SPI flash 2019-07-27 21:43:47 +02:00
arm64 UPSTREAM: arm64: vdso: Mark vDSO code as read-only 2019-07-27 21:45:21 +02:00
avr32
blackfin
c6x
cris
frv mm: larger stack guard gap, between vmas 2017-07-11 00:00:39 +00:00
h8300
hexagon
ia64 Import latest Samsung release 2017-04-18 03:43:52 +02:00
m32r This is the 3.10.98 stable release 2017-04-18 17:17:24 +02:00
m68k Merge remote-tracking branch 'f2fs/linux-3.10.y' into HEAD 2017-04-18 17:02:28 +02:00
metag
microblaze
mips mm: larger stack guard gap, between vmas 2017-07-11 00:00:39 +00:00
mn10300 This is the 3.10.96 stable release 2017-04-18 17:16:02 +02:00
openrisc This is the 3.10.96 stable release 2017-04-18 17:16:02 +02:00
parisc Safer ABI for O_TMPFILE 2018-12-03 11:52:36 +01:00
powerpc mm: larger stack guard gap, between vmas 2017-07-11 00:00:39 +00:00
s390 This is the 3.10.99 stable release 2017-04-18 17:17:46 +02:00
score
sh mm: larger stack guard gap, between vmas 2017-07-11 00:00:39 +00:00
sparc Safer ABI for O_TMPFILE 2018-12-03 11:52:36 +01:00
tile mm: larger stack guard gap, between vmas 2017-07-11 00:00:39 +00:00
um This is the 3.10.99 stable release 2017-04-18 17:17:46 +02:00
unicore32
x86 x86/mm/32: Set the '__vmalloc_start_set' flag in initmem_init() 2019-07-27 21:44:34 +02:00
xtensa mm: larger stack guard gap, between vmas 2017-07-11 00:00:39 +00:00
.gitignore
Kconfig FROMLIST: mm: mmap: Add new /proc tunable for mmap_base ASLR. 2016-05-18 14:36:00 +05:30