[PATCH 3/3] arm64: dump: Add checking for writable and exectuable pages

[PATCH 0/3] WX Checking for arm64 · Laura Abbott <hidden> · 2016-09-29
[PATCH 1/3] arm64: dump: Make ptdump debugfs a separate option · Laura Abbott <hidden> · 2016-09-29
Re: [PATCH 1/3] arm64: dump: Make ptdump debugfs a separate option · Mark Rutland <mark.rutland@arm.com> · 2016-09-30
Re: [PATCH 1/3] arm64: dump: Make ptdump debugfs a separate option · Laura Abbott <hidden> · 2016-09-30
Re: [PATCH 1/3] arm64: dump: Make ptdump debugfs a separate option · Mark Rutland <mark.rutland@arm.com> · 2016-09-30
Re: [PATCH 1/3] arm64: dump: Make ptdump debugfs a separate option · Laura Abbott <hidden> · 2016-09-30
Re: [PATCH 1/3] arm64: dump: Make ptdump debugfs a separate option · Mark Rutland <mark.rutland@arm.com> · 2016-09-30
[PATCH 2/3] arm64: dump: Make the page table dumping seq_file optional · Laura Abbott <hidden> · 2016-09-29
Re: [PATCH 2/3] arm64: dump: Make the page table dumping seq_file optional · Mark Rutland <mark.rutland@arm.com> · 2016-09-30
[PATCH 3/3] arm64: dump: Add checking for writable and exectuable pages · Laura Abbott <hidden> · 2016-09-29
Re: [PATCH 3/3] arm64: dump: Add checking for writable and exectuable pages · Mark Rutland <mark.rutland@arm.com> · 2016-09-30
Re: [PATCH 3/3] arm64: dump: Add checking for writable and exectuable pages · Mark Rutland <mark.rutland@arm.com> · 2016-09-30
Re: [PATCH 3/3] arm64: dump: Add checking for writable and exectuable pages · Kees Cook <hidden> · 2016-09-30
Re: [PATCH 3/3] arm64: dump: Add checking for writable and exectuable pages · Mark Rutland <mark.rutland@arm.com> · 2016-09-30
Re: [PATCH 3/3] arm64: dump: Add checking for writable and exectuable pages · Kees Cook <hidden> · 2016-09-30
Re: [kernel-hardening] [PATCH 0/3] WX Checking for arm64 · Kees Cook <hidden> · 2016-09-30

From: mark.rutland@arm.com (Mark Rutland)
Date: 2016-09-30 15:58:42
Also in: lkml

On Thu, Sep 29, 2016 at 02:32:57PM -0700, Laura Abbott wrote:

quoted hunk ↗ jump to hunk

@@ -219,6 +223,15 @@ static void note_page(struct pg_state *st, unsigned long addr, unsigned level,
 		unsigned long delta;
 
 		if (st->current_prot) {
+			if (st->check_wx &&
+			((st->current_prot & PTE_RDONLY) != PTE_RDONLY) &&
+			((st->current_prot & PTE_PXN) != PTE_PXN)) {
+				WARN_ONCE(1, "arm64/mm: Found insecure W+X mapping at address %p/%pS\n",
+					 (void *)st->start_address,
+					 (void *)st->start_address);
+				st->wx_pages += (addr - st->start_address) / PAGE_SIZE;
+			}
+

Would it be worth verifying that all kernel mappings are UXN, too?

ARMv8 allows execute-only mappings, and a !UXN mapping could result in an info
leak (e.g. pointers in MOVZ+MOVK sequences), or potential asynchronous issues
(e.g. user instruction fetches accessing read-destructive device registers).
All kernel mappings *should* be UXN.

Thanks,
Mark.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help