Re: [PATCH 3/3 V13] RO/NX protection for loadable kernel
From: Xiaotian Feng <hidden>
Date: 2011-01-21 02:35:54
Also in: lkml
On Fri, Jan 21, 2011 at 4:32 AM, matthieu castet [off-list ref] wrote:
> Xiaotian Feng wrote:
>> On Thu, Dec 23, 2010 at 5:35 AM, [off-list ref] wrote:
>>> On Wed, 22 Dec 2010 13:40:19 +0100, Ingo Molnar said:
>>>> * mat [off-list ref] wrote:
>>>>> On Wed, 8 Dec 2010 14:19:51 -0800, Kees Cook [off-list ref] wrote:
>>>>>> On Fri, Nov 26, 2010 at 06:23:55PM +0100, mat wrote:
>>>>>>> Could you try the attached patch? On module load, we sort the __jump_table section, so we should make it writable.
>>>>>>>
>>>>>>> Matthieu
>>>>>>>
>>>>>>> diff --git a/arch/x86/include/asm/jump_label.h b/arch/x86/include/asm/jump_label.h
>>>>>>> index f52d42e..574dbc2 100644
>>>>>>> --- a/arch/x86/include/asm/jump_label.h
>>>>>>> +++ b/arch/x86/include/asm/jump_label.h
>>>>>>> @@ -14,7 +14,7 @@
>>>>>>>  do { \
>>>>>>>  asm goto("1:" \
>>>>>>>  JUMP_LABEL_INITIAL_NOP \
>>>>>>> - ".pushsection __jump_table, \"a\" \n\t"\
>>>>>>> + ".pushsection __jump_table, \"aw\" \n\t"\
>>>>>>>  _ASM_PTR "1b, %l[" #label "], %c0 \n\t" \
>>>>>>>  ".popsection \n\t" \
>>>>>>>  : : "i" (key) : : label); \
>>>>>>
>>>>>> Acked-by: Kees Cook <redacted>
>>>>>>
>>>>>> Can this please get committed to tip?
>>>>>
>>>>> I think it is not needed anymore with Steven Rostedt's patch [1]
>>>>>
>>>>> Matthieu
>>>>>
>>>>> [1]
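Review bot: the flag change from "a" to "aw" on the .pushsection line carries no comment saying why a table of patch metadata has to be writable; the reason given in the mail (the module loader sorts __jump_table in place) belongs next to the directive, e.g. `/* "aw": the loader sorts this table in place */`, otherwise the next reader will see a writable data section and "fix" it back to read-only. The hunk also only widens the permissions of this one section in the module image; it does nothing about the ordering problem the rest of the thread points at (the text being set read-only before the module notifiers run), so the function tracer's mcount-to-nop rewrite mentioned later in the thread would still hit read-only text, which is why the reordering fix is described as superseding this one. As posted, the patch carries no Signed-off-by line, which Ingo asks for further down.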
>>>>> Here we set the text read only before we call the notifiers. The function tracer changes the calls to mcount into nops via a notifier call so this must be done after the module notifiers.
>>>>
>>>> What's the status of this bug? If we still need the patch then please submit it standalone with a proper subject line, with acks/signoffs added, etc.
>>>
>>> Steve Rostedt's patch that moves the setting of the page permissions seems to make this patch no longer necessary. I tripped over this same issue, but the version in the latest -mmotm does not need it, as it includes Steve's fix.
>>
>> I'm facing a boot failure (panicked on remove_jump_label_module_init) on 2.6.37 (latest commit 3c0cb7c), which is 100% reproducible. With this patch applied, I can boot my machine successfully, so I do think this patch is needed.
>
> Could you confirm that this patch fixes the problem?
Yes, I already applied this patch, and my system works fine now.
> Matthieu
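The ordering problem the thread turns on (a table that the loader must write to, inside memory that RO/NX protection has already made read-only) can be reproduced in user space. The following is an added example written for this page, not code from the thread, from the kernel, or from any of the people quoted above. A fake "module" gets one page holding an unsorted jump table; the page is either made read-only before the in-place sort (the bug), after it (what the reordering fix does), or left writable (what the "aw" section flag buys). All names in it (struct mod_jump_entry, fake_load_module, enum load_order, the four sample entries) are constructed for the example; the real kernel sort and notifier code are not reproduced.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical stand-in for an x86 jump_entry of that era: three
 * pointer-sized fields, sorted by key when a module is loaded. */
struct mod_jump_entry {
    uintptr_t code;   /* address of the nop to be patched */
    uintptr_t target; /* jump target */
    uintptr_t key;    /* address of the key; the sort key */
};

enum load_order {
    PROTECT_THEN_SORT, /* the bug: page made RO before the notifier sorts */
    SORT_THEN_PROTECT, /* the reordering fix: sort first, then make RO */
    KEEP_WRITABLE      /* the "aw" approach: the table is never made RO */
};

enum load_result { LOAD_OK, LOAD_FAULT, LOAD_UNSORTED, LOAD_ERROR };

static sigjmp_buf fault_jmp;

/* A write into the read-only page raises SIGSEGV; unwind instead of dying. */
static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);
}

/* In-place insertion sort by key, standing in for the loader's sort of
 * __jump_table. Stores go through a volatile pointer so they really land
 * in the (possibly read-only) page instead of being optimised away. */
static void sort_entries(struct mod_jump_entry *tab, size_t n)
{
    volatile struct mod_jump_entry *t = tab;
    for (size_t i = 1; i < n; i++) {
        struct mod_jump_entry tmp = { t[i].code, t[i].target, t[i].key };
        size_t j = i;
        while (j > 0 && t[j - 1].key > tmp.key) {
            t[j].code = t[j - 1].code;
            t[j].target = t[j - 1].target;
            t[j].key = t[j - 1].key;
            j--;
        }
        t[j].code = tmp.code;
        t[j].target = tmp.target;
        t[j].key = tmp.key;
    }
}

static int keys_sorted(const struct mod_jump_entry *tab, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (tab[i - 1].key > tab[i].key)
            return 0;
    return 1;
}

/* Load one fake module: copy a constructed, unsorted table into a fresh
 * page, then apply the sort and the RO protection in the requested order. */
enum load_result fake_load_module(enum load_order order)
{
    /* Constructed sample data: four entries whose keys are out of order. */
    static const struct mod_jump_entry init[4] = {
        { 0x1000, 0x1100, 0x30 }, { 0x1010, 0x1110, 0x10 },
        { 0x1020, 0x1120, 0x40 }, { 0x1030, 0x1130, 0x20 },
    };
    const size_t n = sizeof(init) / sizeof(init[0]);
    const size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    struct mod_jump_entry *tab = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (tab == MAP_FAILED)
        return LOAD_ERROR;
    memcpy(tab, init, sizeof(init));

    struct sigaction sa, old;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_segv;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    enum load_result res;
    if (sigsetjmp(fault_jmp, 1) != 0) {
        res = LOAD_FAULT; /* the sort wrote into a read-only page */
    } else {
        if (order == PROTECT_THEN_SORT)
            mprotect(tab, pg, PROT_READ);
        sort_entries(tab, n);
        if (order == SORT_THEN_PROTECT)
            mprotect(tab, pg, PROT_READ);
        res = keys_sorted(tab, n) ? LOAD_OK : LOAD_UNSORTED;
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(tab, pg);
    return res;
}

int main(void)
{
    static const char *const names[] = { "ok", "fault", "unsorted", "error" };
    printf("protect then sort: %s\n", names[fake_load_module(PROTECT_THEN_SORT)]);
    printf("sort then protect: %s\n", names[fake_load_module(SORT_THEN_PROTECT)]);
    printf("keep writable:     %s\n", names[fake_load_module(KEEP_WRITABLE)]);
    return 0;
}
```

The first case is the boot panic in user-space clothing: the first store of the sort faults because protection was applied before the code that still had to write. The second case is the reordering fix, which keeps the table read-only afterwards; the third is the "aw" workaround, which avoids the fault by never protecting the table at all. Catching SIGSEGV with siglongjmp is a test harness trick only; in the kernel the equivalent write to a read-only page is a fatal page fault.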
-- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html