mirror of
https://github.com/edk2-porting/linux-next.git
synced 2024-12-25 05:34:00 +08:00
ARM: 8502/1: mm: mark section-aligned portion of rodata NX
When rodata is large enough that it crosses a section boundary after the kernel text, mark the rest NX. This is as close to full NX of rodata as we can get without splitting page tables or doing section alignment via CONFIG_DEBUG_ALIGN_RODATA. When the config is: CONFIG_DEBUG_RODATA=y # CONFIG_DEBUG_ALIGN_RODATA is not set Before: ---[ Kernel Mapping ]--- 0x80000000-0x80100000 1M RW NX SHD 0x80100000-0x80a00000 9M ro x SHD 0x80a00000-0xa0000000 502M RW NX SHD After: ---[ Kernel Mapping ]--- 0x80000000-0x80100000 1M RW NX SHD 0x80100000-0x80700000 6M ro x SHD 0x80700000-0x80a00000 3M ro NX SHD 0x80a00000-0xa0000000 502M RW NX SHD Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
This commit is contained in:
parent
02afa9a87b
commit
64ac2e74f0
@ -12,9 +12,7 @@
|
|||||||
#include <asm/thread_info.h>
|
#include <asm/thread_info.h>
|
||||||
#include <asm/memory.h>
|
#include <asm/memory.h>
|
||||||
#include <asm/page.h>
|
#include <asm/page.h>
|
||||||
#ifdef CONFIG_DEBUG_RODATA
|
|
||||||
#include <asm/pgtable.h>
|
#include <asm/pgtable.h>
|
||||||
#endif
|
|
||||||
|
|
||||||
#define PROC_INFO \
|
#define PROC_INFO \
|
||||||
. = ALIGN(4); \
|
. = ALIGN(4); \
|
||||||
@ -319,6 +317,13 @@ SECTIONS
|
|||||||
STABS_DEBUG
|
STABS_DEBUG
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Without CONFIG_DEBUG_ALIGN_RODATA, __start_rodata_section_aligned will
|
||||||
|
* be the first section-aligned location after __start_rodata. Otherwise,
|
||||||
|
* it will be equal to __start_rodata.
|
||||||
|
*/
|
||||||
|
__start_rodata_section_aligned = ALIGN(__start_rodata, 1 << SECTION_SHIFT);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* These must never be empty
|
* These must never be empty
|
||||||
* If you have to comment these two assert statements out, your
|
* If you have to comment these two assert statements out, your
|
||||||
|
@ -582,6 +582,9 @@ struct section_perm {
|
|||||||
pmdval_t clear;
|
pmdval_t clear;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/* First section-aligned location at or after __start_rodata. */
|
||||||
|
extern char __start_rodata_section_aligned[];
|
||||||
|
|
||||||
static struct section_perm nx_perms[] = {
|
static struct section_perm nx_perms[] = {
|
||||||
/* Make pages tables, etc before _stext RW (set NX). */
|
/* Make pages tables, etc before _stext RW (set NX). */
|
||||||
{
|
{
|
||||||
@ -599,16 +602,14 @@ static struct section_perm nx_perms[] = {
|
|||||||
.mask = ~PMD_SECT_XN,
|
.mask = ~PMD_SECT_XN,
|
||||||
.prot = PMD_SECT_XN,
|
.prot = PMD_SECT_XN,
|
||||||
},
|
},
|
||||||
#ifdef CONFIG_DEBUG_ALIGN_RODATA
|
|
||||||
/* Make rodata NX (set RO in ro_perms below). */
|
/* Make rodata NX (set RO in ro_perms below). */
|
||||||
{
|
{
|
||||||
.name = "rodata NX",
|
.name = "rodata NX",
|
||||||
.start = (unsigned long)__start_rodata,
|
.start = (unsigned long)__start_rodata_section_aligned,
|
||||||
.end = (unsigned long)__init_begin,
|
.end = (unsigned long)__init_begin,
|
||||||
.mask = ~PMD_SECT_XN,
|
.mask = ~PMD_SECT_XN,
|
||||||
.prot = PMD_SECT_XN,
|
.prot = PMD_SECT_XN,
|
||||||
},
|
},
|
||||||
#endif
|
|
||||||
};
|
};
|
||||||
|
|
||||||
static struct section_perm ro_perms[] = {
|
static struct section_perm ro_perms[] = {
|
||||||
|
Loading…
Reference in New Issue
Block a user