On Mon, Apr 30, 2018 at 10:19 AM, Laura Abbott <[email protected]> wrote:
> On 04/30/2018 08:59 AM, Jeffrey Hugo wrote:
>>
>> load_module() creates W+X mappings via __vmalloc_node_range() (from
>> layout_and_allocate()->move_module()->module_alloc()) by using
>> PAGE_KERNEL_EXEC. These mappings are later cleaned up via
>> "call_rcu_sched(&freeinit->rcu, do_free_init)" from do_init_module().
>>
>> This is a problem because call_rcu_sched() queues work, which can be run
>> after debug_checkwx() is run, resulting in a race condition. If hit, the
>> race results in a nasty splat about insecure W+X mappings, which results
>> in a poor user experience as these are not the mappings that
>> debug_checkwx() is intended to catch.
>>
>> This issue is observed on multiple arm64 platforms, and has been
>> artificially triggered on an x86 platform.
>>
>> Address the race by flushing the queued work before running the
>> arch-defined mark_rodata_ro() which then calls debug_checkwx().
>>
>> Reported-by: Timur Tabi <[email protected]>
>> Reported-by: Jan Glauber <[email protected]>
>> Fixes: e1a58320a38d ("x86/mm: Warn on W^X mappings")
>> Signed-off-by: Jeffrey Hugo <[email protected]>
>> Acked-by: Kees Cook <[email protected]>
>> Acked-by: Ingo Molnar <[email protected]>
>> Acked-by: Will Deacon <[email protected]>
>> ---
>>
>
> Acked-by: Laura Abbott <[email protected]>
>
> If you don't have a tree for this to go through, I might suggest having
> Kees take it.
akpm has taken the W^X stuff in the past, but I'm happy to do so. Just let
me know either way. :)

-Kees

--
Kees Cook
Pixel Security
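The ordering problem in the quoted commit message (a module's W+X init mapping is torn down by deferred work, so a checker that runs before that work is drained reports a mapping that is about to disappear) can be reproduced deterministically in a userspace model. The following C program is an added example, not code from the patch, the thread, or the kernel: the queue, `defer()`, `flush_deferred()`, `check_wx()` and the two `mark_readonly_*` variants are stand-ins for call_rcu_sched(), do_free_init(), debug_checkwx() and mark_rodata_ro(), and the page does not show the actual diff, so "flush the queued work" is modelled simply as draining the queue before the check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed userspace model of the race described in the commit message.
 * Nothing here is a kernel API; names mirror the kernel functions only to
 * make the correspondence readable. */

#define PROT_W 0x1u
#define PROT_X 0x2u

struct mapping {
	const char *name;
	unsigned prot;
	bool live;
};

/* Deferred-work queue standing in for the RCU callback list. */
typedef void (*deferred_fn)(void *);
struct deferred {
	deferred_fn fn;
	void *arg;
};

static struct deferred queue[8];
static size_t queue_len;

/* Models call_rcu_sched(): queue the callback instead of running it now. */
static void defer(deferred_fn fn, void *arg)
{
	if (queue_len < sizeof queue / sizeof queue[0])
		queue[queue_len++] = (struct deferred){ fn, arg };
}

/* Models draining pending deferred work before proceeding. */
static void flush_deferred(void)
{
	for (size_t i = 0; i < queue_len; i++)
		queue[i].fn(queue[i].arg);
	queue_len = 0;
}

/* Models do_free_init(): the init mapping stops existing. */
static void free_init(void *arg)
{
	((struct mapping *)arg)->live = false;
}

/* Models debug_checkwx(): count live mappings that are both W and X. */
static int check_wx(const struct mapping *maps, size_t n)
{
	int bad = 0;
	for (size_t i = 0; i < n; i++)
		if (maps[i].live && (maps[i].prot & (PROT_W | PROT_X)) == (PROT_W | PROT_X))
			bad++;
	return bad;
}

/* Models load_module() + do_init_module(): allocate a W+X init mapping and
 * queue its teardown rather than freeing it synchronously. */
static void load_module(struct mapping *m)
{
	m->prot = PROT_W | PROT_X;
	m->live = true;
	defer(free_init, m);
}

/* Racy ordering: the checker runs while the teardown is still queued. */
static int mark_readonly_racy(struct mapping *maps, size_t n)
{
	return check_wx(maps, n);
}

/* Fixed ordering: drain deferred work first, then run the checker. */
static int mark_readonly_fixed(struct mapping *maps, size_t n)
{
	flush_deferred();
	return check_wx(maps, n);
}

/* Each scenario starts from an empty queue and a fresh module mapping, and
 * returns how many W+X mappings the checker would have splatted about. */
static int racy_splat_count(void)
{
	struct mapping maps[1] = { { "module.init", 0, false } };
	queue_len = 0;
	load_module(&maps[0]);
	return mark_readonly_racy(maps, 1);   /* 1: false positive */
}

static int fixed_splat_count(void)
{
	struct mapping maps[1] = { { "module.init", 0, false } };
	queue_len = 0;
	load_module(&maps[0]);
	return mark_readonly_fixed(maps, 1);  /* 0: mapping already gone */
}

int main(void)
{
	printf("racy ordering:  %d W+X mapping(s) reported\n", racy_splat_count());
	printf("fixed ordering: %d W+X mapping(s) reported\n", fixed_splat_count());
	return 0;
}
```

The model is single-threaded on purpose: in the kernel the deferred callback runs asynchronously, so whether the checker sees the stale mapping depends on timing, which is why the splat was intermittent and platform-dependent; here the two orderings are simply run one after the other so the difference is reproducible.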

