evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ANDROID: arm64: fix leftover RWX when using CONFIG_UNMAP_KERNEL_AT_EL0

Browse source 
With CONFIG_UNMAP_KERNEL_AT_EL0 enabled, before this change, there was an RWX
mapping at a fixed `fixmap` address (as discovered using CONFIG_ARM64_PTDUMP).

0xffff7ffffe7fc000-0xffff7ffffe7fd000 4K RW x SHD AF UXN MEM/NORMAL

Having PAGE_KERNEL_ROX by default for this fixmap makes sense for a security
POV, for reducing the ability to load and run shellcode.

Originally, the commit that introduced CONFIG_UNMAP_KERNEL_AT_EL0, had the following:

     pgprot_t prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC;

However rodata_enabled is not available in arch/arm64 on this early version of
the kernel.

Change-Id: I21f26df498fb591fc28e32f4dfad671a9ed3d8d3
Fixes: 39685f556c ("FROMLIST: arm64: mm: Map entry trampoline into
trampoline and kernel page tables")
Signed-off-by: Dan Aloni <daloni@magicleap.com>
This commit is contained in:
Dan Aloni 2019-08-15 15:28:18 +03:00 committed by Todd Kjos
parent e005abce58
commit fdfc07c137
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
arch/arm64/mm/mmu.c
View file

@ -499,7 +499,7 @@ static int __init map_entry_trampoline(void)
{
extern char __entry_tramp_text_start[];
pgprot_t prot = PAGE_KERNEL_EXEC;
pgprot_t prot = PAGE_KERNEL_ROX;
phys_addr_t pa_start = __pa_symbol(__entry_tramp_text_start);
/* The trampoline is always mapped and can therefore be global */