From fdfc07c1377c447f3b3814ef4c335cf1c838d686 Mon Sep 17 00:00:00 2001 From: Dan Aloni Date: Thu, 15 Aug 2019 15:28:18 +0300 Subject: [PATCH] ANDROID: arm64: fix leftover RWX when using CONFIG_UNMAP_KERNEL_AT_EL0 With CONFIG_UNMAP_KERNEL_AT_EL0 enabled, before this change, there was an RWX mapping at a fixed `fixmap` address (as discovered using CONFIG_ARM64_PTDUMP). 0xffff7ffffe7fc000-0xffff7ffffe7fd000 4K RW x SHD AF UXN MEM/NORMAL Having PAGE_KERNEL_ROX by default for this fixmap makes sense for a security POV, for reducing the ability to load and run shellcode. Originally, the commit that introduced CONFIG_UNMAP_KERNEL_AT_EL0, had the following: pgprot_t prot = rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC; However rodata_enabled is not available in arch/arm64 on this early version of the kernel. Change-Id: I21f26df498fb591fc28e32f4dfad671a9ed3d8d3 Fixes: 39685f556c0c ("FROMLIST: arm64: mm: Map entry trampoline into trampoline and kernel page tables") Signed-off-by: Dan Aloni --- arch/arm64/mm/mmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index 1175bac2f86f..6914d0137b93 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -499,7 +499,7 @@ static int __init map_entry_trampoline(void) { extern char __entry_tramp_text_start[]; - pgprot_t prot = PAGE_KERNEL_EXEC; + pgprot_t prot = PAGE_KERNEL_ROX; phys_addr_t pa_start = __pa_symbol(__entry_tramp_text_start); /* The trampoline is always mapped and can therefore be global */
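Review bot: The new `pgprot_t prot = PAGE_KERNEL_ROX;` line in map_entry_trampoline() makes the trampoline mapping read-only unconditionally, whereas the original form quoted in the commit message selects it with `rodata_enabled ? PAGE_KERNEL_ROX : PAGE_KERNEL_EXEC`, and nothing in the code records that difference. A short comment above the assignment, saying that rodata_enabled is not available in arch/arm64 on this kernel, would keep a later backport of rodata_enabled from silently leaving the conditional out. The commit message also shows the CONFIG_ARM64_PTDUMP entry for the fixmap address only before the change; adding the same entry as dumped after the change would confirm the mapping is no longer writable.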