
Commit 4f00b901 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'x86-security-for-linus' of...

Merge branch 'x86-security-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'x86-security-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  module: Move RO/NX module protection to after ftrace module update
  x86: Resume trampoline must be executable
  x86: Add RO/NX protection for loadable kernel modules
  x86: Add NX protection for kernel data
  x86: Fix improper large page preservation
parents b4c6e2ea 94462ad3
+11 −0
@@ -117,6 +117,17 @@ config DEBUG_RODATA_TEST
	  feature as well as for the change_page_attr() infrastructure.
	  If in doubt, say "N"

config DEBUG_SET_MODULE_RONX
	bool "Set loadable kernel module data as NX and text as RO"
	depends on MODULES
	---help---
	  This option helps catch unintended modifications to loadable
	  kernel module's text and read-only data. It also prevents execution
	  of module data. Such protection may interfere with run-time code
	  patching and dynamic kernel tracing - and they might also protect
	  against certain classes of kernel exploits.
	  If in doubt, say "N".

config DEBUG_NX_TEST
	tristate "Testcase for the NX non-executable stack feature"
	depends on DEBUG_KERNEL && m
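Review bot: The help text of the new DEBUG_SET_MODULE_RONX entry still says the protection "may interfere with run-time code patching and dynamic kernel tracing", yet the ftrace hooks merged alongside it (the set_all_modules_text_rw()/set_all_modules_text_ro() pair in arch/x86/kernel/ftrace.c) exist precisely to lift and restore that protection around patching, so at least for ftrace the caveat reads as stale. Suggest rewording those two sentences to what actually happens, e.g. `Code patchers such as ftrace temporarily lift this protection while they modify module text; otherwise it also protects against certain classes of kernel exploits.` The phrase "kernel module's text" should be "kernel modules' text" since it covers every loaded module. Whether other in-tree patchers besides ftrace are covered is not visible here and should be confirmed before the wording claims it.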
+1 −0
@@ -65,6 +65,7 @@ extern unsigned long pci_mem_start;

#define PCIBIOS_MIN_CARDBUS_IO	0x4000

extern int pcibios_enabled;
void pcibios_config_init(void);
struct pci_bus *pcibios_scan_root(int bus);

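Review bot: The new `extern int pcibios_enabled;` is added with no comment on what the value means or who reads it, and since every other symbol in this header is a function a reader cannot tell whether it is a boolean flag or a count, nor why the RO/NX work in this merge needs it exported. Suggest a one-line comment above the declaration naming the condition under which it is non-zero, e.g. `/* non-zero once the PCI BIOS access method is in use */`, adjusted to match the definition if that is not its exact meaning.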
+3 −0
@@ -19,6 +19,7 @@
#include <linux/sched.h>
#include <linux/init.h>
#include <linux/list.h>
#include <linux/module.h>

#include <trace/syscall.h>

@@ -49,6 +50,7 @@ static DEFINE_PER_CPU(int, save_modifying_code);
int ftrace_arch_code_modify_prepare(void)
{
	set_kernel_text_rw();
	set_all_modules_text_rw();
	modifying_code = 1;
	return 0;
}
@@ -56,6 +58,7 @@ int ftrace_arch_code_modify_prepare(void)
int ftrace_arch_code_modify_post_process(void)
{
	modifying_code = 0;
	set_all_modules_text_ro();
	set_kernel_text_ro();
	return 0;
}
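Review bot: The set_all_modules_text_rw() and set_all_modules_text_ro() calls added to ftrace_arch_code_modify_prepare() and ftrace_arch_code_modify_post_process() carry no comment, so the reason module text has to be unprotected here (the DEBUG_SET_MODULE_RONX protection introduced in the same merge) is invisible at the call site, and the fact that the text of every loaded module, not only the one being patched, stays writable for the whole patching window is worth stating because it is the window in which a stray kernel write could reach module code. Suggest above the rw call: `/* Module text may be RO (DEBUG_SET_MODULE_RONX); lift it for all modules for the patching window, restored in post_process(). */`. The ordering (kernel text first, modules second, restored in reverse) looks deliberate and is worth a word as well. Both functions appear in full in their hunks; the `#include <linux/module.h>` added in the first hunk presumably supplies the declarations.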
+6 −2
@@ -69,7 +69,7 @@ jiffies_64 = jiffies;

PHDRS {
	text PT_LOAD FLAGS(5);          /* R_E */
	data PT_LOAD FLAGS(7);          /* RWE */
	data PT_LOAD FLAGS(6);          /* RW_ */
#ifdef CONFIG_X86_64
	user PT_LOAD FLAGS(5);          /* R_E */
#ifdef CONFIG_SMP
@@ -116,6 +116,10 @@ SECTIONS

	EXCEPTION_TABLE(16) :text = 0x9090

#if defined(CONFIG_DEBUG_RODATA)
	/* .text should occupy whole number of pages */
	. = ALIGN(PAGE_SIZE);
#endif
	X64_ALIGN_DEBUG_RODATA_BEGIN
	RO_DATA(PAGE_SIZE)
	X64_ALIGN_DEBUG_RODATA_END
@@ -335,7 +339,7 @@ SECTIONS
		__bss_start = .;
		*(.bss..page_aligned)
		*(.bss)
		. = ALIGN(4);
		. = ALIGN(PAGE_SIZE);
		__bss_stop = .;
	}

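Review bot: The change of the data PT_LOAD flags from RWE to RW_ in the PHDRS hunk is a global property change — every section emitted into `:data` loses execute permission — but nothing at that line records it, and the merge's own "Resume trampoline must be executable" entry shows that at least one piece of code had been living in that segment. Suggest `data PT_LOAD FLAGS(6);          /* RW_ : nothing placed in :data may execute */`. In the SECTIONS hunks the `. = ALIGN(PAGE_SIZE)` added before RO_DATA is guarded by CONFIG_DEBUG_RODATA, while the new PAGE_SIZE alignment of `__bss_stop` is unconditional; if the bss alignment is only needed for the page-granular RO/NX marking it would be consistent to guard it the same way, otherwise a comment saying why it is always required. Both the PHDRS and the SECTIONS blocks extend outside the hunks.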
+2 −1
@@ -364,8 +364,9 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
	/*
	 * We just marked the kernel text read only above, now that
	 * we are going to free part of that, we need to make that
	 * writeable first.
	 * writeable and non-executable first.
	 */
	set_memory_nx(begin, (end - begin) >> PAGE_SHIFT);
	set_memory_rw(begin, (end - begin) >> PAGE_SHIFT);

	printk(KERN_INFO "Freeing %s: %luk freed\n", what, (end - begin) >> 10);
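Review bot: The added set_memory_nx() call drops its return value, matching the pre-existing set_memory_rw() call below it; if either fails the range is handed back to the page allocator with its old protection, which in the NX case means free pages that are still executable — the opposite of what this series sets out to guarantee — and nothing is logged. Unless set_memory_nx() is known not to fail here (for instance on hardware without NX support, where a comment to that effect would be enough), wrapping both calls in `WARN_ON()` would make the loss visible, and hoisting the repeated `(end - begin) >> PAGE_SHIFT` into a local removes the duplication: `unsigned long nr_pages = (end - begin) >> PAGE_SHIFT;` / `WARN_ON(set_memory_nx(begin, nr_pages));` / `WARN_ON(set_memory_rw(begin, nr_pages));`. free_init_pages() starts and ends outside the hunk.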