ARM: move vector stubs

Move the machine vector stubs into the page above the vector page, which we can prevent from being visible to userspace. Also move the reset stub, and place the swi vector at a location that the 'ldr' can get to it. This hides pointers into the kernel which could give valuable information to attackers, and reduces the number of exploitable instructions at a fixed address. Cc: <stable@vger.kernel.org> Acked-by: Nicolas Pitre <nico@linaro.org> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
author: Russell King <rmk+kernel@arm.linux.org.uk> 2013-07-04 06:40:32 -0400
committer: Russell King <rmk+kernel@arm.linux.org.uk> 2013-07-31 16:31:36 -0400
commit: 19accfd373847ac3d10623c5d20f948846299741 (patch)
tree: 682dd44ea1710afbb7e61a24185ffa4c9a0fb0da /arch/arm/kernel
parent: 5b43e7a383d69381ffe53423e46dd0fafae07da3 (diff)
2 files changed, 26 insertions, 28 deletions
diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
index 02437345289a..79a41fa978f5 100644
--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -944,9 +944,9 @@ __kuser_helper_end:
 /*
 * Vector stubs.
 *
- * This code is copied to 0xffff0200 so we can use branches in the
+ * This code is copied to 0xffff1000 so we can use branches in the
- * vectors, rather than ldr's.  Note that this code must not
+ * vectors, rather than ldr's.  Note that this code must not exceed
- * exceed 0x300 bytes.
+ * a page size.
 *
 * Common stub entry macro:
 *   Enter in IRQ mode, spsr = SVC/USR CPSR, lr = SVC/USR PC
@@ -995,6 +995,15 @@ ENDPROC(vector_\name)
        .globl  __stubs_start
 __stubs_start:
+        @ This must be the first word
+        .word   vector_swi
+vector_rst:
+ ARM(   swi     SYS_ERROR0      )
+ THUMB( svc     #0              )
+ THUMB( nop                     )
+        b       vector_und
 /*
 * Interrupt dispatcher
 */
@@ -1089,6 +1098,16 @@ __stubs_start:
        .align  5
 /*=============================================================================
+ * Address exception handler
+ *-----------------------------------------------------------------------------
+ * These aren't too critical.
+ * (they're not supposed to happen, and won't happen in 32-bit data mode).
+ */
+vector_addrexcptn:
+        b       vector_addrexcptn
+/*=============================================================================
 * Undefined FIQs
 *-----------------------------------------------------------------------------
 * Enter in FIQ mode, spsr = ANY CPSR, lr = ANY PC
@@ -1101,35 +1120,14 @@ __stubs_start:
 vector_fiq:
        subs    pc, lr, #4
-/*=============================================================================
- * Address exception handler
- *-----------------------------------------------------------------------------
- * These aren't too critical.
- * (they're not supposed to happen, and won't happen in 32-bit data mode).
- */
-vector_addrexcptn:
-        b       vector_addrexcptn
-/*
- * We group all the following data together to optimise
- * for CPUs with separate I & D caches.
- */
-        .align  5
-.LCvswi:
-        .word   vector_swi
        .globl  __stubs_end
 __stubs_end:
-        .equ    stubs_offset, __vectors_start + 0x200 - __stubs_start
+        .equ    stubs_offset, __vectors_start + 0x1000 - __stubs_start
        .globl  __vectors_start
 __vectors_start:
- ARM(   swi     SYS_ERROR0      )
+        W(b)    vector_rst + stubs_offset
- THUMB( svc     #0              )
- THUMB( nop                     )
        W(b)    vector_und + stubs_offset
        W(ldr)  pc, .LCvswi + stubs_offset
        W(b)    vector_pabt + stubs_offset
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
index 9433e8a12b5e..2c8c7fa78b8c 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -837,7 +837,7 @@ void __init early_trap_init(void *vectors_base)
         * are visible to the instruction stream.
         */
        memcpy((void *)vectors, __vectors_start, __vectors_end - __vectors_start);
-        memcpy((void *)vectors + 0x200, __stubs_start, __stubs_end - __stubs_start);
+        memcpy((void *)vectors + 0x1000, __stubs_start, __stubs_end - __stubs_start);
        memcpy((void *)vectors + 0x1000 - kuser_sz, __kuser_helper_start, kuser_sz);
        /*
@@ -852,7 +852,7 @@ void __init early_trap_init(void *vectors_base)
        memcpy((void *)(vectors + KERN_SIGRETURN_CODE - CONFIG_VECTORS_BASE),
               sigreturn_codes, sizeof(sigreturn_codes));
-        flush_icache_range(vectors, vectors + PAGE_SIZE);
+        flush_icache_range(vectors, vectors + PAGE_SIZE * 2);
        modify_domain(DOMAIN_USER, DOMAIN_CLIENT);
 #else /* ifndef CONFIG_CPU_V7M */
        /*
author	Russell King <rmk+kernel@arm.linux.org.uk>	2013-07-04 06:40:32 -0400
committer	Russell King <rmk+kernel@arm.linux.org.uk>	2013-07-31 16:31:36 -0400
commit	19accfd373847ac3d10623c5d20f948846299741 (patch)
tree	682dd44ea1710afbb7e61a24185ffa4c9a0fb0da /arch/arm/kernel
parent	5b43e7a383d69381ffe53423e46dd0fafae07da3 (diff)