6 files changed, 88 insertions, 3 deletions

diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
index d8c0d3266173..3e0baf726eef 100644
--- a/arch/x86/Kconfig.debug
+++ b/arch/x86/Kconfig.debug
@@ -65,10 +65,14 @@ config EARLY_PRINTK_EFI
           This is useful for kernel debugging when your machine crashes very
           early before the console code is initialized.
 
+config X86_PTDUMP_CORE
+        def_bool n
+
 config X86_PTDUMP
         bool "Export kernel pagetable layout to userspace via debugfs"
         depends on DEBUG_KERNEL
         select DEBUG_FS
+        select X86_PTDUMP_CORE
         ---help---
           Say Y here if you want to show the kernel pagetable layout in a
           debugfs file. This information is only useful for kernel developers
@@ -79,7 +83,8 @@ config X86_PTDUMP
 
 config EFI_PGT_DUMP
         bool "Dump the EFI pagetable"
-        depends on EFI && X86_PTDUMP
+        depends on EFI
+        select X86_PTDUMP_CORE
         ---help---
           Enable this if you want to dump the EFI page table before
           enabling virtual mode. This can be used to debug miscellaneous
@@ -105,6 +110,35 @@ config DEBUG_RODATA_TEST
           feature as well as for the change_page_attr() infrastructure.
           If in doubt, say "N"
 
+config DEBUG_WX
+        bool "Warn on W+X mappings at boot"
+        depends on DEBUG_RODATA
+        default y
+        select X86_PTDUMP_CORE
+        ---help---
+          Generate a warning if any W+X mappings are found at boot.
+
+          This is useful for discovering cases where the kernel is leaving
+          W+X mappings after applying NX, as such mappings are a security risk.
+
+          Look for a message in dmesg output like this:
+
+            x86/mm: Checked W+X mappings: passed, no W+X pages found.
+
+          or like this, if the check failed:
+
+            x86/mm: Checked W+X mappings: FAILED, <N> W+X pages found.
+
+          Note that even if the check fails, your kernel is possibly
+          still fine, as W+X mappings are not a security hole in
+          themselves, what they do is that they make the exploitation
+          of other unfixed kernel bugs easier.
+
+          There is no runtime or memory usage effect of this option
+          once the kernel has booted up - it's a one time check.
+
+          If in doubt, say "Y".
+
 config DEBUG_SET_MODULE_RONX
         bool "Set loadable kernel module data as NX and text as RO"
         depends on MODULES
diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
index 59fc3414c68b..c0b41f111a9a 100644
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -19,6 +19,13 @@
 #include <asm/x86_init.h>
 
 void ptdump_walk_pgd_level(struct seq_file *m, pgd_t *pgd);
+void ptdump_walk_pgd_level_checkwx(void);
+
+#ifdef CONFIG_DEBUG_WX
+#define debug_checkwx() ptdump_walk_pgd_level_checkwx()
+#else
+#define debug_checkwx() do { } while (0)
+#endif
 
 /*
  * ZERO_PAGE is a global shared page that is always zero: used
diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile
index a482d105172b..65c47fda26fc 100644
--- a/arch/x86/mm/Makefile
+++ b/arch/x86/mm/Makefile
@@ -14,7 +14,7 @@ obj-$(CONFIG_SMP)		+= tlb.o
 obj-$(CONFIG_X86_32)            += pgtable_32.o iomap_32.o
 
 obj-$(CONFIG_HUGETLB_PAGE)      += hugetlbpage.o
-obj-$(CONFIG_X86_PTDUMP)        += dump_pagetables.o
+obj-$(CONFIG_X86_PTDUMP_CORE)   += dump_pagetables.o
 
 obj-$(CONFIG_HIGHMEM)           += highmem_32.o
 
diff --git a/arch/x86/mm/dump_pagetables.c b/arch/x86/mm/dump_pagetables.c
index 71ab2d741024..1bf417e9cc13 100644
--- a/arch/x86/mm/dump_pagetables.c
+++ b/arch/x86/mm/dump_pagetables.c
@@ -32,6 +32,8 @@ struct pg_state {
         const struct addr_marker *marker;
         unsigned long lines;
         bool to_dmesg;
+        bool check_wx;
+        unsigned long wx_pages;
 };
 
 struct addr_marker {
@@ -214,6 +216,16 @@ static void note_page(struct seq_file *m, struct pg_state *st,
                 const char *unit = units;
                 unsigned long delta;
                 int width = sizeof(unsigned long) * 2;
+                pgprotval_t pr = pgprot_val(st->current_prot);
+
+                if (st->check_wx && (pr & _PAGE_RW) && !(pr & _PAGE_NX)) {
+                        WARN_ONCE(1,
+                                  "x86/mm: Found insecure W+X mapping at address %p/%pS\n",
+                                  (void *)st->start_address,
+                                  (void *)st->start_address);
+                        st->wx_pages += (st->current_address -
+                                         st->start_address) / PAGE_SIZE;
+                }
 
                 /*
                  * Now print the actual finished series
@@ -346,7 +358,8 @@ static void walk_pud_level(struct seq_file *m, struct pg_state *st, pgd_t addr,
 #define pgd_none(a)  pud_none(__pud(pgd_val(a)))
 #endif
 
-void ptdump_walk_pgd_level(struct seq_file *m, pgd_t *pgd)
+static void ptdump_walk_pgd_level_core(struct seq_file *m, pgd_t *pgd,
+                                       bool checkwx)
 {
 #ifdef CONFIG_X86_64
         pgd_t *start = (pgd_t *) &init_level4_pgt;
@@ -362,6 +375,10 @@ void ptdump_walk_pgd_level(struct seq_file *m, pgd_t *pgd)
                 st.to_dmesg = true;
         }
 
+        st.check_wx = checkwx;
+        if (checkwx)
+                st.wx_pages = 0;
+
         for (i = 0; i < PTRS_PER_PGD; i++) {
                 st.current_address = normalize_addr(i * PGD_LEVEL_MULT);
                 if (!pgd_none(*start)) {
@@ -381,8 +398,26 @@ void ptdump_walk_pgd_level(struct seq_file *m, pgd_t *pgd)
         /* Flush out the last page */
         st.current_address = normalize_addr(PTRS_PER_PGD*PGD_LEVEL_MULT);
         note_page(m, &st, __pgprot(0), 0);
+        if (!checkwx)
+                return;
+        if (st.wx_pages)
+                pr_info("x86/mm: Checked W+X mappings: FAILED, %lu W+X pages found.\n",
+                        st.wx_pages);
+        else
+                pr_info("x86/mm: Checked W+X mappings: passed, no W+X pages found.\n");
+}
+
+void ptdump_walk_pgd_level(struct seq_file *m, pgd_t *pgd)
+{
+        ptdump_walk_pgd_level_core(m, pgd, false);
 }
 
+void ptdump_walk_pgd_level_checkwx(void)
+{
+        ptdump_walk_pgd_level_core(NULL, NULL, true);
+}
+
+#ifdef CONFIG_X86_PTDUMP
 static int ptdump_show(struct seq_file *m, void *v)
 {
         ptdump_walk_pgd_level(m, NULL);
@@ -400,10 +435,13 @@ static const struct file_operations ptdump_fops = {
         .llseek         = seq_lseek,
         .release        = single_release,
 };
+#endif
 
 static int pt_dump_init(void)
 {
+#ifdef CONFIG_X86_PTDUMP
         struct dentry *pe;
+#endif
 
 #ifdef CONFIG_X86_32
         /* Not a compile-time constant on x86-32 */
@@ -415,10 +453,12 @@ static int pt_dump_init(void)
         address_markers[FIXADDR_START_NR].start_address = FIXADDR_START;
 #endif
 
+#ifdef CONFIG_X86_PTDUMP
         pe = debugfs_create_file("kernel_page_tables", 0600, NULL, NULL,
                                  &ptdump_fops);
         if (!pe)
                 return -ENOMEM;
+#endif
 
         return 0;
 }
diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
index 7562f42914b4..cb4ef3de61f9 100644
--- a/arch/x86/mm/init_32.c
+++ b/arch/x86/mm/init_32.c
@@ -957,6 +957,8 @@ void mark_rodata_ro(void)
         set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
 #endif
         mark_nxdata_nx();
+        if (__supported_pte_mask & _PAGE_NX)
+                debug_checkwx();
 }
 #endif
 
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index 30564e2752d3..f8b157366700 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -1150,6 +1150,8 @@ void mark_rodata_ro(void)
         free_init_pages("unused kernel",
                         (unsigned long) __va(__pa_symbol(rodata_end)),
                         (unsigned long) __va(__pa_symbol(_sdata)));
+
+        debug_checkwx();
 }
 
 #endif