x86-64: Give vvars their own page

Move vvars out of the vsyscall page into their own page and mark it NX. Without this patch, an attacker who can force a daemon to call some fixed address could wait until the time contains, say, 0xCD80, and then execute the current time. Signed-off-by: Andy Lutomirski <luto@mit.edu> Cc: Jesper Juhl <jj@chaosbits.net> Cc: Borislav Petkov <bp@alien8.de> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Arjan van de Ven <arjan@infradead.org> Cc: Jan Beulich <JBeulich@novell.com> Cc: richard -rw- weinberger <richard.weinberger@gmail.com> Cc: Mikael Pettersson <mikpe@it.uu.se> Cc: Andi Kleen <andi@firstfloor.org> Cc: Brian Gerst <brgerst@gmail.com> Cc: Louis Rilling <Louis.Rilling@kerlabs.com> Cc: Valdis.Kletnieks@vt.edu Cc: pageexec@freemail.hu Link: http://lkml.kernel.org/r/b1460f81dc4463d66ea3f2b5ce240f58d48effec.1307292171.git.luto@mit.edu Signed-off-by: Ingo Molnar <mingo@elte.hu>
author: Andy Lutomirski <luto@MIT.EDU> 2011-06-05 13:50:19 -0400
committer: Ingo Molnar <mingo@elte.hu> 2011-06-05 15:30:32 -0400
commit: 9fd67b4ed0714ab718f1f9bd14c344af336a6df7 (patch)
tree: 7dae7e978b68479b6ee316d92b81d703cee3a894 /arch
parent: 8b4777a4b50cb0c84c1152eac85d24415fb6ff7d (diff)
5 files changed, 35 insertions, 23 deletions
diff --git a/arch/x86/include/asm/fixmap.h b/arch/x86/include/asm/fixmap.h
index 4729b2b63117..460c74e4852c 100644
--- a/arch/x86/include/asm/fixmap.h
+++ b/arch/x86/include/asm/fixmap.h
@@ -78,6 +78,7 @@ enum fixed_addresses {
        VSYSCALL_LAST_PAGE,
        VSYSCALL_FIRST_PAGE = VSYSCALL_LAST_PAGE
                            + ((VSYSCALL_END-VSYSCALL_START) >> PAGE_SHIFT) - 1,
+        VVAR_PAGE,
        VSYSCALL_HPET,
 #endif
        FIX_DBGP_BASE,
diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h
index d56187c6b838..6a29aed65902 100644
--- a/arch/x86/include/asm/pgtable_types.h
+++ b/arch/x86/include/asm/pgtable_types.h
@@ -108,6 +108,7 @@
 #define __PAGE_KERNEL_UC_MINUS          (__PAGE_KERNEL | _PAGE_PCD)
 #define __PAGE_KERNEL_VSYSCALL          (__PAGE_KERNEL_RX | _PAGE_USER)
 #define __PAGE_KERNEL_VSYSCALL_NOCACHE  (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
+#define __PAGE_KERNEL_VVAR              (__PAGE_KERNEL_RO | _PAGE_USER)
 #define __PAGE_KERNEL_LARGE             (__PAGE_KERNEL | _PAGE_PSE)
 #define __PAGE_KERNEL_LARGE_NOCACHE     (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
 #define __PAGE_KERNEL_LARGE_EXEC        (__PAGE_KERNEL_EXEC | _PAGE_PSE)
@@ -130,6 +131,7 @@
 #define PAGE_KERNEL_LARGE_EXEC          __pgprot(__PAGE_KERNEL_LARGE_EXEC)
 #define PAGE_KERNEL_VSYSCALL            __pgprot(__PAGE_KERNEL_VSYSCALL)
 #define PAGE_KERNEL_VSYSCALL_NOCACHE    __pgprot(__PAGE_KERNEL_VSYSCALL_NOCACHE)
+#define PAGE_KERNEL_VVAR                __pgprot(__PAGE_KERNEL_VVAR)
 #define PAGE_KERNEL_IO                  __pgprot(__PAGE_KERNEL_IO)
 #define PAGE_KERNEL_IO_NOCACHE          __pgprot(__PAGE_KERNEL_IO_NOCACHE)
diff --git a/arch/x86/include/asm/vvar.h b/arch/x86/include/asm/vvar.h
index a4eaca4a6133..de656ac2af41 100644
--- a/arch/x86/include/asm/vvar.h
+++ b/arch/x86/include/asm/vvar.h
@@ -10,15 +10,14 @@
 * In normal kernel code, they are used like any other variable.
 * In user code, they are accessed through the VVAR macro.
 *
- * Each of these variables lives in the vsyscall page, and each
+ * These variables live in a page of kernel data that has an extra RO
- * one needs a unique offset within the little piece of the page
+ * mapping for userspace.  Each variable needs a unique offset within
- * reserved for vvars.  Specify that offset in DECLARE_VVAR.
+ * that page; specify that offset with the DECLARE_VVAR macro.  (If
- * (There are 896 bytes available.  If you mess up, the linker will
+ * you mess up, the linker will catch it.)
- * catch it.)
 */
-/* Offset of vars within vsyscall page */
+/* Base address of vvars.  This is not ABI. */
-#define VSYSCALL_VARS_OFFSET (3072 + 128)
+#define VVAR_ADDRESS (-10*1024*1024 - 4096)
 #if defined(__VVAR_KERNEL_LDS)
@@ -26,17 +25,17 @@
 * right place.
 */
 #define DECLARE_VVAR(offset, type, name) \
-        EMIT_VVAR(name, VSYSCALL_VARS_OFFSET + offset)
+        EMIT_VVAR(name, offset)
 #else
 #define DECLARE_VVAR(offset, type, name)                                \
        static type const * const vvaraddr_ ## name =                   \
-                (void *)(VSYSCALL_START + VSYSCALL_VARS_OFFSET + (offset));
+                (void *)(VVAR_ADDRESS + (offset));
 #define DEFINE_VVAR(type, name)                                         \
-        type __vvar_ ## name                                            \
+        type name                                                       \
-        __attribute__((section(".vsyscall_var_" #name), aligned(16)))
+        __attribute__((section(".vvar_" #name), aligned(16)))
 #define VVAR(name) (*vvaraddr_ ## name)
@@ -49,4 +48,3 @@ DECLARE_VVAR(16, int, vgetcpu_mode)
 DECLARE_VVAR(128, struct vsyscall_gtod_data, vsyscall_gtod_data)
 #undef DECLARE_VVAR
-#undef VSYSCALL_VARS_OFFSET
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index 89aed99aafce..98b378dc7f86 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -161,12 +161,6 @@ SECTIONS
 #define VVIRT_OFFSET (VSYSCALL_ADDR - __vsyscall_0)
 #define VVIRT(x) (ADDR(x) - VVIRT_OFFSET)
-#define EMIT_VVAR(x, offset) .vsyscall_var_ ## x        \
-        ADDR(.vsyscall_0) + offset                      \
-        : AT(VLOAD(.vsyscall_var_ ## x)) {              \
-                *(.vsyscall_var_ ## x)                  \
-        }                                               \
-        x = VVIRT(.vsyscall_var_ ## x);
        . = ALIGN(4096);
        __vsyscall_0 = .;
@@ -192,19 +186,31 @@ SECTIONS
                *(.vsyscall_3)
        }
-#define __VVAR_KERNEL_LDS
+        . = ALIGN(__vsyscall_0 + PAGE_SIZE, PAGE_SIZE);
-#include <asm/vvar.h>
-#undef __VVAR_KERNEL_LDS
-        . = __vsyscall_0 + PAGE_SIZE;
 #undef VSYSCALL_ADDR
 #undef VLOAD_OFFSET
 #undef VLOAD
 #undef VVIRT_OFFSET
 #undef VVIRT
+        __vvar_page = .;
+        .vvar : AT(ADDR(.vvar) - LOAD_OFFSET) {
+              /* Place all vvars at the offsets in asm/vvar.h. */
+#define EMIT_VVAR(name, offset)                 \
+                . = offset;             \
+                *(.vvar_ ## name)
+#define __VVAR_KERNEL_LDS
+#include <asm/vvar.h>
+#undef __VVAR_KERNEL_LDS
 #undef EMIT_VVAR
+        } :data
+       . = ALIGN(__vvar_page + PAGE_SIZE, PAGE_SIZE);
 #endif /* CONFIG_X86_64 */
        /* Init code and data - will be freed after init */
diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c
index 3e682184d76c..3cf1cef75a6a 100644
--- a/arch/x86/kernel/vsyscall_64.c
+++ b/arch/x86/kernel/vsyscall_64.c
@@ -284,9 +284,14 @@ void __init map_vsyscall(void)
 {
        extern char __vsyscall_0;
        unsigned long physaddr_page0 = __pa_symbol(&__vsyscall_0);
+        extern char __vvar_page;
+        unsigned long physaddr_vvar_page = __pa_symbol(&__vvar_page);
        /* Note that VSYSCALL_MAPPED_PAGES must agree with the code below. */
        __set_fixmap(VSYSCALL_FIRST_PAGE, physaddr_page0, PAGE_KERNEL_VSYSCALL);
+        __set_fixmap(VVAR_PAGE, physaddr_vvar_page, PAGE_KERNEL_VVAR);
+        BUILD_BUG_ON((unsigned long)__fix_to_virt(VVAR_PAGE) !=
+                     (unsigned long)VVAR_ADDRESS);
 }
 static int __init vsyscall_init(void)
author	Andy Lutomirski <luto@MIT.EDU>	2011-06-05 13:50:19 -0400
committer	Ingo Molnar <mingo@elte.hu>	2011-06-05 15:30:32 -0400
commit	9fd67b4ed0714ab718f1f9bd14c344af336a6df7 (patch)
tree	7dae7e978b68479b6ee316d92b81d703cee3a894 /arch
parent	8b4777a4b50cb0c84c1152eac85d24415fb6ff7d (diff)