ARM: allow kuser helpers to be removed from the vector page

Provide a kernel configuration option to allow the kernel user helpers
to be removed from the vector page, thereby preventing their use with
ROP (return orientated programming) attacks.  This option is only
visible for CPU architectures which natively support all the operations
which kernel user helpers would normally provide, and must be enabled
with caution.

Cc: <stable@vger.kernel.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

3 files changed, 51 insertions, 9 deletions

diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
index 94caefb550bf..d40d0ef389db 100644
--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -753,6 +753,7 @@ ENDPROC(__switch_to)
         .endr
         .endm
 
+#ifdef CONFIG_KUSER_HELPERS
         .align  5
         .globl  __kuser_helper_start
 __kuser_helper_start:
@@ -939,6 +940,8 @@ __kuser_helper_version:				@ 0xffff0ffc
         .globl  __kuser_helper_end
 __kuser_helper_end:
 
+#endif
+
  THUMB( .thumb  )
 
 /*
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
index 2c8c7fa78b8c..e3ca35ccd38e 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -800,15 +800,26 @@ void __init trap_init(void)
         return;
 }
 
-static void __init kuser_get_tls_init(unsigned long vectors)
+#ifdef CONFIG_KUSER_HELPERS
+static void __init kuser_init(void *vectors)
 {
+        extern char __kuser_helper_start[], __kuser_helper_end[];
+        int kuser_sz = __kuser_helper_end - __kuser_helper_start;
+
+        memcpy(vectors + 0x1000 - kuser_sz, __kuser_helper_start, kuser_sz);
+
         /*
          * vectors + 0xfe0 = __kuser_get_tls
          * vectors + 0xfe8 = hardware TLS instruction at 0xffff0fe8
          */
         if (tls_emu || has_tls_reg)
-                memcpy((void *)vectors + 0xfe0, (void *)vectors + 0xfe8, 4);
+                memcpy(vectors + 0xfe0, vectors + 0xfe8, 4);
+}
+#else
+static void __init kuser_init(void *vectors)
+{
 }
+#endif
 
 void __init early_trap_init(void *vectors_base)
 {
@@ -816,8 +827,6 @@ void __init early_trap_init(void *vectors_base)
         unsigned long vectors = (unsigned long)vectors_base;
         extern char __stubs_start[], __stubs_end[];
         extern char __vectors_start[], __vectors_end[];
-        extern char __kuser_helper_start[], __kuser_helper_end[];
-        int kuser_sz = __kuser_helper_end - __kuser_helper_start;
         unsigned i;
 
         vectors_page = vectors_base;
@@ -838,12 +847,8 @@ void __init early_trap_init(void *vectors_base)
          */
         memcpy((void *)vectors, __vectors_start, __vectors_end - __vectors_start);
         memcpy((void *)vectors + 0x1000, __stubs_start, __stubs_end - __stubs_start);
-        memcpy((void *)vectors + 0x1000 - kuser_sz, __kuser_helper_start, kuser_sz);
 
-        /*
-         * Do processor specific fixups for the kuser helpers
-         */
-        kuser_get_tls_init(vectors);
+        kuser_init(vectors_base);
 
         /*
          * Copy signal return handlers into the vector page, and
diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
index 6cacdc8dd654..db5c2cab8fda 100644
--- a/arch/arm/mm/Kconfig
+++ b/arch/arm/mm/Kconfig
@@ -421,24 +421,28 @@ config CPU_32v3
         select CPU_USE_DOMAINS if MMU
         select NEEDS_SYSCALL_FOR_CMPXCHG if SMP
         select TLS_REG_EMUL if SMP || !MMU
+        select NEED_KUSER_HELPERS
 
 config CPU_32v4
         bool
         select CPU_USE_DOMAINS if MMU
         select NEEDS_SYSCALL_FOR_CMPXCHG if SMP
         select TLS_REG_EMUL if SMP || !MMU
+        select NEED_KUSER_HELPERS
 
 config CPU_32v4T
         bool
         select CPU_USE_DOMAINS if MMU
         select NEEDS_SYSCALL_FOR_CMPXCHG if SMP
         select TLS_REG_EMUL if SMP || !MMU
+        select NEED_KUSER_HELPERS
 
 config CPU_32v5
         bool
         select CPU_USE_DOMAINS if MMU
         select NEEDS_SYSCALL_FOR_CMPXCHG if SMP
         select TLS_REG_EMUL if SMP || !MMU
+        select NEED_KUSER_HELPERS
 
 config CPU_32v6
         bool
@@ -776,6 +780,7 @@ config CPU_BPREDICT_DISABLE
 
 config TLS_REG_EMUL
         bool
+        select NEED_KUSER_HELPERS
         help
           An SMP system using a pre-ARMv6 processor (there are apparently
           a few prototypes like that in existence) and therefore access to
@@ -783,11 +788,40 @@ config TLS_REG_EMUL
 
 config NEEDS_SYSCALL_FOR_CMPXCHG
         bool
+        select NEED_KUSER_HELPERS
         help
           SMP on a pre-ARMv6 processor?  Well OK then.
           Forget about fast user space cmpxchg support.
           It is just not possible.
 
+config NEED_KUSER_HELPERS
+        bool
+
+config KUSER_HELPERS
+        bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS
+        default y
+        help
+          Warning: disabling this option may break user programs.
+
+          Provide kuser helpers in the vector page.  The kernel provides
+          helper code to userspace in read only form at a fixed location
+          in the high vector page to allow userspace to be independent of
+          the CPU type fitted to the system.  This permits binaries to be
+          run on ARMv4 through to ARMv7 without modification.
+
+          However, the fixed address nature of these helpers can be used
+          by ROP (return orientated programming) authors when creating
+          exploits.
+
+          If all of the binaries and libraries which run on your platform
+          are built specifically for your platform, and make no use of
+          these helpers, then you can turn this option off.  However,
+          when such an binary or library is run, it will receive a SIGILL
+          signal, which will terminate the program.
+
+          Say N here only if you are absolutely certain that you do not
+          need these helpers; otherwise, the safe option is to say Y.
+
 config DMA_CACHE_RWFO
         bool "Enable read/write for ownership DMA cache maintenance"
         depends on CPU_V6K && SMP