Xen project Mailing List

[PATCH] x86/boot: Restrict directmap permissions for .text/.rodata

To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 24 Mar 2023 22:08:24 +0000

Authentication-results: esa4.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Fri, 24 Mar 2023 22:09:05 +0000

Ironport-data: A9a23:05ABa6P4UPBTG6XvrR3Zl8FynXyQoLVcMsEvi/4bfWQNrUoigz0Cm 2dLW2mFPv2JYGL3e412PNmz/R9Vv5fWytdiSAto+SlhQUwRpJueD7x1DKtS0wC6dZSfER09v 63yTvGacajYm1eF/k/F3oDJ9CU6jufQAOKnUoYoAwgpLSd8UiAtlBl/rOAwh49skLCRDhiE/ Nj/uKUzAnf8s9JPGj9SuvLrRC9H5qyo42tD5ABmPpingXeF/5UrJMNHTU2OByOQrrl8RoaSW +vFxbelyWLVlz9F5gSNy+uTnuUiG9Y+DCDW4pZkc/HKbitq/0Te5p0TJvsEAXq7vh3S9zxHJ HehgrTrIeshFvWkdO3wyHC0GQkmVUFN0OevzXRSLaV/ZqAJGpfh66wGMa04AWEX0sVxG0VL8 +YGFG0iVhe52/ia7ey7QMA506zPLOGzVG8eknRpzDWfBvc6W5HTBa7N4Le03h9p2JoIR6yHI ZNEN3w2Nk+ojx5nYz/7DLoXmuuyi2a5WDpfsF+P/oI84nTJzRw327/oWDbQUoXSGZoNxxzI/ Aoq+UzLHREnLt7OxACXzX2pgKzXsD/6dL0NQejQGvlC3wTImz175ActfUS/iem0jAi5Qd03A 1wZ/G8ioLY/8GSvT8LhRFuorXicpBkeVtFMVeog52ml6IDZ/gKYDWgsVSNaZZots8peeNAx/ gbXxZWzX2Up6eDLDyvHrd94sA9eJwA2K3UmYCkeUzdYzOHkmt0poj+RTtxKRfvdYsLOJd3g/ 9ybhHFg2ORN05NRjP3TEUPv2Gz1+MWQJuIhzkCOBz/+sFskDGKwT9bwgWU3+8qsO2pworOpm HEf0/aT4+kVZX1mvHzcGb5ddF1FChvsDdE9vbKMN8N7n9hV0yT/Fb28GRknTKuTDu4KeCXyf GjYsh5L6ZlYMROCNPEoMtzhUJxznPO5SLwJs8w4ifIQCqWdiSfdpH0+DaJu9zmFfLcQfVEXZ s7ALJfE4YcyAqV71jumL9ogPUsQ7nlmnwv7HMmrpylLJJLCPBZ5v59ZagrRBg34hYvYyDjoH yF3bZHbkEQECbCmP0E6M+c7dDg3EJTyPriuw+Q/SwJJClQO9L0JYxMJ/Y4cRg==

Ironport-hdrordr: A9a23:bV1R3qnxxq2pE0NBLIM0sW4gufTpDfLr3DAbv31ZSRFFG/Fxl6 iV7ZImPH7P6Ar5PUtKpTnuAsi9qB/nhPtICOoqTM6ftWvdyROVxehZhOOMrQEIcxeOjdK1vp 0QF5SWZueAamRSvILW2iT9NfAKqePqzEmvv43j5kYody1RL4tHyChYJDqhOnBXYi4DP7YFfa DshfZvln6ueXEadMSpCmNtZYX+jtfWjo/hZRIcJzNP0njtsQ+V

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

While we've been diligent to ensure that the main text/data/rodata mappings have suitable restrictions, their aliases via the directmap were left fully read/write. Worse, we even had pieces of code making use of this as a feature. Restrict the permissions for .text/rodata, as we have no legitimate need for writeability of these areas via the directmap alias. Note that the compile-time allocated pagetables do get written through their directmap alias, so need to remain writeable. Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- CC: Jan Beulich <JBeulich@xxxxxxxx> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx> CC: Wei Liu <wl@xxxxxxx> v2: * Update comments and commit message for clarity, and over changes. Notes: * The stubs are still have RX via one alias, RW via another, and these need to stay. We should harden this using PKS (available on SPR and later) to block incidental writes. * Backing memory for livepatch text/rodata needs similar treatment. * For backporting, this patch depends on c/s e7f147bf4ac7 ("x86/crash: Drop manual hooking of exception_table[]") and c/s e7db635f4428 ("x86/pv-shim: Don't modify the hypercall table"). No compile error will occur from getting these dependencies wrong. --- xen/arch/x86/setup.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 2b44a3ae26dd..b29229933d8c 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -1667,6 +1667,16 @@ void __init noreturn __start_xen(unsigned long mbi_p) destroy_xen_mappings((unsigned long)&__2M_rwdata_end, ROUNDUP((unsigned long)&__2M_rwdata_end, MB(2))); + /* + * Mark all of .text and .rodata as RO in the directmap - we don't want + * these sections writeable via any alias. The compile-time allocated + * pagetables are written via their directmap alias, so data/bss needs to + * remain writeable. + */ + modify_xen_mappings((unsigned long)__va(__pa(_start)), + (unsigned long)__va(__pa(__2M_rodata_end)), + PAGE_HYPERVISOR_RO); + nr_pages = 0; for ( i = 0; i < e820.nr_map; i++ ) if ( e820.map[i].type == E820_RAM ) -- 2.30.2

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.