arm64: kaslr: Put kernel vectors address in separate data page

Commit 6c27c4082f4f upstream.

The literal pool entry for identifying the vectors base is the only piece
of information in the trampoline page that identifies the true location
of the kernel.

This patch moves it into a page-aligned region of the .rodata section
and maps this adjacent to the trampoline text via an additional fixmap
entry, which protects against any accidental leakage of the trampoline
contents.

Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Laura Abbott <labbott@redhat.com>
Tested-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 3882b5f63f3cfff225cee691dcb8357bf6714d07)

CVE-2017-5753
CVE-2017-5715
CVE-2017-5754

Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

diff --git a/arch/arm64/include/asm/fixmap.h b/arch/arm64/include/asm/fixmap.h
index 8119b49be98dc2edb27b17a1e1b4db842e79f03e..ec1e6d6fa14ccd4c14a735a8732a7a468c709276 100644 (file)
--- a/arch/arm64/include/asm/fixmap.h
+++ b/arch/arm64/include/asm/fixmap.h
@@ -59,6 +59,7 @@ enum fixed_addresses {
 #endif /* CONFIG_ACPI_APEI_GHES */
 
 #ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+       FIX_ENTRY_TRAMP_DATA,
        FIX_ENTRY_TRAMP_TEXT,
 #define TRAMP_VALIAS           (__fix_to_virt(FIX_ENTRY_TRAMP_TEXT))
 #endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 5bd7d51965e665b64cfba3f0e1145226dc3a3c75..d79bc9c5c500583f7fbe1d3c5236aac481cf8466 100644 (file)
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -984,7 +984,13 @@ alternative_else_nop_endif
        msr     tpidrro_el0, x30        // Restored in kernel_ventry
        .endif
        tramp_map_kernel        x30
+#ifdef CONFIG_RANDOMIZE_BASE
+       adr     x30, tramp_vectors + PAGE_SIZE
+alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003
+       ldr     x30, [x30]
+#else
        ldr     x30, =vectors
+#endif
        prfm    plil1strm, [x30, #(1b - tramp_vectors)]
        msr     vbar_el1, x30
        add     x30, x30, #(1b - tramp_vectors)
@@ -1027,6 +1033,14 @@ END(tramp_exit_compat)
 
        .ltorg
        .popsection                             // .entry.tramp.text
+#ifdef CONFIG_RANDOMIZE_BASE
+       .pushsection ".rodata", "a"
+       .align PAGE_SHIFT
+       .globl  __entry_tramp_data_start
+__entry_tramp_data_start:
+       .quad   vectors
+       .popsection                             // .rodata
+#endif /* CONFIG_RANDOMIZE_BASE */
 #endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
 
 /*

diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
index 7bbb54d7bdd13486c285db5c7de6a38a03dede3c..3aaf374b0f46305a5ed2462aadee486ecd9d721b 100644 (file)
--- a/arch/arm64/kernel/vmlinux.lds.S
+++ b/arch/arm64/kernel/vmlinux.lds.S
@@ -250,7 +250,10 @@ ASSERT(__idmap_text_end - (__idmap_text_start & ~(SZ_4K - 1)) <= SZ_4K,
 ASSERT(__hibernate_exit_text_end - (__hibernate_exit_text_start & ~(SZ_4K - 1))
        <= SZ_4K, "Hibernate exit text too big or misaligned")
 #endif
-
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+ASSERT((__entry_tramp_text_end - __entry_tramp_text_start) == PAGE_SIZE,
+       "Entry trampoline text too big")
+#endif
 /*
  * If padding is applied before .head.text, virt<->phys conversions will fail.
  */

diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
index 3b9af178f791baa946cbd8b899a6f029c1691724..606c3654186ffa13d2e530d28d9621af7ff5bfb4 100644 (file)
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -541,8 +541,16 @@ static int __init map_entry_trampoline(void)
        __create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS, PAGE_SIZE,
                             prot, pgd_pgtable_alloc, 0);
 
-       /* ...as well as the kernel page table */
+       /* Map both the text and data into the kernel page table */
        __set_fixmap(FIX_ENTRY_TRAMP_TEXT, pa_start, prot);
+       if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) {
+               extern char __entry_tramp_data_start[];
+
+               __set_fixmap(FIX_ENTRY_TRAMP_DATA,
+                            __pa_symbol(__entry_tramp_data_start),
+                            PAGE_KERNEL_RO);
+       }
+
        return 0;
 }
 core_initcall(map_entry_trampoline);