From: Russell Currey <rus...@russell.cc>

Optionally run W+X checks when dumping pagetable information to debugfs' kernel_page_tables.

To use:
    $ echo 1 > /sys/kernel/debug/check_wx_pages
    $ cat /sys/kernel/debug/kernel_page_tables

and check the kernel log. Useful for testing strict module RWX.

To disable W+X checks:
    $ echo 0 > /sys/kernel/debug/check_wx_pages

Update the Kconfig entry to reflect this.

Also fix a typo.

Reviewed-by: Kees Cook <keesc...@chromium.org>
Signed-off-by: Russell Currey <rus...@russell.cc>
[jpn: Change check_wx_pages to act as mode bit affecting kernel_page_tables instead of triggering action on its own]
Signed-off-by: Jordan Niethe <jniet...@gmail.com>
---
v10: check_wx_pages now affects kernel_page_tables rather than triggers its own action.
---
 arch/powerpc/Kconfig.debug | 6 ++++--
 arch/powerpc/mm/ptdump/ptdump.c | 34 ++++++++++++++++++++++++++++++++-
 2 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug index ae084357994e..56e99e9a30d9 100644 --- a/arch/powerpc/Kconfig.debug +++ b/arch/powerpc/Kconfig.debug @@ -371,7 +371,7 @@ config PPC_PTDUMP If you are unsure, say N. config PPC_DEBUG_WX - bool "Warn on W+X mappings at boot" + bool "Warn on W+X mappings at boot & enable manual checks at runtime" depends on PPC_PTDUMP && STRICT_KERNEL_RWX help Generate a warning if any W+X mappings are found at boot. @@ -385,7 +385,9 @@ config PPC_DEBUG_WX of other unfixed kernel bugs easier. There is no runtime or memory usage effect of this option - once the kernel has booted up - it's a one time check. + once the kernel has booted up, it only automatically checks once. + + Enables the "check_wx_pages" debugfs entry for checking at runtime. If in doubt, say "Y". diff --git a/arch/powerpc/mm/ptdump/ptdump.c b/arch/powerpc/mm/ptdump/ptdump.c index aca354fb670b..6592f7a48c96 100644 --- a/arch/powerpc/mm/ptdump/ptdump.c +++ b/arch/powerpc/mm/ptdump/ptdump.c 
@@ -4,7 +4,7 @@ * * This traverses the kernel pagetables and dumps the * information about the used sections of memory to - * /sys/kernel/debug/kernel_pagetables. + * /sys/kernel/debug/kernel_page_tables. * * Derived from the arm64 implementation: * Copyright (c) 2014, The Linux Foundation, Laura Abbott. @@ -27,6 +27,8 @@ #include "ptdump.h" +static bool check_wx; + /* * To visualise what is happening, * @@ -410,6 +412,9 @@ static int ptdump_show(struct seq_file *m, void *v) /* Traverse kernel page tables */ walk_pagetables(&st); note_page(&st, 0, 0, 0, 0); + + if (check_wx) + ptdump_check_wx(); return 0; } @@ -459,6 +464,33 @@ void ptdump_check_wx(void) else pr_info("Checked W+X mappings: passed, no W+X pages found\n"); } + +static int check_wx_debugfs_set(void *data, u64 val) +{ + if (val == 1ULL) + check_wx = true; + else if (val == 0ULL) + check_wx = false; + else + return -EINVAL; + + return 0; +} + +static int check_wx_debugfs_get(void *data, u64 *val) +{ + *val = check_wx ? 1 : 0; + return 0; +} + +DEFINE_SIMPLE_ATTRIBUTE(check_wx_fops, check_wx_debugfs_get, check_wx_debugfs_set, "%llu\n"); + +static int ptdump_check_wx_init(void) +{ + return debugfs_create_file("check_wx_pages", 0200, NULL, + NULL, &check_wx_fops) ? 0 : -ENOMEM; +} +device_initcall(ptdump_check_wx_init); #endif static int ptdump_init(void) -- 2.25.1
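Review bot: In the second Kconfig.debug hunk (@@ -385,7 +385,9 @@), the help text keeps the claim "There is no runtime or memory usage effect of this option once the kernel has booted up", but once check_wx_pages is set to 1 every read of kernel_page_tables also calls ptdump_check_wx(), so the option does have a runtime cost while that mode is on. Suggest rewording to say the automatic check runs once at boot and that further checks run only when check_wx_pages is enabled and kernel_page_tables is read, with the result going to the kernel log. As written, "Enables the "check_wx_pages" debugfs entry for checking at runtime" does not tell the user that writing the file alone triggers nothing. The new sentence is also a comma splice ("... has booted up, it only automatically checks once").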
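Review bot: In the ptdump_show() hunk (@@ -410,6 +412,9 @@), ptdump_check_wx() is called from a seq_file show callback, and the seq_file core can call show again with a larger buffer when the output does not fit, so a single cat of kernel_page_tables may run the W+X check and emit its pr_info/warning more than once. Since walk_pagetables(&st) has already traversed the tables at this point, consider folding the check into that traversal or otherwise making sure it runs once per open. Also, "static bool check_wx;" (@@ -27,6 +27,8 @@) and this call sit outside the conditional block that the "#endif" in the last hunk closes, while the only code that can set check_wx is inside it. Please confirm the file still builds and behaves sensibly with that block compiled out, or move the flag and the call under the same guard.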
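Review bot: In ptdump_check_wx_init() (last hunk, @@ -459,6 +464,33 @@), the test "debugfs_create_file(...) ? 0 : -ENOMEM" cannot detect a failure, because debugfs_create_file() reports errors as an ERR_PTR() value rather than NULL, so the expression always yields 0. debugfs callers are expected not to check the return value at all, so the function can simply call debugfs_create_file() and return 0. Two smaller points in the same hunk: the file is created with mode 0200 although check_wx_debugfs_get() is wired in, so use 0600 if the current state is meant to be read back; and the setter, getter and check_wx_fops could be dropped in favour of debugfs_create_bool("check_wx_pages", 0600, NULL, &check_wx), which already provides bool parsing and read-back for a plain flag like this.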