2005-04-17 05:20:36 +07:00
|
|
|
/*
|
|
|
|
* (C) Copyright 2002 Linus Torvalds
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
* Portions based on the vdso-randomization code from exec-shield:
|
|
|
|
* Copyright(C) 2005-2006, Red Hat, Inc., Ingo Molnar
|
2005-04-17 05:20:36 +07:00
|
|
|
*
|
|
|
|
* This file contains the needed initializations to support sysenter.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/smp.h>
|
|
|
|
#include <linux/thread_info.h>
|
|
|
|
#include <linux/sched.h>
|
|
|
|
#include <linux/gfp.h>
|
|
|
|
#include <linux/string.h>
|
|
|
|
#include <linux/elf.h>
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
#include <linux/mm.h>
|
2007-07-30 05:36:13 +07:00
|
|
|
#include <linux/err.h>
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
#include <linux/module.h>
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
#include <asm/cpufeature.h>
|
|
|
|
#include <asm/msr.h>
|
|
|
|
#include <asm/pgtable.h>
|
|
|
|
#include <asm/unistd.h>
|
2007-05-03 00:27:12 +07:00
|
|
|
#include <asm/elf.h>
|
2007-05-03 00:27:12 +07:00
|
|
|
#include <asm/tlbflush.h>
|
2008-01-30 19:30:42 +07:00
|
|
|
#include <asm/vdso.h>
|
2008-01-30 19:30:43 +07:00
|
|
|
#include <asm/proto.h>
|
2007-05-03 00:27:12 +07:00
|
|
|
|
|
|
|
enum {
|
|
|
|
VDSO_DISABLED = 0,
|
|
|
|
VDSO_ENABLED = 1,
|
|
|
|
VDSO_COMPAT = 2,
|
|
|
|
};
|
|
|
|
|
|
|
|
#ifdef CONFIG_COMPAT_VDSO
|
|
|
|
#define VDSO_DEFAULT VDSO_COMPAT
|
|
|
|
#else
|
|
|
|
#define VDSO_DEFAULT VDSO_ENABLED
|
|
|
|
#endif
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2008-01-30 19:30:43 +07:00
|
|
|
#ifdef CONFIG_X86_64
|
|
|
|
#define vdso_enabled sysctl_vsyscall32
|
|
|
|
#define arch_setup_additional_pages syscall32_setup_pages
|
|
|
|
#endif
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This is the difference between the prelinked addresses in the vDSO images
|
|
|
|
* and the VDSO_HIGH_BASE address where CONFIG_COMPAT_VDSO places the vDSO
|
|
|
|
* in the user address space.
|
|
|
|
*/
|
|
|
|
#define VDSO_ADDR_ADJUST (VDSO_HIGH_BASE - (unsigned long)VDSO32_PRELINK)
|
|
|
|
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
/*
|
|
|
|
* Should the kernel map a VDSO page into processes and pass its
|
|
|
|
* address down to glibc upon exec()?
|
|
|
|
*/
|
2007-05-03 00:27:12 +07:00
|
|
|
unsigned int __read_mostly vdso_enabled = VDSO_DEFAULT;
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
|
|
|
|
static int __init vdso_setup(char *s)
|
|
|
|
{
|
|
|
|
vdso_enabled = simple_strtoul(s, NULL, 0);
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2008-01-30 19:30:43 +07:00
|
|
|
/*
|
|
|
|
* For consistency, the argument vdso32=[012] affects the 32-bit vDSO
|
|
|
|
* behavior on both 64-bit and 32-bit kernels.
|
|
|
|
* On 32-bit kernels, vdso=[012] means the same thing.
|
|
|
|
*/
|
|
|
|
__setup("vdso32=", vdso_setup);
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
|
2008-01-30 19:30:43 +07:00
|
|
|
#ifdef CONFIG_X86_32
|
|
|
|
__setup_param("vdso=", vdso32_setup, vdso_setup, 0);
|
|
|
|
|
|
|
|
EXPORT_SYMBOL_GPL(vdso_enabled);
|
|
|
|
#endif
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2007-05-03 00:27:12 +07:00
|
|
|
static __init void reloc_symtab(Elf32_Ehdr *ehdr,
|
|
|
|
unsigned offset, unsigned size)
|
|
|
|
{
|
|
|
|
Elf32_Sym *sym = (void *)ehdr + offset;
|
|
|
|
unsigned nsym = size / sizeof(*sym);
|
|
|
|
unsigned i;
|
|
|
|
|
|
|
|
for(i = 0; i < nsym; i++, sym++) {
|
|
|
|
if (sym->st_shndx == SHN_UNDEF ||
|
|
|
|
sym->st_shndx == SHN_ABS)
|
|
|
|
continue; /* skip */
|
|
|
|
|
|
|
|
if (sym->st_shndx > SHN_LORESERVE) {
|
|
|
|
printk(KERN_INFO "VDSO: unexpected st_shndx %x\n",
|
|
|
|
sym->st_shndx);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
switch(ELF_ST_TYPE(sym->st_info)) {
|
|
|
|
case STT_OBJECT:
|
|
|
|
case STT_FUNC:
|
|
|
|
case STT_SECTION:
|
|
|
|
case STT_FILE:
|
2008-01-30 19:30:43 +07:00
|
|
|
sym->st_value += VDSO_ADDR_ADJUST;
|
2007-05-03 00:27:12 +07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static __init void reloc_dyn(Elf32_Ehdr *ehdr, unsigned offset)
|
|
|
|
{
|
|
|
|
Elf32_Dyn *dyn = (void *)ehdr + offset;
|
|
|
|
|
|
|
|
for(; dyn->d_tag != DT_NULL; dyn++)
|
|
|
|
switch(dyn->d_tag) {
|
|
|
|
case DT_PLTGOT:
|
|
|
|
case DT_HASH:
|
|
|
|
case DT_STRTAB:
|
|
|
|
case DT_SYMTAB:
|
|
|
|
case DT_RELA:
|
|
|
|
case DT_INIT:
|
|
|
|
case DT_FINI:
|
|
|
|
case DT_REL:
|
|
|
|
case DT_DEBUG:
|
|
|
|
case DT_JMPREL:
|
|
|
|
case DT_VERSYM:
|
|
|
|
case DT_VERDEF:
|
|
|
|
case DT_VERNEED:
|
|
|
|
case DT_ADDRRNGLO ... DT_ADDRRNGHI:
|
|
|
|
/* definitely pointers needing relocation */
|
2008-01-30 19:30:43 +07:00
|
|
|
dyn->d_un.d_ptr += VDSO_ADDR_ADJUST;
|
2007-05-03 00:27:12 +07:00
|
|
|
break;
|
|
|
|
|
|
|
|
case DT_ENCODING ... OLD_DT_LOOS-1:
|
|
|
|
case DT_LOOS ... DT_HIOS-1:
|
|
|
|
/* Tags above DT_ENCODING are pointers if
|
|
|
|
they're even */
|
|
|
|
if (dyn->d_tag >= DT_ENCODING &&
|
|
|
|
(dyn->d_tag & 1) == 0)
|
2008-01-30 19:30:43 +07:00
|
|
|
dyn->d_un.d_ptr += VDSO_ADDR_ADJUST;
|
2007-05-03 00:27:12 +07:00
|
|
|
break;
|
|
|
|
|
|
|
|
case DT_VERDEFNUM:
|
|
|
|
case DT_VERNEEDNUM:
|
|
|
|
case DT_FLAGS_1:
|
|
|
|
case DT_RELACOUNT:
|
|
|
|
case DT_RELCOUNT:
|
|
|
|
case DT_VALRNGLO ... DT_VALRNGHI:
|
|
|
|
/* definitely not pointers */
|
|
|
|
break;
|
|
|
|
|
|
|
|
case OLD_DT_LOOS ... DT_LOOS-1:
|
|
|
|
case DT_HIOS ... DT_VALRNGLO-1:
|
|
|
|
default:
|
|
|
|
if (dyn->d_tag > DT_ENCODING)
|
|
|
|
printk(KERN_INFO "VDSO: unexpected DT_tag %x\n",
|
|
|
|
dyn->d_tag);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static __init void relocate_vdso(Elf32_Ehdr *ehdr)
|
|
|
|
{
|
|
|
|
Elf32_Phdr *phdr;
|
|
|
|
Elf32_Shdr *shdr;
|
|
|
|
int i;
|
|
|
|
|
2008-05-03 17:18:01 +07:00
|
|
|
BUG_ON(memcmp(ehdr->e_ident, ELFMAG, SELFMAG) != 0 ||
|
2008-01-30 19:30:43 +07:00
|
|
|
!elf_check_arch_ia32(ehdr) ||
|
2007-05-03 00:27:12 +07:00
|
|
|
ehdr->e_type != ET_DYN);
|
|
|
|
|
2008-01-30 19:30:43 +07:00
|
|
|
ehdr->e_entry += VDSO_ADDR_ADJUST;
|
2007-05-03 00:27:12 +07:00
|
|
|
|
|
|
|
/* rebase phdrs */
|
|
|
|
phdr = (void *)ehdr + ehdr->e_phoff;
|
|
|
|
for (i = 0; i < ehdr->e_phnum; i++) {
|
2008-01-30 19:30:43 +07:00
|
|
|
phdr[i].p_vaddr += VDSO_ADDR_ADJUST;
|
2007-05-03 00:27:12 +07:00
|
|
|
|
|
|
|
/* relocate dynamic stuff */
|
|
|
|
if (phdr[i].p_type == PT_DYNAMIC)
|
|
|
|
reloc_dyn(ehdr, phdr[i].p_offset);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* rebase sections */
|
|
|
|
shdr = (void *)ehdr + ehdr->e_shoff;
|
|
|
|
for(i = 0; i < ehdr->e_shnum; i++) {
|
|
|
|
if (!(shdr[i].sh_flags & SHF_ALLOC))
|
|
|
|
continue;
|
|
|
|
|
2008-01-30 19:30:43 +07:00
|
|
|
shdr[i].sh_addr += VDSO_ADDR_ADJUST;
|
2007-05-03 00:27:12 +07:00
|
|
|
|
|
|
|
if (shdr[i].sh_type == SHT_SYMTAB ||
|
|
|
|
shdr[i].sh_type == SHT_DYNSYM)
|
|
|
|
reloc_symtab(ehdr, shdr[i].sh_offset,
|
|
|
|
shdr[i].sh_size);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2008-01-30 19:30:43 +07:00
|
|
|
static struct page *vdso32_pages[1];
|
|
|
|
|
|
|
|
#ifdef CONFIG_X86_64
|
|
|
|
|
2008-07-11 08:13:36 +07:00
|
|
|
#define vdso32_sysenter() (boot_cpu_has(X86_FEATURE_SYSENTER32))
|
2008-07-12 16:22:00 +07:00
|
|
|
#define vdso32_syscall() (boot_cpu_has(X86_FEATURE_SYSCALL32))
|
2008-01-30 19:30:43 +07:00
|
|
|
|
|
|
|
/* May not be __init: called during resume */
|
|
|
|
void syscall32_cpu_init(void)
|
|
|
|
{
|
|
|
|
/* Load these always in case some future AMD CPU supports
|
|
|
|
SYSENTER from compat mode too. */
|
|
|
|
checking_wrmsrl(MSR_IA32_SYSENTER_CS, (u64)__KERNEL_CS);
|
|
|
|
checking_wrmsrl(MSR_IA32_SYSENTER_ESP, 0ULL);
|
|
|
|
checking_wrmsrl(MSR_IA32_SYSENTER_EIP, (u64)ia32_sysenter_target);
|
|
|
|
|
|
|
|
wrmsrl(MSR_CSTAR, ia32_cstar_target);
|
|
|
|
}
|
|
|
|
|
|
|
|
#define compat_uses_vma 1
|
|
|
|
|
|
|
|
static inline void map_compat_vdso(int map)
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
|
|
|
#else /* CONFIG_X86_32 */
|
|
|
|
|
|
|
|
#define vdso32_sysenter() (boot_cpu_has(X86_FEATURE_SEP))
|
2008-07-12 16:22:00 +07:00
|
|
|
#define vdso32_syscall() (0)
|
2008-01-30 19:30:43 +07:00
|
|
|
|
2005-06-26 04:54:53 +07:00
|
|
|
void enable_sep_cpu(void)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
|
|
|
int cpu = get_cpu();
|
|
|
|
struct tss_struct *tss = &per_cpu(init_tss, cpu);
|
|
|
|
|
2005-06-26 04:54:53 +07:00
|
|
|
if (!boot_cpu_has(X86_FEATURE_SEP)) {
|
|
|
|
put_cpu();
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2007-05-03 00:27:13 +07:00
|
|
|
tss->x86_tss.ss1 = __KERNEL_CS;
|
2008-01-30 19:31:02 +07:00
|
|
|
tss->x86_tss.sp1 = sizeof(struct tss_struct) + (unsigned long) tss;
|
2005-04-17 05:20:36 +07:00
|
|
|
wrmsr(MSR_IA32_SYSENTER_CS, __KERNEL_CS, 0);
|
2008-01-30 19:31:02 +07:00
|
|
|
wrmsr(MSR_IA32_SYSENTER_ESP, tss->x86_tss.sp1, 0);
|
2008-01-30 19:30:43 +07:00
|
|
|
wrmsr(MSR_IA32_SYSENTER_EIP, (unsigned long) ia32_sysenter_target, 0);
|
2005-04-17 05:20:36 +07:00
|
|
|
put_cpu();
|
|
|
|
}
|
|
|
|
|
2007-05-03 00:27:12 +07:00
|
|
|
static struct vm_area_struct gate_vma;
|
|
|
|
|
|
|
|
static int __init gate_vma_init(void)
|
|
|
|
{
|
|
|
|
gate_vma.vm_mm = NULL;
|
|
|
|
gate_vma.vm_start = FIXADDR_USER_START;
|
|
|
|
gate_vma.vm_end = FIXADDR_USER_END;
|
|
|
|
gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
|
|
|
|
gate_vma.vm_page_prot = __P101;
|
coredump: remove VM_ALWAYSDUMP flag
The motivation for this patchset was that I was looking at a way for a
qemu-kvm process, to exclude the guest memory from its core dump, which
can be quite large. There are already a number of filter flags in
/proc/<pid>/coredump_filter, however, these allow one to specify 'types'
of kernel memory, not specific address ranges (which is needed in this
case).
Since there are no more vma flags available, the first patch eliminates
the need for the 'VM_ALWAYSDUMP' flag. The flag is used internally by
the kernel to mark vdso and vsyscall pages. However, it is simple
enough to check if a vma covers a vdso or vsyscall page without the need
for this flag.
The second patch then replaces the 'VM_ALWAYSDUMP' flag with a new
'VM_NODUMP' flag, which can be set by userspace using new madvise flags:
'MADV_DONTDUMP', and unset via 'MADV_DODUMP'. The core dump filters
continue to work the same as before unless 'MADV_DONTDUMP' is set on the
region.
The qemu code which implements this features is at:
http://people.redhat.com/~jbaron/qemu-dump/qemu-dump.patch
In my testing the qemu core dump shrunk from 383MB -> 13MB with this
patch.
I also believe that the 'MADV_DONTDUMP' flag might be useful for
security sensitive apps, which might want to select which areas are
dumped.
This patch:
The VM_ALWAYSDUMP flag is currently used by the coredump code to
indicate that a vma is part of a vsyscall or vdso section. However, we
can determine if a vma is in one these sections by checking it against
the gate_vma and checking for a non-NULL return value from
arch_vma_name(). Thus, freeing a valuable vma bit.
Signed-off-by: Jason Baron <jbaron@redhat.com>
Acked-by: Roland McGrath <roland@hack.frob.com>
Cc: Chris Metcalf <cmetcalf@tilera.com>
Cc: Avi Kivity <avi@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-03-24 05:02:51 +07:00
|
|
|
|
2007-05-03 00:27:12 +07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-01-30 19:30:43 +07:00
|
|
|
#define compat_uses_vma 0
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2007-05-03 00:27:12 +07:00
|
|
|
static void map_compat_vdso(int map)
|
|
|
|
{
|
|
|
|
static int vdso_mapped;
|
|
|
|
|
|
|
|
if (map == vdso_mapped)
|
|
|
|
return;
|
|
|
|
|
|
|
|
vdso_mapped = map;
|
|
|
|
|
2008-01-30 19:30:43 +07:00
|
|
|
__set_fixmap(FIX_VDSO, page_to_pfn(vdso32_pages[0]) << PAGE_SHIFT,
|
2007-05-03 00:27:12 +07:00
|
|
|
map ? PAGE_READONLY_EXEC : PAGE_NONE);
|
|
|
|
|
|
|
|
/* flush stray tlbs */
|
|
|
|
flush_tlb_all();
|
|
|
|
}
|
|
|
|
|
2008-01-30 19:30:43 +07:00
|
|
|
#endif /* CONFIG_X86_64 */
|
|
|
|
|
2007-05-03 00:27:12 +07:00
|
|
|
int __init sysenter_setup(void)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2007-02-09 05:20:42 +07:00
|
|
|
void *syscall_page = (void *)get_zeroed_page(GFP_ATOMIC);
|
2007-05-03 00:27:12 +07:00
|
|
|
const void *vsyscall;
|
|
|
|
size_t vsyscall_len;
|
|
|
|
|
2008-01-30 19:30:43 +07:00
|
|
|
vdso32_pages[0] = virt_to_page(syscall_page);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2008-01-30 19:30:43 +07:00
|
|
|
#ifdef CONFIG_X86_32
|
2007-05-03 00:27:12 +07:00
|
|
|
gate_vma_init();
|
2008-01-30 19:30:43 +07:00
|
|
|
#endif
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2008-07-12 16:22:00 +07:00
|
|
|
if (vdso32_syscall()) {
|
|
|
|
vsyscall = &vdso32_syscall_start;
|
|
|
|
vsyscall_len = &vdso32_syscall_end - &vdso32_syscall_start;
|
|
|
|
} else if (vdso32_sysenter()){
|
2008-01-30 19:30:43 +07:00
|
|
|
vsyscall = &vdso32_sysenter_start;
|
|
|
|
vsyscall_len = &vdso32_sysenter_end - &vdso32_sysenter_start;
|
2008-07-12 16:22:00 +07:00
|
|
|
} else {
|
|
|
|
vsyscall = &vdso32_int80_start;
|
|
|
|
vsyscall_len = &vdso32_int80_end - &vdso32_int80_start;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
2007-05-03 00:27:12 +07:00
|
|
|
memcpy(syscall_page, vsyscall, vsyscall_len);
|
|
|
|
relocate_vdso(syscall_page);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
|
|
|
|
/* Setup a VMA at program startup for the vsyscall page */
|
2008-12-25 19:38:35 +07:00
|
|
|
int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
{
|
|
|
|
struct mm_struct *mm = current->mm;
|
|
|
|
unsigned long addr;
|
2007-05-03 00:27:16 +07:00
|
|
|
int ret = 0;
|
2007-05-03 00:27:12 +07:00
|
|
|
bool compat;
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
|
2008-04-09 15:30:06 +07:00
|
|
|
if (vdso_enabled == VDSO_DISABLED)
|
|
|
|
return 0;
|
|
|
|
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
down_write(&mm->mmap_sem);
|
|
|
|
|
2007-05-03 00:27:12 +07:00
|
|
|
/* Test compat mode once here, in case someone
|
|
|
|
changes it via sysctl */
|
|
|
|
compat = (vdso_enabled == VDSO_COMPAT);
|
|
|
|
|
|
|
|
map_compat_vdso(compat);
|
|
|
|
|
|
|
|
if (compat)
|
|
|
|
addr = VDSO_HIGH_BASE;
|
|
|
|
else {
|
|
|
|
addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
|
|
|
|
if (IS_ERR_VALUE(addr)) {
|
|
|
|
ret = addr;
|
|
|
|
goto up_fail;
|
|
|
|
}
|
2008-01-30 19:30:43 +07:00
|
|
|
}
|
2007-05-03 00:27:12 +07:00
|
|
|
|
2009-06-05 19:04:51 +07:00
|
|
|
current->mm->context.vdso = (void *)addr;
|
|
|
|
|
2008-01-30 19:30:43 +07:00
|
|
|
if (compat_uses_vma || !compat) {
|
2007-05-03 00:27:12 +07:00
|
|
|
/*
|
|
|
|
* MAYWRITE to allow gdb to COW and set breakpoints
|
|
|
|
*/
|
|
|
|
ret = install_special_mapping(mm, addr, PAGE_SIZE,
|
|
|
|
VM_READ|VM_EXEC|
|
coredump: remove VM_ALWAYSDUMP flag
The motivation for this patchset was that I was looking at a way for a
qemu-kvm process, to exclude the guest memory from its core dump, which
can be quite large. There are already a number of filter flags in
/proc/<pid>/coredump_filter, however, these allow one to specify 'types'
of kernel memory, not specific address ranges (which is needed in this
case).
Since there are no more vma flags available, the first patch eliminates
the need for the 'VM_ALWAYSDUMP' flag. The flag is used internally by
the kernel to mark vdso and vsyscall pages. However, it is simple
enough to check if a vma covers a vdso or vsyscall page without the need
for this flag.
The second patch then replaces the 'VM_ALWAYSDUMP' flag with a new
'VM_NODUMP' flag, which can be set by userspace using new madvise flags:
'MADV_DONTDUMP', and unset via 'MADV_DODUMP'. The core dump filters
continue to work the same as before unless 'MADV_DONTDUMP' is set on the
region.
The qemu code which implements this features is at:
http://people.redhat.com/~jbaron/qemu-dump/qemu-dump.patch
In my testing the qemu core dump shrunk from 383MB -> 13MB with this
patch.
I also believe that the 'MADV_DONTDUMP' flag might be useful for
security sensitive apps, which might want to select which areas are
dumped.
This patch:
The VM_ALWAYSDUMP flag is currently used by the coredump code to
indicate that a vma is part of a vsyscall or vdso section. However, we
can determine if a vma is in one these sections by checking it against
the gate_vma and checking for a non-NULL return value from
arch_vma_name(). Thus, freeing a valuable vma bit.
Signed-off-by: Jason Baron <jbaron@redhat.com>
Acked-by: Roland McGrath <roland@hack.frob.com>
Cc: Chris Metcalf <cmetcalf@tilera.com>
Cc: Avi Kivity <avi@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-03-24 05:02:51 +07:00
|
|
|
VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
|
2008-01-30 19:30:43 +07:00
|
|
|
vdso32_pages);
|
2007-05-03 00:27:12 +07:00
|
|
|
|
|
|
|
if (ret)
|
|
|
|
goto up_fail;
|
|
|
|
}
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
|
|
|
|
current_thread_info()->sysenter_return =
|
2008-01-30 19:30:42 +07:00
|
|
|
VDSO32_SYMBOL(addr, SYSENTER_RETURN);
|
2007-05-03 00:27:12 +07:00
|
|
|
|
|
|
|
up_fail:
|
2009-06-05 19:04:51 +07:00
|
|
|
if (ret)
|
|
|
|
current->mm->context.vdso = NULL;
|
|
|
|
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
up_write(&mm->mmap_sem);
|
2007-05-03 00:27:12 +07:00
|
|
|
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2008-01-30 19:30:43 +07:00
|
|
|
#ifdef CONFIG_X86_64
|
|
|
|
|
2010-06-17 03:30:42 +07:00
|
|
|
subsys_initcall(sysenter_setup);
|
2008-01-30 19:30:43 +07:00
|
|
|
|
2008-01-30 19:31:55 +07:00
|
|
|
#ifdef CONFIG_SYSCTL
|
|
|
|
/* Register vsyscall32 into the ABI table */
|
|
|
|
#include <linux/sysctl.h>
|
|
|
|
|
|
|
|
static ctl_table abi_table2[] = {
|
|
|
|
{
|
|
|
|
.procname = "vsyscall32",
|
|
|
|
.data = &sysctl_vsyscall32,
|
|
|
|
.maxlen = sizeof(int),
|
|
|
|
.mode = 0644,
|
|
|
|
.proc_handler = proc_dointvec
|
|
|
|
},
|
|
|
|
{}
|
|
|
|
};
|
|
|
|
|
|
|
|
static ctl_table abi_root_table2[] = {
|
|
|
|
{
|
|
|
|
.procname = "abi",
|
|
|
|
.mode = 0555,
|
|
|
|
.child = abi_table2
|
|
|
|
},
|
|
|
|
{}
|
|
|
|
};
|
|
|
|
|
|
|
|
static __init int ia32_binfmt_init(void)
|
|
|
|
{
|
|
|
|
register_sysctl_table(abi_root_table2);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
__initcall(ia32_binfmt_init);
|
|
|
|
#endif
|
|
|
|
|
2008-01-30 19:30:43 +07:00
|
|
|
#else /* CONFIG_X86_32 */
|
|
|
|
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
const char *arch_vma_name(struct vm_area_struct *vma)
|
|
|
|
{
|
|
|
|
if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
|
|
|
|
return "[vdso]";
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2011-03-14 02:49:15 +07:00
|
|
|
struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
{
|
2011-03-14 02:49:15 +07:00
|
|
|
/*
|
|
|
|
* Check to see if the corresponding task was created in compat vdso
|
|
|
|
* mode.
|
|
|
|
*/
|
2007-05-03 00:27:12 +07:00
|
|
|
if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
|
|
|
|
return &gate_vma;
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2011-03-14 02:49:16 +07:00
|
|
|
int in_gate_area(struct mm_struct *mm, unsigned long addr)
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
{
|
2011-03-14 02:49:16 +07:00
|
|
|
const struct vm_area_struct *vma = get_gate_vma(mm);
|
2007-07-21 22:10:21 +07:00
|
|
|
|
|
|
|
return vma && addr >= vma->vm_start && addr < vma->vm_end;
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
}
|
|
|
|
|
2011-03-14 02:49:17 +07:00
|
|
|
int in_gate_area_no_mm(unsigned long addr)
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 16:53:50 +07:00
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
2008-01-30 19:30:43 +07:00
|
|
|
|
|
|
|
#endif /* CONFIG_X86_64 */
|