Commit af1b3cf2 authored by Vincenzo Frascino, committed by Will Deacon

arm64: compat: Add KUSER_HELPERS config option

When kuser helpers are enabled the kernel maps the relative code at
a fixed address (0xffff0000). Making configurable the option to disable
them means that the kernel can remove this mapping and any access to
this memory area results in a sigfault.

Add a KUSER_HELPERS config option that can be used to disable the
mapping when it is turned off.

This option can be turned off if and only if the applications are
designed specifically for the platform and they do not make use of the
kuser helpers code.

Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
[will: Use IS_ENABLED() instead of #ifdef]
Signed-off-by: Will Deacon <will.deacon@arm.com>
parent 1255a734
...@@ -1498,6 +1498,34 @@ config COMPAT ...@@ -1498,6 +1498,34 @@ config COMPAT
If you want to execute 32-bit userspace applications, say Y. If you want to execute 32-bit userspace applications, say Y.
config KUSER_HELPERS
bool "Enable kuser helpers page for 32 bit applications."
depends on COMPAT
default y
help
Warning: disabling this option may break 32-bit user programs.
Provide kuser helpers to compat tasks. The kernel provides
helper code to userspace in read only form at a fixed location
to allow userspace to be independent of the CPU type fitted to
the system. This permits binaries to be run on ARMv4 through
to ARMv8 without modification.
See Documentation/arm/kernel_user_helpers.txt for details.
However, the fixed address nature of these helpers can be used
by ROP (return orientated programming) authors when creating
exploits.
If all of the binaries and libraries which run on your platform
are built specifically for your platform, and make no use of
these helpers, then you can turn this option off to hinder
such exploits. However, in that case, if a binary or library
relying on those helpers is run, it will not function correctly.
Say N here only if you are absolutely certain that you do not
need these helpers; otherwise, the safe option is to say Y.
config SYSVIPC_COMPAT config SYSVIPC_COMPAT
def_bool y def_bool y
depends on COMPAT && SYSVIPC depends on COMPAT && SYSVIPC
......
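Review bot: The prompt string `bool "Enable kuser helpers page for 32 bit applications."` ends with a period and writes "32 bit" where the help text below it uses "32-bit"; drop the trailing period and hyphenate it. In the help text, "return orientated programming" is normally written "return-oriented programming". The help also only says that an affected binary "will not function correctly", while the commit message is more specific (access to the removed mapping faults); stating that failure mode in the help would make it easier to recognize on a system built with N.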
...@@ -27,8 +27,9 @@ OBJCOPYFLAGS := --prefix-symbols=__efistub_ ...@@ -27,8 +27,9 @@ OBJCOPYFLAGS := --prefix-symbols=__efistub_
$(obj)/%.stub.o: $(obj)/%.o FORCE $(obj)/%.stub.o: $(obj)/%.o FORCE
$(call if_changed,objcopy) $(call if_changed,objcopy)
obj-$(CONFIG_COMPAT) += sys32.o kuser32.o signal32.o \ obj-$(CONFIG_COMPAT) += sys32.o signal32.o \
sigreturn32.o sys_compat.o sigreturn32.o sys_compat.o
obj-$(CONFIG_KUSER_HELPERS) += kuser32.o
obj-$(CONFIG_FUNCTION_TRACER) += ftrace.o entry-ftrace.o obj-$(CONFIG_FUNCTION_TRACER) += ftrace.o entry-ftrace.o
obj-$(CONFIG_MODULES) += module.o obj-$(CONFIG_MODULES) += module.o
obj-$(CONFIG_ARM64_MODULE_PLTS) += module-plts.o obj-$(CONFIG_ARM64_MODULE_PLTS) += module-plts.o
......
...@@ -6,10 +6,9 @@ ...@@ -6,10 +6,9 @@
* Copyright (C) 2005-2011 Nicolas Pitre <nico@fluxnic.net> * Copyright (C) 2005-2011 Nicolas Pitre <nico@fluxnic.net>
* Copyright (C) 2012-2018 ARM Ltd. * Copyright (C) 2012-2018 ARM Ltd.
* *
* Each segment is 32-byte aligned and will be moved to the top of the high * The kuser helpers below are mapped at a fixed address by
* vector page. New segments (if ever needed) must be added in front of * aarch32_setup_additional_pages() and are provided for compatibility
* existing ones. This mechanism should be used only for things that are * reasons with 32 bit (aarch32) applications that need them.
* really small and justified, and not be abused freely.
* *
* See Documentation/arm/kernel_user_helpers.txt for formal definitions. * See Documentation/arm/kernel_user_helpers.txt for formal definitions.
*/ */
......
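Review bot: The rewritten header comment drops the statements that each segment is 32-byte aligned and that new segments must be added in front of existing ones. If the helpers that follow still depend on that layout, keep those two sentences alongside the new text, since this comment is the only place in the hunk where the constraint is recorded.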
...@@ -74,6 +74,9 @@ static int aarch32_alloc_kuser_vdso_page(void) ...@@ -74,6 +74,9 @@ static int aarch32_alloc_kuser_vdso_page(void)
int kuser_sz = __kuser_helper_end - __kuser_helper_start; int kuser_sz = __kuser_helper_end - __kuser_helper_start;
unsigned long vdso_page; unsigned long vdso_page;
if (!IS_ENABLED(CONFIG_KUSER_HELPERS))
return 0;
vdso_page = get_zeroed_page(GFP_ATOMIC); vdso_page = get_zeroed_page(GFP_ATOMIC);
if (!vdso_page) if (!vdso_page)
return -ENOMEM; return -ENOMEM;
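Review bot: In aarch32_alloc_kuser_vdso_page() the initializer `int kuser_sz = __kuser_helper_end - __kuser_helper_start;` still sits above the new `if (!IS_ENABLED(CONFIG_KUSER_HELPERS))` check, while the Makefile hunk stops building kuser32.o when the option is off. Going by their names, those two symbols come from that object, so the build then depends on the compiler discarding the unused initializer before anything reaches the linker. Assigning kuser_sz after the early return would keep the reference visibly on the enabled path only.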
...@@ -112,6 +115,9 @@ static int aarch32_kuser_helpers_setup(struct mm_struct *mm) ...@@ -112,6 +115,9 @@ static int aarch32_kuser_helpers_setup(struct mm_struct *mm)
{ {
void *ret; void *ret;
if (!IS_ENABLED(CONFIG_KUSER_HELPERS))
return 0;
/* /*
* Avoid VM_MAYWRITE for compatibility with arch/arm/, where it's * Avoid VM_MAYWRITE for compatibility with arch/arm/, where it's
* not safe to CoW the page containing the CPU exception vectors. * not safe to CoW the page containing the CPU exception vectors.
......
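Review bot: The early `return 0` in aarch32_kuser_helpers_setup() reports success without mapping anything, and nothing at that point says this is deliberate. A one-line comment above the check, stating that compat tasks intentionally get no kuser helpers page when CONFIG_KUSER_HELPERS is off, would help the next reader; the same applies to the identical check in aarch32_alloc_kuser_vdso_page().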