
[Pull,request,Natty] Add RO/NX protection for loadable kernel modules

Message ID 20101119215737.GB4490@outflux.net
State Rejected
Delegated to: Andy Whitcroft

Pull-request

git://kernel.ubuntu.com/kees/ubuntu-natty.git master

Message

Kees Cook Nov. 19, 2010, 9:57 p.m. UTC
This pulls in the module RO/NX protections currently living in tip
x86/security.

The following changes since commit 04c5cc1a4894c3b9d16af7977f5fc4baf230864c:

  UBUNTU: Start new release (2010-11-18 18:12:54 +0000)

are available in the git repository at:
  git://kernel.ubuntu.com/kees/ubuntu-natty.git master

Kees Cook (1):
      UBUNTU: [Config] update config for CONFIG_DEBUG_SET_MODULE_RONX

Matthieu CASTET (3):
      x86: Fix improper large page preservation
      x86: Add NX protection for kernel data
      x86: Add RO/NX protection for loadable kernel modules

 arch/x86/Kconfig.debug                    |   11 ++
 arch/x86/include/asm/pci.h                |    1 +
 arch/x86/kernel/ftrace.c                  |    3 +
 arch/x86/kernel/vmlinux.lds.S             |    8 +-
 arch/x86/mm/init.c                        |    3 +-
 arch/x86/mm/init_32.c                     |   20 +++-
 arch/x86/mm/init_64.c                     |    3 +-
 arch/x86/mm/pageattr.c                    |   33 ++++--
 arch/x86/pci/pcbios.c                     |   23 ++++
 debian.master/config/config.common.ubuntu |    1 +
 debian.master/config/enforce              |    1 +
 include/linux/module.h                    |   11 ++-
 kernel/module.c                           |  171 ++++++++++++++++++++++++++++-
 13 files changed, 270 insertions(+), 19 deletions(-)

Comments

Tim Gardner Nov. 21, 2010, 2:53 a.m. UTC | #1
On 11/19/2010 02:57 PM, Kees Cook wrote:
> This pulls in the module RO/NX protections currently living in tip
> x86/security.
>
> The following changes since commit 04c5cc1a4894c3b9d16af7977f5fc4baf230864c:
>
>    UBUNTU: Start new release (2010-11-18 18:12:54 +0000)
>
> are available in the git repository at:
>    git://kernel.ubuntu.com/kees/ubuntu-natty.git master
>
> Kees Cook (1):
>        UBUNTU: [Config] update config for CONFIG_DEBUG_SET_MODULE_RONX
>
> Matthieu CASTET (3):
>        x86: Fix improper large page preservation
>        x86: Add NX protection for kernel data
>        x86: Add RO/NX protection for loadable kernel modules
>
>   arch/x86/Kconfig.debug                    |   11 ++
>   arch/x86/include/asm/pci.h                |    1 +
>   arch/x86/kernel/ftrace.c                  |    3 +
>   arch/x86/kernel/vmlinux.lds.S             |    8 +-
>   arch/x86/mm/init.c                        |    3 +-
>   arch/x86/mm/init_32.c                     |   20 +++-
>   arch/x86/mm/init_64.c                     |    3 +-
>   arch/x86/mm/pageattr.c                    |   33 ++++--
>   arch/x86/pci/pcbios.c                     |   23 ++++
>   debian.master/config/config.common.ubuntu |    1 +
>   debian.master/config/enforce              |    1 +
>   include/linux/module.h                    |   11 ++-
>   kernel/module.c                           |  171 ++++++++++++++++++++++++++++-
>   13 files changed, 270 insertions(+), 19 deletions(-)
>

Pulled and uploaded in 2.6.37-6.15
Andy Whitcroft Nov. 22, 2010, 2:14 p.m. UTC | #2
On Fri, Nov 19, 2010 at 01:57:37PM -0800, Kees Cook wrote:
> This pulls in the module RO/NX protections currently living in tip
> x86/security.
> 
> The following changes since commit 04c5cc1a4894c3b9d16af7977f5fc4baf230864c:
> 
>   UBUNTU: Start new release (2010-11-18 18:12:54 +0000)
> 
> are available in the git repository at:
>   git://kernel.ubuntu.com/kees/ubuntu-natty.git master
> 
> Kees Cook (1):
>       UBUNTU: [Config] update config for CONFIG_DEBUG_SET_MODULE_RONX
> 
> Matthieu CASTET (3):
>       x86: Fix improper large page preservation
>       x86: Add NX protection for kernel data
>       x86: Add RO/NX protection for loadable kernel modules
> 
>  arch/x86/Kconfig.debug                    |   11 ++
>  arch/x86/include/asm/pci.h                |    1 +
>  arch/x86/kernel/ftrace.c                  |    3 +
>  arch/x86/kernel/vmlinux.lds.S             |    8 +-
>  arch/x86/mm/init.c                        |    3 +-
>  arch/x86/mm/init_32.c                     |   20 +++-
>  arch/x86/mm/init_64.c                     |    3 +-
>  arch/x86/mm/pageattr.c                    |   33 ++++--
>  arch/x86/pci/pcbios.c                     |   23 ++++
>  debian.master/config/config.common.ubuntu |    1 +
>  debian.master/config/enforce              |    1 +
>  include/linux/module.h                    |   11 ++-
>  kernel/module.c                           |  171 ++++++++++++++++++++++++++++-
>  13 files changed, 270 insertions(+), 19 deletions(-)

This patch seems to render all significant loadable modules un-loadable.
I was unable to capture the kernel trace, but it appeared to be a
relocation failure so I am suspicious that the kernel dynamic linker
was unable to write to the modules to complete loading.  For one of my
ethernet cards it was also triggering ftrace breakage;
ftrace_update_code was failing.

I have backed out this patch for the time being.

-apw
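The ordering problem Andy suspects, as an added userland model (not code from this pull request or the kernel): a page standing in for module text is made read-only either before or after a constructed relocation is written into it, and only the early-protect order faults. The relocation offset, value and NOP fill are constructed for the example.

```c
// Added example, not code from this pull request or the kernel: a userland
// model of the failure Andy describes. A page standing in for module text is
// made read-only either before or after a (constructed) relocation is written
// into it; the early-protect order faults, relocate-then-protect does not.
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;

static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Hypothetical relocation: patch a 32-bit slot inside the module image. */
static void apply_reloc(uint8_t *text, size_t off, uint32_t value) {
    memcpy(text + off, &value, sizeof value);
}

/* Returns 0 when the "module" loads, -1 when a write to it faulted. */
int load_module(int protect_before_reloc) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *text = mmap(NULL, page, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (text == MAP_FAILED) return -1;
    memset(text, 0x90, page);               /* constructed "code": NOPs */

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    int rc = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        if (protect_before_reloc)
            mprotect(text, page, PROT_READ); /* RO/NX applied too early */
        apply_reloc(text, 16, 0xdeadbeef);   /* the linker writes into text */
        mprotect(text, page, PROT_READ);     /* correct order: protect last */
    } else {
        rc = -1;                             /* write hit a read-only page */
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(text, page);
    return rc;
}
```

The same ordering constraint applies to anything else that patches module text after load, such as the ftrace_update_code path Andy mentions.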
Kees Cook Nov. 22, 2010, 5:37 p.m. UTC | #3
Hi Andy,

On Mon, Nov 22, 2010 at 02:14:19PM +0000, Andy Whitcroft wrote:
> This patch seems to render all significant loadable modules un-loadable.

?? I had no problem at all. I tested with that patch on multiple systems.
:( Can you post details to lkml so the author can poke at it?

-Kees