Bug 679271

Summary: [RFE] kernel: RO/NX protections [rhel-6.2]
Product: Red Hat Enterprise Linux 6 Reporter: Eugene Teo (Security Response) <eteo>
Component: kernelAssignee: Phillip Lougher <plougher>
Status: CLOSED WONTFIX QA Contact: Evan McNabb <emcnabb>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.1CC: arozansk, dhoward, fhrbata, jrieden, lwang, peterm, riehecky, tcallawa, wgomerin
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 679270 Environment:
Last Closed: 2015-10-13 22:11:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 679270, 679272    
Bug Blocks: 767187, 1270638    

Description Eugene Teo (Security Response) 2011-02-22 05:32:04 UTC 
+++ This bug was initially created as a clone of Bug #679270 +++

Description of problem:
1) x86: Add NX protection for kernel data

This patch expands functionality of CONFIG_DEBUG_RODATA to set main (static) kernel data area as NX.
    
The following steps are taken to achieve this:  
     1. Linker script is adjusted so .text always starts and ends on a page bound
     2. Linker script is adjusted so .rodata always start and end on a page boundary
     3. NX is set for all pages from _etext through _end in mark_rodata_ro.
     4. free_init_pages() sets released memory NX in arch/x86/mm/init.c
     5. bios rom is set to x when pcibios is used.

http://git.kernel.org/linus/5bd5a452662bc37c54fb6828db1a3faf87e6511c

2) x86: Add RO/NX protection for loadable kernel modules

This patch is a logical extension of the protection provided by CONFIG_DEBUG_RODATA to LKMs. The protection is provided by splitting module_core and module_init into three logical parts each and setting appropriate page access permissions for each individual section:    
     1. Code: RO+X
     2. RO data: RO+NX
     3. RW data: RW+NX
    
In order to achieve proper protection, layout_sections() have been modified to align each of the three parts mentioned above onto page boundary. Next, the corresponding page access permissions are set right before successful exit from load_module(). Further, free_module() and sys_init_module have been modified to set module_core and module_init as RW+NX right before calling module_free().
    
By default, the original section layout and access flags are preserved. When compiled with CONFIG_DEBUG_SET_MODULE_RONX=y, the patch will page-align each group of sections to ensure that each page contains only one type of content and will enforce RO/NX for each group of pages.

http://git.kernel.org/linus/84e1c6bb38eb318e456558b610396d9f1afaabf0

3) x86: Fix jump label with RO/NX module protection crash
    
If we use jump table in module init, there are marked as removed in __jump_table section after init is done.
    
But we already applied ro permissions on the module, so we can't modify a read only section (crash in remove_jump_label_module_init).
    
Make the __jump_table section rw.

http://git.kernel.org/linus/8969691343354bdd80eff5405a0f879edbf013d6
Comment 1 Suzanne Logcher 2011-03-28 20:30:32 UTC 
Since RHEL 6.1 External Beta has begun, and this bug remains 
unresolved, it has been rejected as it is not proposed as an 
exception or blocker.  It has been moved to RHEL 6.2 since 
it is a FutureFeature request.
Comment 2 Suzanne Forsberg 2011-04-05 15:20:59 UTC 
Removing the 6.0.z? flag since this BZ has been moved to RHEL 6.2. If zstream is requested, it should be requested for 6.1.z.
Comment 3 Eugene Teo (Security Response) 2011-04-06 08:07:45 UTC 
(In reply to comment #2)
> Removing the 6.0.z? flag since this BZ has been moved to RHEL 6.2. If zstream
> is requested, it should be requested for 6.1.z.

Done, thanks.
Comment 8 RHEL Program Management 2012-05-03 05:17:53 UTC 
Since RHEL 6.3 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.