On 16 March 2016 at 23:10, David Brown <david.brown@linaro.org> wrote:
The following patches bring ARM vDSO read-only patches from Linus's
master branch into the 4.4 stable kernel.  All of the patches applied
cleanly to the 4.4 stable tree.

Applied and pushed out for test, I'll give it another spin tomorrow and push it out to the main branch assuming all is well.

The easiest way to test this is to enable -DDEBUG on
arch/arm/kernel/vdso.o, and see the kernel address of the vDSO page.
Then, using CONFIG_ARM_PTDUMP, look at the mappings, and ensure this
page is in RO after applying these patches.

There is a demonstrated x86 exploit that uses this to gain root, and
this could be done in a similar manner on ARM.

I'll follow the patches with a pull request.

David Brown (1):
  ARM/vdso: Mark the vDSO code read-only after init

Kees Cook (6):
  asm-generic: Consolidate mark_rodata_ro()
  mm/init: Add 'rodata=off' boot cmdline parameter to disable read-only
    kernel mappings
  x86/mm: Always enable CONFIG_DEBUG_RODATA and remove the Kconfig
    option
  arch: Introduce post-init read-only memory
  lkdtm: Verify that '__ro_after_init' works correctly
  x86/vdso: Mark the vDSO code read-only after init

 Documentation/kernel-parameters.txt  |  4 ++++
 arch/arm/include/asm/cacheflush.h    |  1 -
 arch/arm/vdso/vdso.S                 |  3 +--
 arch/arm64/include/asm/cacheflush.h  |  4 ----
 arch/parisc/include/asm/cache.h      |  3 +++
 arch/parisc/include/asm/cacheflush.h |  4 ----
 arch/x86/Kconfig                     |  3 +++
 arch/x86/Kconfig.debug               | 18 +++---------------
 arch/x86/entry/vdso/vdso2c.h         |  2 +-
 arch/x86/include/asm/cacheflush.h    |  6 ------
 arch/x86/include/asm/kvm_para.h      |  7 -------
 arch/x86/include/asm/sections.h      |  2 +-
 arch/x86/kernel/ftrace.c             |  6 +++---
 arch/x86/kernel/kgdb.c               |  8 ++------
 arch/x86/kernel/test_nx.c            |  2 --
 arch/x86/kernel/test_rodata.c        |  2 +-
 arch/x86/kernel/vmlinux.lds.S        | 25 +++++++++++--------------
 arch/x86/mm/init_32.c                |  3 ---
 arch/x86/mm/init_64.c                |  3 ---
 arch/x86/mm/pageattr.c               |  2 +-
 drivers/misc/lkdtm.c                 | 29 ++++++++++++++++++++++++++---
 include/asm-generic/vmlinux.lds.h    |  1 +
 include/linux/cache.h                | 14 ++++++++++++++
 include/linux/init.h                 |  4 ++++
 init/main.c                          | 27 +++++++++++++++++++++++----
 kernel/debug/kdb/kdb_bp.c            |  4 +---
 26 files changed, 103 insertions(+), 84 deletions(-)

--
2.7.2