The following patches bring ARM vDSO read-only patches from Linus's master branch into the 4.4 stable kernel. All of the patches applied cleanly to the 4.4 stable tree.
The easiest way to test this is to enable -DDEBUG on arch/arm/kernel/vdso.o, and see the kernel address of the vDSO page. Then, using CONFIG_ARM_PTDUMP, look at the mappings, and ensure this page is in RO after applying these patches.
There is a demonstrated x86 exploit that uses this to gain root, and this could be done in a similar manner on ARM.
I'll follow the patches with a pull request.
David Brown (1): ARM/vdso: Mark the vDSO code read-only after init
Kees Cook (6): asm-generic: Consolidate mark_rodata_ro() mm/init: Add 'rodata=off' boot cmdline parameter to disable read-only kernel mappings x86/mm: Always enable CONFIG_DEBUG_RODATA and remove the Kconfig option arch: Introduce post-init read-only memory lkdtm: Verify that '__ro_after_init' works correctly x86/vdso: Mark the vDSO code read-only after init
Documentation/kernel-parameters.txt | 4 ++++ arch/arm/include/asm/cacheflush.h | 1 - arch/arm/vdso/vdso.S | 3 +-- arch/arm64/include/asm/cacheflush.h | 4 ---- arch/parisc/include/asm/cache.h | 3 +++ arch/parisc/include/asm/cacheflush.h | 4 ---- arch/x86/Kconfig | 3 +++ arch/x86/Kconfig.debug | 18 +++--------------- arch/x86/entry/vdso/vdso2c.h | 2 +- arch/x86/include/asm/cacheflush.h | 6 ------ arch/x86/include/asm/kvm_para.h | 7 ------- arch/x86/include/asm/sections.h | 2 +- arch/x86/kernel/ftrace.c | 6 +++--- arch/x86/kernel/kgdb.c | 8 ++------ arch/x86/kernel/test_nx.c | 2 -- arch/x86/kernel/test_rodata.c | 2 +- arch/x86/kernel/vmlinux.lds.S | 25 +++++++++++-------------- arch/x86/mm/init_32.c | 3 --- arch/x86/mm/init_64.c | 3 --- arch/x86/mm/pageattr.c | 2 +- drivers/misc/lkdtm.c | 29 ++++++++++++++++++++++++++--- include/asm-generic/vmlinux.lds.h | 1 + include/linux/cache.h | 14 ++++++++++++++ include/linux/init.h | 4 ++++ init/main.c | 27 +++++++++++++++++++++++---- kernel/debug/kdb/kdb_bp.c | 4 +--- 26 files changed, 103 insertions(+), 84 deletions(-)