From 1c12c4cf9411eb130b245fa8d0fbbaf989477c7b Mon Sep 17 00:00:00 2001 From: Venki Pallipadi Date: Wed, 14 May 2008 16:05:51 -0700 Subject: mprotect: prevent alteration of the PAT bits There is a defect in mprotect, which lets the user change the page cache type bits by-passing the kernel reserve_memtype and free_memtype wrappers. Fix the problem by not letting mprotect change the PAT bits. Signed-off-by: Venkatesh Pallipadi Signed-off-by: Suresh Siddha Signed-off-by: Ingo Molnar Signed-off-by: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- include/asm-x86/pgtable.h | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'include/asm-x86/pgtable.h') diff --git a/include/asm-x86/pgtable.h b/include/asm-x86/pgtable.h index 801b31f71452..55c3a0e3a8ce 100644 --- a/include/asm-x86/pgtable.h +++ b/include/asm-x86/pgtable.h @@ -57,7 +57,8 @@ #define _KERNPG_TABLE (_PAGE_PRESENT | _PAGE_RW | _PAGE_ACCESSED | \ _PAGE_DIRTY) -#define _PAGE_CHG_MASK (PTE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY) +#define _PAGE_CHG_MASK (PTE_MASK | _PAGE_PCD | _PAGE_PWT | \ + _PAGE_ACCESSED | _PAGE_DIRTY) #define _PAGE_CACHE_MASK (_PAGE_PCD | _PAGE_PWT) #define _PAGE_CACHE_WB (0) @@ -288,12 +289,21 @@ static inline pte_t pte_modify(pte_t pte, pgprot_t newprot) * Chop off the NX bit (if present), and add the NX portion of * the newprot (if present): */ - val &= _PAGE_CHG_MASK & ~_PAGE_NX; - val |= pgprot_val(newprot) & __supported_pte_mask; + val &= _PAGE_CHG_MASK; + val |= pgprot_val(newprot) & (~_PAGE_CHG_MASK) & __supported_pte_mask; return __pte(val); } +/* mprotect needs to preserve PAT bits when updating vm_page_prot */ +#define pgprot_modify pgprot_modify +static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot) +{ + pgprotval_t preservebits = pgprot_val(oldprot) & _PAGE_CHG_MASK; + pgprotval_t addbits = pgprot_val(newprot); + return __pgprot(preservebits | addbits); +} + #define pte_pgprot(x) __pgprot(pte_val(x) & (0xfff | _PAGE_NX)) #define canon_pgprot(p) __pgprot(pgprot_val(p) & __supported_pte_mask) -- cgit v1.2.3 From 86aaf4fd4ea25ddde05772d03b93dbce23c0ead1 Mon Sep 17 00:00:00 2001 From: Jeremy Fitzhardinge Date: Tue, 20 May 2008 08:26:22 +0100 Subject: x86: clarify use of _PAGE_CHG_MASK _PAGE_CHG_MASK is defined as the set of bits not updated by pte_modify(); specifically, the pfn itself, and the Accessed and Dirty bits (which are updated by hardware). Signed-off-by: Jeremy Fitzhardinge Tested-by: Hugh Dickins Signed-off-by: Linus Torvalds --- include/asm-x86/pgtable.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include/asm-x86/pgtable.h') diff --git a/include/asm-x86/pgtable.h b/include/asm-x86/pgtable.h index 55c3a0e3a8ce..b816134f753a 100644 --- a/include/asm-x86/pgtable.h +++ b/include/asm-x86/pgtable.h @@ -57,6 +57,7 @@ #define _KERNPG_TABLE (_PAGE_PRESENT | _PAGE_RW | _PAGE_ACCESSED | \ _PAGE_DIRTY) +/* Set of bits not changed in pte_modify */ #define _PAGE_CHG_MASK (PTE_MASK | _PAGE_PCD | _PAGE_PWT | \ _PAGE_ACCESSED | _PAGE_DIRTY) -- cgit v1.2.3 From ba23cef5c23cf1e9298032037d919157553d1211 Mon Sep 17 00:00:00 2001 From: Jeremy Fitzhardinge Date: Tue, 20 May 2008 08:26:23 +0100 Subject: x86: use PTE_MASK rather than ad-hoc mask Use ~PTE_MASK to extract the non-pfn parts of the pte (ie, the pte flags), rather than constructing an ad-hoc mask. Signed-off-by: Jeremy Fitzhardinge Tested-by: Hugh Dickins Signed-off-by: Linus Torvalds --- include/asm-x86/pgtable.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/asm-x86/pgtable.h') diff --git a/include/asm-x86/pgtable.h b/include/asm-x86/pgtable.h index b816134f753a..97c271b2910b 100644 --- a/include/asm-x86/pgtable.h +++ b/include/asm-x86/pgtable.h @@ -305,7 +305,7 @@ static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot) return __pgprot(preservebits | addbits); } -#define pte_pgprot(x) __pgprot(pte_val(x) & (0xfff | _PAGE_NX)) +#define pte_pgprot(x) __pgprot(pte_val(x) & ~PTE_MASK) #define canon_pgprot(p) __pgprot(pgprot_val(p) & __supported_pte_mask) -- cgit v1.2.3