[PATCH v7 13/14] module: Do not set nx for module memory before freeing
Nadav Amit
namit at vmware.com
Thu Dec 6 18:56:14 UTC 2018
> On Dec 6, 2018, at 10:52 AM, Andy Lutomirski <luto at kernel.org> wrote:
>
> On Wed, Dec 5, 2018 at 12:52 AM Nadav Amit <namit at vmware.com> wrote:
>> When module memory is about to be freed, there is no apparent reason to
>> make it (and its data) executable, but that's exactly what is done
>> today. This is not efficient and not secure.
>>
>> There are various theories why it was done, but none of them seems like
>> something that really requires it today. nios2 uses kmalloc for module
>> memory, but anyhow it does not change the PTEs of the module memory. In
>> x86, changing vmalloc'd memory mappings also modifies the direct mapping
>> alias, but the NX-bit is not modified in such way.
>>
>> So let's remove it. Andy suggested that the changes of the PTEs can be
>> avoided (excluding the direct-mapping alias), which is true. However,
>> in x86 it requires some cleanup of the contiguous page allocator, which
>> is outside of the scope of this patch-set.
>
>
> I'm okay with this, but I'd like to see Rick's stuff get rebased on
> top of it and clean it up for real.
Sorry for my laziness. It just seems that every small thing I touch in
regard to W^X or text_poke() is broken, and I need to finish some other
“chores” first.