
Teach vm.pmap.kernel_maps about both XN bits
Closed, Public

Authored by andrew on Dec 6 2021, 5:04 PM.

Details

Summary

The arm64 vm.pmap.kernel_maps sysctl would only check the kernel XN bit
when printing the kernel mapping. It can also be useful to check that none
of the mappings allow userspace to execute from a given virtual address.
To check for this, add the user XN bit when getting the kernel maps.

While here, fix the ATTR_S1_AP_USER check to use ATTR_S1_AP to shift the
value to the correct offset.

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

andrew requested review of this revision. Dec 6 2021, 5:04 PM
This revision is now accepted and ready to land. Dec 6 2021, 5:27 PM

Is UXN ever legitimately unset for anything in the kernel maps?

It should always be set on kernel maps. I would expect any executable shared memory to be in the user address space.

Userspace can execute kernel code if it's missing, even if it can't read the memory, and we did have a bug in the past where the UXN bit was missing.

sys/arm64/arm64/pmap.c, line 7008

I would represent !PXN as 'x' rather than 'X', to match the case of the other permission letters. !UXN is abnormal so its representation ought to look strange as well.

sys/arm64/arm64/pmap.c, lines 7052–7053

Hum, I think this code isn't right for table descriptors, which have their own encoding for access permissions. So the output of the sysctl might incorrectly report a mapping as executable when execution is in fact disabled by an earlier table entry.

... though apparently it's possible to disable enforcement of table attributes (HPDS), huh.

This revision now requires review to proceed. Dec 7 2021, 1:15 PM
This revision is now accepted and ready to land. Dec 7 2021, 2:49 PM
This revision was automatically updated to reflect the committed changes.
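
The two checks discussed in this review, as an added example that is not code from the FreeBSD tree: it decodes leaf entries into permission letters (lowercase 'x' for a clear PXN and an odd-looking 'X' for a clear UXN, as suggested in the inline comment) and shows which bit an unshifted ATTR_S1_AP_USER mask actually tests. The names ATTR_S1_AP and ATTR_S1_AP_USER come from the summary; their values, the other bit definitions, `PTE_VALID`, the helper functions and the sample entries are assumptions constructed here from the Armv8-A stage 1 descriptor layout. It handles leaf entries only, not the table-descriptor case raised above.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed values: Armv8-A stage 1 leaf descriptor layout, defined locally. */
#define ATTR_S1_UXN	(UINT64_C(1) << 54)	/* EL0 execute-never */
#define ATTR_S1_PXN	(UINT64_C(1) << 53)	/* EL1 execute-never */
#define ATTR_S1_AP(x)	((uint64_t)(x) << 6)	/* AP[2:1] sits at bits 7:6 */
#define ATTR_S1_AP_RO	2			/* AP[2]: read-only */
#define ATTR_S1_AP_USER	1			/* AP[1]: EL0 may access */
#define PTE_VALID	UINT64_C(1)		/* hypothetical name for bit 0 */

/* Unshifted mask tests bit 0 (the valid bit); shifted mask tests AP[1]. */
static int user_unshifted(uint64_t pte) { return ((pte & ATTR_S1_AP_USER) != 0); }
static int user_shifted(uint64_t pte) { return ((pte & ATTR_S1_AP(ATTR_S1_AP_USER)) != 0); }

/* Render write / EL1-exec / EL0-exec / user flags for one leaf entry. */
static void pte_flags(uint64_t pte, char out[5])
{
	out[0] = (pte & ATTR_S1_AP(ATTR_S1_AP_RO)) ? '-' : 'w';
	out[1] = (pte & ATTR_S1_PXN) ? '-' : 'x';
	out[2] = (pte & ATTR_S1_UXN) ? '-' : 'X';	/* abnormal in kernel maps */
	out[3] = user_shifted(pte) ? 'u' : 's';
	out[4] = '\0';
}

/* Count valid kernel leaf entries that EL0 could execute (UXN clear). */
static int count_uxn_missing(const uint64_t *ptes, int n)
{
	int bad = 0;
	for (int i = 0; i < n; i++)
		if ((ptes[i] & PTE_VALID) != 0 && (ptes[i] & ATTR_S1_UXN) == 0)
			bad++;
	return (bad);
}

/* Constructed sample entries: kernel text, kernel data, text with UXN lost. */
static const uint64_t sample_ptes[] = {
	UINT64_C(0x0040000040000483), UINT64_C(0x0060000040200403),
	UINT64_C(0x0000000040400483),
};
int main(void)
{
	char f[5];
	for (int i = 0; i < 3; i++) {
		pte_flags(sample_ptes[i], f);
		printf("%016llx %s unshifted_user=%d\n",
		    (unsigned long long)sample_ptes[i], f, user_unshifted(sample_ptes[i]));
	}
	printf("entries missing UXN: %d\n", count_uxn_missing(sample_ptes, 3));
	return (0);
}
```

With the unshifted mask every valid entry reads as user-accessible, because bit 0 is set on all of them.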