diff options
author | Russell King <rmk+kernel@armlinux.org.uk> | 2021-01-29 10:19:07 +0000 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-08-04 11:56:45 +0200 |
commit | 8db77dca7e1d1d1d6aa9334207ead57853832bb7 (patch) | |
tree | 7bc2352d1da45fb92fd1878b32af630ef7521f2a /arch | |
parent | 5ed05c554005c6fc0135e9252034589aba8bee98 (diff) |
ARM: ensure the signal page contains defined contents
commit 9c698bff66ab4914bb3d71da7dc6112519bde23e upstream.
Ensure that the signal page contains our poison instruction to increase
the protection against ROP attacks and also contains well defined
contents.
Acked-by: Will Deacon <will@kernel.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'arch')
-rw-r--r-- | arch/arm/kernel/signal.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c index 0a066f03b5ec..180c1782ad63 100644 --- a/arch/arm/kernel/signal.c +++ b/arch/arm/kernel/signal.c @@ -625,18 +625,20 @@ struct page *get_signal_page(void) addr = page_address(page); + /* Poison the entire page */ + memset32(addr, __opcode_to_mem_arm(0xe7fddef1), + PAGE_SIZE / sizeof(u32)); + /* Give the signal return code some randomness */ offset = 0x200 + (get_random_int() & 0x7fc); signal_return_offset = offset; - /* - * Copy signal return handlers into the vector page, and - * set sigreturn to be a pointer to these. - */ + /* Copy signal return handlers into the page */ memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes)); - ptr = (unsigned long)addr + offset; - flush_icache_range(ptr, ptr + sizeof(sigreturn_codes)); + /* Flush out all instructions in this page */ + ptr = (unsigned long)addr; + flush_icache_range(ptr, ptr + PAGE_SIZE); return page; } |