FS#24043 - [kernel26] Enable CONFIG_DEBUG_RODATA

Attached to Project: Arch Linux
Opened by Jamie Nguyen (jnguyen) - Monday, 02 May 2011, 10:14 GMT
Last edited by Tobias Powalowski (tpowa) - Thursday, 12 May 2011, 14:02 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

The default advice given in kconfig for CONFIG_DEBUG_RODATA is:

If in doubt, say "Y".

Info taken from Kees Cook blog [1]:

The Linux kernel attempts to protect portions of its memory
from unexpected modification (through potential future exploits)
by setting areas read-only where the compiler has allowed it.
This ... reduces the number of easily writable kernel memory
targets for attackers.

CONFIG_DEBUG_RODATA=y is the default in RHEL/CentOS (they disable it for the debug kernel) [2] and in Debian/Ubuntu [3].

I am running a working Arch Linux kernel with this option enabled:

zcat /proc/config.gz | grep RODATA
CONFIG_DEBUG_RODATA=y
# CONFIG_DEBUG_RODATA_TEST is not set

Package versions:
* kernel26 2.6.38.4-1

[1] http://www.outflux.net/blog/archives/2011/04/27/non-executable-kernel-memory-progress/
[2] https://bugzilla.redhat.com/show_bug.cgi?id=591885
[3] https://wiki.ubuntu.com/Security/Features#rodata
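The check the reporter runs above (zcat /proc/config.gz | grep RODATA) can be turned into a small audit, shown here as an added example that is not part of the report: it parses kconfig output, including the "# CONFIG_X is not set" form that grep matches but does not interpret, and flags any deviation from the RODATA settings quoted in the report. SAMPLE_CONFIG is a constructed stand-in for the reporter's /proc/config.gz; read_running_config() is for use on a live Linux box with CONFIG_IKCONFIG_PROC.

```python
import gzip
import re
from pathlib import Path

# Constructed sample of what `zcat /proc/config.gz` prints on a kernel built
# like the reporter's: protection on, self-test (RODATA_TEST) not built in.
SAMPLE_CONFIG = """\
CONFIG_X86_64=y
CONFIG_DEBUG_RODATA=y
# CONFIG_DEBUG_RODATA_TEST is not set
"""

# Expected state for a distro kernel: rodata write-protected, the boot-time
# write test left out (it is a debug aid, not a hardening feature).
# None means "must not be set".
POLICY = {
    "CONFIG_DEBUG_RODATA": "y",
    "CONFIG_DEBUG_RODATA_TEST": None,
}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Map each CONFIG_ symbol to its value; explicitly unset symbols map to None."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            cfg[m.group(1)] = None
    return cfg


def read_running_config(path="/proc/config.gz"):
    """Load the running kernel's config; accepts gzip (as /proc/config.gz) or plain text."""
    data = Path(path).read_bytes()
    if data[:2] == b"\x1f\x8b":  # gzip magic
        data = gzip.decompress(data)
    return parse_kconfig(data.decode())


def audit(cfg, policy=POLICY):
    """Return (symbol, expected, actual) for every policy mismatch; [] means compliant.
    A symbol absent from the config counts as unset (None)."""
    return [(sym, want, cfg.get(sym)) for sym, want in policy.items()
            if cfg.get(sym) != want]
```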

Closed by Tobias Powalowski (tpowa)
Thursday, 12 May 2011, 14:02 GMT
Reason for closing: Implemented
Additional comments about closing: 2.6.38.6-1
Comment by Frank Phillips (fphillips) - Tuesday, 03 May 2011, 06:00 GMT
From http://cateee.net/lkddb/web-lkddb/DEBUG_RODATA.html :

X86 - Mark the kernel read-only data as write-protected in the pagetables, in order to catch accidental (and incorrect) writes to such const data. This is recommended so that we can catch kernel bugs sooner. If in doubt, say "Y".

X86_64 - Mark the kernel read-only data as write-protected in the pagetables, in order to catch accidental (and incorrect) writes to such const data. This option may have a slight performance impact because a portion of the kernel code won't be covered by a 2MB TLB anymore. If in doubt, say "N".
Comment by Jamie Nguyen (jnguyen) - Tuesday, 03 May 2011, 07:14 GMT
@fphillips:

I could be wrong, but the file "arch/x86_64/Kconfig.debug" that your quote is taken from does not actually currently exist, so the website must be wrong or out of date. Running "make menuconfig" for an x86_64 build of the kernel will result in the same advice: If in doubt, say "Y". It is also selected by default on a vanilla Linux kernel build.

Discussion continued here:

http://mailman.archlinux.org/pipermail/arch-dev-public/2011-May/020166.html
Comment by Thomas Bächler (brain0) - Tuesday, 03 May 2011, 09:00 GMT
On x86_64, I get this help message:

'Mark the kernel read-only data as write-protected in the pagetables,
in order to catch accidental (and incorrect) writes to such const
data. This is recommended so that we can catch kernel bugs sooner.
If in doubt, say "Y".'

There is nothing about a performance impact, the message you quoted for x86_64 does not exist.
