FS#41347 - [linux] 3.16.x enable RO/NX protection for kernel modules
Attached to Project:
Arch Linux
Opened by Daniel Micay (thestinger) - Saturday, 26 July 2014, 08:27 GMT
Last edited by Tobias Powalowski (tpowa) - Wednesday, 13 August 2014, 15:32 GMT
Details
The CONFIG_DEBUG_RODATA option is already enabled, adding enforced write protection for constant data in the core kernel. It would be nice to enable CONFIG_DEBUG_SET_MODULE_RONX too for the same protections in kernel modules.

It's a somewhat useful exploit mitigation along with catching bugs earlier. The cost is a bit of extra memory usage for modules due to the sections needing to be aligned to page boundaries. Debian, Fedora, OpenSUSE and Ubuntu enable this so it's unlikely to cause any issues. http://thread.gmane.org/gmane.linux.kernel/945148
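As an added check (not part of the bug report or of Arch's kernel packaging), the POSIX shell snippet below reads a kernel config and reports whether both the core-kernel and the module RO/NX protections are switched on. It assumes the standard `.config` layout (`CONFIG_FOO=y` / `# CONFIG_FOO is not set`) and also accepts the names these two options were given in later kernels (CONFIG_STRICT_KERNEL_RWX and CONFIG_STRICT_MODULE_RWX), falling back to the older names used in this report. The sample configs are constructed. It inspects build configuration only; it does not probe the running kernel's page tables.

```shell
#!/bin/sh
# Added example, not code from the Arch bug tracker. Checks a kernel config
# for the RO/NX options discussed in FS#41347. Newer kernels renamed the
# options, so both the old and the new symbol names are consulted.

# Print the value of a kernel config symbol: "y"/"m"/... , "n" when the
# config says "# SYM is not set", or "unset" when the symbol is absent.
#   $1 = config text (already decompressed), $2 = symbol name
config_value() {
    printf '%s\n' "$1" | awk -v sym="$2" '
        $0 == "# " sym " is not set" { print "n"; found = 1; exit }
        index($0, sym "=") == 1     { sub(sym "=", ""); print; found = 1; exit }
        END { if (!found) print "unset" }'
}

# Print "kernel=<v> module=<v>" and return 0 only if both protections are
# enabled. Prefers the post-4.11 names, falls back to the 3.x names.
check_rwx() {
    cfg="$1"
    k=$(config_value "$cfg" CONFIG_STRICT_KERNEL_RWX)
    if [ "$k" = unset ]; then
        k=$(config_value "$cfg" CONFIG_DEBUG_RODATA)
    fi
    m=$(config_value "$cfg" CONFIG_STRICT_MODULE_RWX)
    if [ "$m" = unset ]; then
        m=$(config_value "$cfg" CONFIG_DEBUG_SET_MODULE_RONX)
    fi
    echo "kernel=$k module=$m"
    [ "$k" = y ] && [ "$m" = y ]
}

# Read a config from a path, decompressing /proc/config.gz style files.
load_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Constructed sample mirroring the state described in the report:
# DEBUG_RODATA on, DEBUG_SET_MODULE_RONX not yet enabled.
SAMPLE_2014='CONFIG_DEBUG_RODATA=y
# CONFIG_DEBUG_SET_MODULE_RONX is not set'

# Constructed sample using the later option names, both enabled.
SAMPLE_NEW='CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y'

# Usage on a live system (assumes CONFIG_IKCONFIG_PROC or a /boot config):
#   check_rwx "$(load_config /proc/config.gz)" || echo "module RO/NX missing"
#   check_rwx "$(load_config /boot/config-$(uname -r))"
```

Run against `/proc/config.gz` (or the distribution's `/boot/config-*` file) to confirm a packaged kernel actually carries the option; a non-zero exit means at least one of the two protections is off or absent from the config.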
Closed by Tobias Powalowski (tpowa)
Wednesday, 13 August 2014, 15:32 GMT
Reason for closing: Fixed
Additional comments about closing: on trunk