
Restrict setting PTE execute permissions on RISC-V.
Closed, Public

Authored by jhb on Oct 31 2018, 6:42 PM.

Details

Summary

Previously, RISC-V was enabling execute permissions in PTEs for any
readable page. Now, execute permissions are only enabled if they
were explicitly specified (e.g. via PROT_EXEC to mmap). The one
exception is that the initial kernel mapping in locore still maps all
of the kernel RWX.

While here, change the fault type passed to vm_fault and pmap_fault_fixup
to only include a single VM_PROT_* value representing the faulting access
to match other architectures rather than passing a bitmask.

Test Plan
  • booted under qemu and then used kgdb to examine PTE permissions
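
The permission change in the summary, as an added example that is not code from this revision or from FreeBSD's pmap: `pte_perms_old`, `pte_perms_new`, `fault_type` and `pte_allows` are hypothetical helpers that model the before and after rules, using the RISC-V PTE bit positions and page-fault `scause` codes. It shows that an instruction fetch from a read/write page is permitted under the old rule and faults under the new one.

```c
#include <stdint.h>
#include <stdio.h>
/* RISC-V PTE bits (privileged spec); VM_PROT_* values as in FreeBSD. */
enum { PTE_V = 0x01, PTE_R = 0x02, PTE_W = 0x04, PTE_X = 0x08 };
enum { VM_PROT_READ = 0x01, VM_PROT_WRITE = 0x02, VM_PROT_EXECUTE = 0x04 };

/* Hypothetical model of the new rule: X only when explicitly requested. */
static uint64_t pte_perms_new(unsigned prot)
{
	uint64_t pte = PTE_V;
	if (prot & VM_PROT_READ)
		pte |= PTE_R;
	if (prot & VM_PROT_WRITE)
		pte |= PTE_R | PTE_W;	/* W without R is a reserved encoding */
	if (prot & VM_PROT_EXECUTE)
		pte |= PTE_X;
	return (pte);
}

/* Hypothetical model of the old rule: any readable page is also executable. */
static uint64_t pte_perms_old(unsigned prot)
{
	uint64_t pte = pte_perms_new(prot);
	return ((pte & PTE_R) ? (pte | PTE_X) : pte);
}

/* scause 12/13/15 (instruction/load/store page fault) -> one VM_PROT_* value. */
static unsigned fault_type(unsigned scause)
{
	return (scause == 12 ? VM_PROT_EXECUTE :
	    scause == 15 ? VM_PROT_WRITE : VM_PROT_READ);
}

/* Does the PTE permit this access, or does it fault into the VM system? */
static int pte_allows(uint64_t pte, unsigned ftype)
{
	uint64_t need = ftype == VM_PROT_EXECUTE ? PTE_X :
	    ftype == VM_PROT_WRITE ? PTE_W : PTE_R;
	return ((pte & PTE_V) != 0 && (pte & need) != 0);
}

int main(void)
{
	unsigned rw = VM_PROT_READ | VM_PROT_WRITE;	/* e.g. a heap page */
	printf("fetch from rw- page: old=%d new=%d\n",
	    pte_allows(pte_perms_old(rw), fault_type(12)),
	    pte_allows(pte_perms_new(rw), fault_type(12)));
	return (0);
}
```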

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

The testing bit needs more detail but I wanted to post that in a followup comment. I used the 'pmap_dump_perms' gdb script from https://github.com/bsdjhb/kdbg/blob/master/gdb/gdb6.riscv to examine both the user and kernel page tables for a process. First, here is the user memory map for that process:

PID              START                END PRT  RES PRES REF SHD FLAG TP PATH
758            0x10000            0x51000 r-x   65   69   4   2 CN-- vn /bin/csh
758            0x51000            0x54000 rw-    3    0   1   0 CN-- vn /bin/csh
758            0x54000            0x7b000 rw-    9    9   1   0 C--- df 
758         0x40051000         0x40066000 r-x   21   22  29  14 CN-- vn /libexec/ld-elf.so.1
758         0x40066000         0x40067000 rw-    1    0   1   0 CN-- vn /libexec/ld-elf.so.1
758         0x40067000         0x40089000 rw-   31   31   1   0 C--- df 
758         0x40089000         0x400d0000 r-x   71   76   6   3 CN-- vn /lib/libncursesw.so.8
758         0x400d0000         0x400d5000 rw-    5    0   1   0 CN-- vn /lib/libncursesw.so.8
758         0x400d5000         0x400d6000 rw-    1    1   1   0 CN-- df 
758         0x400d6000         0x400e1000 r-x   11   11  10   5 CN-- vn /lib/libcrypt.so.5
758         0x400e1000         0x400e2000 rw-    1    0   1   0 CN-- vn /lib/libcrypt.so.5
758         0x400e2000         0x400f3000 rw-    0    0   0   0 ---- -- 
758         0x400f3000         0x4022f000 r-x  316  344  28  13 CN-- vn /lib/libc.so.7
758         0x4022f000         0x4023f000 rw-   16    0   1   0 CN-- vn /lib/libc.so.7
758         0x4023f000         0x403a2000 rw-   53   53   1   0 C--- df 
758         0x403a2000         0x403a4000 r-x    2    2   4   2 CN-- vn /usr/lib/i18n/libiconv_std.so.4
758         0x403a4000         0x403a5000 rw-    1    0   1   0 CN-- vn /usr/lib/i18n/libiconv_std.so.4
758         0x403a5000         0x403c6000 rw-    2    2   1   0 CN-- df 
758         0x403c6000         0x403c7000 r-x    1    2   4   2 CN-- vn /usr/lib/i18n/libUTF8.so.4
758         0x403c7000         0x403c8000 rw-    1    0   1   0 CN-- vn /usr/lib/i18n/libUTF8.so.4
758         0x403c8000         0x403cf000 rw-    1    1   1   0 CN-- df 
758         0x403cf000         0x403d0000 r-x    1    2   4   2 CN-- vn /usr/lib/i18n/libmapper_646.so.4
758         0x403d0000         0x403d1000 rw-    1    0   1   0 CN-- vn /usr/lib/i18n/libmapper_646.so.4
758         0x403d1000         0x403f4000 rw-   17   17   1   0 C--- df 
758         0x403f4000         0x403fe000 rw-    4    4   1   0 CN-- df 
758         0x403fe000         0x40400000 rw-    2    2   1   0 CN-- df 
758         0x40400000         0x40c00000 rw-   18   18   1   0 CN-- df 
758         0x40c00000         0x40cf3000 rw-  196  196   1   0 CN-- df 
758         0x40cf3000         0x40d6f000 rw-   21   21   1   0 CN-- df 
758       0x3fbffff000       0x3ffffdf000 ---    0    0   0   0 ---- -- 
758       0x3ffffdf000       0x3ffffff000 rwx    6    6   1   0 C--D df

For kernel, I had loaded a single kernel module to make sure the module was executable:

# kldstat 
Id Refs Address                Size Name
 1    3 0xffffffc000000000   716740 kernel
 2    1 0xffffffc0013a1000     3000 nmdm.ko

Here then is an annotated dump of the page table permissions. I've annotated all the places that had execute permission set:

0x11000 - 0x50fff: R-X  (/bin/csh)
0x69000 - 0x69fff: R--
0x7a000 - 0x7afff: R--
0x40051000 - 0x40059fff: R-X (/libexec/ld-elf.so.1)
0x40061000 - 0x40065fff: R-X (/libexec/ld-elf.so.1)
0x40067000 - 0x40067fff: R--
0x4006a000 - 0x4006afff: R--
0x40086000 - 0x40086fff: R--
0x40088000 - 0x40088fff: R--
0x40089000 - 0x400a0fff: R-X (/lib/libncursesw.so.8)
0x400a3000 - 0x400a3fff: R-X (")
0x400a6000 - 0x400acfff: R-X (")
0x400b6000 - 0x400b6fff: R-X (")
0x400b9000 - 0x400bafff: R-X (")
0x400be000 - 0x400cffff: R-X (/lib/libncursesw.so.8)
0x400d6000 - 0x400e0fff: R-X (/lib/libcrypt.so.5)
0x400f3000 - 0x4022dfff: R-X (/lib/libc.so.7)
0x4023b000 - 0x4023dfff: R--
0x40243000 - 0x40243fff: R--
0x4024c000 - 0x4024cfff: R--
0x40256000 - 0x40257fff: R--
0x40358000 - 0x40359fff: R--
0x40368000 - 0x4036bfff: R--
0x4036e000 - 0x4036ffff: R--
0x40371000 - 0x40371fff: R--
0x40377000 - 0x40377fff: R--
0x4037a000 - 0x4037afff: R--
0x40380000 - 0x40380fff: R--
0x4038e000 - 0x4038efff: R--
0x403a2000 - 0x403a3fff: R-X (/usr/lib/i18n/libiconv_std.so.4)
0x403c6000 - 0x403c6fff: R-X (/usr/lib/i18n/libUTF8.so.4)
0x403cf000 - 0x403cffff: R-X (/usr/lib/i18n/libmapper_646.so.4)
0x403e0000 - 0x403e8fff: R--
0x403f5000 - 0x403f5fff: R--
0x403fd000 - 0x403fdfff: R--
0x40402000 - 0x40402fff: R--
0x40404000 - 0x40404fff: R--
0x40507000 - 0x40507fff: R--
0x4050a000 - 0x4050afff: R--
0x4060c000 - 0x4060cfff: R--
0x40cd3000 - 0x40cd3fff: R--
0x40cdd000 - 0x40cddfff: R--
0x40cec000 - 0x40cedfff: R--
0x3fffff9000 - 0x3fffff9fff: R-X (stack)
0x3fffffc000 - 0x3fffffcfff: R-X (stack)
0xffffffc000000000 - 0xffffffc0007fffff: RWX (kernel)
0xffffffc000801000 - 0xffffffc000810fff: R--
0xffffffc001000000 - 0xffffffc0013a0fff: RW-
0xffffffc0013a1000 - 0xffffffc0013a3fff: RWX (nmdm.ko)
0xffffffc001c00000 - 0xffffffc0023fefff: RW-
0xffffffc002801000 - 0xffffffc002809fff: RW-
0xffffffc002811000 - 0xffffffc002811fff: RW-
0xffffffc002819000 - 0xffffffc002821fff: RW-
0xffffffc002829000 - 0xffffffc002829fff: RW-
0xffffffc002831000 - 0xffffffc002839fff: RW-
0xffffffc002841000 - 0xffffffc002851fff: RW-
0xffffffc002859000 - 0xffffffc002861fff: RW-
0xffffffc002869000 - 0xffffffc002869fff: RW-
0xffffffc002871000 - 0xffffffc002889fff: RW-
0xffffffc002891000 - 0xffffffc0028a1fff: RW-
0xffffffc0028a9000 - 0xffffffc0028a9fff: RW-
0xffffffc0028b9000 - 0xffffffc0028b9fff: RW-
0xffffffc0028c1000 - 0xffffffc0028c1fff: RW-
0xffffffc0028c5000 - 0xffffffc0028c5fff: RW-
0xffffffc0028c9000 - 0xffffffc0028d0fff: RW-
0xffffffc0028e9000 - 0xffffffc0028f0fff: RW-
0xffffffc002909000 - 0xffffffc00290afff: RW-
0xffffffc002911000 - 0xffffffc002912fff: RW-
0xffffffc002959000 - 0xffffffc002960fff: RW-
0xffffffc002981000 - 0xffffffc002981fff: RW-
0xffffffc002989000 - 0xffffffc002991fff: RW-
0xffffffc0029a1000 - 0xffffffc0029a1fff: RW-
0xffffffc0029b1000 - 0xffffffc0029b1fff: RW-
0xffffffc0029c1000 - 0xffffffc0029c1fff: RW-
0xffffffc0029c9000 - 0xffffffc0029cbfff: RW-
0xffffffc0029d1000 - 0xffffffc0029d9fff: RW-
0xffffffc0029e9000 - 0xffffffc0029f0fff: RW-
0xffffffc002a39000 - 0xffffffc002a3cfff: RW-
0xffffffc002a49000 - 0xffffffc002a58fff: RW-
0xffffffc002a71000 - 0xffffffc002a79fff: RW-
0xffffffc002a89000 - 0xffffffc002aa8fff: RW-
0xffffffc002ab9000 - 0xffffffc002ab9fff: RW-
0xffffffc002ac1000 - 0xffffffc002ac1fff: RW-
0xffffffc002ac9000 - 0xffffffc002ad0fff: RW-
0xffffffc002af9000 - 0xffffffc002af9fff: RW-
0xffffffc002b19000 - 0xffffffc002b21fff: RW-
0xffffffc002b31000 - 0xffffffc002b31fff: RW-
0xffffffc002b49000 - 0xffffffc002b4afff: RW-
0xffffffc002b51000 - 0xffffffc002b51fff: RW-
0xffffffc002b71000 - 0xffffffc002b78fff: RW-
0xffffffc002b81000 - 0xffffffc002b99fff: RW-
0xffffffc002ba1000 - 0xffffffc002ba8fff: RW-
0xffffffc002bb1000 - 0xffffffc002bb8fff: RW-
0xffffffc002bd1000 - 0xffffffc002bd8fff: RW-
0xffffffc002be9000 - 0xffffffc002bf1fff: RW-
0xffffffc002c09000 - 0xffffffc002c09fff: RW-
0xffffffc002c41000 - 0xffffffc002c44fff: RW-
0xffffffc002c49000 - 0xffffffc002c51fff: RW-
0xffffffc002c69000 - 0xffffffc002c70fff: RW-
0xffffffc002d61000 - 0xffffffc002d70fff: RW-
0xffffffc002d81000 - 0xffffffc002db0fff: RW-
0xffffffc019e4a000 - 0xffffffc019e4dfff: RW-
0xffffffc019e4f000 - 0xffffffc019e52fff: RW-
0xffffffc019e54000 - 0xffffffc019e57fff: RW-
0xffffffc019e59000 - 0xffffffc019e5cfff: RW-
0xffffffc019e5e000 - 0xffffffc019e61fff: RW-
0xffffffc019e63000 - 0xffffffc019e66fff: RW-
0xffffffc019e68000 - 0xffffffc019e6bfff: RW-
0xffffffc019e6d000 - 0xffffffc019e70fff: RW-
0xffffffc019e72000 - 0xffffffc019e75fff: RW-
0xffffffc019e77000 - 0xffffffc019e7afff: RW-
0xffffffc019e7c000 - 0xffffffc019e7ffff: RW-
0xffffffc019e81000 - 0xffffffc019e84fff: RW-
0xffffffc019e86000 - 0xffffffc019e89fff: RW-
0xffffffc019e8b000 - 0xffffffc019e8efff: RW-
0xffffffc019e90000 - 0xffffffc019e93fff: RW-
0xffffffc019e95000 - 0xffffffc019e98fff: RW-
0xffffffc019e9a000 - 0xffffffc019e9dfff: RW-
0xffffffc019e9f000 - 0xffffffc019ea2fff: RW-
0xffffffc019ea4000 - 0xffffffc019ea7fff: RW-
0xffffffc019ea9000 - 0xffffffc019eadfff: RW-
0xffffffc019eaf000 - 0xffffffc019eb3fff: RW-
0xffffffc019eb5000 - 0xffffffc019eb9fff: RW-
0xffffffc019ebb000 - 0xffffffc019ebefff: RW-
0xffffffc019ec0000 - 0xffffffc019ec3fff: RW-
0xffffffc019ec5000 - 0xffffffc019ecefff: RW-
0xffffffc019ed0000 - 0xffffffc019ed4fff: RW-
0xffffffc019ed6000 - 0xffffffc019ed9fff: RW-
0xffffffc019edb000 - 0xffffffc019edefff: RW-
0xffffffc019ee0000 - 0xffffffc019ee3fff: RW-
0xffffffc019ee5000 - 0xffffffc019ee8fff: RW-
0xffffffc019eea000 - 0xffffffc019eedfff: RW-
0xffffffc019eef000 - 0xffffffc019ef2fff: RW-
0xffffffc019ef4000 - 0xffffffc019ef7fff: RW-
0xffffffc019ef9000 - 0xffffffc019efcfff: RW-
0xffffffc019efe000 - 0xffffffc019f01fff: RW-
0xffffffc019f03000 - 0xffffffc019f06fff: RW-
0xffffffc019f08000 - 0xffffffc019f0bfff: RW-
0xffffffc019f0d000 - 0xffffffc019f10fff: RW-
0xffffffc019f12000 - 0xffffffc019f15fff: RW-
0xffffffc019f17000 - 0xffffffc019f1afff: RW-
0xffffffc019f1c000 - 0xffffffc019f1ffff: RW-
0xffffffc019f21000 - 0xffffffc019f24fff: RW-
0xffffffc019f26000 - 0xffffffc019f29fff: RW-
0xffffffc019f2b000 - 0xffffffc019f2efff: RW-
0xffffffc019f30000 - 0xffffffc019f33fff: RW-
0xffffffc019f35000 - 0xffffffc019f38fff: RW-
0xffffffc019f3a000 - 0xffffffc019f3dfff: RW-
0xffffffc019f3f000 - 0xffffffc019f42fff: RW-
0xffffffc019f44000 - 0xffffffc019f47fff: RW-
0xffffffc019f49000 - 0xffffffc019f4cfff: RW-
0xffffffc019f4e000 - 0xffffffc019f51fff: RW-
0xffffffc019f53000 - 0xffffffc019f56fff: RW-
0xffffffc019f58000 - 0xffffffc019f5bfff: RW-
0xffffffc019f5d000 - 0xffffffc019f60fff: RW-
0xffffffc019f62000 - 0xffffffc019f65fff: RW-
0xffffffc019f67000 - 0xffffffc019f6afff: RW-
0xffffffc019f6c000 - 0xffffffc019f6ffff: RW-
0xffffffc019f71000 - 0xffffffc019f74fff: RW-
0xffffffc019f76000 - 0xffffffc019f79fff: RW-
0xffffffc019f7b000 - 0xffffffc019f7efff: RW-
0xffffffc019f80000 - 0xffffffc019f83fff: RW-
0xffffffc019f85000 - 0xffffffc019f88fff: RW-
0xffffffc019f8a000 - 0xffffffc019f8dfff: RW-
0xffffffc019f8f000 - 0xffffffc019f92fff: RW-
0xffffffc019f94000 - 0xffffffc019f97fff: RW-
0xffffffc019f99000 - 0xffffffc019f9cfff: RW-
0xffffffc019f9e000 - 0xffffffc019fa1fff: RW-
0xffffffc019fa3000 - 0xffffffc019fa6fff: RW-
0xffffffc019fa8000 - 0xffffffc019fabfff: RW-
0xffffffc019fad000 - 0xffffffc019fb0fff: RW-
0xffffffc019fb2000 - 0xffffffc019fb5fff: RW-
0xffffffc019fb7000 - 0xffffffc019fbafff: RW-
0xffffffc019fbc000 - 0xffffffc019fbffff: RW-
0xffffffc019fc1000 - 0xffffffc019fc4fff: RW-
0xffffffc019fc6000 - 0xffffffc019fc9fff: RW-
0xffffffc019fcb000 - 0xffffffc019fcefff: RW-
0xffffffc019fd0000 - 0xffffffc019fd3fff: RW-
0xffffffc019fd5000 - 0xffffffc019fd8fff: RW-
0xffffffc019fda000 - 0xffffffc019fddfff: RW-
0xffffffc019fdf000 - 0xffffffc019fe2fff: RW-
0xffffffc019fe4000 - 0xffffffc019fe7fff: RW-
0xffffffc019fe9000 - 0xffffffc019fecfff: RW-
0xffffffc019fee000 - 0xffffffc019ff1fff: RW-
0xffffffc019ff3000 - 0xffffffc019ff6fff: RW-
0xffffffc019ff8000 - 0xffffffc019ffbfff: RW-
0xffffffc019ffd000 - 0xffffffc01a000fff: RW-
0xffffffc01a187000 - 0xffffffc01a187fff: RWX (exec_map)
0xffffffc01a1c8000 - 0xffffffc01a1c8fff: RWX (exec_map)
0xffffffc01a249000 - 0xffffffc01a24afff: RWX (pipe_map)
0xffffffc01a24d000 - 0xffffffc01a24dfff: RWX (pipe_map)
0xffffffc01c220000 - 0xffffffc02021ffff: RW-
0xffffffc020400000 - 0xffffffc03fffffff: RWX (no entry in kernel_map, no idea what this is)
0xffffffc7ffc00000 - 0xffffffc7ffdfffff: RW-
0xffffffc7fffff000 - 0xffffffc7ffffffff: RW-
0xffffffd000000000 - 0xffffffd07fffffff: RW-

The page table dump does suggest some additional followup work. I've looked at exec_map and pipe_map and they are mapped RWX on all architectures. They shouldn't ever require X permission though, and that's an MI change to fix. We should figure out what is needed to use non-executable stacks on riscv though.
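
The by-eye annotation of the dump above can be turned into a repeatable W^X check. This is an added example, not part of the review or of the kdbg scripts: `audit_wx` and `struct wx_report` are hypothetical names, and the input is assumed to be text in the same `0xSTART - 0xEND: RWX (label)` form as the dump, with an inclusive end address.

```c
#include <stdio.h>
#include <string.h>
struct wx_report {
	unsigned exec_ranges;		/* ranges with X set */
	unsigned wx_ranges;		/* ranges with both W and X set */
	unsigned long long wx_bytes;	/* total size of the W+X ranges */
	unsigned skipped;		/* lines that did not parse */
};
/* Audit lines shaped like "0xSTART - 0xEND: RWX (label)"; END is inclusive. */
static struct wx_report audit_wx(const char *const *lines, size_t n)
{
	struct wx_report r = {0, 0, 0, 0};
	for (size_t i = 0; i < n; i++) {
		unsigned long long start, end;
		char perms[4];
		if (sscanf(lines[i], "%llx - %llx: %3[RWX-]", &start, &end,
		    perms) != 3 || strlen(perms) != 3 || end < start) {
			r.skipped++;
			continue;
		}
		if (perms[2] != 'X')
			continue;
		r.exec_ranges++;
		if (perms[1] == 'W') {
			r.wx_ranges++;
			r.wx_bytes += end - start + 1;
		}
	}
	return (r);
}

/* Lines copied from the dump above, plus one constructed malformed line. */
static const char *const sample[] = {
	"0x11000 - 0x50fff: R-X  (/bin/csh)",
	"0x3fffff9000 - 0x3fffff9fff: R-X (stack)",
	"0xffffffc000000000 - 0xffffffc0007fffff: RWX (kernel)",
	"0xffffffc001000000 - 0xffffffc0013a0fff: RW-",
	"0xffffffc0013a1000 - 0xffffffc0013a3fff: RWX (nmdm.ko)",
	"0xffffffc01a187000 - 0xffffffc01a187fff: RWX (exec_map)",
	"0xffffffc01a249000 - 0xffffffc01a24afff: RWX (pipe_map)",
	"not a mapping line",	/* constructed */
};
#define NSAMPLE (sizeof(sample) / sizeof(sample[0]))
int main(void)
{
	struct wx_report r = audit_wx(sample, NSAMPLE);
	printf("X=%u W+X=%u (%#llx bytes) skipped=%u\n",
	    r.exec_ranges, r.wx_ranges, r.wx_bytes, r.skipped);
	return (0);
}
```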

In D17783#380061, @jhb wrote:

The page table dump does suggest some additional followup work. I've looked at exec_map and pipe_map and they are mapped RWX on all architectures. They shouldn't ever require X permission though, and that's an MI change to fix.

This diff seems to do the trick: https://people.freebsd.org/~markj/patches/pipe_exec_rw.diff

sys/riscv/riscv/pmap.c
2470 ↗(On Diff #49841)

The parens aren't needed.

This revision is now accepted and ready to land. Nov 1 2018, 2:39 PM
In D17783#380061, @jhb wrote:

The page table dump does suggest some additional followup work. I've looked at exec_map and pipe_map and they are mapped RWX on all architectures. They shouldn't ever require X permission though, and that's an MI change to fix.

This diff seems to do the trick: https://people.freebsd.org/~markj/patches/pipe_exec_rw.diff

Yes, that diff looks correct to me. I haven't tested it at all though. :)

jhb marked an inline comment as done. Nov 1 2018, 10:23 PM
This revision was automatically updated to reflect the committed changes.