Kernel: Harden memory mapping of the kernel image

We now map the kernel's text and rodata segments read+execute. We also make the data and bss segments non-executable. Thanks to q3k for the idea! :^)
Author: https://github.com/awesomekling Commit: https://github.com/SerenityOS/serenity/commit/8e7420ddf28
2020-01-06 13:53:30 +01:00 · 2020-01-06 13:53:30 +01:00 · 8e7420ddf2 · 2024-07-19 10:18:26 +09:00
commit 8e7420ddf2
parent 47cc3e68c6
2 changed files with 26 additions and 5 deletions
--- a/Kernel/VM/MemoryManager.cpp
+++ b/Kernel/VM/MemoryManager.cpp
@ -68,20 +68,35 @@ void MemoryManager::initialize_paging()
            auto& pte = ensure_pte(kernel_page_directory(), VirtualAddress(i));
            pte.set_execute_disabled(true);
        }
+        // Disable execution from 2MB through 8MB (kmalloc, kmalloc_eternal, slabs, page tables, ...)
+        for (size_t i = 1; i < 4; ++i) {
+            auto& pte = kernel_page_directory().table().directory(0)[i];
+            pte.set_execute_disabled(true);
+        }
    }

-    // Disable execution from 2MB through 8MB (kmalloc, kmalloc_eternal, slabs, page tables, ...)
-    for (size_t i = 1; i < 4; ++i) {
-        auto& pte = kernel_page_directory().table().directory(0)[i];
-        if (g_cpu_supports_nx)
+    // Disable writing to the kernel text and rodata segments.
+    extern u32 start_of_kernel_text;
+    extern u32 start_of_kernel_data;
+    for (size_t i = (u32)&start_of_kernel_text; i < (u32)&start_of_kernel_data; i += PAGE_SIZE) {
+        auto& pte = ensure_pte(kernel_page_directory(), VirtualAddress(i));
+        pte.set_writable(false);
+    }
+
+    if (g_cpu_supports_nx) {
+        // Disable execution of the kernel data and bss segments.
+        extern u32 end_of_kernel_bss;
+        for (size_t i = (u32)&start_of_kernel_data; i < (u32)&end_of_kernel_bss; i += PAGE_SIZE) {
+            auto& pte = ensure_pte(kernel_page_directory(), VirtualAddress(i));
            pte.set_execute_disabled(true);
+        }
    }

    // FIXME: We should move everything kernel-related above the 0xc0000000 virtual mark.

    // Basic physical memory map:
    // 0      -> 1 MB           We're just leaving this alone for now.
-    // 1      -> 3 MB           Kernel image.
+    // 1      -> 2 MB           Kernel image.
    // (last page before 2MB)   Used by quickmap_page().
    // 2 MB   -> 4 MB           kmalloc_eternal() space.
    // 4 MB   -> 7 MB           kmalloc() space.
--- a/Kernel/linker.ld
+++ b/Kernel/linker.ld
@ -9,8 +9,10 @@ SECTIONS
        Arch/i386/Boot/boot.ao
 		*(.multiboot)
 		*(.page_tables)
+        start_of_kernel_text = .;
 		*(.text)
 		*(.text.startup)
+        end_of_kernel_text = .;
 	}

 	.rodata BLOCK(4K) : ALIGN(4K)
@ -24,12 +26,16 @@ SECTIONS

 	.data BLOCK(4K) : ALIGN(4K)
 	{
+        start_of_kernel_data = .;
 		*(.data)
+        end_of_kernel_data = .;
 	}

 	.bss BLOCK(4K) : ALIGN(4K)
 	{
+        start_of_kernel_bss = .;
 		*(COMMON)
 		*(.bss)
+        end_of_kernel_bss = .;
 	}
 }