Building lkdtm with KASAN and Clang 11 or later results in the following
error when attempting to load the module:
kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
BUG: unable to handle page fault for address: ffffffffc019cd70
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0011) - permissions violation
...
RIP: 0010:asan.module_ctor+0x0/0xffffffffffffa290 [lkdtm]
...
Call Trace:
do_init_module+0x17c/0x570
load_module+0xadee/0xd0b0
__x64_sys_finit_module+0x16c/0x1a0
do_syscall_64+0x34/0x50
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The reason is that rodata.o generates a dummy function that lives in
.rodata to validate that .rodata can't be executed; however, Clang 11
adds KASAN globals support by generating module constructors to
initialize globals redzones. When Clang 11 adds a module constructor to
rodata.o, it is also added to .rodata: any attempt to call it on
initialization results in the above error.
Therefore, disable KASAN instrumentation for rodata.o.
Signed-off-by: Marco Elver <[email protected]>
---
drivers/misc/lkdtm/Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
index c70b3822013f..1c4c7aca0026 100644
--- a/drivers/misc/lkdtm/Makefile
+++ b/drivers/misc/lkdtm/Makefile
@@ -11,6 +11,7 @@ lkdtm-$(CONFIG_LKDTM) += usercopy.o
lkdtm-$(CONFIG_LKDTM) += stackleak.o
lkdtm-$(CONFIG_LKDTM) += cfi.o
+KASAN_SANITIZE_rodata.o := n
KASAN_SANITIZE_stackleak.o := n
KCOV_INSTRUMENT_rodata.o := n
base-commit: 2c85ebc57b3e1817b6ce1a6b703928e113a90442
--
2.29.2.684.gfbc64c5ab5-goog
On Mon, Dec 14, 2020 at 8:15 PM Marco Elver <[email protected]> wrote:
>
> Building lkdtm with KASAN and Clang 11 or later results in the following
> error when attempting to load the module:
>
> kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
> BUG: unable to handle page fault for address: ffffffffc019cd70
> #PF: supervisor instruction fetch in kernel mode
> #PF: error_code(0x0011) - permissions violation
> ...
> RIP: 0010:asan.module_ctor+0x0/0xffffffffffffa290 [lkdtm]
> ...
> Call Trace:
> do_init_module+0x17c/0x570
> load_module+0xadee/0xd0b0
> __x64_sys_finit_module+0x16c/0x1a0
> do_syscall_64+0x34/0x50
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> The reason is that rodata.o generates a dummy function that lives in
> .rodata to validate that .rodata can't be executed; however, Clang 11
> adds KASAN globals support by generating module constructors to
> initialize globals redzones. When Clang 11 adds a module constructor to
> rodata.o, it is also added to .rodata: any attempt to call it on
> initialization results in the above error.
>
> Therefore, disable KASAN instrumentation for rodata.o.
>
> Signed-off-by: Marco Elver <[email protected]>
> ---
> drivers/misc/lkdtm/Makefile | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
> index c70b3822013f..1c4c7aca0026 100644
> --- a/drivers/misc/lkdtm/Makefile
> +++ b/drivers/misc/lkdtm/Makefile
> @@ -11,6 +11,7 @@ lkdtm-$(CONFIG_LKDTM) += usercopy.o
> lkdtm-$(CONFIG_LKDTM) += stackleak.o
> lkdtm-$(CONFIG_LKDTM) += cfi.o
>
> +KASAN_SANITIZE_rodata.o := n
> KASAN_SANITIZE_stackleak.o := n
> KCOV_INSTRUMENT_rodata.o := n
>
>
> base-commit: 2c85ebc57b3e1817b6ce1a6b703928e113a90442
> --
> 2.29.2.684.gfbc64c5ab5-goog
>
Reviewed-by: Andrey Konovalov <[email protected]>
Thanks for taking care of this!