Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp658887ybc; Fri, 22 Nov 2019 11:00:03 -0800 (PST) X-Google-Smtp-Source: APXvYqxr2k/igjlfYQnwpJJbzJP8XoLzyfCzX+wY7Xk4O3iUP3ceeEc1LOnb1mnzP3JxZ5MpMzOu X-Received: by 2002:a17:906:4e99:: with SMTP id v25mr24178396eju.106.1574449202919; Fri, 22 Nov 2019 11:00:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1574449202; cv=none; d=google.com; s=arc-20160816; b=LkWz2gY9mC0fS9/uiL3NYmUzbHwMgGUQ9jF6A98JsSRoPhlLROcDApRlsx+ZpQzFTu EWTT7scCoA7NYt8PrVhNblfH5JTv6JxmYA3bNrMvOaxUE5tKkeD7YIe1pgBV99oyjJpT r7g64/dOj59FXmUqF1lZEpauhI22FjDS2UmOMDvdYsnhif8X6V9r3hEwd6+rFNUhWmyw RAornVQlLRZRSOZYJd0Za3BU4WM0BOsb3pELi6vBxBHwrngO9ssNsafEJTREryJCgJ+F DSGsOSfKutl7tNHvAOejDiyhdYlNm6gtwlvA+dzw4URpcntsQ065Pg0BC5hbuc3SSpJT nd5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:mime-version :message-id:date:dkim-signature; bh=SHVXHEGGxuqIpcBFwRHv/uk1e/S46AumK4IMAmbp/ok=; b=gZSyHrkNn6iGnA6Xuv3jX5OloSSpq9bL02mImxbJG+7Jlh9HNTcmyCDO4BRMiSjjVP ftY4wb8TkQprQSJ2gjMqW9ARM6f7CotQo+Nm8TyTXnF1HKFYq/vwicrLkD99ChryFC5I +wtxMkh/drYor8CFmq24+haesdWhhDSowt8qAX8oLtyyDPZ3RY6ArF5oNXnmeC5sVn2z v8ia09eCbj6UNmLbq3+zWOqxMXcTUxDUYErgerbMOd2o8OHKDEPGe5rSMhQEpskLek4H Kw0vPL7mR2inkfaVsl575FNodCTyqAeZEceDE/afWvRQ4mo2z0c5AFmuPkUfV6t4tse9 euKA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=cpZcy7Cy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b18si2352312edx.26.2019.11.22.10.59.38; Fri, 22 Nov 2019 11:00:02 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=cpZcy7Cy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727047AbfKVSz1 (ORCPT + 99 others); Fri, 22 Nov 2019 13:55:27 -0500 Received: from mail-ua1-f74.google.com ([209.85.222.74]:53771 "EHLO mail-ua1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727016AbfKVSz1 (ORCPT ); Fri, 22 Nov 2019 13:55:27 -0500 Received: by mail-ua1-f74.google.com with SMTP id 14so251239uar.20 for ; Fri, 22 Nov 2019 10:55:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=SHVXHEGGxuqIpcBFwRHv/uk1e/S46AumK4IMAmbp/ok=; b=cpZcy7CysRjVvEDBLriAw2P8/TU3cURqwBXnEv93B2t8l2xennSUdwg+CVfdB/gtFG fz8XtCFW0omCKPALWsT8iEKNvDcc2WzAa1h4wn8dmhXwwLbzyh7qRBwxDvwZ1MG4MXar TBLfcYUcznuWLGge0/XpeHXBj5Xmuy5Vdzy674qVErgGxUoHo+NNnvgQoTK4FikfXZjq B83jZXaoG++9UGZQl4PRYdgJfAV61M9O77iZe7MRy0pREg0kFwJE0FoMNy8AejyOOAWG Lpd6WqHkYN/K4PEOq2ZpUJ7Sn7oFXgWVqndd0MLXYT1vs7Sh159nYv9wwxbCIi8fjmTL ZrPA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=SHVXHEGGxuqIpcBFwRHv/uk1e/S46AumK4IMAmbp/ok=; b=NrRkLqsSMqZhmuEpCIj4snoWpGrO7L8k8KqDItFpmmHwpsJEjB/eOfNZ95z8qZINKG T0oJE1zWbYbQ+Nl6DO8B4Jm/On6RDGGk5qK9P/05rd1uH3heOCRc2akW/lqUhffCnGz8 gc8zAmBouWmJbO9fhQ/FDo7zuS0BCUgw9c5t36wvfQGFaHD4A0yXGjrjqAVZszjcLxpt w1h9NBUy15bsiHvD1XEwu+BqaIf4W6b6nJLniTI62U2wcj51cYhCyODpQcr/0Jfzb0ne QyLgCwbUJtOS0hWTTxeWdytHqh32qKIdxSOZ79nOBl49yH8uLdq8SXjsnX1EhsOWPAhd W3/A== X-Gm-Message-State: APjAAAUd/KavxqZDm7sHatVR13XBjsRL8UF7DaxnTL7Q1HJyLIzuFaKE MJaHFEYig6Y7HBYSJT2HB5sgJ1hOdS/Hu4wAraM= X-Received: by 2002:a1f:e0c2:: with SMTP id x185mr10557825vkg.6.1574448926211; Fri, 22 Nov 2019 10:55:26 -0800 (PST) Date: Fri, 22 Nov 2019 10:55:21 -0800 Message-Id: <20191122185522.20582-1-ndesaulniers@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.24.0.432.g9d3f5f5b63-goog Subject: [PATCH] arm: explicitly place .fixup in .text From: Nick Desaulniers To: linux@armlinux.org.uk Cc: nico@fluxnic.net, clang-built-linux@googlegroups.com, manojgupta@google.com, natechancellor@gmail.com, Kees Cook , stable@vger.kernel.org, Nick Desaulniers , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Kees Cook There's an implicit dependency on the section ordering of the orphaned section .fixup that can break arm_copy_from_user if the linker places the .fixup section before the .text section. Since .fixup is not explicitly placed in the existing ARM linker scripts, the linker is free to order it anywhere with respect to the rest of the sections. Multiple users from different distros (Raspbian, CrOS) reported kernel panics executing seccomp() syscall with Linux kernels linked with LLD. Documentation/x86/exception-tables.rst alludes to the ordering dependency. The relevant quote: ``` NOTE: Due to the way that the exception table is built and needs to be ordered, only use exceptions for code in the .text section. Any other section will cause the exception table to not be sorted correctly, and the exceptions will fail. Things changed when 64-bit support was added to x86 Linux. Rather than double the size of the exception table by expanding the two entries from 32-bits to 64 bits, a clever trick was used to store addresses as relative offsets from the table itself. The assembly code changed from:: .long 1b,3b to: .long (from) - . .long (to) - . and the C-code that uses these values converts back to absolute addresses like this:: ex_insn_addr(const struct exception_table_entry *x) { return (unsigned long)&x->insn + x->insn; } ``` Since the addresses stored in the __ex_table are RELATIVE offsets and not ABSOLUTE addresses, ordering the fixup anywhere that's not immediately preceding .text causes the relative offset of the faulting instruction to be wrong, causing the wrong (or no) address of the fixup handler to looked up in __ex_table. x86 and arm64 place the .fixup section near the end of the .text section; follow their pattern. Cc: stable@vger.kernel.org Link: https://github.com/ClangBuiltLinux/linux/issues/282 Link: https://bugs.chromium.org/p/chromium/issues/detail?id=1020633#c36 Reported-by: Manoj Gupta Reported-by: Nathan Chancellor Signed-off-by: Kees Cook Signed-off-by: Nick Desaulniers Debugged-by: Nick Desaulniers Worded-by: Nick Desaulniers Tested-by: Manoj Gupta Tested-by: Nathan Chancellor --- arch/arm/kernel/vmlinux.lds.h | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm/kernel/vmlinux.lds.h b/arch/arm/kernel/vmlinux.lds.h index 8247bc15addc..e130f7668cf0 100644 --- a/arch/arm/kernel/vmlinux.lds.h +++ b/arch/arm/kernel/vmlinux.lds.h @@ -74,6 +74,7 @@ LOCK_TEXT \ HYPERVISOR_TEXT \ KPROBES_TEXT \ + *(.fixup) \ *(.gnu.warning) \ *(.glue_7) \ *(.glue_7t) \ -- 2.24.0.432.g9d3f5f5b63-goog