Date: Sat, 22 Feb 2020 08:44:38 +0900
From: Masami Hiramatsu
To: Will Deacon
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, akpm@linux-foundation.org, "K. Prasad", Thomas Gleixner, Greg Kroah-Hartman, Frederic Weisbecker, Christoph Hellwig, Quentin Perret, Alexei Starovoitov
Subject: Re: [PATCH 0/3] Unexport kallsyms_lookup_name() and kallsyms_on_each_symbol()
Message-Id: <20200222084438.37a0ff99edbe32acdb666c79@kernel.org>
In-Reply-To: <20200221144853.GA18153@willie-the-truck>
References: <20200221114404.14641-1-will@kernel.org> <20200221232746.6eb84111a0d385bed71613ff@kernel.org> <20200221144853.GA18153@willie-the-truck>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 21 Feb 2020 14:48:54 +0000
Will Deacon wrote:

> Hi Masami,
>
> On Fri, Feb 21, 2020 at 11:27:46PM +0900, Masami Hiramatsu wrote:
> > On Fri, 21 Feb 2020 11:44:01 +0000
> > Will Deacon wrote:
> > > Despite having just a single modular in-tree user that I could spot,
> > > kallsyms_lookup_name() is exported to modules and provides a mechanism
> > > for out-of-tree modules to access and invoke arbitrary, non-exported
> > > kernel symbols when kallsyms is enabled.
> > >
> > > This patch series fixes up that one user and unexports the symbol along
> > > with kallsyms_on_each_symbol(), since that could also be abused in a
> > > similar manner.
> >
> > What kind of issue would you like to fix with this?
>
> I would like to avoid out-of-tree modules being easily able to call
> functions that are not exported. kallsyms_lookup_name() makes this
> trivial to the point that there is very little incentive to rework these
> modules to either use upstream interfaces correctly or propose functionality
> which may be otherwise missing upstream. Both of these latter solutions
> would be pre-requisites to upstreaming these modules, and the current state
> of things actively discourages that approach.
>
> The background here is that we are aiming for Android devices to be able
> to use a generic binary kernel image closely following upstream, with
> any vendor extensions coming in as kernel modules. In this case, we
> (Google) end up maintaining the binary module ABI within the scope of a
> single LTS kernel. Monitoring and managing the ABI surface is not feasible
> if it effectively includes all data and functions via kallsyms_lookup_name().
> Of course, we could just carry this patch in the Android kernel tree,
> but we're aiming to carry as little as possible (ideally nothing) and
> I think it's a sensible change in its own right. I'm surprised you object
> to it, in all honesty.
>
> Now, you could turn around and say "that's not upstream's problem", but
> it still seems highly undesirable to me to have an upstream bypass for
> exported symbols that isn't even used by upstream modules. It's ripe for
> abuse and encourages people to work outside of the upstream tree. The
> usual rule is that we don't export symbols without a user in the tree
> and that seems especially relevant in this case.

So this is to officially state our policy that if out-of-tree driver
developers need some symbol exposed, they should work with upstream to
find a better solution. Not for fixing some kind of security hole.

> > There are many ways to find (estimate) a symbol address, especially if
> > the programmer already has the symbol map, it is *very* easy to find
> > the target symbol address even from one exported symbol (the distance
> > of 2 symbols doesn't change.) If not, they can use kprobes to find
> > their required symbol address. If they have time, they can use
> > snprintf("%pF") to search for the symbol.
>
> I would say that both of these are inconvenient enough that the developer
> would think twice before considering to use them in production.

Fair enough.

> > So, for me, this series just makes it hard for casual developers (but
> > maybe they will find the answer on any technical Q&A site soon).
>
> Which casual developers? I don't understand who you're referring to here.
> Do you have a specific example in mind?

No, I don't. :)

> > Hmm, are there other good ways to detect such bad-manner out-of-tree
> > modules and reject them? What about decoding them and monitoring all
> > their call instructions?
>
> That sounds like using a sledge hammer to crack a nut to me.

Agreed. Just for discouraging abuse of unexposed symbols, I think this is enough.

Reviewed-by: Masami Hiramatsu for this series.

Thank you,

-- 
Masami Hiramatsu
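Added example, not part of this thread or of the patch series: a small Python checker that does the lightweight version of the "detect bad-manner out-of-tree modules" idea discussed above. Instead of decoding call instructions, it reads `nm` output for each module and flags any module whose undefined symbols include the two functions this series unexports, kallsyms_lookup_name and kallsyms_on_each_symbol. The module names and the `nm` lines below are constructed sample data, not real vendor modules.

```python
"""
Flag kernel modules that import the symbols unexported by this series.

Input: the text of `nm` (or `nm -u`) run on each .ko file. Only the
undefined-symbol lines ("U <name>") matter; other symbol types are ignored.
"""
import re
from typing import Dict, List

# The two symbols named in the patch series.
WATCHED_SYMBOLS = frozenset({"kallsyms_lookup_name", "kallsyms_on_each_symbol"})

# nm prints "<value> <type> <name>" for defined symbols and
# "<padding> U <name>" for undefined ones, so the value column is optional.
_NM_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)\s*$")


def parse_nm_undefined(text: str) -> List[str]:
    """Return the names of undefined ('U') symbols in nm output, in order."""
    names = []
    for line in text.splitlines():
        m = _NM_LINE.match(line)
        if m and m.group(1) == "U":
            names.append(m.group(2))
    return names


def find_private_symbol_users(nm_output_by_module: Dict[str, str]) -> Dict[str, List[str]]:
    """Map module name -> sorted watched symbols it imports (modules with hits only)."""
    hits = {}
    for module, text in nm_output_by_module.items():
        flagged = sorted(set(parse_nm_undefined(text)) & WATCHED_SYMBOLS)
        if flagged:
            hits[module] = flagged
    return hits


# Constructed sample nm output for three hypothetical modules (not real data).
SAMPLE_NM_OUTPUT = {
    "vendor_foo.ko": (
        "                 U kallsyms_lookup_name\n"
        "                 U printk\n"
        "                 U __fentry__\n"
        "0000000000000000 T init_module\n"
    ),
    "vendor_bar.ko": (
        "                 U printk\n"
        "                 U mutex_lock\n"
        "                 U kallsyms_on_each_symbol\n"
        "                 U kallsyms_lookup_name\n"
    ),
    "vendor_baz.ko": (
        "                 U printk\n"
        "                 U module_layout\n"
    ),
}

if __name__ == "__main__":
    for module, symbols in sorted(find_private_symbol_users(SAMPLE_NM_OUTPUT).items()):
        print(f"{module}: imports {', '.join(symbols)}")
```

To run it against a real module tree, feed `find_private_symbol_users` a dict built from `nm` on each `.ko`. Once the series is applied, a module that imports either symbol fails to load with an unknown-symbol error anyway; this scan is useful before that, for a kernel that still exports them, and it only catches direct imports. As the thread itself notes, a module that computes addresses from a symbol map or via kprobes would not be caught by this check.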