Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp829459ybh; Wed, 22 Jul 2020 14:33:57 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzAS+k2gwy6Nv+tEpk0gBz5NTVVgWhgTdeUzwaZnvQgDJwARobYRbrVAP8VzfZdkyPWDKWZ X-Received: by 2002:a17:906:3850:: with SMTP id w16mr1525061ejc.205.1595453637249; Wed, 22 Jul 2020 14:33:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595453637; cv=none; d=google.com; s=arc-20160816; b=Hy7W2SbjhERnpyOad8tuaBFS/nXEXpEL2ceHqUWckp5vwynNFOKmG86q8JXAC9PFgl MA5vpqzHgPun+sQYa1LqgvRm4wbtqZ1T1SivIDAK1E0Cy/8vMinjFD/bIeest7SjHA4I ssftUJnzDCC70gt2UJcNPZz9d6rejz5jKuDdYNHrc3BQctuNmSh3Yf0jL56NB5puiGZF CxF1iMeqOU3QuZhAeEFvwISiixmFvJ7eCZ+mSQC3CkRGahOcT3V7egB6mW0oEbhzcSOZ JdLy8MsrbMfmnLi77SLwrxXhLa4ioep/K6O6hgLEqeqRrUNq4iBMmQBhn+IRYYgb0gCT PzLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=6UgVjjJcVGP42I9xFZ1qZP7ITGojf/KeQGKFYq4eMxc=; b=PsMbCw7kqD+NLTR6ddIZZKeMcKl9kS5InhFrYCUQgN1TJXVVyci0uBUaKWvVj5Tw/t k6GZpzdOgcznqu/vQXmmAF3tJJ94uOpMX1Y3CnRYPfJxlGTzCdKnpug6HvgXY3KqtypX fzEmZgHUZFqi5x6x88o6I7Bb9UpnvFDVltXTtyDA8eRWyOsj4GNf9whvfwGuY1jATdtT msb0NOZXmzJr6sSljY0k7UXNC8XsXfkFeMwGymMF8yYoFs2ncrat1vusypFcJKv2n/BV sGm1kqJqcMsz8FzDc6Hqy56vy+ErPnRpSTWVS91yYnUZKurmsg89joAPCKdZ8u600+PV mv7Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=gYBt6oho; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id lo3si579436ejb.219.2020.07.22.14.33.34; Wed, 22 Jul 2020 14:33:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=gYBt6oho; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732511AbgGVVd2 (ORCPT + 99 others); Wed, 22 Jul 2020 17:33:28 -0400 Received: from us-smtp-2.mimecast.com ([205.139.110.61]:59998 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726685AbgGVVd2 (ORCPT ); Wed, 22 Jul 2020 17:33:28 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1595453606; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=6UgVjjJcVGP42I9xFZ1qZP7ITGojf/KeQGKFYq4eMxc=; b=gYBt6ohoIQZ86bOnFdZo5aNAxyVlGMrOykaZOdOR0Ff9H42lKmNbi+9jQsFFz1v7SSj3TK 6elIgb6h9sb2PhFNz5XgA07XK3jDJxwIIHlOm/Gnp3oTIF9BBMee6FLeJAH268I745BTMj nSBoxsmR6VfZU/0mXVEmUmHVu9ORLeI= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-234-2z4NQGofNKiv8rFqmw4fnw-1; Wed, 22 Jul 2020 17:33:20 -0400 X-MC-Unique: 2z4NQGofNKiv8rFqmw4fnw-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id AA8EE1923762; Wed, 22 Jul 2020 21:33:17 +0000 (UTC) Received: from treble (ovpn-116-168.rdu2.redhat.com [10.10.116.168]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C6D8E710C3; Wed, 22 Jul 2020 21:33:15 +0000 (UTC) Date: Wed, 22 Jul 2020 16:33:13 -0500 From: Josh Poimboeuf To: Kristen Carlson Accardi Cc: Kees Cook , Miroslav Benes , tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, arjan@linux.intel.com, x86@kernel.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, rick.p.edgecombe@intel.com, live-patching@vger.kernel.org Subject: Re: [PATCH v4 00/10] Function Granular KASLR Message-ID: <20200722213313.aetl3h5rkub6ktmw@treble> References: <20200717170008.5949-1-kristen@linux.intel.com> <202007220738.72F26D2480@keescook> <20200722160730.cfhcj4eisglnzolr@treble> <202007221241.EBC2215A@keescook> <301c7fb7d22ad6ef97856b421873e32c2239d412.camel@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <301c7fb7d22ad6ef97856b421873e32c2239d412.camel@linux.intel.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 22, 2020 at 12:56:10PM -0700, Kristen Carlson Accardi wrote: > On Wed, 2020-07-22 at 12:42 -0700, Kees Cook wrote: > > On Wed, Jul 22, 2020 at 11:07:30AM -0500, Josh Poimboeuf wrote: > > > On Wed, Jul 22, 2020 at 07:39:55AM -0700, Kees Cook wrote: > > > > On Wed, Jul 22, 2020 at 11:27:30AM +0200, Miroslav Benes wrote: > > > > > Let me CC live-patching ML, because from a quick glance this is > > > > > something > > > > > which could impact live patching code. At least it invalidates > > > > > assumptions > > > > > which "sympos" is based on. > > > > > > > > In a quick skim, it looks like the symbol resolution is using > > > > kallsyms_on_each_symbol(), so I think this is safe? What's a good > > > > selftest for live-patching? > > > > > > The problem is duplicate symbols. If there are two static > > > functions > > > named 'foo' then livepatch needs a way to distinguish them. > > > > > > Our current approach to that problem is "sympos". We rely on the > > > fact > > > that the second foo() always comes after the first one in the > > > symbol > > > list and kallsyms. So they're referred to as foo,1 and foo,2. > > > > Ah. Fun. In that case, perhaps the LTO series has some solutions. I > > think builds with LTO end up renaming duplicate symbols like that, so > > it'll be back to being unique. > > > > Well, glad to hear there might be some precendence for how to solve > this, as I wasn't able to think of something reasonable off the top of > my head. Are you speaking of the Clang LTO series? > https://lore.kernel.org/lkml/20200624203200.78870-1-samitolvanen@google.com/ I'm not sure how LTO does it, but a few more (half-brained) ideas that could work: 1) Add a field in kallsyms to keep track of a symbol's original offset before randomization/re-sorting. Livepatch could use that field to determine the original sympos. 2) In fgkaslr code, go through all the sections and mark the ones which have duplicates (i.e. same name). Then when shuffling the sections, skip a shuffle if it involves a duplicate section. That way all the duplicates would retain their original sympos. 3) Livepatch could uniquely identify symbols by some feature other than sympos. For example: Symbol/function size - obviously this would only work if duplicately named symbols have different sizes. Checksum - as part of a separate feature we're also looking at giving each function its own checksum, calculated based on its instruction opcodes. Though calculating checksums at runtime could be complicated by IP-relative addressing. I'm thinking #1 or #2 wouldn't be too bad. #3 might be harder. -- Josh