Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp432230pxa; Wed, 12 Aug 2020 05:58:14 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyREU0dXK0tNPBX9vArT6uw7aYdzB6BRV0B2Eo6d+LOgdNWMlcI2LtUiBE6m55tXYP07Tqm X-Received: by 2002:a17:906:d8b6:: with SMTP id qc22mr32825518ejb.468.1597237094329; Wed, 12 Aug 2020 05:58:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597237094; cv=none; d=google.com; s=arc-20160816; b=rnz0vv8Lfy0ckzRsNqtZN14et5xKOp4Co4n0HbqLw+2wFZzVmd+y8bbX7MCBC3n2IF Sx9CPuS9FlDb3InFU19PhVhkVtg+Rlbext635kGni/57lRPQnUeXFBxwQX19whbqe1xx uPnd2clgYhTmVrmeh/UYAbz7MQRnYXciOvs4i/blGksiWIaeUOVOx2KU3P59tyf+E5ft 8e/Em7JvO18cZl8Ma6KpEPhWTNjdCxn0XE9harL9e5UfvOdTziwXQW0vBQ4episSzkwG eFTdHQfay/NgoYpeGJUZagWQ7CNqRZg+W4hiEnjBw3v5fdq5U+6W8jFXJBzKqMb2iEWE YQ/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=v02EBs8cjbT4ED2Rj1ogpCLzp0+SqCU6G8E+x9fn+d0=; b=k+uEgVRhn/1z57WjedTVxskxQ7T5zB54cjyLrzlJeD6aRPtn0188vy1AZbwWf2HUA8 mCyWv6VVqaMBCj42gi0AlHdnyAfNPYAWkApqkMibtE2c6GkKLYkSuFmo3saMk/iE1ca8 gewcaSCeZxPIYyPl8GZ8+cykMeHwsJGqOtRwxjFxJr3z98J7yZMpt94Ddey4T7y0UF3K bim3rkde5BOauMFWHWphmBTieGMX2PQyv0Br51JpCUJu+4AbeiXPgTHUxkUCQbKx0MvA KS/idR1nGZS/hbkKK6HWCGU5QFEbdTp0svMdv1nW6GKJQ3PtaZp5pH5uSA20FhHX6+ZG MUtA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=WYyUdzQW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g18si1114087ejb.224.2020.08.12.05.57.51; Wed, 12 Aug 2020 05:58:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=WYyUdzQW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727981AbgHLM4y (ORCPT + 99 others); Wed, 12 Aug 2020 08:56:54 -0400 Received: from mail.kernel.org ([198.145.29.99]:32908 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726698AbgHLM4v (ORCPT ); Wed, 12 Aug 2020 08:56:51 -0400 Received: from willie-the-truck (236.31.169.217.in-addr.arpa [217.169.31.236]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 51888204FD; Wed, 12 Aug 2020 12:56:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597237011; bh=BGNPvffdTYH5cvHawxVaBWNHtXi/xbYebLv+GDhLXW4=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=WYyUdzQWeFFSH6eebGJcAWuEf5bXLvxWmMx1FIe4GHVlm0PyG6MSNgVuVZJ90wZRv mnReGhnLI/NQhUI7VP+SLK3Uz8BM0cSgbD6a8IoiXZWZ29MTZl+Ts/wsCQf5s2gHZr rlBwSnqYPYQ/ygzsVlp+t6u9rFHiwQ7VSmZQkf2w= Date: Wed, 12 Aug 2020 13:56:46 +0100 From: Will Deacon To: peterz@infradead.org, szabolcs.nagy@arm.com Cc: Ard Biesheuvel , Jessica Yu , Mauro Carvalho Chehab , Linux Kernel Mailing List , Thomas Gleixner , Kees Cook , Josh Poimboeuf , Miroslav Benes , Mark Rutland Subject: Re: [PATCH v2] module: Harden STRICT_MODULE_RWX Message-ID: <20200812125645.GA8675@willie-the-truck> References: <20200403171303.GK20760@hirez.programming.kicks-ass.net> <20200808101222.5103093e@coco.lan> <20200810092523.GA8612@linux-8ccs> <20200810150647.GB8612@linux-8ccs> <20200811163427.6edbf343@coco.lan> <20200811145524.GE2674@hirez.programming.kicks-ass.net> <20200811172738.2d632a09@coco.lan> <20200811160134.GA13652@linux-8ccs> <20200812104005.GN2674@hirez.programming.kicks-ass.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200812104005.GN2674@hirez.programming.kicks-ass.net> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Aug 12, 2020 at 12:40:05PM +0200, peterz@infradead.org wrote: > On Wed, Aug 12, 2020 at 10:56:56AM +0200, Ard Biesheuvel wrote: > > The module .lds has BYTE(0) in the section contents to prevent the > > linker from pruning them entirely. The (NOLOAD) is there to ensure > > that this byte does not end up in the .ko, which is more a matter of > > principle than anything else, so we can happily drop that if it helps. > > > > However, this should only affect the PROGBITS vs NOBITS designation, > > and so I am not sure whether it makes a difference. > > > > Depending on where the w^x check occurs, we might simply override the > > permissions of these sections, and strip the writable permission if it > > is set in the PLT handling init code, which manipulates the metadata > > of all these 3 sections before the module space is vmalloc'ed. > > What's curious is that this seems the result of some recent binutils > change. Every build with binutils-2.34 (or older) does not seem to > generate these as WAX, but has the much more sensible WA. > > I suppose we can change the kernel check and 'allow' W^X for 0 sized > sections, but I think we should still figure out why binutils-2.35 is > now generating WAX sections all of a sudden, it might come bite us > elsewhere. Agreed, I think it's important to figure out what's going on here before we try to bodge around it. Adding Szabolcs, in case he has any ideas. To save him reading the whole thread, here's a summary: AArch64 kernel modules built with binutils 2.35 end up with a couple of ELF sections marked as SHF_WRITE | SHF_ALLOC | SHF_EXECINSTR: [ 5] .plt PROGBITS 0000000000000388 01d000 000008 00 WAX 0 0 1 [ 6] .init.plt NOBITS 0000000000000390 01d008 000008 00 WA 0 0 1 [ 7] .text.ftrace_trampoline PROGBITS 0000000000000398 01d008 000008 00 WAX 0 0 1 This results in the module being rejected by our loader, because we don't permit writable, executable mappings. Our linker script for these entries uses NOLOAD, so it's odd to see PROGBITS appearing in the readelf output above (and older binutils emits NOBITS sections). Anyway, here's the linker script: SECTIONS { .plt (NOLOAD) : { BYTE(0) } .init.plt (NOLOAD) : { BYTE(0) } .text.ftrace_trampoline (NOLOAD) : { BYTE(0) } } It appears that the name of the section influences the behaviour, as Jessica observed [1] that sections named .text.* end up with PROGBITS, whereas random naming such as ".test" ends up with NOBITS, as before. We've looked at the changelog between binutils 2.34 and 2.35, but nothing stands out. Any clues? Is this intentional binutils behaviour? Thanks, Will [1] https://lore.kernel.org/r/20200812114127.GA10824@linux-8ccs.fritz.box