Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp586523pxa; Wed, 12 Aug 2020 09:01:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzXqusb+rCtSD7EzegKLxkvRpuenSkR1Hs8iuxtCXGODfVLTGq74siJJWibfWBddZjoKArx X-Received: by 2002:a50:bc05:: with SMTP id j5mr516138edh.375.1597248103062; Wed, 12 Aug 2020 09:01:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597248103; cv=none; d=google.com; s=arc-20160816; b=YV7bHSJ+9KrLd0Pp9tw0OjqjVS3XyQQMn+AmGmOe9sXQRMF9KqA8KW9tCyCQXZB7LG rroLAoi4y6bxL6gZiMZbA4MsUrOx6x4LBF13qmvxW3atu4tvMfxu8bHQ3KzkPsm8T0Fm zc8l5nKIMENlyzxvC7ctgIZmla+YSldqxhAHJaX1hQHyNx/4v7+BeRtda7JthSAhgnZ4 rWmgB05ngo0u/HUk/1NK1gStFJElrBEI62UqHalr+ft3qoeoqlC4s9JXuft+s0qvkwE/ kTmD23sDXHqgjsRsEyaCKgQMgig14DVCPR4I7SGFlECrRubAwoJlsdDTDae0RfNw77Gf JHxw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=csHwNR7N1O8I7H9sQa8vBaAWi14/A7Q716cLgdD5y+o=; b=DwKwqb4glQZ8lyqk6UYIRonGG6ZkB7tTXWXw1ZVzsYWtGXmgnDxn4/NyQTIfdF7QPo BrOi3H/AK2vXfNm+PSbw6zGiXwn6ZhAwEIRXcTSQDD5e1LHc0Sgtzwfvb62Ah772wJ7U SkWStmsoqf3e1Cehx8kRlIsK/SkWQ+DLvRcu/iFG4VdNh+u6GJvSYysb8njWuw+5Na4I +8stGlyvMmYNOIENeIHBloZnto9pCyxhfRlhShRYdV7C3paM5RiFiNmtHU+1C6y8AXDI AuCsl1kgvAyjOrmXGVCzr21EMGTcQrbntHI0yxAqqFtZKMecvWn2TSO9RjyOU9Yi6XNr pu/Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=oAPCEis8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a20si1581489eda.489.2020.08.12.09.01.18; Wed, 12 Aug 2020 09:01:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=oAPCEis8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726658AbgHLQAY (ORCPT + 99 others); Wed, 12 Aug 2020 12:00:24 -0400 Received: from mail.kernel.org ([198.145.29.99]:51200 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726540AbgHLQAX (ORCPT ); Wed, 12 Aug 2020 12:00:23 -0400 Received: from linux-8ccs (p57a236d4.dip0.t-ipconnect.de [87.162.54.212]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3109F2080C; Wed, 12 Aug 2020 16:00:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597248022; bh=eG3MLrqj5YnC1fRgBH0kWL1AM/Z3lmWKoxz+o7N3ns0=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=oAPCEis8WSrev5o7mL0hm7bQSFJW5YRnSpe+8GB6P/VAcc7ZczEDVn2s6ZmOCBGFF ZSejeeVDqTBdUHiqNkbBKbFKfjd2v4RwSz+Do4dq+29MXsadCEZRNcCoYQomtUfGaS v5dXK6poViUDOS5EL9rSlXqBeIjPeBT7Vhc8Qcrs= Date: Wed, 12 Aug 2020 18:00:17 +0200 From: Jessica Yu To: Szabolcs Nagy Cc: Will Deacon , peterz@infradead.org, Ard Biesheuvel , Mauro Carvalho Chehab , Linux Kernel Mailing List , Thomas Gleixner , Kees Cook , Josh Poimboeuf , Miroslav Benes , Mark Rutland , nd@arm.com Subject: Re: [PATCH v2] module: Harden STRICT_MODULE_RWX Message-ID: <20200812160017.GA30302@linux-8ccs> References: <20200810092523.GA8612@linux-8ccs> <20200810150647.GB8612@linux-8ccs> <20200811163427.6edbf343@coco.lan> <20200811145524.GE2674@hirez.programming.kicks-ass.net> <20200811172738.2d632a09@coco.lan> <20200811160134.GA13652@linux-8ccs> <20200812104005.GN2674@hirez.programming.kicks-ass.net> <20200812125645.GA8675@willie-the-truck> <20200812141557.GQ14398@arm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <20200812141557.GQ14398@arm.com> X-OS: Linux linux-8ccs 5.8.0-rc6-lp150.12.61-default+ x86_64 User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org +++ Szabolcs Nagy [12/08/20 15:15 +0100]: >The 08/12/2020 13:56, Will Deacon wrote: >> On Wed, Aug 12, 2020 at 12:40:05PM +0200, peterz@infradead.org wrote: >> > On Wed, Aug 12, 2020 at 10:56:56AM +0200, Ard Biesheuvel wrote: >> > > The module .lds has BYTE(0) in the section contents to prevent the >> > > linker from pruning them entirely. The (NOLOAD) is there to ensure >> > > that this byte does not end up in the .ko, which is more a matter of >> > > principle than anything else, so we can happily drop that if it helps. >> > > >> > > However, this should only affect the PROGBITS vs NOBITS designation, >> > > and so I am not sure whether it makes a difference. >> > > >> > > Depending on where the w^x check occurs, we might simply override the >> > > permissions of these sections, and strip the writable permission if it >> > > is set in the PLT handling init code, which manipulates the metadata >> > > of all these 3 sections before the module space is vmalloc'ed. >> > >> > What's curious is that this seems the result of some recent binutils >> > change. Every build with binutils-2.34 (or older) does not seem to >> > generate these as WAX, but has the much more sensible WA. >> > >> > I suppose we can change the kernel check and 'allow' W^X for 0 sized >> > sections, but I think we should still figure out why binutils-2.35 is >> > now generating WAX sections all of a sudden, it might come bite us >> > elsewhere. >> >> Agreed, I think it's important to figure out what's going on here before we >> try to bodge around it. >> >> Adding Szabolcs, in case he has any ideas. >> >> To save him reading the whole thread, here's a summary: >> >> AArch64 kernel modules built with binutils 2.35 end up with a couple of >> ELF sections marked as SHF_WRITE | SHF_ALLOC | SHF_EXECINSTR: >> >> [ 5] .plt PROGBITS 0000000000000388 01d000 000008 00 WAX 0 0 1 >> [ 6] .init.plt NOBITS 0000000000000390 01d008 000008 00 WA 0 0 1 >> [ 7] .text.ftrace_trampoline PROGBITS 0000000000000398 01d008 000008 00 WAX 0 0 1 >> >> This results in the module being rejected by our loader, because we don't >> permit writable, executable mappings. >> >> Our linker script for these entries uses NOLOAD, so it's odd to see PROGBITS >> appearing in the readelf output above (and older binutils emits NOBITS >> sections). Anyway, here's the linker script: >> >> SECTIONS { >> .plt (NOLOAD) : { BYTE(0) } >> .init.plt (NOLOAD) : { BYTE(0) } >> .text.ftrace_trampoline (NOLOAD) : { BYTE(0) } >> } >> >> It appears that the name of the section influences the behaviour, as >> Jessica observed [1] that sections named .text.* end up with PROGBITS, >> whereas random naming such as ".test" ends up with NOBITS, as before. >> >> We've looked at the changelog between binutils 2.34 and 2.35, but nothing >> stands out. Any clues? Is this intentional binutils behaviour? > >for me it bisects to > >https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=8c803a2dd7d3d742a3d0071914f557ef465afe71 > >i will have to investigate further what's going on. Thanks for the hint. I'm almost certain it's due to this excerpt from the changelog: "we now init sh_type and sh_flags for all known ABI sections in _bfd_elf_new_section_hook." Indeed, .plt and .text.* are listed as special sections in bfd/elf.c. The former requires an exact match and the latter only has to match the prefix ".text." Since the code considers ".plt" and ".text.ftrace_trampoline" special sections, their sh_type and sh_flags are now set by default. Now I guess the question is whether this can be overriden by a linker script..