Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp1312041pxa; Thu, 13 Aug 2020 06:08:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxR8OoC87Qk7AbX/Tndlb8S7xPnBfND2yhGoGvWZMCf23mM7WJdZeSPtdAYO8uOnEKk/xZs X-Received: by 2002:a17:906:4dcb:: with SMTP id f11mr4573613ejw.454.1597324108273; Thu, 13 Aug 2020 06:08:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597324108; cv=none; d=google.com; s=arc-20160816; b=rDm6qvHhlG0S/Qnx/96UlnDidI0G9Uf3OOzxG9ZB7Udw78UmXWC58JVpyiH83XFkZk lC7oDe9K5oUuJHqZm7Wfbd93/dKtHjtE3fFvNvADYU90cB/RYP4FkpnyzD8to7YMAuE9 vT7q3N5f/ejj9BmjoCeLC6jsSvoaeo1nyPHezjiMT1j4pSmCVMaQAzC3pbQsw6d//l0u sOBgMSrzcXKqcO264buSWkQzP1df02xTriSy+9+7yUBkgqkVBKojVE6hgTRph+PpuhTy ZY/d8+nZ2KytLpfMxVt9nCEjVRehZ1UTpofYrscvg6e2xewss9PPagyCL0cPEvbxaUN5 KkvQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=VwuF/zMtYVIelFkx6ELH0E/1q4DrTcNb15XW4ScgHag=; b=bouLeby3/wDkVHmThr8r8j/y7355KKpQlqUbGILQGnjQd+3utRikNXQB42HipBducB UHXM5wQTRrQCX05q3ajQsh0x2CQPGcftkJRkzzfEIAMQtM8XuMBXjNZ9KmOaA0UpUXYA 8xdUbhe6rr1ZHbvE/h/2JxdVi0uOcnlbOqNxaPjY6nRNykqEs06cOiOLD/oPGbI6tOPZ BmC2vC2SfLedwvzDPFLTjX9UhHgmqt74pELe5jjsM569CO3EbzYDIWFwQDdvTWXal/ao PkAvtFDaoYPR/VjA8WOjIqldvUnw9fBmOZfowdLCr/u7mw2rDIh24nPjTv/1QNeagBs0 E6+g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=gVBS22cS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p8si3137751ejf.352.2020.08.13.06.08.04; Thu, 13 Aug 2020 06:08:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=gVBS22cS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726557AbgHMNH1 (ORCPT + 99 others); Thu, 13 Aug 2020 09:07:27 -0400 Received: from mail.kernel.org ([198.145.29.99]:59390 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726131AbgHMNH0 (ORCPT ); Thu, 13 Aug 2020 09:07:26 -0400 Received: from mail-oi1-f173.google.com (mail-oi1-f173.google.com [209.85.167.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D218C2087C for ; Thu, 13 Aug 2020 13:07:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597324045; bh=VcwApqM6DK8ecEh+UIkhoHA0RLne+ZImllm8gN6jcVE=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=gVBS22cSg1yykUPgCjhs3OEKYO/ySG7YzbCnzKWILSmyjDaKbLmHDQjehMjMz7IwJ w/Ss5NWKEz3Rb2EGYgpjAEg5aO+EWbfGmCDfByoQUESUJhPEL9fD+FRXtmWTigUPaD MIEJqpTkcPNOFN+/7o8/p4gzy0pVFn7CkDVw1Ik8= Received: by mail-oi1-f173.google.com with SMTP id e6so4961112oii.4 for ; Thu, 13 Aug 2020 06:07:25 -0700 (PDT) X-Gm-Message-State: AOAM5315yP/gX3rk+s13sONRYVBYfRafjTobjBi/mJe/8yo5OaeCeXlJ Tkp1zoXVNxYGMNE0QjVBRO4tbFIc0nPoidIJmN8= X-Received: by 2002:aca:d8c5:: with SMTP id p188mr3103262oig.47.1597324045108; Thu, 13 Aug 2020 06:07:25 -0700 (PDT) MIME-Version: 1.0 References: <20200811172738.2d632a09@coco.lan> <20200811160134.GA13652@linux-8ccs> <20200812104005.GN2674@hirez.programming.kicks-ass.net> <20200812125645.GA8675@willie-the-truck> <20200812141557.GQ14398@arm.com> <20200812160017.GA30302@linux-8ccs> <20200812200019.GY3982@worktop.programming.kicks-ass.net> <20200813130422.GA16938@linux-8ccs> In-Reply-To: <20200813130422.GA16938@linux-8ccs> From: Ard Biesheuvel Date: Thu, 13 Aug 2020 15:07:13 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2] module: Harden STRICT_MODULE_RWX To: Jessica Yu Cc: Peter Zijlstra , Szabolcs Nagy , Will Deacon , Mauro Carvalho Chehab , Linux Kernel Mailing List , Thomas Gleixner , Kees Cook , Josh Poimboeuf , Miroslav Benes , Mark Rutland , nd Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 13 Aug 2020 at 15:04, Jessica Yu wrote: > > +++ Ard Biesheuvel [13/08/20 10:36 +0200]: > >On Wed, 12 Aug 2020 at 22:00, Peter Zijlstra wrote: > >> > >> On Wed, Aug 12, 2020 at 06:37:57PM +0200, Ard Biesheuvel wrote: > >> > I know there is little we can do at this point, apart from ignoring > >> > the permissions - perhaps we should just defer the w^x check until > >> > after calling module_frob_arch_sections()? > >> > >> My earlier suggestion was to ignore it for 0-sized sections. > > > >Only they are 1 byte sections in this case. > > > >We override the sh_type and sh_flags explicitly for these sections at > >module load time, so deferring the check seems like a reasonable > >alternative to me. > > So module_enforce_rwx_sections() is already called after > module_frob_arch_sections() - which really baffled me at first, since > sh_type and sh_flags should have been set already in > module_frob_arch_sections(). > > I added some debug prints to see which section the module code was > tripping on, and it was .text.ftrace_trampoline. See this snippet from > arm64's module_frob_arch_sections(): > > else if (IS_ENABLED(CONFIG_DYNAMIC_FTRACE) && > !strcmp(secstrings + sechdrs[i].sh_name, > ".text.ftrace_trampoline")) > tramp = sechdrs + i; > > Since Mauro's config doesn't have CONFIG_DYNAMIC_FTRACE enabled, tramp > is never set here and the if (tramp) check at the end of the function > fails, so its section flags are never set, so they remain WAX and fail > the rwx check. Right. Our module.lds does not go through the preprocessor, so we cannot add the #ifdef check there currently. So we should either drop the IS_ENABLED() check here, or simply rename the section, dropping the .text prefix (which doesn't seem to have any significance outside this context) I'll leave it to Will to make the final call here.