Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp2568774pxa; Mon, 24 Aug 2020 18:56:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw6ph3t27KX6OVRm6ecXNW0/rmPxxOv+pKpYBPDpvRfL6akPGwiGnx61j8VoAzf79iLZAbV X-Received: by 2002:a50:bac2:: with SMTP id x60mr8296736ede.210.1598320585151; Mon, 24 Aug 2020 18:56:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598320585; cv=none; d=google.com; s=arc-20160816; b=V4jtgtu+PkCkz5EFI8DWX77ZqyNCrPv+L2jrDKvqwaK9IVztS0fPG8o6j+k1ga+rs6 ccImMkAL9cFmAk7I/8x/UxH7lKGxt0GxZOJV3T1FCcNlsEBnvkxdmCpnO+hD6ICVOVmU uBvVeCK6bwt4WrTFepMu7efujzG42iIe6WyytNyRwTgNoyYgg1WpNPUbY8MeBlIi8HlP Hr9/5gl56YA3bJz4lkdkaU5m8uZHPnMJR0w/c1OWYE7AjF5ybIh0SAQiZILzXNhlwhhD mvT5i8ZzvO0ZaibBnJCAm/c/jZuJ2RmqUBCqNw51iGxIw2/xfKPOz9+N0Tdwgc1Bixbx h95A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature:dkim-filter; bh=CKR+6kF2zsUjEyroT6l5Mabjj0JoFdiFLY9EUgK/rQ8=; b=ldcYEU80IUAEtx8ryxrQ7umT5vvp5CtCKRyQB4jZIdcrtm8Xt9UpiESoM9dXDZv7Hz Ysyd2miZvYFPX0Pjo8COUupN7bT4fbTdF7TGwGGoB/0AXg5DamVHlhNR8xHzwsKSkqeI AZNifbCjgGT7/fy82NvXvtaclGjf1QW9ccaGd+4spS6730PIPWH348/HKsIcim+pEirZ RNyOBl1H9ZrwoMk5iAM/0Rv0rcf82d/HYwdxtp7eSQ23UWLWL2ycbwLNirKS44rDzD7+ /HlY/3tDSrwPKqrRXwVnq5EbNz4vBl6vhyU52l9r5x2FD+Vr3L+KJVHQ1OV0NdcTniao lo7w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@nifty.com header.s=dec2015msa header.b=HQxo0Hh7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p4si3889935edm.96.2020.08.24.18.56.02; Mon, 24 Aug 2020 18:56:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@nifty.com header.s=dec2015msa header.b=HQxo0Hh7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726767AbgHYBy6 (ORCPT + 99 others); Mon, 24 Aug 2020 21:54:58 -0400 Received: from conssluserg-01.nifty.com ([210.131.2.80]:64801 "EHLO conssluserg-01.nifty.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725924AbgHYByy (ORCPT ); Mon, 24 Aug 2020 21:54:54 -0400 Received: from mail-vs1-f48.google.com (mail-vs1-f48.google.com [209.85.217.48]) (authenticated) by conssluserg-01.nifty.com with ESMTP id 07P1se50013557 for ; Tue, 25 Aug 2020 10:54:40 +0900 DKIM-Filter: OpenDKIM Filter v2.10.3 conssluserg-01.nifty.com 07P1se50013557 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nifty.com; s=dec2015msa; t=1598320481; bh=CKR+6kF2zsUjEyroT6l5Mabjj0JoFdiFLY9EUgK/rQ8=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=HQxo0Hh7Sm5JG0iakkdNULPO+O/YRaJuetg5u/z7Fk8S92cXnhIloTHHzH8WaJkVd Xejqn+70d53Js00cyi7nmKdOT9KV8nSMzCfXo1rwEy4LihwpP3zrDXCzfOlZWdY30D AKVsMZ5dKZryNDNqReWswAtHUwk9uMOZmqfZx5M3ipUOuGTgUOhRpgJyFTPHFEGKe3 jzHXhdO0sBkCMVuS0QgWTijXHR3Q4LZ6KLg+Q5Hawu4UFUJM3Nd0RjQfjKBl8GMto0 m16Wy6NIJDW70QRluQHpwJDNnXx3D7WvsY2jM5VCxKJ2ZTP4YQ9zq5GJwUKi1KD25c lGMm/0ZFHS08Q== X-Nifty-SrcIP: [209.85.217.48] Received: by mail-vs1-f48.google.com with SMTP id y8so5516346vsq.8 for ; Mon, 24 Aug 2020 18:54:40 -0700 (PDT) X-Gm-Message-State: AOAM531O/l5yQvWBK6l9vWYx5jGoO/44Nwxsu4lYFawWYRDKpzZ5ou5D 69V6lCJJlJ2IQEkxcFkQ0GINc0+k0FczM4+WZo8= X-Received: by 2002:a67:bb06:: with SMTP id m6mr4408946vsn.54.1598320479429; Mon, 24 Aug 2020 18:54:39 -0700 (PDT) MIME-Version: 1.0 References: <20200812160017.GA30302@linux-8ccs> <20200812200019.GY3982@worktop.programming.kicks-ass.net> <20200813130422.GA16938@linux-8ccs> <20200821121959.GC20833@willie-the-truck> <20200821123036.GA21158@willie-the-truck> <20200824152359.GA32398@linux-8ccs> In-Reply-To: <20200824152359.GA32398@linux-8ccs> From: Masahiro Yamada Date: Tue, 25 Aug 2020 10:54:02 +0900 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2] module: Harden STRICT_MODULE_RWX To: Jessica Yu Cc: Ard Biesheuvel , Will Deacon , Peter Zijlstra , Szabolcs Nagy , Mauro Carvalho Chehab , Linux Kernel Mailing List , Thomas Gleixner , Kees Cook , Josh Poimboeuf , Miroslav Benes , Mark Rutland , nd Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 25, 2020 at 12:24 AM Jessica Yu wrote: > > +++ Ard Biesheuvel [22/08/20 15:47 +0200]: > >(+ Masahiro) > > > >On Fri, 21 Aug 2020 at 14:30, Will Deacon wrote: > >> > >> On Fri, Aug 21, 2020 at 02:27:05PM +0200, Ard Biesheuvel wrote: > >> > On Fri, 21 Aug 2020 at 14:20, Will Deacon wrote: > >> > > > >> > > On Thu, Aug 13, 2020 at 03:07:13PM +0200, Ard Biesheuvel wrote: > >> > > > On Thu, 13 Aug 2020 at 15:04, Jessica Yu wrote: > >> > > > > > >> > > > > +++ Ard Biesheuvel [13/08/20 10:36 +0200]: > >> > > > > >On Wed, 12 Aug 2020 at 22:00, Peter Zijlstra wrote: > >> > > > > >> > >> > > > > >> On Wed, Aug 12, 2020 at 06:37:57PM +0200, Ard Biesheuvel wrote: > >> > > > > >> > I know there is little we can do at this point, apart from ignoring > >> > > > > >> > the permissions - perhaps we should just defer the w^x check until > >> > > > > >> > after calling module_frob_arch_sections()? > >> > > > > >> > >> > > > > >> My earlier suggestion was to ignore it for 0-sized sections. > >> > > > > > > >> > > > > >Only they are 1 byte sections in this case. > >> > > > > > > >> > > > > >We override the sh_type and sh_flags explicitly for these sections at > >> > > > > >module load time, so deferring the check seems like a reasonable > >> > > > > >alternative to me. > >> > > > > > >> > > > > So module_enforce_rwx_sections() is already called after > >> > > > > module_frob_arch_sections() - which really baffled me at first, since > >> > > > > sh_type and sh_flags should have been set already in > >> > > > > module_frob_arch_sections(). > >> > > > > > >> > > > > I added some debug prints to see which section the module code was > >> > > > > tripping on, and it was .text.ftrace_trampoline. See this snippet from > >> > > > > arm64's module_frob_arch_sections(): > >> > > > > > >> > > > > else if (IS_ENABLED(CONFIG_DYNAMIC_FTRACE) && > >> > > > > !strcmp(secstrings + sechdrs[i].sh_name, > >> > > > > ".text.ftrace_trampoline")) > >> > > > > tramp = sechdrs + i; > >> > > > > > >> > > > > Since Mauro's config doesn't have CONFIG_DYNAMIC_FTRACE enabled, tramp > >> > > > > is never set here and the if (tramp) check at the end of the function > >> > > > > fails, so its section flags are never set, so they remain WAX and fail > >> > > > > the rwx check. > >> > > > > >> > > > Right. Our module.lds does not go through the preprocessor, so we > >> > > > cannot add the #ifdef check there currently. So we should either drop > >> > > > the IS_ENABLED() check here, or simply rename the section, dropping > >> > > > the .text prefix (which doesn't seem to have any significance outside > >> > > > this context) > >> > > > > >> > > > I'll leave it to Will to make the final call here. > >> > > > >> > > Why don't we just preprocess the linker script, like we do for the main > >> > > kernel? > >> > > > >> > > >> > That should work as well, I just haven't checked how straight-forward > >> > it is to change that. > >> > >> Ok, if it's _not_ straightforward, then let's just drop the IS_ENABLED() > >> altogether. > >> > > > >I played around with this for a while, but failed to get Kbuild to > >instantiate $(objtree)/arch/arm64/kernel/module.lds based on > >$(srctree)/arch/arm64/kernel/module.lds.S and the cpp_lds_S rule. > >Perhaps Masahiro has any suggestions here? Otherwise, let's just drop > >the IS_ENABLED() check for now. > > I also tinkered around a bit and was able to generate > $(objtree)/arch/arm64/kernel/module.lds based on > $(srctree)/arch/arm64/kernel/module.lds.S only if I specified the > former as the make target directly. Correct me if I'm wrong, but I > guess this might be because the single build targets would utilize > scripts/Makefile.build (where the cpp_lds_S rule is defined) while the > module-related Makefiles don't seem to support .lds.S -> .lds in > general.. Masahiro, how easy would it be to extend .lds.S -> .lds > support to module linker scripts as well? > > Thanks, > > Jessica If you want to generate $(objtree)/arch/arm64/kernel/module.lds, you need to tell it to the build system. The following seems to work, but please do NOT do this: ----------------->8-------------------- diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile index b45f0124cc16..4ae398c21111 100644 --- a/arch/arm64/Makefile +++ b/arch/arm64/Makefile @@ -116,7 +116,7 @@ endif CHECKFLAGS += -D__aarch64__ ifeq ($(CONFIG_ARM64_MODULE_PLTS),y) -KBUILD_LDS_MODULE += $(srctree)/arch/arm64/kernel/module.lds +KBUILD_LDS_MODULE += arch/arm64/kernel/module.lds endif ifeq ($(CONFIG_DYNAMIC_FTRACE_WITH_REGS),y) diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile index a561cbb91d4d..693797e6db01 100644 --- a/arch/arm64/kernel/Makefile +++ b/arch/arm64/kernel/Makefile @@ -71,3 +71,5 @@ extra-y += $(head-y) vmlinux.lds ifeq ($(CONFIG_DEBUG_EFI),y) AFLAGS_head.o += -DVMLINUX_PATH="\"$(realpath $(objtree)/vmlinux)\"" endif + +always-$(CONFIG_MODULES) += module.lds diff --git a/arch/arm64/kernel/module.lds b/arch/arm64/kernel/module.lds.S similarity index 100% rename from arch/arm64/kernel/module.lds rename to arch/arm64/kernel/module.lds.S ----------------->8-------------------- The difference between arch/arm64/kernel/vmlinux.lds and arch/arm64/kernel/module.lds is that we must keep the latter for external module builds. 'make clean' cannot remove any build artifact used for external modules, but 'make mrproper' must remove them. Let me think about it. -- Best Regards Masahiro Yamada