In-Reply-To: <20201214191413.3164796-1-elver@google.com>
From: Andrey Konovalov
Date: Tue, 15 Dec 2020 15:00:52 +0100
Subject: Re: [PATCH] lkdtm: disable KASAN for rodata.o
To: Marco Elver
Cc: Kees Cook, Andrew Morton, LKML, kasan-dev, Arnd Bergmann, Greg Kroah-Hartman, Dmitry Vyukov, clang-built-linux
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Dec 14, 2020 at 8:15 PM Marco Elver wrote:
>
> Building lkdtm with KASAN and Clang 11 or later results in the following
> error when attempting to load the module:
>
> kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
> BUG: unable to handle page fault for address: ffffffffc019cd70
> #PF: supervisor instruction fetch in kernel mode
> #PF: error_code(0x0011) - permissions violation
> ...
> RIP: 0010:asan.module_ctor+0x0/0xffffffffffffa290 [lkdtm]
> ...
> Call Trace:
> do_init_module+0x17c/0x570
> load_module+0xadee/0xd0b0
> __x64_sys_finit_module+0x16c/0x1a0
> do_syscall_64+0x34/0x50
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> The reason is that rodata.o generates a dummy function that lives in
> .rodata to validate that .rodata can't be executed; however, Clang 11
> adds KASAN globals support by generating module constructors to
> initialize globals redzones. When Clang 11 adds a module constructor to
> rodata.o, it is also added to .rodata: any attempt to call it on
> initialization results in the above error.
>
> Therefore, disable KASAN instrumentation for rodata.o.
>
> Signed-off-by: Marco Elver
> ---
> drivers/misc/lkdtm/Makefile | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile > index c70b3822013f..1c4c7aca0026 100644 > --- a/drivers/misc/lkdtm/Makefile > +++ b/drivers/misc/lkdtm/Makefile 
> @@ -11,6 +11,7 @@ lkdtm-$(CONFIG_LKDTM) += usercopy.o > lkdtm-$(CONFIG_LKDTM) += stackleak.o > lkdtm-$(CONFIG_LKDTM) += cfi.o > > +KASAN_SANITIZE_rodata.o := n > KASAN_SANITIZE_stackleak.o := n > KCOV_INSTRUMENT_rodata.o := n > > > base-commit: 2c85ebc57b3e1817b6ce1a6b703928e113a90442 > -- > 2.29.2.684.gfbc64c5ab5-goog >

Reviewed-by: Andrey Konovalov

Thanks for taking care of this!
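
Review bot: the added `KASAN_SANITIZE_rodata.o := n` line in drivers/misc/lkdtm/Makefile has no comment, so the reason for the exemption is recorded only in the commit message. A short comment above it, saying that rodata.o's function is deliberately placed in .rodata and that a compiler-generated KASAN module constructor landing there faults when the module is loaded, would keep a later cleanup from re-enabling instrumentation for this object. The neighbouring `KCOV_INSTRUMENT_rodata.o := n` line is likewise uncommented in the visible context; if it exists for a related reason, one comment could cover both lines.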