Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2046875pxb; Sat, 23 Jan 2021 15:02:16 -0800 (PST) X-Google-Smtp-Source: ABdhPJznVKdO23jsNnc3v0GejrVQavRY45XQynft2nr7V6x4dRdJrGy3IeC2eOFbi0gUlhZ4Vqho X-Received: by 2002:a17:906:f759:: with SMTP id jp25mr2092337ejb.207.1611442936186; Sat, 23 Jan 2021 15:02:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611442936; cv=none; d=google.com; s=arc-20160816; b=X862hLBdzj6s2DXhWxcuaCWNT4MCCoiefF9sitELcf/VyxjjdXGvxD3aILR11XEpp6 IURlhXgj8hY0tFH6mvdEuaDUTaYWx2lbrTwt05KuCjnwP/89geuHHon9dZXKi3XVIsS9 bZRGdPFlbMve81RNk2RsXK2UE8D7ArD9Rwc9mI5P/e9UsQ2EXOhAsZ2f/Vzzb7/CURSq wLDfYrAEa6f6RtIEIk7f0q9BPwERBf1SLwCs16tKCiez85ddUsvrgOSJV3GwGXW4cNVE rGWv19wQJSP9XCmwf2vgSMpjrH8AoQT67VYDm01m3ri/0PQqQGwzfgJuz0OkL72i9vPL 44zw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=XEmc28AGxg8G814HFx/ez3FIOIJ36RQOCl9rPqWgvnQ=; b=hnf+SzuC7RqWCA44u9qCGDMIsMS2npDkorFgyoy/lOj+c1bKwk1qntBFjypSWJj6qj +iLk/xrLvxdC+R9U5tyER8e21pndprHc9HyWDZ/OrOlMVL9wCYRxdd7s1RYMXHb5mciN FBr1YFCLGLRFS8erGqVl4635gY0oftWNceeJt6dP8PY0Yo0zx8sal+vY2BFUNKrlWRB2 jnoNYr3P3MHcpLExedHHEXAq0H0kMnMJ8ngiBG09Z9xe3AZFNITjFUV3Mm/GhWHge9Au ExThoUUdZuve72Y4sz37t579fDFgmj9GtGiR5zyA8O9OqIntwEZpsNLo38Ax5esh0q7a EnqQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="W4/1YIH5"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id pj26si4454471ejb.261.2021.01.23.15.01.52; Sat, 23 Jan 2021 15:02:16 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="W4/1YIH5"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726361AbhAWXAU (ORCPT + 99 others); Sat, 23 Jan 2021 18:00:20 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46988 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726348AbhAWXAO (ORCPT ); Sat, 23 Jan 2021 18:00:14 -0500 Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com [IPv6:2607:f8b0:4864:20::102a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C317CC0613D6 for ; Sat, 23 Jan 2021 14:59:33 -0800 (PST) Received: by mail-pj1-x102a.google.com with SMTP id jx18so655979pjb.5 for ; Sat, 23 Jan 2021 14:59:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=XEmc28AGxg8G814HFx/ez3FIOIJ36RQOCl9rPqWgvnQ=; b=W4/1YIH5h1nwo0TQjLRQxWuhCqmWOmBpjcEApaJH7uj/3OwkPDFgVJw1I/zlOUvcJb KcKdWIT31OiX5BRomKzZVwrc2DGvjqmTzir9gKKP2oF7qxSIHrkr1iFvz2oY4G9txrSU zXbJWwWqYLma08LREe/nEyFp4fyJ6dkHkrC3kMaKauWs1HMmCcHtFaO0jFqeP8zEzmcb TlVnqkGVN2NPe4cJnyNGr2KsuysC9cDsqqIytYasLLXXICc9ahrXy6EDNFBgF1W46LsF a+QLYR5GdTOkwyj3I7rj004Oxb45fjcFqgU0UH9hFti1oZ1PkYN4MFP55HLQlblxsMUL 3xKg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=XEmc28AGxg8G814HFx/ez3FIOIJ36RQOCl9rPqWgvnQ=; b=jxHcfyNBFp8QuldFP0dG/yIANhLuFuEasUyd/KcHDSm9iVkEcxpfxziDcDzlJaL9m+ /fH5bgSWld9qJuelfedKmjzKXoF2CcbAcyCKQsV4fYkXC3e/kwy1V6ZA6vZmWeotI3gT 5w01JPmDzoyF2KX0pboGgb5/Ai0NhWbQEvgRNTLiNeQ1zvzjyFC3vioyqWCP7IuJexud D3+XPdF54jxiEdJ9YjeFRGLqpSCJ2haxR7gcloRuTvWcEENTjfgFSItpIgPp7x1G99cW Sm0mgudwm0wNJ+bBCJdTleo6obxHplKqTHRGnUeOqPPW+H85v3y6G/FT1EQpDC2rGrmI PiDg== X-Gm-Message-State: AOAM530eIPcVi/psOFjo9B2i3S1VpsA7aLR7P+wplioS79c/TarVeO4S QVSViQYIv+D9Xff2sH2AoLuJhA== X-Received: by 2002:a17:90a:f998:: with SMTP id cq24mr13543739pjb.6.1611442772450; Sat, 23 Jan 2021 14:59:32 -0800 (PST) Received: from google.com ([2620:15c:2ce:0:a6ae:11ff:fe11:4abb]) by smtp.gmail.com with ESMTPSA id l14sm13144826pjy.15.2021.01.23.14.59.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 23 Jan 2021 14:59:31 -0800 (PST) Date: Sat, 23 Jan 2021 14:59:28 -0800 From: Fangrui Song To: Kristen Carlson Accardi Cc: Miroslav Benes , Josh Poimboeuf , Kees Cook , tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, arjan@linux.intel.com, x86@kernel.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, rick.p.edgecombe@intel.com, live-patching@vger.kernel.org, Hongjiu Lu , joe.lawrence@redhat.com Subject: Re: [PATCH v4 00/10] Function Granular KASLR Message-ID: <20210123225928.z5hkmaw6qjs2gu5g@google.com> References: <20200717170008.5949-1-kristen@linux.intel.com> <202007220738.72F26D2480@keescook> <20200722160730.cfhcj4eisglnzolr@treble> <202007221241.EBC2215A@keescook> <301c7fb7d22ad6ef97856b421873e32c2239d412.camel@linux.intel.com> <20200722213313.aetl3h5rkub6ktmw@treble> <46c49dec078cb8625a9c3a3cd1310a4de7ec760b.camel@linux.intel.com> <20200828192413.p6rctr42xtuh2c2e@treble> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <20200828192413.p6rctr42xtuh2c2e@treble> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2020-08-28, Josh Poimboeuf wrote: >On Fri, Aug 28, 2020 at 12:21:13PM +0200, Miroslav Benes wrote: >> > Hi there! I was trying to find a super easy way to address this, so I >> > thought the best thing would be if there were a compiler or linker >> > switch to just eliminate any duplicate symbols at compile time for >> > vmlinux. I filed this question on the binutils bugzilla looking to see >> > if there were existing flags that might do this, but H.J. Lu went ahead >> > and created a new one "-z unique", that seems to do what we would need >> > it to do. >> > >> > https://sourceware.org/bugzilla/show_bug.cgi?id=26391 >> > >> > When I use this option, it renames any duplicate symbols with an >> > extension - for example duplicatefunc.1 or duplicatefunc.2. You could >> > either match on the full unique name of the specific binary you are >> > trying to patch, or you match the base name and use the extension to >> > determine original position. Do you think this solution would work? >> >> Yes, I think so (thanks, Joe, for testing!). >> >> It looks cleaner to me than the options above, but it may just be a matter >> of taste. Anyway, I'd go with full name matching, because -z unique-symbol >> would allow us to remove sympos altogether, which is appealing. >> >> > If >> > so, I can modify livepatch to refuse to patch on duplicated symbols if >> > CONFIG_FG_KASLR and when this option is merged into the tool chain I >> > can add it to KBUILD_LDFLAGS when CONFIG_FG_KASLR and livepatching >> > should work in all cases. >> >> Ok. >> >> Josh, Petr, would this work for you too? > >Sounds good to me. Kristen, thanks for finding a solution! (I am not subscribed. I came here via https://sourceware.org/bugzilla/show_bug.cgi?id=26391 (ld -z unique-symbol)) > This works great after randomization because it always receives the > current address at runtime rather than relying on any kind of > buildtime address. The issue with with the live-patching code's > algorithm for resolving duplicate symbol names. If they request a > symbol by name from the kernel and there are 3 symbols with the same > name, they use the symbol's position in the built binary image to > select the correct symbol. If a.o, b.o and c.o define local symbol 'foo'. By position, do you mean that * the live-patching code uses something like (findall("foo")[0], findall("foo")[1], findall("foo")[2]) ? * shuffling a.o/b.o/c.o will make the returned triple different Local symbols are not required to be unique. Instead of patching the toolchain, have you thought about making the live-patching code smarter? (Depend on the duplicates, such a linker option can increase the link time/binary size considerably AND I don't know in what other cases such an option will be useful) For the following example, https://sourceware.org/bugzilla/show_bug.cgi?id=26822 # RUN: split-file %s %t # RUN: gcc -c %t/a.s -o %t/a.o # RUN: gcc -c %t/b.s -o %t/b.o # RUN: gcc -c %t/c.s -o %t/c.o # RUN: ld-new %t/a.o %t/b.o %t/c.o -z unique-symbol -o %t.exe #--- a.s a: a.1: a.2: nop #--- b.s a: nop #--- c.s a: nop readelf -Ws output: Symbol table '.symtab' contains 13 entries: Num: Value Size Type Bind Vis Ndx Name 0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND 1: 0000000000000000 0 FILE LOCAL DEFAULT ABS a.o 2: 0000000000401000 0 NOTYPE LOCAL DEFAULT 1 a 3: 0000000000401000 0 NOTYPE LOCAL DEFAULT 1 a.1 4: 0000000000401000 0 NOTYPE LOCAL DEFAULT 1 a.2 5: 0000000000000000 0 FILE LOCAL DEFAULT ABS b.o 6: 0000000000401001 0 NOTYPE LOCAL DEFAULT 1 a.1 7: 0000000000000000 0 FILE LOCAL DEFAULT ABS c.o 8: 0000000000401002 0 NOTYPE LOCAL DEFAULT 1 a.2 9: 0000000000000000 0 NOTYPE GLOBAL DEFAULT UND _start 10: 0000000000402000 0 NOTYPE GLOBAL DEFAULT 1 __bss_start 11: 0000000000402000 0 NOTYPE GLOBAL DEFAULT 1 _edata 12: 0000000000402000 0 NOTYPE GLOBAL DEFAULT 1 _end Note that you have STT_FILE SHN_ABS symbols. If the compiler does not produce them, they will be synthesized by GNU ld. https://sourceware.org/bugzilla/show_bug.cgi?id=26822 ld.bfd copies non-STT_SECTION local symbols from input object files. If an object file does not have STT_FILE symbols (no .file directive) but has non-STT_SECTION local symbols, ld.bfd synthesizes a STT_FILE symbol The filenames are usually base names, so "a.o" and "a.o" in two directories will be indistinguishable. The live-patching code can possibly work around this by not changing the relative order of the two "a.o".