Message-ID: <0443c7c2-1c3f-4cf8-940d-88306956832a@suse.com>
Date: Tue, 27 Feb 2024 17:13:35 +0100
Subject: Re: [PATCH] x86, relocs: Ignore relocations in .notes section
From: Jürgen Groß
To: Kees Cook, Borislav Petkov
Cc: Guixiong Wei, Thomas Gleixner, Ingo Molnar, Dave Hansen, x86@kernel.org, "H. Peter Anvin", "Peter Zijlstra (Intel)", Greg Kroah-Hartman, Tony Luck, Kristen Carlson Accardi, Boris Ostrovsky, Stefano Stabellini, Oleksandr Tyshchenko, Guixiong Wei, Jann Horn, Andrew Morton, Alexey Dobriyan, Chris Wright, Jeremy Fitzhardinge, Roland McGrath, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
References: <20240222171840.work.027-kees@kernel.org>
In-Reply-To: <20240222171840.work.027-kees@kernel.org>

On 22.02.24 18:18, Kees Cook wrote:
> When building with CONFIG_XEN_PV=y, .text symbols are emitted into the
> .notes section so that Xen can find the "startup_xen" entry point. This
> information is used prior to booting the kernel, so relocations are not
> useful. In fact, performing relocations against the .notes section means
> that the KASLR base is exposed since /sys/kernel/notes is world-readable.
>
> To avoid leaking the KASLR base without breaking unprivileged tools that
> are expecting to read /sys/kernel/notes, skip performing relocations in
> the .notes section. The values readable in .notes are then identical to
> those found in System.map.
> > Reported-by: Guixiong Wei > Closes: https://lore.kernel.org/all/20240218073501.54555-1-guixiongwei@gmail.com/ > Fixes: 5ead97c84fa7 ("xen: Core Xen implementation") > Fixes: da1a679cde9b ("Add /sys/kernel/notes") > Signed-off-by: Kees Cook > --- > Cc: Borislav Petkov > Cc: Thomas Gleixner > Cc: Ingo Molnar > Cc: Dave Hansen > Cc: x86@kernel.org > Cc: "H. Peter Anvin" > Cc: "Peter Zijlstra (Intel)" > Cc: Greg Kroah-Hartman > Cc: Tony Luck > Cc: Kristen Carlson Accardi > Cc: "Jürgen Groß" > Cc: Boris Ostrovsky > Cc: Stefano Stabellini > Cc: Oleksandr Tyshchenko > Cc: Guixiong Wei > Cc: Jann Horn > --- > arch/x86/tools/relocs.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c > index a3bae2b24626..0811fff23b9c 100644 > --- a/arch/x86/tools/relocs.c > +++ b/arch/x86/tools/relocs.c > @@ -733,6 +733,16 @@ static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel, > if (sec->shdr.sh_type != SHT_REL_TYPE) { > continue; > } > + > + /* > + * Do not perform relocations in .notes section; any > + * values there are meant for pre-boot consumption (e.g. > + * startup_xen). > + */ > + if (strcmp(sec_name(sec->shdr.sh_info), ".notes") == 0) { Instead of a strcmp(), wouldnt't ... > + continue; > + } > + > sec_symtab = sec->link; > sec_applies = &secs[sec->shdr.sh_info]; > if (!(sec_applies->shdr.sh_flags & SHF_ALLOC)) { .. a test of "sec_applies->shdr.sh_type == SHT_NOTE" work as well? In the end I'm fine with both variants, so: Reviewed-by: Juergen Gross Juergen
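Review bot: the name-based check `strcmp(sec_name(sec->shdr.sh_info), ".notes") == 0` is inserted before `sec_applies = &secs[sec->shdr.sh_info];` is assigned, so the `sec_applies->shdr.sh_type == SHT_NOTE` alternative raised in the reply would have to either index `secs[sec->shdr.sh_info].shdr.sh_type` directly at that point or move below the `sec_applies` assignment; a type test would also cover any other SHT_NOTE section the linker script emits, whereas the name test only matches the section literally called `.notes`. Whichever form is kept, the block comment should state the security reason for skipping as well as the pre-boot-consumption one: the note values must stay at their link-time (System.map) values so that the world-readable /sys/kernel/notes no longer reveals the KASLR base, which is the bug the commit message describes.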
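As an added illustration of the leak the commit message describes (not code from the patch or the kernel tree), the following parses the ELF note records that make up /sys/kernel/notes and reports whether the Xen entry note still carries a relocated address or the link-time value found in System.map; the note name "Xen" and the XEN_ELFNOTE_ENTRY type value 1 are assumed from Xen's public elfnote.h, and all sample bytes and the System.map line are constructed.

```python
import struct

# Note name and XEN_ELFNOTE_ENTRY type value (1) as assumed here from Xen's
# public elfnote.h; the page itself only names the "startup_xen" symbol.
XEN_NOTE_NAME = "Xen"
XEN_ELFNOTE_ENTRY = 1

def align4(n):
    return (n + 3) & ~3

def build_note(name, ntype, desc):
    """Encode one ELF note record: namesz, descsz, type, padded name, padded desc."""
    name_b = name.encode() + b"\0"
    rec = struct.pack("<III", len(name_b), len(desc), ntype)
    rec += name_b + b"\0" * (align4(len(name_b)) - len(name_b))
    return rec + desc + b"\0" * (align4(len(desc)) - len(desc))

def parse_notes(blob):
    """Decode the concatenated note records, the layout of /sys/kernel/notes."""
    notes, off = [], 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        off += 12
        name = blob[off:off + namesz].rstrip(b"\0").decode()
        off += align4(namesz)
        notes.append((name, ntype, blob[off:off + descsz]))
        off += align4(descsz)
    return notes

def startup_xen_from_map(system_map):
    """Link-time address of startup_xen taken from System.map text."""
    for line in system_map.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == "startup_xen":
            return int(parts[0], 16)
    return None

def notes_relocated(blob, system_map):
    """True when the Xen entry note carries a runtime (KASLR-shifted) address
    instead of the link-time one, i.e. the leak the patch closes is present."""
    link_addr = startup_xen_from_map(system_map)
    for name, ntype, desc in parse_notes(blob):
        if name == XEN_NOTE_NAME and ntype == XEN_ELFNOTE_ENTRY and len(desc) == 8:
            return struct.unpack("<Q", desc)[0] != link_addr
    return False

# Constructed sample data: one System.map line, a GNU build-id note, and the
# Xen entry note once unrelocated (fixed kernel) and once shifted by a slide.
SYSTEM_MAP = "ffffffff81000000 T startup_xen\n"
LINK_ADDR = 0xffffffff81000000
BUILD_ID = build_note("GNU", 3, bytes(range(20)))   # NT_GNU_BUILD_ID, constructed id
FIXED_NOTES = BUILD_ID + build_note(XEN_NOTE_NAME, XEN_ELFNOTE_ENTRY, struct.pack("<Q", LINK_ADDR))
LEAKY_NOTES = BUILD_ID + build_note(XEN_NOTE_NAME, XEN_ELFNOTE_ENTRY, struct.pack("<Q", LINK_ADDR + 0x1e000000))
```

On a real system the blob would be the contents of /sys/kernel/notes and the map the matching System.map; a True result means the notes still expose a relocated value.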