From: Kees Cook <keescook@chromium.org>
To: Jiri Kosina <jkosina@suse.cz>
Cc: "H. Peter Anvin" <hpa@linux.intel.com>,
LKML <linux-kernel@vger.kernel.org>,
live-patching@vger.kernel.org, Linux-MM <linux-mm@kvack.org>,
"x86@kernel.org" <x86@kernel.org>
Subject: Re: [PATCH] x86, kaslr: propagate base load address calculation
Date: Tue, 10 Feb 2015 09:25:45 -0800 [thread overview]
Message-ID: <CAGXu5jJzs9Ve9so96f6n-=JxP+GR3xYFQYBtZ=mUm+Q7bMAgBw@mail.gmail.com> (raw)
In-Reply-To: <alpine.LNX.2.00.1502101411280.10719@pobox.suse.cz>
On Tue, Feb 10, 2015 at 5:17 AM, Jiri Kosina <jkosina@suse.cz> wrote:
> Commit e2b32e678 ("x86, kaslr: randomize module base load address") makes
> the base address for module to be unconditionally randomized in case when
> CONFIG_RANDOMIZE_BASE is defined and "nokaslr" option isn't present on the
> commandline.
>
> This is not consistent with how choose_kernel_location() decides whether
> it will randomize kernel load base.
>
> Namely, CONFIG_HIBERNATION disables kASLR (unless "kaslr" option is
> explicitly specified on kernel commandline), which makes the state space
> larger than what module loader is looking at. IOW CONFIG_HIBERNATION &&
> CONFIG_RANDOMIZE_BASE is a valid config option, kASLR wouldn't be applied
> by default in that case, but module loader is not aware of that.
>
> Instead of fixing the logic in module.c, this patch takes more generic
> aproach, and exposes __KERNEL_OFFSET macro, which calculates the real
> offset that has been established by choose_kernel_location() during boot.
> This can be used later by other kernel code as well (such as, but not
> limited to, live patching).
>
> OOPS offset dumper and module loader are converted to that they make use
> of this macro as well.
>
> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Ah, yes! This is a good clean up. Thanks! I do see, however, one
corner case remaining: kASLR randomized to 0 offset. This will force
module ASLR off, which I think is a mistake. Perhaps we need to export
the kaslr state as a separate item to be checked directly, instead of
using __KERNEL_OFFSET?
-Kees
> ---
> arch/x86/include/asm/page_types.h | 4 ++++
> arch/x86/kernel/module.c | 10 +---------
> arch/x86/kernel/setup.c | 4 ++--
> 3 files changed, 7 insertions(+), 11 deletions(-)
>
> diff --git a/arch/x86/include/asm/page_types.h b/arch/x86/include/asm/page_types.h
> index f97fbe3..7f18eaf 100644
> --- a/arch/x86/include/asm/page_types.h
> +++ b/arch/x86/include/asm/page_types.h
> @@ -46,6 +46,10 @@
>
> #ifndef __ASSEMBLY__
>
> +/* Return kASLR relocation offset */
> +extern char _text[];
> +#define __KERNEL_OFFSET ((unsigned long)&_text - __START_KERNEL)
> +
> extern int devmem_is_allowed(unsigned long pagenr);
>
> extern unsigned long max_low_pfn_mapped;
> diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c
> index e69f988..d236bd2 100644
> --- a/arch/x86/kernel/module.c
> +++ b/arch/x86/kernel/module.c
> @@ -46,21 +46,13 @@ do { \
>
> #ifdef CONFIG_RANDOMIZE_BASE
> static unsigned long module_load_offset;
> -static int randomize_modules = 1;
>
> /* Mutex protects the module_load_offset. */
> static DEFINE_MUTEX(module_kaslr_mutex);
>
> -static int __init parse_nokaslr(char *p)
> -{
> - randomize_modules = 0;
> - return 0;
> -}
> -early_param("nokaslr", parse_nokaslr);
> -
> static unsigned long int get_module_load_offset(void)
> {
> - if (randomize_modules) {
> + if (__KERNEL_OFFSET) {
> mutex_lock(&module_kaslr_mutex);
> /*
> * Calculate the module_load_offset the first time this
> diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
> index c4648ada..08124a1 100644
> --- a/arch/x86/kernel/setup.c
> +++ b/arch/x86/kernel/setup.c
> @@ -833,8 +833,8 @@ dump_kernel_offset(struct notifier_block *self, unsigned long v, void *p)
> {
> pr_emerg("Kernel Offset: 0x%lx from 0x%lx "
> "(relocation range: 0x%lx-0x%lx)\n",
> - (unsigned long)&_text - __START_KERNEL, __START_KERNEL,
> - __START_KERNEL_map, MODULES_VADDR-1);
> + __KERNEL_OFFSET, __START_KERNEL, __START_KERNEL_map,
> + MODULES_VADDR-1);
>
> return 0;
> }
>
> --
> Jiri Kosina
> SUSE Labs
--
Kees Cook
Chrome OS Security
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Jiri Kosina <jkosina@suse.cz>
Cc: "H. Peter Anvin" <hpa@linux.intel.com>,
LKML <linux-kernel@vger.kernel.org>,
live-patching@vger.kernel.org, Linux-MM <linux-mm@kvack.org>,
"x86@kernel.org" <x86@kernel.org>
Subject: Re: [PATCH] x86, kaslr: propagate base load address calculation
Date: Tue, 10 Feb 2015 09:25:45 -0800 [thread overview]
Message-ID: <CAGXu5jJzs9Ve9so96f6n-=JxP+GR3xYFQYBtZ=mUm+Q7bMAgBw@mail.gmail.com> (raw)
In-Reply-To: <alpine.LNX.2.00.1502101411280.10719@pobox.suse.cz>
On Tue, Feb 10, 2015 at 5:17 AM, Jiri Kosina <jkosina@suse.cz> wrote:
> Commit e2b32e678 ("x86, kaslr: randomize module base load address") makes
> the base address for module to be unconditionally randomized in case when
> CONFIG_RANDOMIZE_BASE is defined and "nokaslr" option isn't present on the
> commandline.
>
> This is not consistent with how choose_kernel_location() decides whether
> it will randomize kernel load base.
>
> Namely, CONFIG_HIBERNATION disables kASLR (unless "kaslr" option is
> explicitly specified on kernel commandline), which makes the state space
> larger than what module loader is looking at. IOW CONFIG_HIBERNATION &&
> CONFIG_RANDOMIZE_BASE is a valid config option, kASLR wouldn't be applied
> by default in that case, but module loader is not aware of that.
>
> Instead of fixing the logic in module.c, this patch takes more generic
> aproach, and exposes __KERNEL_OFFSET macro, which calculates the real
> offset that has been established by choose_kernel_location() during boot.
> This can be used later by other kernel code as well (such as, but not
> limited to, live patching).
>
> OOPS offset dumper and module loader are converted to that they make use
> of this macro as well.
>
> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Ah, yes! This is a good clean up. Thanks! I do see, however, one
corner case remaining: kASLR randomized to 0 offset. This will force
module ASLR off, which I think is a mistake. Perhaps we need to export
the kaslr state as a separate item to be checked directly, instead of
using __KERNEL_OFFSET?
-Kees
> ---
> arch/x86/include/asm/page_types.h | 4 ++++
> arch/x86/kernel/module.c | 10 +---------
> arch/x86/kernel/setup.c | 4 ++--
> 3 files changed, 7 insertions(+), 11 deletions(-)
>
> diff --git a/arch/x86/include/asm/page_types.h b/arch/x86/include/asm/page_types.h
> index f97fbe3..7f18eaf 100644
> --- a/arch/x86/include/asm/page_types.h
> +++ b/arch/x86/include/asm/page_types.h
> @@ -46,6 +46,10 @@
>
> #ifndef __ASSEMBLY__
>
> +/* Return kASLR relocation offset */
> +extern char _text[];
> +#define __KERNEL_OFFSET ((unsigned long)&_text - __START_KERNEL)
> +
> extern int devmem_is_allowed(unsigned long pagenr);
>
> extern unsigned long max_low_pfn_mapped;
> diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c
> index e69f988..d236bd2 100644
> --- a/arch/x86/kernel/module.c
> +++ b/arch/x86/kernel/module.c
> @@ -46,21 +46,13 @@ do { \
>
> #ifdef CONFIG_RANDOMIZE_BASE
> static unsigned long module_load_offset;
> -static int randomize_modules = 1;
>
> /* Mutex protects the module_load_offset. */
> static DEFINE_MUTEX(module_kaslr_mutex);
>
> -static int __init parse_nokaslr(char *p)
> -{
> - randomize_modules = 0;
> - return 0;
> -}
> -early_param("nokaslr", parse_nokaslr);
> -
> static unsigned long int get_module_load_offset(void)
> {
> - if (randomize_modules) {
> + if (__KERNEL_OFFSET) {
> mutex_lock(&module_kaslr_mutex);
> /*
> * Calculate the module_load_offset the first time this
> diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
> index c4648ada..08124a1 100644
> --- a/arch/x86/kernel/setup.c
> +++ b/arch/x86/kernel/setup.c
> @@ -833,8 +833,8 @@ dump_kernel_offset(struct notifier_block *self, unsigned long v, void *p)
> {
> pr_emerg("Kernel Offset: 0x%lx from 0x%lx "
> "(relocation range: 0x%lx-0x%lx)\n",
> - (unsigned long)&_text - __START_KERNEL, __START_KERNEL,
> - __START_KERNEL_map, MODULES_VADDR-1);
> + __KERNEL_OFFSET, __START_KERNEL, __START_KERNEL_map,
> + MODULES_VADDR-1);
>
> return 0;
> }
>
> --
> Jiri Kosina
> SUSE Labs
--
Kees Cook
Chrome OS Security
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2015-02-10 17:25 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-10 13:17 [PATCH] x86, kaslr: propagate base load address calculation Jiri Kosina
2015-02-10 13:17 ` Jiri Kosina
2015-02-10 17:25 ` Kees Cook [this message]
2015-02-10 17:25 ` Kees Cook
2015-02-10 23:07 ` Jiri Kosina
2015-02-10 23:07 ` Jiri Kosina
2015-02-10 23:13 ` Jiri Kosina
2015-02-10 23:13 ` Jiri Kosina
2015-02-13 15:04 ` [PATCH v2] " Jiri Kosina
2015-02-13 15:04 ` Jiri Kosina
2015-02-13 17:49 ` Kees Cook
2015-02-13 17:49 ` Kees Cook
2015-02-13 22:20 ` Jiri Kosina
2015-02-13 22:20 ` Jiri Kosina
2015-02-13 23:25 ` Kees Cook
2015-02-13 23:25 ` Kees Cook
2015-02-16 11:55 ` Borislav Petkov
2015-02-16 11:55 ` Borislav Petkov
2015-02-16 19:27 ` Kees Cook
2015-02-16 19:27 ` Kees Cook
2015-02-16 19:42 ` Borislav Petkov
2015-02-16 19:42 ` Borislav Petkov
2015-02-17 10:44 ` Borislav Petkov
2015-02-17 10:44 ` Borislav Petkov
2015-02-17 12:21 ` Jiri Kosina
2015-02-17 12:21 ` Jiri Kosina
2015-02-17 12:39 ` Borislav Petkov
2015-02-17 12:39 ` Borislav Petkov
2015-02-17 16:45 ` Kees Cook
2015-02-17 16:45 ` Kees Cook
2015-02-17 22:31 ` Borislav Petkov
2015-02-17 22:31 ` Borislav Petkov
2015-02-18 3:33 ` Kees Cook
2015-02-18 3:33 ` Kees Cook
2015-02-18 8:32 ` Borislav Petkov
2015-02-18 8:32 ` Borislav Petkov
2015-02-18 10:46 ` Jiri Kosina
2015-02-18 10:46 ` Jiri Kosina
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGXu5jJzs9Ve9so96f6n-=JxP+GR3xYFQYBtZ=mUm+Q7bMAgBw@mail.gmail.com' \
--to=keescook@chromium.org \
--cc=hpa@linux.intel.com \
--cc=jkosina@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=live-patching@vger.kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.