From: Kristen Carlson Accardi <kristen@linux.intel.com>
To: keescook@chromium.org, tglx@linutronix.de, mingo@redhat.com,
bp@alien8.de
Cc: arjan@linux.intel.com, x86@kernel.org,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com, rick.p.edgecombe@intel.com,
Kristen Carlson Accardi <kristen@linux.intel.com>,
Tony Luck <tony.luck@intel.com>
Subject: [PATCH v5 08/10] kallsyms: Hide layout
Date: Wed, 23 Sep 2020 10:39:02 -0700 [thread overview]
Message-ID: <20200923173905.11219-9-kristen@linux.intel.com> (raw)
In-Reply-To: <20200923173905.11219-1-kristen@linux.intel.com>
This patch makes /proc/kallsyms display in a random order, rather
than sorted by address in order to hide the newly randomized address
layout.
Signed-off-by: Kristen Carlson Accardi <kristen@linux.intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Tested-by: Tony Luck <tony.luck@intel.com>
---
kernel/kallsyms.c | 163 +++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 162 insertions(+), 1 deletion(-)
diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index 4fb15fa96734..6047771ad408 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -448,6 +448,12 @@ struct kallsym_iter {
int show_value;
};
+struct kallsyms_shuffled_iter {
+ struct kallsym_iter iter;
+ loff_t total_syms;
+ loff_t shuffled_index[];
+};
+
int __weak arch_get_kallsym(unsigned int symnum, unsigned long *value,
char *type, char *name)
{
@@ -695,7 +701,7 @@ bool kallsyms_show_value(const struct cred *cred)
}
}
-static int kallsyms_open(struct inode *inode, struct file *file)
+static int __kallsyms_open(struct inode *inode, struct file *file)
{
/*
* We keep iterator in m->private, since normal case is to
@@ -716,6 +722,161 @@ static int kallsyms_open(struct inode *inode, struct file *file)
return 0;
}
+/*
+ * When function granular kaslr is enabled, we need to print out the symbols
+ * at random so we don't reveal the new layout.
+ */
+#if defined(CONFIG_FG_KASLR)
+static int update_random_pos(struct kallsyms_shuffled_iter *s_iter,
+ loff_t pos, loff_t *new_pos)
+{
+ loff_t new;
+
+ if (pos >= s_iter->total_syms)
+ return 0;
+
+ new = s_iter->shuffled_index[pos];
+
+ /*
+ * normally this would be done as part of update_iter, however,
+ * we want to avoid triggering this in the event that new is
+ * zero since we don't want to blow away our pos end indicators.
+ */
+ if (new == 0) {
+ s_iter->iter.name[0] = '\0';
+ s_iter->iter.nameoff = get_symbol_offset(new);
+ s_iter->iter.pos = new;
+ }
+
+ *new_pos = new;
+ return 1;
+}
+
+static void *shuffled_start(struct seq_file *m, loff_t *pos)
+{
+ struct kallsyms_shuffled_iter *s_iter = m->private;
+ loff_t new_pos;
+
+ if (!update_random_pos(s_iter, *pos, &new_pos))
+ return NULL;
+
+ return s_start(m, &new_pos);
+}
+
+static void *shuffled_next(struct seq_file *m, void *p, loff_t *pos)
+{
+ struct kallsyms_shuffled_iter *s_iter = m->private;
+ loff_t new_pos;
+
+ (*pos)++;
+
+ if (!update_random_pos(s_iter, *pos, &new_pos))
+ return NULL;
+
+ if (!update_iter(m->private, new_pos))
+ return NULL;
+
+ return p;
+}
+
+/*
+ * shuffle_index_list()
+ * Use a Fisher Yates algorithm to shuffle a list of text sections.
+ */
+static void shuffle_index_list(loff_t *indexes, loff_t size)
+{
+ int i;
+ unsigned int j;
+ loff_t temp;
+
+ for (i = size - 1; i > 0; i--) {
+ /* pick a random index from 0 to i */
+ get_random_bytes(&j, sizeof(j));
+ j = j % (i + 1);
+
+ temp = indexes[i];
+ indexes[i] = indexes[j];
+ indexes[j] = temp;
+ }
+}
+
+static const struct seq_operations kallsyms_shuffled_op = {
+ .start = shuffled_start,
+ .next = shuffled_next,
+ .stop = s_stop,
+ .show = s_show
+};
+
+static int kallsyms_random_open(struct inode *inode, struct file *file)
+{
+ loff_t pos;
+ struct kallsyms_shuffled_iter *shuffled_iter;
+ struct kallsym_iter iter;
+ bool show_value;
+
+ /*
+ * If privileged, go ahead and use the normal algorithm for
+ * displaying symbols
+ */
+ show_value = kallsyms_show_value(file->f_cred);
+ if (show_value)
+ return __kallsyms_open(inode, file);
+
+ /*
+ * we need to figure out how many extra symbols there are
+ * to print out past kallsyms_num_syms
+ */
+ pos = kallsyms_num_syms;
+ reset_iter(&iter, 0);
+ do {
+ if (!update_iter(&iter, pos))
+ break;
+ pos++;
+ } while (1);
+
+ /*
+ * add storage space for an array of loff_t equal to the size
+ * of the total number of symbols we need to print
+ */
+ shuffled_iter = __seq_open_private(file, &kallsyms_shuffled_op,
+ sizeof(*shuffled_iter) +
+ (sizeof(pos) * pos));
+ if (!shuffled_iter)
+ return -ENOMEM;
+
+ reset_iter(&shuffled_iter->iter, 0);
+ shuffled_iter->iter.show_value = show_value;
+ shuffled_iter->total_syms = pos;
+
+ /*
+ * the existing update_iter algorithm requires that we
+ * are either moving along increasing pos sequentially,
+ * or that these values are correct. Since these values
+ * were discovered above, initialize our new iter so we
+ * can use update_iter non-sequentially.
+ */
+ shuffled_iter->iter.pos_arch_end = iter.pos_arch_end;
+ shuffled_iter->iter.pos_mod_end = iter.pos_mod_end;
+ shuffled_iter->iter.pos_ftrace_mod_end = iter.pos_ftrace_mod_end;
+
+ /*
+ * initialize the array with all possible pos values, then
+ * shuffle the array so that the values will display in a random
+ * order.
+ */
+ for (pos = 0; pos < shuffled_iter->total_syms; pos++)
+ shuffled_iter->shuffled_index[pos] = pos;
+
+ shuffle_index_list(shuffled_iter->shuffled_index, shuffled_iter->total_syms);
+
+ return 0;
+}
+
+#define kallsyms_open kallsyms_random_open
+#else
+#define kallsyms_open __kallsyms_open
+#endif /* CONFIG_FG_KASLR */
+
#ifdef CONFIG_KGDB_KDB
const char *kdb_walk_kallsyms(loff_t *pos)
{
--
2.20.1
next prev parent reply other threads:[~2020-09-23 17:41 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-23 17:38 [PATCH v5 00/10] Function Granular KASLR Kristen Carlson Accardi
2020-09-23 17:38 ` [PATCH v5 01/10] x86: tools/relocs: Support >64K section headers Kristen Carlson Accardi
2020-09-23 17:38 ` [PATCH v5 02/10] x86/boot: Allow a "silent" kaslr random byte fetch Kristen Carlson Accardi
2020-09-23 17:38 ` [PATCH v5 03/10] x86: Makefile: Add build and config option for CONFIG_FG_KASLR Kristen Carlson Accardi
2020-09-23 17:38 ` [PATCH v5 04/10] x86: Make sure _etext includes function sections Kristen Carlson Accardi
2020-09-23 17:38 ` [PATCH v5 05/10] x86/tools: Add relative relocs for randomized functions Kristen Carlson Accardi
2020-09-23 17:39 ` [PATCH v5 06/10] x86/boot/compressed: Avoid duplicate malloc() implementations Kristen Carlson Accardi
2020-09-23 17:39 ` [PATCH v5 07/10] x86: Add support for function granular KASLR Kristen Carlson Accardi
2020-09-23 17:39 ` Kristen Carlson Accardi [this message]
2020-09-23 17:39 ` [PATCH v5 09/10] module: Reorder functions Kristen Carlson Accardi
2020-09-23 17:39 ` [PATCH v5 10/10] livepatch: only match unique symbols when using fgkaslr Kristen Carlson Accardi
2020-09-24 13:06 ` Miroslav Benes
2020-09-24 13:06 ` Miroslav Benes
2020-09-25 13:06 ` [PATCH v5 00/10] Function Granular KASLR Miroslav Benes
2020-09-25 13:06 ` Miroslav Benes
2020-09-28 17:31 ` Kristen Carlson Accardi
2020-09-28 17:31 ` Kristen Carlson Accardi
2020-09-29 18:58 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200923173905.11219-9-kristen@linux.intel.com \
--to=kristen@linux.intel.com \
--cc=arjan@linux.intel.com \
--cc=bp@alien8.de \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=rick.p.edgecombe@intel.com \
--cc=tglx@linutronix.de \
--cc=tony.luck@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.