[RFC PATCH] lkdtm: Replace lkdtm_rodata_do_nothing() by do_nothing()

[RFC PATCH] lkdtm: Replace lkdtm_rodata_do_nothing() by do_nothing()

[Christophe Leroy]

All EXEC tests are based on running a copy of do_nothing()
except lkdtm_EXEC_RODATA which uses a different function
called lkdtm_rodata_do_nothing().

On architectures using function descriptors, EXEC tests are
performed using execute_location() which is a function
that most of the time copies do_nothing() at the tested
location then duplicates do_nothing() function descriptor
and updates it with the address of the copy of do_nothing().

But for EXEC_RODATA test, execute_location() uses
lkdtm_rodata_do_nothing() which is already in rodata section
at build time instead of using a copy of do_nothing(). However
it still uses the function descriptor of do_nothing(). There
is a risk that running lkdtm_rodata_do_nothing() with the
function descriptor of do_thing() is wrong.

To remove the above risk, change the approach and do the same
as for other EXEC tests: use a copy of do_nothing(). The copy
cannot be done during the test because RODATA area is write
protected. Do the copy during init, before RODATA becomes
write protected.

Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
---
This applies on top of series v3 "Fix LKDTM for PPC64/IA64/PARISC"

 drivers/misc/lkdtm/Makefile | 11 -----------
 drivers/misc/lkdtm/lkdtm.h  |  3 ---
 drivers/misc/lkdtm/perms.c  |  9 +++++++--
 drivers/misc/lkdtm/rodata.c | 11 -----------
 4 files changed, 7 insertions(+), 27 deletions(-)
 delete mode 100644 drivers/misc/lkdtm/rodata.c

diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
index e2984ce51fe4..3d45a2b3007d 100644
--- a/drivers/misc/lkdtm/Makefile
+++ b/drivers/misc/lkdtm/Makefile
@@ -6,21 +6,10 @@ lkdtm-$(CONFIG_LKDTM)		+= bugs.o
 lkdtm-$(CONFIG_LKDTM)		+= heap.o
 lkdtm-$(CONFIG_LKDTM)		+= perms.o
 lkdtm-$(CONFIG_LKDTM)		+= refcount.o
-lkdtm-$(CONFIG_LKDTM)		+= rodata_objcopy.o
 lkdtm-$(CONFIG_LKDTM)		+= usercopy.o
 lkdtm-$(CONFIG_LKDTM)		+= stackleak.o
 lkdtm-$(CONFIG_LKDTM)		+= cfi.o
 lkdtm-$(CONFIG_LKDTM)		+= fortify.o
 lkdtm-$(CONFIG_PPC_BOOK3S_64)	+= powerpc.o
 
-KASAN_SANITIZE_rodata.o		:= n
 KASAN_SANITIZE_stackleak.o	:= n
-KCOV_INSTRUMENT_rodata.o	:= n
-CFLAGS_REMOVE_rodata.o		+= $(CC_FLAGS_LTO)
-
-OBJCOPYFLAGS :=
-OBJCOPYFLAGS_rodata_objcopy.o	:= \
-			--rename-section .noinstr.text=.rodata,alloc,readonly,load,contents
-targets += rodata.o rodata_objcopy.o
-$(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
-	$(call if_changed,objcopy)
diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
index 188bd0fd6575..905555d4c2cf 100644
--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@@ -137,9 +137,6 @@ void lkdtm_REFCOUNT_SUB_AND_TEST_SATURATED(void);
 void lkdtm_REFCOUNT_TIMING(void);
 void lkdtm_ATOMIC_TIMING(void);
 
-/* rodata.c */
-void lkdtm_rodata_do_nothing(void);
-
 /* usercopy.c */
 void __init lkdtm_usercopy_init(void);
 void __exit lkdtm_usercopy_exit(void);
diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
index 2c6aba3ff32b..9b951ca48363 100644
--- a/drivers/misc/lkdtm/perms.c
+++ b/drivers/misc/lkdtm/perms.c
@@ -27,6 +27,7 @@ static const unsigned long rodata = 0xAA55AA55;
 
 /* This is marked __ro_after_init, so it should ultimately be .rodata. */
 static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
+static u8 rodata_area[EXEC_SIZE] __ro_after_init;
 
 /*
  * This just returns to the caller. It is designed to be copied into
@@ -193,8 +194,7 @@ void lkdtm_EXEC_VMALLOC(void)
 
 void lkdtm_EXEC_RODATA(void)
 {
-	execute_location(dereference_function_descriptor(lkdtm_rodata_do_nothing),
-			 CODE_AS_IS);
+	execute_location(rodata_area, CODE_AS_IS);
 }
 
 void lkdtm_EXEC_USERSPACE(void)
@@ -269,4 +269,9 @@ void __init lkdtm_perms_init(void)
 {
 	/* Make sure we can write to __ro_after_init values during __init */
 	ro_after_init |= 0xAA;
+
+	memcpy(rodata_area, dereference_function_descriptor(do_nothing),
+	       EXEC_SIZE);
+	flush_icache_range((unsigned long)rodata_area,
+			   (unsigned long)rodata_area + EXEC_SIZE);
 }
diff --git a/drivers/misc/lkdtm/rodata.c b/drivers/misc/lkdtm/rodata.c
deleted file mode 100644
index baacb876d1d9..000000000000
--- a/drivers/misc/lkdtm/rodata.c
+++ /dev/null
@@ -1,11 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * This includes functions that are meant to live entirely in .rodata
- * (via objcopy tricks), to validate the non-executability of .rodata.
- */
-#include "lkdtm.h"
-
-void noinstr lkdtm_rodata_do_nothing(void)
-{
-	/* Does nothing. We just want an architecture agnostic "return". */
-}
-- 
2.31.1

[RFC PATCH] lkdtm: Replace lkdtm_rodata_do_nothing() by do_nothing()

[Christophe Leroy]

All EXEC tests are based on running a copy of do_nothing()
except lkdtm_EXEC_RODATA which uses a different function
called lkdtm_rodata_do_nothing().

On architectures using function descriptors, EXEC tests are
performed using execute_location() which is a function
that most of the time copies do_nothing() at the tested
location then duplicates do_nothing() function descriptor
and updates it with the address of the copy of do_nothing().

But for EXEC_RODATA test, execute_location() uses
lkdtm_rodata_do_nothing() which is already in rodata section
at build time instead of using a copy of do_nothing(). However
it still uses the function descriptor of do_nothing(). There
is a risk that running lkdtm_rodata_do_nothing() with the
function descriptor of do_thing() is wrong.

To remove the above risk, change the approach and do the same
as for other EXEC tests: use a copy of do_nothing(). The copy
cannot be done during the test because RODATA area is write
protected. Do the copy during init, before RODATA becomes
write protected.

Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
---
This applies on top of series v3 "Fix LKDTM for PPC64/IA64/PARISC"

 drivers/misc/lkdtm/Makefile | 11 -----------
 drivers/misc/lkdtm/lkdtm.h  |  3 ---
 drivers/misc/lkdtm/perms.c  |  9 +++++++--
 drivers/misc/lkdtm/rodata.c | 11 -----------
 4 files changed, 7 insertions(+), 27 deletions(-)
 delete mode 100644 drivers/misc/lkdtm/rodata.c

diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
index e2984ce51fe4..3d45a2b3007d 100644
--- a/drivers/misc/lkdtm/Makefile
+++ b/drivers/misc/lkdtm/Makefile
@@ -6,21 +6,10 @@ lkdtm-$(CONFIG_LKDTM)		+= bugs.o
 lkdtm-$(CONFIG_LKDTM)		+= heap.o
 lkdtm-$(CONFIG_LKDTM)		+= perms.o
 lkdtm-$(CONFIG_LKDTM)		+= refcount.o
-lkdtm-$(CONFIG_LKDTM)		+= rodata_objcopy.o
 lkdtm-$(CONFIG_LKDTM)		+= usercopy.o
 lkdtm-$(CONFIG_LKDTM)		+= stackleak.o
 lkdtm-$(CONFIG_LKDTM)		+= cfi.o
 lkdtm-$(CONFIG_LKDTM)		+= fortify.o
 lkdtm-$(CONFIG_PPC_BOOK3S_64)	+= powerpc.o
 
-KASAN_SANITIZE_rodata.o		:= n
 KASAN_SANITIZE_stackleak.o	:= n
-KCOV_INSTRUMENT_rodata.o	:= n
-CFLAGS_REMOVE_rodata.o		+= $(CC_FLAGS_LTO)
-
-OBJCOPYFLAGS :=
-OBJCOPYFLAGS_rodata_objcopy.o	:= \
-			--rename-section .noinstr.text=.rodata,alloc,readonly,load,contents
-targets += rodata.o rodata_objcopy.o
-$(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
-	$(call if_changed,objcopy)
diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
index 188bd0fd6575..905555d4c2cf 100644
--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@@ -137,9 +137,6 @@ void lkdtm_REFCOUNT_SUB_AND_TEST_SATURATED(void);
 void lkdtm_REFCOUNT_TIMING(void);
 void lkdtm_ATOMIC_TIMING(void);
 
-/* rodata.c */
-void lkdtm_rodata_do_nothing(void);
-
 /* usercopy.c */
 void __init lkdtm_usercopy_init(void);
 void __exit lkdtm_usercopy_exit(void);
diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
index 2c6aba3ff32b..9b951ca48363 100644
--- a/drivers/misc/lkdtm/perms.c
+++ b/drivers/misc/lkdtm/perms.c
@@ -27,6 +27,7 @@ static const unsigned long rodata = 0xAA55AA55;
 
 /* This is marked __ro_after_init, so it should ultimately be .rodata. */
 static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
+static u8 rodata_area[EXEC_SIZE] __ro_after_init;
 
 /*
  * This just returns to the caller. It is designed to be copied into
@@ -193,8 +194,7 @@ void lkdtm_EXEC_VMALLOC(void)
 
 void lkdtm_EXEC_RODATA(void)
 {
-	execute_location(dereference_function_descriptor(lkdtm_rodata_do_nothing),
-			 CODE_AS_IS);
+	execute_location(rodata_area, CODE_AS_IS);
 }
 
 void lkdtm_EXEC_USERSPACE(void)
@@ -269,4 +269,9 @@ void __init lkdtm_perms_init(void)
 {
 	/* Make sure we can write to __ro_after_init values during __init */
 	ro_after_init |= 0xAA;
+
+	memcpy(rodata_area, dereference_function_descriptor(do_nothing),
+	       EXEC_SIZE);
+	flush_icache_range((unsigned long)rodata_area,
+			   (unsigned long)rodata_area + EXEC_SIZE);
 }
diff --git a/drivers/misc/lkdtm/rodata.c b/drivers/misc/lkdtm/rodata.c
deleted file mode 100644
index baacb876d1d9..000000000000
--- a/drivers/misc/lkdtm/rodata.c
+++ /dev/null
@@ -1,11 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * This includes functions that are meant to live entirely in .rodata
- * (via objcopy tricks), to validate the non-executability of .rodata.
- */
-#include "lkdtm.h"
-
-void noinstr lkdtm_rodata_do_nothing(void)
-{
-	/* Does nothing. We just want an architecture agnostic "return". */
-}
-- 
2.31.1

[RFC PATCH] lkdtm: Replace lkdtm_rodata_do_nothing() by do_nothing()

[Christophe Leroy]

All EXEC tests are based on running a copy of do_nothing()
except lkdtm_EXEC_RODATA which uses a different function
called lkdtm_rodata_do_nothing().

On architectures using function descriptors, EXEC tests are
performed using execute_location() which is a function
that most of the time copies do_nothing() at the tested
location then duplicates do_nothing() function descriptor
and updates it with the address of the copy of do_nothing().

But for EXEC_RODATA test, execute_location() uses
lkdtm_rodata_do_nothing() which is already in rodata section
at build time instead of using a copy of do_nothing(). However
it still uses the function descriptor of do_nothing(). There
is a risk that running lkdtm_rodata_do_nothing() with the
function descriptor of do_thing() is wrong.

To remove the above risk, change the approach and do the same
as for other EXEC tests: use a copy of do_nothing(). The copy
cannot be done during the test because RODATA area is write
protected. Do the copy during init, before RODATA becomes
write protected.

Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
---
This applies on top of series v3 "Fix LKDTM for PPC64/IA64/PARISC"

 drivers/misc/lkdtm/Makefile | 11 -----------
 drivers/misc/lkdtm/lkdtm.h  |  3 ---
 drivers/misc/lkdtm/perms.c  |  9 +++++++--
 drivers/misc/lkdtm/rodata.c | 11 -----------
 4 files changed, 7 insertions(+), 27 deletions(-)
 delete mode 100644 drivers/misc/lkdtm/rodata.c

diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
index e2984ce51fe4..3d45a2b3007d 100644
--- a/drivers/misc/lkdtm/Makefile
+++ b/drivers/misc/lkdtm/Makefile
@@ -6,21 +6,10 @@ lkdtm-$(CONFIG_LKDTM)		+= bugs.o
 lkdtm-$(CONFIG_LKDTM)		+= heap.o
 lkdtm-$(CONFIG_LKDTM)		+= perms.o
 lkdtm-$(CONFIG_LKDTM)		+= refcount.o
-lkdtm-$(CONFIG_LKDTM)		+= rodata_objcopy.o
 lkdtm-$(CONFIG_LKDTM)		+= usercopy.o
 lkdtm-$(CONFIG_LKDTM)		+= stackleak.o
 lkdtm-$(CONFIG_LKDTM)		+= cfi.o
 lkdtm-$(CONFIG_LKDTM)		+= fortify.o
 lkdtm-$(CONFIG_PPC_BOOK3S_64)	+= powerpc.o
 
-KASAN_SANITIZE_rodata.o		:= n
 KASAN_SANITIZE_stackleak.o	:= n
-KCOV_INSTRUMENT_rodata.o	:= n
-CFLAGS_REMOVE_rodata.o		+= $(CC_FLAGS_LTO)
-
-OBJCOPYFLAGS :-OBJCOPYFLAGS_rodata_objcopy.o	:= \
-			--rename-section .noinstr.text=.rodata,alloc,readonly,load,contents
-targets += rodata.o rodata_objcopy.o
-$(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
-	$(call if_changed,objcopy)
diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
index 188bd0fd6575..905555d4c2cf 100644
--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@@ -137,9 +137,6 @@ void lkdtm_REFCOUNT_SUB_AND_TEST_SATURATED(void);
 void lkdtm_REFCOUNT_TIMING(void);
 void lkdtm_ATOMIC_TIMING(void);
 
-/* rodata.c */
-void lkdtm_rodata_do_nothing(void);
-
 /* usercopy.c */
 void __init lkdtm_usercopy_init(void);
 void __exit lkdtm_usercopy_exit(void);
diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
index 2c6aba3ff32b..9b951ca48363 100644
--- a/drivers/misc/lkdtm/perms.c
+++ b/drivers/misc/lkdtm/perms.c
@@ -27,6 +27,7 @@ static const unsigned long rodata = 0xAA55AA55;
 
 /* This is marked __ro_after_init, so it should ultimately be .rodata. */
 static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
+static u8 rodata_area[EXEC_SIZE] __ro_after_init;
 
 /*
  * This just returns to the caller. It is designed to be copied into
@@ -193,8 +194,7 @@ void lkdtm_EXEC_VMALLOC(void)
 
 void lkdtm_EXEC_RODATA(void)
 {
-	execute_location(dereference_function_descriptor(lkdtm_rodata_do_nothing),
-			 CODE_AS_IS);
+	execute_location(rodata_area, CODE_AS_IS);
 }
 
 void lkdtm_EXEC_USERSPACE(void)
@@ -269,4 +269,9 @@ void __init lkdtm_perms_init(void)
 {
 	/* Make sure we can write to __ro_after_init values during __init */
 	ro_after_init |= 0xAA;
+
+	memcpy(rodata_area, dereference_function_descriptor(do_nothing),
+	       EXEC_SIZE);
+	flush_icache_range((unsigned long)rodata_area,
+			   (unsigned long)rodata_area + EXEC_SIZE);
 }
diff --git a/drivers/misc/lkdtm/rodata.c b/drivers/misc/lkdtm/rodata.c
deleted file mode 100644
index baacb876d1d9..000000000000
--- a/drivers/misc/lkdtm/rodata.c
+++ /dev/null
@@ -1,11 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * This includes functions that are meant to live entirely in .rodata
- * (via objcopy tricks), to validate the non-executability of .rodata.
- */
-#include "lkdtm.h"
-
-void noinstr lkdtm_rodata_do_nothing(void)
-{
-	/* Does nothing. We just want an architecture agnostic "return". */
-}
-- 
2.31.1

Re: [RFC PATCH] lkdtm: Replace lkdtm_rodata_do_nothing() by do_nothing()

[Christophe Leroy]

Hi Kees,

Le 17/10/2021 à 19:19, Christophe Leroy a écrit :
> All EXEC tests are based on running a copy of do_nothing()
> except lkdtm_EXEC_RODATA which uses a different function
> called lkdtm_rodata_do_nothing().
> 
> On architectures using function descriptors, EXEC tests are
> performed using execute_location() which is a function
> that most of the time copies do_nothing() at the tested
> location then duplicates do_nothing() function descriptor
> and updates it with the address of the copy of do_nothing().
> 
> But for EXEC_RODATA test, execute_location() uses
> lkdtm_rodata_do_nothing() which is already in rodata section
> at build time instead of using a copy of do_nothing(). However
> it still uses the function descriptor of do_nothing(). There
> is a risk that running lkdtm_rodata_do_nothing() with the
> function descriptor of do_thing() is wrong.
> 
> To remove the above risk, change the approach and do the same
> as for other EXEC tests: use a copy of do_nothing(). The copy
> cannot be done during the test because RODATA area is write
> protected. Do the copy during init, before RODATA becomes
> write protected.
> 
> Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>

Any opinion on this patch ?

Thanks
Christophe

> ---
> This applies on top of series v3 "Fix LKDTM for PPC64/IA64/PARISC"
> 
>   drivers/misc/lkdtm/Makefile | 11 -----------
>   drivers/misc/lkdtm/lkdtm.h  |  3 ---
>   drivers/misc/lkdtm/perms.c  |  9 +++++++--
>   drivers/misc/lkdtm/rodata.c | 11 -----------
>   4 files changed, 7 insertions(+), 27 deletions(-)
>   delete mode 100644 drivers/misc/lkdtm/rodata.c
> 
> diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
> index e2984ce51fe4..3d45a2b3007d 100644
> --- a/drivers/misc/lkdtm/Makefile
> +++ b/drivers/misc/lkdtm/Makefile
> @@ -6,21 +6,10 @@ lkdtm-$(CONFIG_LKDTM)		+= bugs.o
>   lkdtm-$(CONFIG_LKDTM)		+= heap.o
>   lkdtm-$(CONFIG_LKDTM)		+= perms.o
>   lkdtm-$(CONFIG_LKDTM)		+= refcount.o
> -lkdtm-$(CONFIG_LKDTM)		+= rodata_objcopy.o
>   lkdtm-$(CONFIG_LKDTM)		+= usercopy.o
>   lkdtm-$(CONFIG_LKDTM)		+= stackleak.o
>   lkdtm-$(CONFIG_LKDTM)		+= cfi.o
>   lkdtm-$(CONFIG_LKDTM)		+= fortify.o
>   lkdtm-$(CONFIG_PPC_BOOK3S_64)	+= powerpc.o
>   
> -KASAN_SANITIZE_rodata.o		:= n
>   KASAN_SANITIZE_stackleak.o	:= n
> -KCOV_INSTRUMENT_rodata.o	:= n
> -CFLAGS_REMOVE_rodata.o		+= $(CC_FLAGS_LTO)
> -
> -OBJCOPYFLAGS :=
> -OBJCOPYFLAGS_rodata_objcopy.o	:= \
> -			--rename-section .noinstr.text=.rodata,alloc,readonly,load,contents
> -targets += rodata.o rodata_objcopy.o
> -$(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
> -	$(call if_changed,objcopy)
> diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
> index 188bd0fd6575..905555d4c2cf 100644
> --- a/drivers/misc/lkdtm/lkdtm.h
> +++ b/drivers/misc/lkdtm/lkdtm.h
> @@ -137,9 +137,6 @@ void lkdtm_REFCOUNT_SUB_AND_TEST_SATURATED(void);
>   void lkdtm_REFCOUNT_TIMING(void);
>   void lkdtm_ATOMIC_TIMING(void);
>   
> -/* rodata.c */
> -void lkdtm_rodata_do_nothing(void);
> -
>   /* usercopy.c */
>   void __init lkdtm_usercopy_init(void);
>   void __exit lkdtm_usercopy_exit(void);
> diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
> index 2c6aba3ff32b..9b951ca48363 100644
> --- a/drivers/misc/lkdtm/perms.c
> +++ b/drivers/misc/lkdtm/perms.c
> @@ -27,6 +27,7 @@ static const unsigned long rodata = 0xAA55AA55;
>   
>   /* This is marked __ro_after_init, so it should ultimately be .rodata. */
>   static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
> +static u8 rodata_area[EXEC_SIZE] __ro_after_init;
>   
>   /*
>    * This just returns to the caller. It is designed to be copied into
> @@ -193,8 +194,7 @@ void lkdtm_EXEC_VMALLOC(void)
>   
>   void lkdtm_EXEC_RODATA(void)
>   {
> -	execute_location(dereference_function_descriptor(lkdtm_rodata_do_nothing),
> -			 CODE_AS_IS);
> +	execute_location(rodata_area, CODE_AS_IS);
>   }
>   
>   void lkdtm_EXEC_USERSPACE(void)
> @@ -269,4 +269,9 @@ void __init lkdtm_perms_init(void)
>   {
>   	/* Make sure we can write to __ro_after_init values during __init */
>   	ro_after_init |= 0xAA;
> +
> +	memcpy(rodata_area, dereference_function_descriptor(do_nothing),
> +	       EXEC_SIZE);
> +	flush_icache_range((unsigned long)rodata_area,
> +			   (unsigned long)rodata_area + EXEC_SIZE);
>   }
> diff --git a/drivers/misc/lkdtm/rodata.c b/drivers/misc/lkdtm/rodata.c
> deleted file mode 100644
> index baacb876d1d9..000000000000
> --- a/drivers/misc/lkdtm/rodata.c
> +++ /dev/null
> @@ -1,11 +0,0 @@
> -// SPDX-License-Identifier: GPL-2.0
> -/*
> - * This includes functions that are meant to live entirely in .rodata
> - * (via objcopy tricks), to validate the non-executability of .rodata.
> - */
> -#include "lkdtm.h"
> -
> -void noinstr lkdtm_rodata_do_nothing(void)
> -{
> -	/* Does nothing. We just want an architecture agnostic "return". */
> -}

Re: [RFC PATCH] lkdtm: Replace lkdtm_rodata_do_nothing() by do_nothing()

[Christophe Leroy]

Hi Kees,

Le 17/10/2021 à 19:19, Christophe Leroy a écrit :
> All EXEC tests are based on running a copy of do_nothing()
> except lkdtm_EXEC_RODATA which uses a different function
> called lkdtm_rodata_do_nothing().
> 
> On architectures using function descriptors, EXEC tests are
> performed using execute_location() which is a function
> that most of the time copies do_nothing() at the tested
> location then duplicates do_nothing() function descriptor
> and updates it with the address of the copy of do_nothing().
> 
> But for EXEC_RODATA test, execute_location() uses
> lkdtm_rodata_do_nothing() which is already in rodata section
> at build time instead of using a copy of do_nothing(). However
> it still uses the function descriptor of do_nothing(). There
> is a risk that running lkdtm_rodata_do_nothing() with the
> function descriptor of do_thing() is wrong.
> 
> To remove the above risk, change the approach and do the same
> as for other EXEC tests: use a copy of do_nothing(). The copy
> cannot be done during the test because RODATA area is write
> protected. Do the copy during init, before RODATA becomes
> write protected.
> 
> Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>

Any opinion on this patch ?

Thanks
Christophe

> ---
> This applies on top of series v3 "Fix LKDTM for PPC64/IA64/PARISC"
> 
>   drivers/misc/lkdtm/Makefile | 11 -----------
>   drivers/misc/lkdtm/lkdtm.h  |  3 ---
>   drivers/misc/lkdtm/perms.c  |  9 +++++++--
>   drivers/misc/lkdtm/rodata.c | 11 -----------
>   4 files changed, 7 insertions(+), 27 deletions(-)
>   delete mode 100644 drivers/misc/lkdtm/rodata.c
> 
> diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
> index e2984ce51fe4..3d45a2b3007d 100644
> --- a/drivers/misc/lkdtm/Makefile
> +++ b/drivers/misc/lkdtm/Makefile
> @@ -6,21 +6,10 @@ lkdtm-$(CONFIG_LKDTM)		+= bugs.o
>   lkdtm-$(CONFIG_LKDTM)		+= heap.o
>   lkdtm-$(CONFIG_LKDTM)		+= perms.o
>   lkdtm-$(CONFIG_LKDTM)		+= refcount.o
> -lkdtm-$(CONFIG_LKDTM)		+= rodata_objcopy.o
>   lkdtm-$(CONFIG_LKDTM)		+= usercopy.o
>   lkdtm-$(CONFIG_LKDTM)		+= stackleak.o
>   lkdtm-$(CONFIG_LKDTM)		+= cfi.o
>   lkdtm-$(CONFIG_LKDTM)		+= fortify.o
>   lkdtm-$(CONFIG_PPC_BOOK3S_64)	+= powerpc.o
>   
> -KASAN_SANITIZE_rodata.o		:= n
>   KASAN_SANITIZE_stackleak.o	:= n
> -KCOV_INSTRUMENT_rodata.o	:= n
> -CFLAGS_REMOVE_rodata.o		+= $(CC_FLAGS_LTO)
> -
> -OBJCOPYFLAGS :=
> -OBJCOPYFLAGS_rodata_objcopy.o	:= \
> -			--rename-section .noinstr.text=.rodata,alloc,readonly,load,contents
> -targets += rodata.o rodata_objcopy.o
> -$(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
> -	$(call if_changed,objcopy)
> diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
> index 188bd0fd6575..905555d4c2cf 100644
> --- a/drivers/misc/lkdtm/lkdtm.h
> +++ b/drivers/misc/lkdtm/lkdtm.h
> @@ -137,9 +137,6 @@ void lkdtm_REFCOUNT_SUB_AND_TEST_SATURATED(void);
>   void lkdtm_REFCOUNT_TIMING(void);
>   void lkdtm_ATOMIC_TIMING(void);
>   
> -/* rodata.c */
> -void lkdtm_rodata_do_nothing(void);
> -
>   /* usercopy.c */
>   void __init lkdtm_usercopy_init(void);
>   void __exit lkdtm_usercopy_exit(void);
> diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
> index 2c6aba3ff32b..9b951ca48363 100644
> --- a/drivers/misc/lkdtm/perms.c
> +++ b/drivers/misc/lkdtm/perms.c
> @@ -27,6 +27,7 @@ static const unsigned long rodata = 0xAA55AA55;
>   
>   /* This is marked __ro_after_init, so it should ultimately be .rodata. */
>   static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
> +static u8 rodata_area[EXEC_SIZE] __ro_after_init;
>   
>   /*
>    * This just returns to the caller. It is designed to be copied into
> @@ -193,8 +194,7 @@ void lkdtm_EXEC_VMALLOC(void)
>   
>   void lkdtm_EXEC_RODATA(void)
>   {
> -	execute_location(dereference_function_descriptor(lkdtm_rodata_do_nothing),
> -			 CODE_AS_IS);
> +	execute_location(rodata_area, CODE_AS_IS);
>   }
>   
>   void lkdtm_EXEC_USERSPACE(void)
> @@ -269,4 +269,9 @@ void __init lkdtm_perms_init(void)
>   {
>   	/* Make sure we can write to __ro_after_init values during __init */
>   	ro_after_init |= 0xAA;
> +
> +	memcpy(rodata_area, dereference_function_descriptor(do_nothing),
> +	       EXEC_SIZE);
> +	flush_icache_range((unsigned long)rodata_area,
> +			   (unsigned long)rodata_area + EXEC_SIZE);
>   }
> diff --git a/drivers/misc/lkdtm/rodata.c b/drivers/misc/lkdtm/rodata.c
> deleted file mode 100644
> index baacb876d1d9..000000000000
> --- a/drivers/misc/lkdtm/rodata.c
> +++ /dev/null
> @@ -1,11 +0,0 @@
> -// SPDX-License-Identifier: GPL-2.0
> -/*
> - * This includes functions that are meant to live entirely in .rodata
> - * (via objcopy tricks), to validate the non-executability of .rodata.
> - */
> -#include "lkdtm.h"
> -
> -void noinstr lkdtm_rodata_do_nothing(void)
> -{
> -	/* Does nothing. We just want an architecture agnostic "return". */
> -}

Re: [RFC PATCH] lkdtm: Replace lkdtm_rodata_do_nothing() by do_nothing()

[Christophe Leroy]

SGkgS2VlcywNCg0KTGUgMTcvMTAvMjAyMSDDoCAxOToxOSwgQ2hyaXN0b3BoZSBMZXJveSBhIMOp
Y3JpdMKgOg0KPiBBbGwgRVhFQyB0ZXN0cyBhcmUgYmFzZWQgb24gcnVubmluZyBhIGNvcHkgb2Yg
ZG9fbm90aGluZygpDQo+IGV4Y2VwdCBsa2R0bV9FWEVDX1JPREFUQSB3aGljaCB1c2VzIGEgZGlm
ZmVyZW50IGZ1bmN0aW9uDQo+IGNhbGxlZCBsa2R0bV9yb2RhdGFfZG9fbm90aGluZygpLg0KPiAN
Cj4gT24gYXJjaGl0ZWN0dXJlcyB1c2luZyBmdW5jdGlvbiBkZXNjcmlwdG9ycywgRVhFQyB0ZXN0
cyBhcmUNCj4gcGVyZm9ybWVkIHVzaW5nIGV4ZWN1dGVfbG9jYXRpb24oKSB3aGljaCBpcyBhIGZ1
bmN0aW9uDQo+IHRoYXQgbW9zdCBvZiB0aGUgdGltZSBjb3BpZXMgZG9fbm90aGluZygpIGF0IHRo
ZSB0ZXN0ZWQNCj4gbG9jYXRpb24gdGhlbiBkdXBsaWNhdGVzIGRvX25vdGhpbmcoKSBmdW5jdGlv
biBkZXNjcmlwdG9yDQo+IGFuZCB1cGRhdGVzIGl0IHdpdGggdGhlIGFkZHJlc3Mgb2YgdGhlIGNv
cHkgb2YgZG9fbm90aGluZygpLg0KPiANCj4gQnV0IGZvciBFWEVDX1JPREFUQSB0ZXN0LCBleGVj
dXRlX2xvY2F0aW9uKCkgdXNlcw0KPiBsa2R0bV9yb2RhdGFfZG9fbm90aGluZygpIHdoaWNoIGlz
IGFscmVhZHkgaW4gcm9kYXRhIHNlY3Rpb24NCj4gYXQgYnVpbGQgdGltZSBpbnN0ZWFkIG9mIHVz
aW5nIGEgY29weSBvZiBkb19ub3RoaW5nKCkuIEhvd2V2ZXINCj4gaXQgc3RpbGwgdXNlcyB0aGUg
ZnVuY3Rpb24gZGVzY3JpcHRvciBvZiBkb19ub3RoaW5nKCkuIFRoZXJlDQo+IGlzIGEgcmlzayB0
aGF0IHJ1bm5pbmcgbGtkdG1fcm9kYXRhX2RvX25vdGhpbmcoKSB3aXRoIHRoZQ0KPiBmdW5jdGlv
biBkZXNjcmlwdG9yIG9mIGRvX3RoaW5nKCkgaXMgd3JvbmcuDQo+IA0KPiBUbyByZW1vdmUgdGhl
IGFib3ZlIHJpc2ssIGNoYW5nZSB0aGUgYXBwcm9hY2ggYW5kIGRvIHRoZSBzYW1lDQo+IGFzIGZv
ciBvdGhlciBFWEVDIHRlc3RzOiB1c2UgYSBjb3B5IG9mIGRvX25vdGhpbmcoKS4gVGhlIGNvcHkN
Cj4gY2Fubm90IGJlIGRvbmUgZHVyaW5nIHRoZSB0ZXN0IGJlY2F1c2UgUk9EQVRBIGFyZWEgaXMg
d3JpdGUNCj4gcHJvdGVjdGVkLiBEbyB0aGUgY29weSBkdXJpbmcgaW5pdCwgYmVmb3JlIFJPREFU
QSBiZWNvbWVzDQo+IHdyaXRlIHByb3RlY3RlZC4NCj4gDQo+IFNpZ25lZC1vZmYtYnk6IENocmlz
dG9waGUgTGVyb3kgPGNocmlzdG9waGUubGVyb3lAY3Nncm91cC5ldT4NCg0KQW55IG9waW5pb24g
b24gdGhpcyBwYXRjaCA/DQoNClRoYW5rcw0KQ2hyaXN0b3BoZQ0KDQo+IC0tLQ0KPiBUaGlzIGFw
cGxpZXMgb24gdG9wIG9mIHNlcmllcyB2MyAiRml4IExLRFRNIGZvciBQUEM2NC9JQTY0L1BBUklT
QyINCj4gDQo+ICAgZHJpdmVycy9taXNjL2xrZHRtL01ha2VmaWxlIHwgMTEgLS0tLS0tLS0tLS0N
Cj4gICBkcml2ZXJzL21pc2MvbGtkdG0vbGtkdG0uaCAgfCAgMyAtLS0NCj4gICBkcml2ZXJzL21p
c2MvbGtkdG0vcGVybXMuYyAgfCAgOSArKysrKysrLS0NCj4gICBkcml2ZXJzL21pc2MvbGtkdG0v
cm9kYXRhLmMgfCAxMSAtLS0tLS0tLS0tLQ0KPiAgIDQgZmlsZXMgY2hhbmdlZCwgNyBpbnNlcnRp
b25zKCspLCAyNyBkZWxldGlvbnMoLSkNCj4gICBkZWxldGUgbW9kZSAxMDA2NDQgZHJpdmVycy9t
aXNjL2xrZHRtL3JvZGF0YS5jDQo+IA0KPiBkaWZmIC0tZ2l0IGEvZHJpdmVycy9taXNjL2xrZHRt
L01ha2VmaWxlIGIvZHJpdmVycy9taXNjL2xrZHRtL01ha2VmaWxlDQo+IGluZGV4IGUyOTg0Y2U1
MWZlNC4uM2Q0NWEyYjMwMDdkIDEwMDY0NA0KPiAtLS0gYS9kcml2ZXJzL21pc2MvbGtkdG0vTWFr
ZWZpbGUNCj4gKysrIGIvZHJpdmVycy9taXNjL2xrZHRtL01ha2VmaWxlDQo+IEBAIC02LDIxICs2
LDEwIEBAIGxrZHRtLSQoQ09ORklHX0xLRFRNKQkJKz0gYnVncy5vDQo+ICAgbGtkdG0tJChDT05G
SUdfTEtEVE0pCQkrPSBoZWFwLm8NCj4gICBsa2R0bS0kKENPTkZJR19MS0RUTSkJCSs9IHBlcm1z
Lm8NCj4gICBsa2R0bS0kKENPTkZJR19MS0RUTSkJCSs9IHJlZmNvdW50Lm8NCj4gLWxrZHRtLSQo
Q09ORklHX0xLRFRNKQkJKz0gcm9kYXRhX29iamNvcHkubw0KPiAgIGxrZHRtLSQoQ09ORklHX0xL
RFRNKQkJKz0gdXNlcmNvcHkubw0KPiAgIGxrZHRtLSQoQ09ORklHX0xLRFRNKQkJKz0gc3RhY2ts
ZWFrLm8NCj4gICBsa2R0bS0kKENPTkZJR19MS0RUTSkJCSs9IGNmaS5vDQo+ICAgbGtkdG0tJChD
T05GSUdfTEtEVE0pCQkrPSBmb3J0aWZ5Lm8NCj4gICBsa2R0bS0kKENPTkZJR19QUENfQk9PSzNT
XzY0KQkrPSBwb3dlcnBjLm8NCj4gICANCj4gLUtBU0FOX1NBTklUSVpFX3JvZGF0YS5vCQk6PSBu
DQo+ICAgS0FTQU5fU0FOSVRJWkVfc3RhY2tsZWFrLm8JOj0gbg0KPiAtS0NPVl9JTlNUUlVNRU5U
X3JvZGF0YS5vCTo9IG4NCj4gLUNGTEFHU19SRU1PVkVfcm9kYXRhLm8JCSs9ICQoQ0NfRkxBR1Nf
TFRPKQ0KPiAtDQo+IC1PQkpDT1BZRkxBR1MgOj0NCj4gLU9CSkNPUFlGTEFHU19yb2RhdGFfb2Jq
Y29weS5vCTo9IFwNCj4gLQkJCS0tcmVuYW1lLXNlY3Rpb24gLm5vaW5zdHIudGV4dD0ucm9kYXRh
LGFsbG9jLHJlYWRvbmx5LGxvYWQsY29udGVudHMNCj4gLXRhcmdldHMgKz0gcm9kYXRhLm8gcm9k
YXRhX29iamNvcHkubw0KPiAtJChvYmopL3JvZGF0YV9vYmpjb3B5Lm86ICQob2JqKS9yb2RhdGEu
byBGT1JDRQ0KPiAtCSQoY2FsbCBpZl9jaGFuZ2VkLG9iamNvcHkpDQo+IGRpZmYgLS1naXQgYS9k
cml2ZXJzL21pc2MvbGtkdG0vbGtkdG0uaCBiL2RyaXZlcnMvbWlzYy9sa2R0bS9sa2R0bS5oDQo+
IGluZGV4IDE4OGJkMGZkNjU3NS4uOTA1NTU1ZDRjMmNmIDEwMDY0NA0KPiAtLS0gYS9kcml2ZXJz
L21pc2MvbGtkdG0vbGtkdG0uaA0KPiArKysgYi9kcml2ZXJzL21pc2MvbGtkdG0vbGtkdG0uaA0K
PiBAQCAtMTM3LDkgKzEzNyw2IEBAIHZvaWQgbGtkdG1fUkVGQ09VTlRfU1VCX0FORF9URVNUX1NB
VFVSQVRFRCh2b2lkKTsNCj4gICB2b2lkIGxrZHRtX1JFRkNPVU5UX1RJTUlORyh2b2lkKTsNCj4g
ICB2b2lkIGxrZHRtX0FUT01JQ19USU1JTkcodm9pZCk7DQo+ICAgDQo+IC0vKiByb2RhdGEuYyAq
Lw0KPiAtdm9pZCBsa2R0bV9yb2RhdGFfZG9fbm90aGluZyh2b2lkKTsNCj4gLQ0KPiAgIC8qIHVz
ZXJjb3B5LmMgKi8NCj4gICB2b2lkIF9faW5pdCBsa2R0bV91c2VyY29weV9pbml0KHZvaWQpOw0K
PiAgIHZvaWQgX19leGl0IGxrZHRtX3VzZXJjb3B5X2V4aXQodm9pZCk7DQo+IGRpZmYgLS1naXQg
YS9kcml2ZXJzL21pc2MvbGtkdG0vcGVybXMuYyBiL2RyaXZlcnMvbWlzYy9sa2R0bS9wZXJtcy5j
DQo+IGluZGV4IDJjNmFiYTNmZjMyYi4uOWI5NTFjYTQ4MzYzIDEwMDY0NA0KPiAtLS0gYS9kcml2
ZXJzL21pc2MvbGtkdG0vcGVybXMuYw0KPiArKysgYi9kcml2ZXJzL21pc2MvbGtkdG0vcGVybXMu
Yw0KPiBAQCAtMjcsNiArMjcsNyBAQCBzdGF0aWMgY29uc3QgdW5zaWduZWQgbG9uZyByb2RhdGEg
PSAweEFBNTVBQTU1Ow0KPiAgIA0KPiAgIC8qIFRoaXMgaXMgbWFya2VkIF9fcm9fYWZ0ZXJfaW5p
dCwgc28gaXQgc2hvdWxkIHVsdGltYXRlbHkgYmUgLnJvZGF0YS4gKi8NCj4gICBzdGF0aWMgdW5z
aWduZWQgbG9uZyByb19hZnRlcl9pbml0IF9fcm9fYWZ0ZXJfaW5pdCA9IDB4NTVBQTU1MDA7DQo+
ICtzdGF0aWMgdTggcm9kYXRhX2FyZWFbRVhFQ19TSVpFXSBfX3JvX2FmdGVyX2luaXQ7DQo+ICAg
DQo+ICAgLyoNCj4gICAgKiBUaGlzIGp1c3QgcmV0dXJucyB0byB0aGUgY2FsbGVyLiBJdCBpcyBk
ZXNpZ25lZCB0byBiZSBjb3BpZWQgaW50bw0KPiBAQCAtMTkzLDggKzE5NCw3IEBAIHZvaWQgbGtk
dG1fRVhFQ19WTUFMTE9DKHZvaWQpDQo+ICAgDQo+ICAgdm9pZCBsa2R0bV9FWEVDX1JPREFUQSh2
b2lkKQ0KPiAgIHsNCj4gLQlleGVjdXRlX2xvY2F0aW9uKGRlcmVmZXJlbmNlX2Z1bmN0aW9uX2Rl
c2NyaXB0b3IobGtkdG1fcm9kYXRhX2RvX25vdGhpbmcpLA0KPiAtCQkJIENPREVfQVNfSVMpOw0K
PiArCWV4ZWN1dGVfbG9jYXRpb24ocm9kYXRhX2FyZWEsIENPREVfQVNfSVMpOw0KPiAgIH0NCj4g
ICANCj4gICB2b2lkIGxrZHRtX0VYRUNfVVNFUlNQQUNFKHZvaWQpDQo+IEBAIC0yNjksNCArMjY5
LDkgQEAgdm9pZCBfX2luaXQgbGtkdG1fcGVybXNfaW5pdCh2b2lkKQ0KPiAgIHsNCj4gICAJLyog
TWFrZSBzdXJlIHdlIGNhbiB3cml0ZSB0byBfX3JvX2FmdGVyX2luaXQgdmFsdWVzIGR1cmluZyBf
X2luaXQgKi8NCj4gICAJcm9fYWZ0ZXJfaW5pdCB8PSAweEFBOw0KPiArDQo+ICsJbWVtY3B5KHJv
ZGF0YV9hcmVhLCBkZXJlZmVyZW5jZV9mdW5jdGlvbl9kZXNjcmlwdG9yKGRvX25vdGhpbmcpLA0K
PiArCSAgICAgICBFWEVDX1NJWkUpOw0KPiArCWZsdXNoX2ljYWNoZV9yYW5nZSgodW5zaWduZWQg
bG9uZylyb2RhdGFfYXJlYSwNCj4gKwkJCSAgICh1bnNpZ25lZCBsb25nKXJvZGF0YV9hcmVhICsg
RVhFQ19TSVpFKTsNCj4gICB9DQo+IGRpZmYgLS1naXQgYS9kcml2ZXJzL21pc2MvbGtkdG0vcm9k
YXRhLmMgYi9kcml2ZXJzL21pc2MvbGtkdG0vcm9kYXRhLmMNCj4gZGVsZXRlZCBmaWxlIG1vZGUg
MTAwNjQ0DQo+IGluZGV4IGJhYWNiODc2ZDFkOS4uMDAwMDAwMDAwMDAwDQo+IC0tLSBhL2RyaXZl
cnMvbWlzYy9sa2R0bS9yb2RhdGEuYw0KPiArKysgL2Rldi9udWxsDQo+IEBAIC0xLDExICswLDAg
QEANCj4gLS8vIFNQRFgtTGljZW5zZS1JZGVudGlmaWVyOiBHUEwtMi4wDQo+IC0vKg0KPiAtICog
VGhpcyBpbmNsdWRlcyBmdW5jdGlvbnMgdGhhdCBhcmUgbWVhbnQgdG8gbGl2ZSBlbnRpcmVseSBp
biAucm9kYXRhDQo+IC0gKiAodmlhIG9iamNvcHkgdHJpY2tzKSwgdG8gdmFsaWRhdGUgdGhlIG5v
bi1leGVjdXRhYmlsaXR5IG9mIC5yb2RhdGEuDQo+IC0gKi8NCj4gLSNpbmNsdWRlICJsa2R0bS5o
Ig0KPiAtDQo+IC12b2lkIG5vaW5zdHIgbGtkdG1fcm9kYXRhX2RvX25vdGhpbmcodm9pZCkNCj4g
LXsNCj4gLQkvKiBEb2VzIG5vdGhpbmcuIFdlIGp1c3Qgd2FudCBhbiBhcmNoaXRlY3R1cmUgYWdu
b3N0aWMgInJldHVybiIuICovDQo+IC19

Re: [RFC PATCH] lkdtm: Replace lkdtm_rodata_do_nothing() by do_nothing()

[Christophe Leroy]

Hi Kees,

Le 23/02/2022 à 18:17, Christophe Leroy a écrit :
> Hi Kees,
> 
> Le 17/10/2021 à 19:19, Christophe Leroy a écrit :
>> All EXEC tests are based on running a copy of do_nothing()
>> except lkdtm_EXEC_RODATA which uses a different function
>> called lkdtm_rodata_do_nothing().
>>
>> On architectures using function descriptors, EXEC tests are
>> performed using execute_location() which is a function
>> that most of the time copies do_nothing() at the tested
>> location then duplicates do_nothing() function descriptor
>> and updates it with the address of the copy of do_nothing().
>>
>> But for EXEC_RODATA test, execute_location() uses
>> lkdtm_rodata_do_nothing() which is already in rodata section
>> at build time instead of using a copy of do_nothing(). However
>> it still uses the function descriptor of do_nothing(). There
>> is a risk that running lkdtm_rodata_do_nothing() with the
>> function descriptor of do_thing() is wrong.
>>
>> To remove the above risk, change the approach and do the same
>> as for other EXEC tests: use a copy of do_nothing(). The copy
>> cannot be done during the test because RODATA area is write
>> protected. Do the copy during init, before RODATA becomes
>> write protected.
>>
>> Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
> 
> Any opinion on this patch ?

Any opinion ?

Thanks
Christophe

> 
> Thanks
> Christophe
> 
>> ---
>> This applies on top of series v3 "Fix LKDTM for PPC64/IA64/PARISC"
>>
>>   drivers/misc/lkdtm/Makefile | 11 -----------
>>   drivers/misc/lkdtm/lkdtm.h  |  3 ---
>>   drivers/misc/lkdtm/perms.c  |  9 +++++++--
>>   drivers/misc/lkdtm/rodata.c | 11 -----------
>>   4 files changed, 7 insertions(+), 27 deletions(-)
>>   delete mode 100644 drivers/misc/lkdtm/rodata.c
>>
>> diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
>> index e2984ce51fe4..3d45a2b3007d 100644
>> --- a/drivers/misc/lkdtm/Makefile
>> +++ b/drivers/misc/lkdtm/Makefile
>> @@ -6,21 +6,10 @@ lkdtm-$(CONFIG_LKDTM)        += bugs.o
>>   lkdtm-$(CONFIG_LKDTM)        += heap.o
>>   lkdtm-$(CONFIG_LKDTM)        += perms.o
>>   lkdtm-$(CONFIG_LKDTM)        += refcount.o
>> -lkdtm-$(CONFIG_LKDTM)        += rodata_objcopy.o
>>   lkdtm-$(CONFIG_LKDTM)        += usercopy.o
>>   lkdtm-$(CONFIG_LKDTM)        += stackleak.o
>>   lkdtm-$(CONFIG_LKDTM)        += cfi.o
>>   lkdtm-$(CONFIG_LKDTM)        += fortify.o
>>   lkdtm-$(CONFIG_PPC_BOOK3S_64)    += powerpc.o
>> -KASAN_SANITIZE_rodata.o        := n
>>   KASAN_SANITIZE_stackleak.o    := n
>> -KCOV_INSTRUMENT_rodata.o    := n
>> -CFLAGS_REMOVE_rodata.o        += $(CC_FLAGS_LTO)
>> -
>> -OBJCOPYFLAGS :=
>> -OBJCOPYFLAGS_rodata_objcopy.o    := \
>> -            --rename-section 
>> .noinstr.text=.rodata,alloc,readonly,load,contents
>> -targets += rodata.o rodata_objcopy.o
>> -$(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
>> -    $(call if_changed,objcopy)
>> diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
>> index 188bd0fd6575..905555d4c2cf 100644
>> --- a/drivers/misc/lkdtm/lkdtm.h
>> +++ b/drivers/misc/lkdtm/lkdtm.h
>> @@ -137,9 +137,6 @@ void lkdtm_REFCOUNT_SUB_AND_TEST_SATURATED(void);
>>   void lkdtm_REFCOUNT_TIMING(void);
>>   void lkdtm_ATOMIC_TIMING(void);
>> -/* rodata.c */
>> -void lkdtm_rodata_do_nothing(void);
>> -
>>   /* usercopy.c */
>>   void __init lkdtm_usercopy_init(void);
>>   void __exit lkdtm_usercopy_exit(void);
>> diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
>> index 2c6aba3ff32b..9b951ca48363 100644
>> --- a/drivers/misc/lkdtm/perms.c
>> +++ b/drivers/misc/lkdtm/perms.c
>> @@ -27,6 +27,7 @@ static const unsigned long rodata = 0xAA55AA55;
>>   /* This is marked __ro_after_init, so it should ultimately be 
>> .rodata. */
>>   static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
>> +static u8 rodata_area[EXEC_SIZE] __ro_after_init;
>>   /*
>>    * This just returns to the caller. It is designed to be copied into
>> @@ -193,8 +194,7 @@ void lkdtm_EXEC_VMALLOC(void)
>>   void lkdtm_EXEC_RODATA(void)
>>   {
>> -    
>> execute_location(dereference_function_descriptor(lkdtm_rodata_do_nothing), 
>>
>> -             CODE_AS_IS);
>> +    execute_location(rodata_area, CODE_AS_IS);
>>   }
>>   void lkdtm_EXEC_USERSPACE(void)
>> @@ -269,4 +269,9 @@ void __init lkdtm_perms_init(void)
>>   {
>>       /* Make sure we can write to __ro_after_init values during 
>> __init */
>>       ro_after_init |= 0xAA;
>> +
>> +    memcpy(rodata_area, dereference_function_descriptor(do_nothing),
>> +           EXEC_SIZE);
>> +    flush_icache_range((unsigned long)rodata_area,
>> +               (unsigned long)rodata_area + EXEC_SIZE);
>>   }
>> diff --git a/drivers/misc/lkdtm/rodata.c b/drivers/misc/lkdtm/rodata.c
>> deleted file mode 100644
>> index baacb876d1d9..000000000000
>> --- a/drivers/misc/lkdtm/rodata.c
>> +++ /dev/null
>> @@ -1,11 +0,0 @@
>> -// SPDX-License-Identifier: GPL-2.0
>> -/*
>> - * This includes functions that are meant to live entirely in .rodata
>> - * (via objcopy tricks), to validate the non-executability of .rodata.
>> - */
>> -#include "lkdtm.h"
>> -
>> -void noinstr lkdtm_rodata_do_nothing(void)
>> -{
>> -    /* Does nothing. We just want an architecture agnostic "return". */
>> -}

Re: [RFC PATCH] lkdtm: Replace lkdtm_rodata_do_nothing() by do_nothing()

[Christophe Leroy]

Hi Kees,

Le 23/02/2022 à 18:17, Christophe Leroy a écrit :
> Hi Kees,
> 
> Le 17/10/2021 à 19:19, Christophe Leroy a écrit :
>> All EXEC tests are based on running a copy of do_nothing()
>> except lkdtm_EXEC_RODATA which uses a different function
>> called lkdtm_rodata_do_nothing().
>>
>> On architectures using function descriptors, EXEC tests are
>> performed using execute_location() which is a function
>> that most of the time copies do_nothing() at the tested
>> location then duplicates do_nothing() function descriptor
>> and updates it with the address of the copy of do_nothing().
>>
>> But for EXEC_RODATA test, execute_location() uses
>> lkdtm_rodata_do_nothing() which is already in rodata section
>> at build time instead of using a copy of do_nothing(). However
>> it still uses the function descriptor of do_nothing(). There
>> is a risk that running lkdtm_rodata_do_nothing() with the
>> function descriptor of do_thing() is wrong.
>>
>> To remove the above risk, change the approach and do the same
>> as for other EXEC tests: use a copy of do_nothing(). The copy
>> cannot be done during the test because RODATA area is write
>> protected. Do the copy during init, before RODATA becomes
>> write protected.
>>
>> Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
> 
> Any opinion on this patch ?

Any opinion ?

Thanks
Christophe

> 
> Thanks
> Christophe
> 
>> ---
>> This applies on top of series v3 "Fix LKDTM for PPC64/IA64/PARISC"
>>
>>   drivers/misc/lkdtm/Makefile | 11 -----------
>>   drivers/misc/lkdtm/lkdtm.h  |  3 ---
>>   drivers/misc/lkdtm/perms.c  |  9 +++++++--
>>   drivers/misc/lkdtm/rodata.c | 11 -----------
>>   4 files changed, 7 insertions(+), 27 deletions(-)
>>   delete mode 100644 drivers/misc/lkdtm/rodata.c
>>
>> diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
>> index e2984ce51fe4..3d45a2b3007d 100644
>> --- a/drivers/misc/lkdtm/Makefile
>> +++ b/drivers/misc/lkdtm/Makefile
>> @@ -6,21 +6,10 @@ lkdtm-$(CONFIG_LKDTM)        += bugs.o
>>   lkdtm-$(CONFIG_LKDTM)        += heap.o
>>   lkdtm-$(CONFIG_LKDTM)        += perms.o
>>   lkdtm-$(CONFIG_LKDTM)        += refcount.o
>> -lkdtm-$(CONFIG_LKDTM)        += rodata_objcopy.o
>>   lkdtm-$(CONFIG_LKDTM)        += usercopy.o
>>   lkdtm-$(CONFIG_LKDTM)        += stackleak.o
>>   lkdtm-$(CONFIG_LKDTM)        += cfi.o
>>   lkdtm-$(CONFIG_LKDTM)        += fortify.o
>>   lkdtm-$(CONFIG_PPC_BOOK3S_64)    += powerpc.o
>> -KASAN_SANITIZE_rodata.o        := n
>>   KASAN_SANITIZE_stackleak.o    := n
>> -KCOV_INSTRUMENT_rodata.o    := n
>> -CFLAGS_REMOVE_rodata.o        += $(CC_FLAGS_LTO)
>> -
>> -OBJCOPYFLAGS :=
>> -OBJCOPYFLAGS_rodata_objcopy.o    := \
>> -            --rename-section 
>> .noinstr.text=.rodata,alloc,readonly,load,contents
>> -targets += rodata.o rodata_objcopy.o
>> -$(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
>> -    $(call if_changed,objcopy)
>> diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
>> index 188bd0fd6575..905555d4c2cf 100644
>> --- a/drivers/misc/lkdtm/lkdtm.h
>> +++ b/drivers/misc/lkdtm/lkdtm.h
>> @@ -137,9 +137,6 @@ void lkdtm_REFCOUNT_SUB_AND_TEST_SATURATED(void);
>>   void lkdtm_REFCOUNT_TIMING(void);
>>   void lkdtm_ATOMIC_TIMING(void);
>> -/* rodata.c */
>> -void lkdtm_rodata_do_nothing(void);
>> -
>>   /* usercopy.c */
>>   void __init lkdtm_usercopy_init(void);
>>   void __exit lkdtm_usercopy_exit(void);
>> diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
>> index 2c6aba3ff32b..9b951ca48363 100644
>> --- a/drivers/misc/lkdtm/perms.c
>> +++ b/drivers/misc/lkdtm/perms.c
>> @@ -27,6 +27,7 @@ static const unsigned long rodata = 0xAA55AA55;
>>   /* This is marked __ro_after_init, so it should ultimately be 
>> .rodata. */
>>   static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
>> +static u8 rodata_area[EXEC_SIZE] __ro_after_init;
>>   /*
>>    * This just returns to the caller. It is designed to be copied into
>> @@ -193,8 +194,7 @@ void lkdtm_EXEC_VMALLOC(void)
>>   void lkdtm_EXEC_RODATA(void)
>>   {
>> -    
>> execute_location(dereference_function_descriptor(lkdtm_rodata_do_nothing), 
>>
>> -             CODE_AS_IS);
>> +    execute_location(rodata_area, CODE_AS_IS);
>>   }
>>   void lkdtm_EXEC_USERSPACE(void)
>> @@ -269,4 +269,9 @@ void __init lkdtm_perms_init(void)
>>   {
>>       /* Make sure we can write to __ro_after_init values during 
>> __init */
>>       ro_after_init |= 0xAA;
>> +
>> +    memcpy(rodata_area, dereference_function_descriptor(do_nothing),
>> +           EXEC_SIZE);
>> +    flush_icache_range((unsigned long)rodata_area,
>> +               (unsigned long)rodata_area + EXEC_SIZE);
>>   }
>> diff --git a/drivers/misc/lkdtm/rodata.c b/drivers/misc/lkdtm/rodata.c
>> deleted file mode 100644
>> index baacb876d1d9..000000000000
>> --- a/drivers/misc/lkdtm/rodata.c
>> +++ /dev/null
>> @@ -1,11 +0,0 @@
>> -// SPDX-License-Identifier: GPL-2.0
>> -/*
>> - * This includes functions that are meant to live entirely in .rodata
>> - * (via objcopy tricks), to validate the non-executability of .rodata.
>> - */
>> -#include "lkdtm.h"
>> -
>> -void noinstr lkdtm_rodata_do_nothing(void)
>> -{
>> -    /* Does nothing. We just want an architecture agnostic "return". */
>> -}

Re: [RFC PATCH] lkdtm: Replace lkdtm_rodata_do_nothing() by do_nothing()

[Christophe Leroy]

Hi Kees,

Le 23/02/2022 à 18:17, Christophe Leroy a écrit :
> Hi Kees,
> 
> Le 17/10/2021 à 19:19, Christophe Leroy a écrit :
>> All EXEC tests are based on running a copy of do_nothing()
>> except lkdtm_EXEC_RODATA which uses a different function
>> called lkdtm_rodata_do_nothing().
>>
>> On architectures using function descriptors, EXEC tests are
>> performed using execute_location() which is a function
>> that most of the time copies do_nothing() at the tested
>> location then duplicates do_nothing() function descriptor
>> and updates it with the address of the copy of do_nothing().
>>
>> But for EXEC_RODATA test, execute_location() uses
>> lkdtm_rodata_do_nothing() which is already in rodata section
>> at build time instead of using a copy of do_nothing(). However
>> it still uses the function descriptor of do_nothing(). There
>> is a risk that running lkdtm_rodata_do_nothing() with the
>> function descriptor of do_thing() is wrong.
>>
>> To remove the above risk, change the approach and do the same
>> as for other EXEC tests: use a copy of do_nothing(). The copy
>> cannot be done during the test because RODATA area is write
>> protected. Do the copy during init, before RODATA becomes
>> write protected.
>>
>> Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
> 
> Any opinion on this patch ?

Any opinion ?

Thanks
Christophe

> 
> Thanks
> Christophe
> 
>> ---
>> This applies on top of series v3 "Fix LKDTM for PPC64/IA64/PARISC"
>>
>>   drivers/misc/lkdtm/Makefile | 11 -----------
>>   drivers/misc/lkdtm/lkdtm.h  |  3 ---
>>   drivers/misc/lkdtm/perms.c  |  9 +++++++--
>>   drivers/misc/lkdtm/rodata.c | 11 -----------
>>   4 files changed, 7 insertions(+), 27 deletions(-)
>>   delete mode 100644 drivers/misc/lkdtm/rodata.c
>>
>> diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
>> index e2984ce51fe4..3d45a2b3007d 100644
>> --- a/drivers/misc/lkdtm/Makefile
>> +++ b/drivers/misc/lkdtm/Makefile
>> @@ -6,21 +6,10 @@ lkdtm-$(CONFIG_LKDTM)        += bugs.o
>>   lkdtm-$(CONFIG_LKDTM)        += heap.o
>>   lkdtm-$(CONFIG_LKDTM)        += perms.o
>>   lkdtm-$(CONFIG_LKDTM)        += refcount.o
>> -lkdtm-$(CONFIG_LKDTM)        += rodata_objcopy.o
>>   lkdtm-$(CONFIG_LKDTM)        += usercopy.o
>>   lkdtm-$(CONFIG_LKDTM)        += stackleak.o
>>   lkdtm-$(CONFIG_LKDTM)        += cfi.o
>>   lkdtm-$(CONFIG_LKDTM)        += fortify.o
>>   lkdtm-$(CONFIG_PPC_BOOK3S_64)    += powerpc.o
>> -KASAN_SANITIZE_rodata.o        := n
>>   KASAN_SANITIZE_stackleak.o    := n
>> -KCOV_INSTRUMENT_rodata.o    := n
>> -CFLAGS_REMOVE_rodata.o        += $(CC_FLAGS_LTO)
>> -
>> -OBJCOPYFLAGS :>> -OBJCOPYFLAGS_rodata_objcopy.o    := \
>> -            --rename-section 
>> .noinstr.text=.rodata,alloc,readonly,load,contents
>> -targets += rodata.o rodata_objcopy.o
>> -$(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
>> -    $(call if_changed,objcopy)
>> diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
>> index 188bd0fd6575..905555d4c2cf 100644
>> --- a/drivers/misc/lkdtm/lkdtm.h
>> +++ b/drivers/misc/lkdtm/lkdtm.h
>> @@ -137,9 +137,6 @@ void lkdtm_REFCOUNT_SUB_AND_TEST_SATURATED(void);
>>   void lkdtm_REFCOUNT_TIMING(void);
>>   void lkdtm_ATOMIC_TIMING(void);
>> -/* rodata.c */
>> -void lkdtm_rodata_do_nothing(void);
>> -
>>   /* usercopy.c */
>>   void __init lkdtm_usercopy_init(void);
>>   void __exit lkdtm_usercopy_exit(void);
>> diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
>> index 2c6aba3ff32b..9b951ca48363 100644
>> --- a/drivers/misc/lkdtm/perms.c
>> +++ b/drivers/misc/lkdtm/perms.c
>> @@ -27,6 +27,7 @@ static const unsigned long rodata = 0xAA55AA55;
>>   /* This is marked __ro_after_init, so it should ultimately be 
>> .rodata. */
>>   static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
>> +static u8 rodata_area[EXEC_SIZE] __ro_after_init;
>>   /*
>>    * This just returns to the caller. It is designed to be copied into
>> @@ -193,8 +194,7 @@ void lkdtm_EXEC_VMALLOC(void)
>>   void lkdtm_EXEC_RODATA(void)
>>   {
>> -    
>> execute_location(dereference_function_descriptor(lkdtm_rodata_do_nothing), 
>>
>> -             CODE_AS_IS);
>> +    execute_location(rodata_area, CODE_AS_IS);
>>   }
>>   void lkdtm_EXEC_USERSPACE(void)
>> @@ -269,4 +269,9 @@ void __init lkdtm_perms_init(void)
>>   {
>>       /* Make sure we can write to __ro_after_init values during 
>> __init */
>>       ro_after_init |= 0xAA;
>> +
>> +    memcpy(rodata_area, dereference_function_descriptor(do_nothing),
>> +           EXEC_SIZE);
>> +    flush_icache_range((unsigned long)rodata_area,
>> +               (unsigned long)rodata_area + EXEC_SIZE);
>>   }
>> diff --git a/drivers/misc/lkdtm/rodata.c b/drivers/misc/lkdtm/rodata.c
>> deleted file mode 100644
>> index baacb876d1d9..000000000000
>> --- a/drivers/misc/lkdtm/rodata.c
>> +++ /dev/null
>> @@ -1,11 +0,0 @@
>> -// SPDX-License-Identifier: GPL-2.0
>> -/*
>> - * This includes functions that are meant to live entirely in .rodata
>> - * (via objcopy tricks), to validate the non-executability of .rodata.
>> - */
>> -#include "lkdtm.h"
>> -
>> -void noinstr lkdtm_rodata_do_nothing(void)
>> -{
>> -    /* Does nothing. We just want an architecture agnostic "return". */
>> -}

Re: [RFC PATCH] lkdtm: Replace lkdtm_rodata_do_nothing() by do_nothing()

[Kees Cook]

On Sun, Oct 17, 2021 at 07:19:47PM +0200, Christophe Leroy wrote:
> But for EXEC_RODATA test, execute_location() uses
> lkdtm_rodata_do_nothing() which is already in rodata section
> at build time instead of using a copy of do_nothing(). However
> it still uses the function descriptor of do_nothing(). There
> is a risk that running lkdtm_rodata_do_nothing() with the
> function descriptor of do_thing() is wrong.

Wrong how? (Could there be two descriptors?)

> To remove the above risk, change the approach and do the same
> as for other EXEC tests: use a copy of do_nothing(). The copy
> cannot be done during the test because RODATA area is write
> protected. Do the copy during init, before RODATA becomes
> write protected.

Hmm, hmm. This is a nice way to handle it, but I'm not sure which
"weird" way is better. I kind of prefer the code going through all the
"regular" linking goo to end up in .rodata, but is it really any
different from doing this via the ro_after_init section? It makes me
nervous because they can technically be handled differently. For
example, .rodata is mapped differently on some architectures compared to
ro_after_init. Honestly, I actually this this patch should be modified
to _add_ a new test for EXEC_RO_AFTER_INIT, and leave the existing
.rodata one alone...

-Kees

-- 
Kees Cook

Re: [RFC PATCH] lkdtm: Replace lkdtm_rodata_do_nothing() by do_nothing()

[Kees Cook]

On Sun, Oct 17, 2021 at 07:19:47PM +0200, Christophe Leroy wrote:
> But for EXEC_RODATA test, execute_location() uses
> lkdtm_rodata_do_nothing() which is already in rodata section
> at build time instead of using a copy of do_nothing(). However
> it still uses the function descriptor of do_nothing(). There
> is a risk that running lkdtm_rodata_do_nothing() with the
> function descriptor of do_thing() is wrong.

Wrong how? (Could there be two descriptors?)

> To remove the above risk, change the approach and do the same
> as for other EXEC tests: use a copy of do_nothing(). The copy
> cannot be done during the test because RODATA area is write
> protected. Do the copy during init, before RODATA becomes
> write protected.

Hmm, hmm. This is a nice way to handle it, but I'm not sure which
"weird" way is better. I kind of prefer the code going through all the
"regular" linking goo to end up in .rodata, but is it really any
different from doing this via the ro_after_init section? It makes me
nervous because they can technically be handled differently. For
example, .rodata is mapped differently on some architectures compared to
ro_after_init. Honestly, I actually this this patch should be modified
to _add_ a new test for EXEC_RO_AFTER_INIT, and leave the existing
.rodata one alone...

-Kees

-- 
Kees Cook

Re: [RFC PATCH] lkdtm: Replace lkdtm_rodata_do_nothing() by do_nothing()

[Kees Cook]

On Sun, Oct 17, 2021 at 07:19:47PM +0200, Christophe Leroy wrote:
> But for EXEC_RODATA test, execute_location() uses
> lkdtm_rodata_do_nothing() which is already in rodata section
> at build time instead of using a copy of do_nothing(). However
> it still uses the function descriptor of do_nothing(). There
> is a risk that running lkdtm_rodata_do_nothing() with the
> function descriptor of do_thing() is wrong.

Wrong how? (Could there be two descriptors?)

> To remove the above risk, change the approach and do the same
> as for other EXEC tests: use a copy of do_nothing(). The copy
> cannot be done during the test because RODATA area is write
> protected. Do the copy during init, before RODATA becomes
> write protected.

Hmm, hmm. This is a nice way to handle it, but I'm not sure which
"weird" way is better. I kind of prefer the code going through all the
"regular" linking goo to end up in .rodata, but is it really any
different from doing this via the ro_after_init section? It makes me
nervous because they can technically be handled differently. For
example, .rodata is mapped differently on some architectures compared to
ro_after_init. Honestly, I actually this this patch should be modified
to _add_ a new test for EXEC_RO_AFTER_INIT, and leave the existing
.rodata one alone...

-Kees

-- 
Kees Cook