From: Kees Cook <keescook@chromium.org>
To: Jakub Kicinski <jakub.kicinski@netronome.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
Eddie Kovsky <ewk@edkovsky.org>
Cc: kbuild-all@01.org, kbuild test robot <lkp@intel.com>,
Jessica Yu <jeyu@redhat.com>,
Rusty Russell <rusty@rustcorp.com.au>,
LKML <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Subject: Re: [PATCH v4 2/2] extable: verify address is read-only
Date: Mon, 27 Mar 2017 11:42:57 -0700 [thread overview]
Message-ID: <CAGXu5jKFPwDTaRq8eiszOoqdm-nQD13UrF_bj+m6FWWCzEnO9g@mail.gmail.com> (raw)
In-Reply-To: <201703271633.xbYHmB37%fengguang.wu@intel.com>
On Mon, Mar 27, 2017 at 1:43 AM, kbuild test robot <lkp@intel.com> wrote:
> Hi Eddie,
>
> [auto build test ERROR on next-20170323]
> [cannot apply to linus/master linux/master jeyu/modules-next v4.9-rc8 v4.9-rc7 v4.9-rc6 v4.11-rc4]
> [if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
>
> url: https://github.com/0day-ci/linux/commits/Eddie-Kovsky/module-verify-address-is-read-only/20170327-142922
> config: blackfin-BF561-EZKIT-SMP_defconfig (attached as .config)
> compiler: bfin-uclinux-gcc (GCC) 6.2.0
> reproduce:
> wget https://raw.githubusercontent.com/01org/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
> chmod +x ~/bin/make.cross
> # save the attached .config to linux build tree
> make.cross ARCH=blackfin
>
> All errors (new ones prefixed by >>):
>
> kernel/built-in.o: In function `core_kernel_rodata':
>>> kernel/extable.c:169: undefined reference to `__start_data_ro_after_init'
>>> kernel/extable.c:169: undefined reference to `__start_data_ro_after_init'
>>> kernel/extable.c:169: undefined reference to `__end_data_ro_after_init'
>>> kernel/extable.c:169: undefined reference to `__end_data_ro_after_init'
>>> kernel/extable.c:169: undefined reference to `__start_data_ro_after_init'
>>> kernel/extable.c:169: undefined reference to `__start_data_ro_after_init'
>>> kernel/extable.c:169: undefined reference to `__end_data_ro_after_init'
>>> kernel/extable.c:169: undefined reference to `__end_data_ro_after_init'
Hm, I'm confused about this. blackfin includes
include/asm-generic-vmlinux.lds.h and uses the RO_DATA macro (which
resolves to RO_DATA_SECTION to RO_AFTER_INIT_DATA which defines
__[start|end]_data_ro_after_init.
Also, it seems that commit d7c19b066dcf4bd19c4385e8065558d4e74f9e73
("mm: kmemleak: scan .data.ro_after_init") added a potentially
redundant section name (s390 already calls this
__[start|end]_ro_after_init). I'd like to get this cleaned up, since
having multiple names for the same thing is confusing:
diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S
index 000e6e91f6a0..3667d20e997f 100644
--- a/arch/s390/kernel/vmlinux.lds.S
+++ b/arch/s390/kernel/vmlinux.lds.S
@@ -62,9 +62,11 @@ SECTIONS
. = ALIGN(PAGE_SIZE);
__start_ro_after_init = .;
+ __start_data_ro_after_init = .;
.data..ro_after_init : {
*(.data..ro_after_init)
}
+ __end_data_ro_after_init = .;
EXCEPTION_TABLE(16)
. = ALIGN(PAGE_SIZE);
__end_ro_after_init = .;
And it seems that this hunk is wrong (__end_ro_after_init includes
s390's exception table, etc). I think we should remove the
..._data_... name and use s390's name.
I'll send an adjustment patch, but we'll still need to deal with blackfin.
-Kees
>
> vim +169 kernel/extable.c
>
> 163 int core_kernel_rodata(unsigned long addr)
> 164 {
> 165 if (addr >= (unsigned long)__start_rodata &&
> 166 addr < (unsigned long)__end_rodata)
> 167 return 1;
> 168
> > 169 if (addr >= (unsigned long)__start_data_ro_after_init &&
> 170 addr < (unsigned long)__end_data_ro_after_init)
> 171 return 1;
> 172
>
> ---
> 0-DAY kernel test infrastructure Open Source Technology Center
> https://lists.01.org/pipermail/kbuild-all Intel Corporation
--
Kees Cook
Pixel Security
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Jakub Kicinski <jakub.kicinski@netronome.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
Eddie Kovsky <ewk@edkovsky.org>
Cc: kbuild-all@01.org, kbuild test robot <lkp@intel.com>,
Jessica Yu <jeyu@redhat.com>,
Rusty Russell <rusty@rustcorp.com.au>,
LKML <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Subject: [kernel-hardening] Re: [PATCH v4 2/2] extable: verify address is read-only
Date: Mon, 27 Mar 2017 11:42:57 -0700 [thread overview]
Message-ID: <CAGXu5jKFPwDTaRq8eiszOoqdm-nQD13UrF_bj+m6FWWCzEnO9g@mail.gmail.com> (raw)
In-Reply-To: <201703271633.xbYHmB37%fengguang.wu@intel.com>
On Mon, Mar 27, 2017 at 1:43 AM, kbuild test robot <lkp@intel.com> wrote:
> Hi Eddie,
>
> [auto build test ERROR on next-20170323]
> [cannot apply to linus/master linux/master jeyu/modules-next v4.9-rc8 v4.9-rc7 v4.9-rc6 v4.11-rc4]
> [if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
>
> url: https://github.com/0day-ci/linux/commits/Eddie-Kovsky/module-verify-address-is-read-only/20170327-142922
> config: blackfin-BF561-EZKIT-SMP_defconfig (attached as .config)
> compiler: bfin-uclinux-gcc (GCC) 6.2.0
> reproduce:
> wget https://raw.githubusercontent.com/01org/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
> chmod +x ~/bin/make.cross
> # save the attached .config to linux build tree
> make.cross ARCH=blackfin
>
> All errors (new ones prefixed by >>):
>
> kernel/built-in.o: In function `core_kernel_rodata':
>>> kernel/extable.c:169: undefined reference to `__start_data_ro_after_init'
>>> kernel/extable.c:169: undefined reference to `__start_data_ro_after_init'
>>> kernel/extable.c:169: undefined reference to `__end_data_ro_after_init'
>>> kernel/extable.c:169: undefined reference to `__end_data_ro_after_init'
>>> kernel/extable.c:169: undefined reference to `__start_data_ro_after_init'
>>> kernel/extable.c:169: undefined reference to `__start_data_ro_after_init'
>>> kernel/extable.c:169: undefined reference to `__end_data_ro_after_init'
>>> kernel/extable.c:169: undefined reference to `__end_data_ro_after_init'
Hm, I'm confused about this. blackfin includes
include/asm-generic-vmlinux.lds.h and uses the RO_DATA macro (which
resolves to RO_DATA_SECTION to RO_AFTER_INIT_DATA which defines
__[start|end]_data_ro_after_init.
Also, it seems that commit d7c19b066dcf4bd19c4385e8065558d4e74f9e73
("mm: kmemleak: scan .data.ro_after_init") added a potentially
redundant section name (s390 already calls this
__[start|end]_ro_after_init). I'd like to get this cleaned up, since
having multiple names for the same thing is confusing:
diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S
index 000e6e91f6a0..3667d20e997f 100644
--- a/arch/s390/kernel/vmlinux.lds.S
+++ b/arch/s390/kernel/vmlinux.lds.S
@@ -62,9 +62,11 @@ SECTIONS
. = ALIGN(PAGE_SIZE);
__start_ro_after_init = .;
+ __start_data_ro_after_init = .;
.data..ro_after_init : {
*(.data..ro_after_init)
}
+ __end_data_ro_after_init = .;
EXCEPTION_TABLE(16)
. = ALIGN(PAGE_SIZE);
__end_ro_after_init = .;
And it seems that this hunk is wrong (__end_ro_after_init includes
s390's exception table, etc). I think we should remove the
..._data_... name and use s390's name.
I'll send an adjustment patch, but we'll still need to deal with blackfin.
-Kees
>
> vim +169 kernel/extable.c
>
> 163 int core_kernel_rodata(unsigned long addr)
> 164 {
> 165 if (addr >= (unsigned long)__start_rodata &&
> 166 addr < (unsigned long)__end_rodata)
> 167 return 1;
> 168
> > 169 if (addr >= (unsigned long)__start_data_ro_after_init &&
> 170 addr < (unsigned long)__end_data_ro_after_init)
> 171 return 1;
> 172
>
> ---
> 0-DAY kernel test infrastructure Open Source Technology Center
> https://lists.01.org/pipermail/kbuild-all Intel Corporation
--
Kees Cook
Pixel Security
next prev parent reply other threads:[~2017-03-27 18:51 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-26 21:08 [PATCH v4 0/2] provide check for ro_after_init memory sections Eddie Kovsky
2017-03-26 21:08 ` [kernel-hardening] " Eddie Kovsky
2017-03-26 21:08 ` [PATCH v4 1/2] module: verify address is read-only Eddie Kovsky
2017-03-26 21:08 ` [kernel-hardening] " Eddie Kovsky
2017-03-30 3:31 ` Jessica Yu
2017-03-30 3:31 ` [kernel-hardening] " Jessica Yu
2017-03-26 21:08 ` [PATCH v4 2/2] extable: " Eddie Kovsky
2017-03-26 21:08 ` [kernel-hardening] " Eddie Kovsky
2017-03-27 8:43 ` kbuild test robot
2017-03-27 8:43 ` [kernel-hardening] " kbuild test robot
2017-03-27 18:42 ` Kees Cook [this message]
2017-03-27 18:42 ` Kees Cook
2017-03-29 3:28 ` Eddie Kovsky
2017-03-29 3:28 ` [kernel-hardening] " Eddie Kovsky
2017-03-30 3:27 ` Jessica Yu
2017-03-30 3:27 ` [kernel-hardening] " Jessica Yu
2017-03-30 16:24 ` Kees Cook
2017-03-30 16:24 ` [kernel-hardening] " Kees Cook
2017-03-31 3:09 ` Eddie Kovsky
2017-03-31 3:09 ` [kernel-hardening] " Eddie Kovsky
2017-04-03 22:10 ` Kees Cook
2017-04-03 22:10 ` [kernel-hardening] " Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGXu5jKFPwDTaRq8eiszOoqdm-nQD13UrF_bj+m6FWWCzEnO9g@mail.gmail.com \
--to=keescook@chromium.org \
--cc=catalin.marinas@arm.com \
--cc=ewk@edkovsky.org \
--cc=heiko.carstens@de.ibm.com \
--cc=jakub.kicinski@netronome.com \
--cc=jeyu@redhat.com \
--cc=kbuild-all@01.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lkp@intel.com \
--cc=rusty@rustcorp.com.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.