live-patching.vger.kernel.org archive mirror
* [PATCH v5 10/10] livepatch: only match unique symbols when using fgkaslr
       [not found] <20200923173905.11219-1-kristen@linux.intel.com>
@ 2020-09-23 17:39 ` Kristen Carlson Accardi
  2020-09-24 13:06   ` Miroslav Benes
  2020-09-25 13:06 ` [PATCH v5 00/10] Function Granular KASLR Miroslav Benes
  1 sibling, 1 reply; 4+ messages in thread
From: Kristen Carlson Accardi @ 2020-09-23 17:39 UTC (permalink / raw)
  To: keescook, tglx, mingo, bp, Josh Poimboeuf, Jiri Kosina,
	Miroslav Benes, Petr Mladek, Joe Lawrence
  Cc: arjan, x86, linux-kernel, kernel-hardening, rick.p.edgecombe,
	Kristen Carlson Accardi, live-patching

If any type of function granular randomization is enabled, the sympos
algorithm will fail, as it will be impossible to resolve symbols when
there are duplicates using the previous symbol position.

Override the value of sympos to always be zero if fgkaslr is enabled for
either the core kernel or modules, forcing the algorithm
to require that only unique symbols are allowed to be patched.

Signed-off-by: Kristen Carlson Accardi <kristen@linux.intel.com>
---
 kernel/livepatch/core.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
index f76fdb925532..da08e40f2da2 100644
--- a/kernel/livepatch/core.c
+++ b/kernel/livepatch/core.c
@@ -170,6 +170,17 @@ static int klp_find_object_symbol(const char *objname, const char *name,
 		kallsyms_on_each_symbol(klp_find_callback, &args);
 	mutex_unlock(&module_mutex);
 
+	/*
+	 * If any type of function granular randomization is enabled, it
+	 * will be impossible to resolve symbols when there are duplicates
+	 * using the previous symbol position (i.e. sympos != 0). Override
+	 * the value of sympos to always be zero in this case. This will
+	 * force the algorithm to require that only unique symbols are
+	 * allowed to be patched.
+	 */
+	if (IS_ENABLED(CONFIG_FG_KASLR) || IS_ENABLED(CONFIG_MODULE_FG_KASLR))
+		sympos = 0;
+
 	/*
 	 * Ensure an address was found. If sympos is 0, ensure symbol is unique;
 	 * otherwise ensure the symbol position count matches sympos.
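Review bot: the forced `sympos = 0;` at the end of this hunk silently discards a position the livepatch author specified, so a patch that names a duplicated symbol with sympos set falls into the unique-symbol branch below and fails with the generic "unresolvable ambiguity" error, which points at the wrong cause. Reject a non-zero sympos up front instead, with a pr_err that names fgkaslr and a return of -EINVAL through the existing error path, so a patch written against a fixed symbol order fails loudly rather than as a side effect of the override; the block comment should then describe that rule rather than the override.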
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH v5 10/10] livepatch: only match unique symbols when using fgkaslr
  2020-09-23 17:39 ` [PATCH v5 10/10] livepatch: only match unique symbols when using fgkaslr Kristen Carlson Accardi
@ 2020-09-24 13:06   ` Miroslav Benes
  0 siblings, 0 replies; 4+ messages in thread
From: Miroslav Benes @ 2020-09-24 13:06 UTC (permalink / raw)
  To: Kristen Carlson Accardi
  Cc: keescook, tglx, mingo, bp, Josh Poimboeuf, Jiri Kosina,
	Petr Mladek, Joe Lawrence, arjan, x86, linux-kernel,
	kernel-hardening, rick.p.edgecombe, live-patching

Hi,

On Wed, 23 Sep 2020, Kristen Carlson Accardi wrote:

> If any type of function granular randomization is enabled, the sympos
> algorithm will fail, as it will be impossible to resolve symbols when
> there are duplicates using the previous symbol position.
> 
> Override the value of sympos to always be zero if fgkaslr is enabled for
> either the core kernel or modules, forcing the algorithm
> to require that only unique symbols are allowed to be patched.
> 
> Signed-off-by: Kristen Carlson Accardi <kristen@linux.intel.com>
> ---
>  kernel/livepatch/core.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
> index f76fdb925532..da08e40f2da2 100644
> --- a/kernel/livepatch/core.c
> +++ b/kernel/livepatch/core.c
> @@ -170,6 +170,17 @@ static int klp_find_object_symbol(const char *objname, const char *name,
>  		kallsyms_on_each_symbol(klp_find_callback, &args);
>  	mutex_unlock(&module_mutex);
>  
> +	/*
> +	 * If any type of function granular randomization is enabled, it
> +	 * will be impossible to resolve symbols when there are duplicates
> +	 * using the previous symbol position (i.e. sympos != 0). Override
> +	 * the value of sympos to always be zero in this case. This will
> +	 * force the algorithm to require that only unique symbols are
> +	 * allowed to be patched.
> +	 */
> +	if (IS_ENABLED(CONFIG_FG_KASLR) || IS_ENABLED(CONFIG_MODULE_FG_KASLR))
> +		sympos = 0;
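Review bot: `IS_ENABLED(CONFIG_FG_KASLR) || IS_ENABLED(CONFIG_MODULE_FG_KASLR)` is a build-time decision, but later in this thread the same kernel is run with `nofgkaslr` on the command line, so a kernel built with the option and booted with randomization switched off still has every non-zero sympos dropped (or, with an explicit-error variant, rejected) even though the symbol order on that boot is deterministic. If the series exposes the effective runtime state, test that here instead of the Kconfig symbols; otherwise the comment should say that the restriction is intentionally applied whenever the kernel is capable of randomizing, not only when it did.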

This should work, but I wonder if we should make it more explicit. With 
the change the user will get the error with "unresolvable ambiguity for 
symbol..." if they specify sympos and the symbol is not unique. It could 
confuse them.

So, how about making it something like

if (IS_ENABLED(CONFIG_FG_KASLR) || IS_ENABLED(CONFIG_MODULE_FG_KASLR))
	if (sympos) {
		pr_err("fgkaslr is enabled, specifying sympos for symbol '%s' in object '%s' does not work.\n",
			name, objname);
		*addr = 0;
		return -EINVAL;
	}

? (there could be goto to the error out at the end of the function).

In that case, if sympos is not specified, the user will get the message 
which matches the reality. If the user specifies it, they will get the 
error in case of fgkaslr.

Thanks for dealing with it
Miroslav

^ permalink raw reply	[flat|nested] 4+ messages in thread
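The two behaviours discussed above, the patch's silent override of sympos and the explicit error suggested in the reply, side by side in a user-space model of the name + position lookup. This is an added example and not code from the kernel or from the series; the symbol table, the function and enum names and the FGKASLR_* modes are assumptions made for the demo.

```c
/*
 * Added example, not code from the kernel or from this series: a user-space
 * model of the name + position lookup in klp_find_object_symbol(), run over
 * a constructed kallsyms-like table. Table contents, function and enum names
 * and the FGKASLR_* modes are assumptions for this demo.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct sym {
	const char *objname;	/* NULL stands for vmlinux, as in the kernel */
	const char *name;
	unsigned long addr;
};

/* Constructed table: two static functions named do_work live in vmlinux. */
static const struct sym table[] = {
	{ NULL, "do_work", 0xffffffff81001000UL },
	{ NULL, "do_work", 0xffffffff81002000UL },
	{ NULL, "unique_fn", 0xffffffff81003000UL },
	{ "klp_test_support_mod", "orig_do_sleep", 0xffffffffc0001000UL },
};

enum fgkaslr_mode {
	FGKASLR_OFF,		/* sympos is honoured */
	FGKASLR_FORCE_ZERO,	/* the patch: sympos silently forced to 0 */
	FGKASLR_REJECT,		/* the reply: non-zero sympos is an error */
};

enum lookup_result {
	LOOKUP_OK,
	LOOKUP_NOT_FOUND,	/* no symbol of that name in the object */
	LOOKUP_AMBIGUOUS,	/* sympos 0 but the name is not unique */
	LOOKUP_POS_NOT_FOUND,	/* fewer occurrences than sympos */
	LOOKUP_SYMPOS_REJECTED,	/* fgkaslr enabled and sympos != 0 */
};

static bool same_obj(const char *a, const char *b)
{
	if (!a || !b)
		return a == b;
	return strcmp(a, b) == 0;
}

/*
 * sympos == 0 requires the name to be unique within the object; sympos == n
 * selects the n-th occurrence in symbol-table order, which is exactly the
 * order fgkaslr shuffles at boot, so the position is meaningless there.
 */
enum lookup_result find_object_symbol(const char *objname, const char *name,
				      unsigned long sympos,
				      enum fgkaslr_mode mode,
				      unsigned long *addr)
{
	unsigned long count = 0, found = 0;
	size_t i;

	*addr = 0;
	if (mode == FGKASLR_REJECT && sympos)
		return LOOKUP_SYMPOS_REJECTED;
	if (mode == FGKASLR_FORCE_ZERO)
		sympos = 0;	/* the caller's position request is discarded */

	for (i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
		if (!same_obj(table[i].objname, objname) ||
		    strcmp(table[i].name, name) != 0)
			continue;
		count++;
		if ((sympos && count == sympos) || (!sympos && count == 1))
			found = table[i].addr;
		if (sympos && found)
			break;	/* nothing after the requested position matters */
	}

	if (!found)
		return count ? LOOKUP_POS_NOT_FOUND : LOOKUP_NOT_FOUND;
	if (!sympos && count > 1)
		return LOOKUP_AMBIGUOUS;
	*addr = found;
	return LOOKUP_OK;
}

/* Thin wrappers: ask for either the reason or the resolved address. */
enum lookup_result lookup_reason(const char *objname, const char *name,
				 unsigned long sympos, enum fgkaslr_mode mode)
{
	unsigned long addr;
	return find_object_symbol(objname, name, sympos, mode, &addr);
}

unsigned long lookup_addr(const char *objname, const char *name,
			  unsigned long sympos, enum fgkaslr_mode mode)
{
	unsigned long addr;
	find_object_symbol(objname, name, sympos, mode, &addr);
	return addr;
}

int main(void)
{
	/* The confusing case from the review: sympos 2 requested, fgkaslr on. */
	printf("forced zero -> %d, explicit error -> %d\n",
	       lookup_reason(NULL, "do_work", 2, FGKASLR_FORCE_ZERO),
	       lookup_reason(NULL, "do_work", 2, FGKASLR_REJECT));
	return 0;
}
```

With FGKASLR_FORCE_ZERO a request for the second do_work comes back as LOOKUP_AMBIGUOUS, the same answer a user gets for forgetting sympos altogether; with FGKASLR_REJECT it comes back as LOOKUP_SYMPOS_REJECTED, which is the distinction the reply asks for. Unique symbols resolve in every mode, so a livepatch that only touches unique symbols is unaffected.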

* Re: [PATCH v5 00/10] Function Granular KASLR
       [not found] <20200923173905.11219-1-kristen@linux.intel.com>
  2020-09-23 17:39 ` [PATCH v5 10/10] livepatch: only match unique symbols when using fgkaslr Kristen Carlson Accardi
@ 2020-09-25 13:06 ` Miroslav Benes
  2020-09-28 17:31   ` Kristen Carlson Accardi
  1 sibling, 1 reply; 4+ messages in thread
From: Miroslav Benes @ 2020-09-25 13:06 UTC (permalink / raw)
  To: Kristen Carlson Accardi
  Cc: keescook, tglx, mingo, bp, arjan, x86, linux-kernel,
	kernel-hardening, rick.p.edgecombe, live-patching

Hi Kristen,

On Wed, 23 Sep 2020, Kristen Carlson Accardi wrote:

> Function Granular Kernel Address Space Layout Randomization (fgkaslr)
> ---------------------------------------------------------------------
> 
> This patch set is an implementation of finer grained kernel address space
> randomization. It rearranges your kernel code at load time 
> on a per-function level granularity, with only around a second added to
> boot time.

I ran live patching kernel selftests on the patch set and everything 
passed fine.

However, we also use not-yet-upstream set of tests at SUSE for testing 
live patching [1] and one of them, klp_tc_12.sh, is failing. You should be 
able to run the set on upstream as is.

The test uninterruptedly sleeps in a kretprobed function called by a 
patched one. The current master without fgkaslr patch set reports the 
stack of the sleeping task as unreliable and live patching fails. The 
situation is different with fgkaslr (even with nofgkaslr on the command 
line). The stack is returned as reliable. It looks something like 

[<0>] __schedule+0x465/0xa40
[<0>] schedule+0x55/0xd0
[<0>] orig_do_sleep+0xb1/0x110 [klp_test_support_mod]
[<0>] swap_pages+0x7f/0x7f

where the last entry is not reliable. I've seen 
kretprobe_trampoline+0x0/0x4a and some other symbols there too. Since the 
patched function (orig_sleep_uninterruptible_set) is not on the stack, 
live patching succeeds, which is not intended.

With kprobe setting removed, all works as expected.

So I wonder if there is still some issue with ORC somewhere as you 
mentioned in v4 thread. I'll investigate more next week, but wanted to 
report early.

Regards
Miroslav

[1] https://github.com/lpechacek/qa_test_klp

^ permalink raw reply	[flat|nested] 4+ messages in thread
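The failure mode in the report above, a stack returned as reliable that hides the patched caller behind a kretprobe, modelled as a user-space version of the consistency check a task must pass before it switches to the patched state. This is an added example, not code from the kernel or from the series: the symbol table, the addresses, the frame lists and the "strict" sanity check are constructed for the demo, and the strict check is a heuristic suggested by the report, not something the kernel does.

```c
/*
 * Added example, not code from the kernel or from this series: a user-space
 * model of the live-patch consistency check that klp_tc_12.sh exercises.
 * A sleeping task may switch to the patched state only when its stack trace
 * is reliable and none of the functions being patched is on it. Symbol
 * table, addresses, frame lists and the "strict" check are constructed.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct ksym {
	const char *name;
	unsigned long start;
	unsigned long size;
};

/* Constructed symbol table; sizes follow the "/size" fields in the report. */
static const struct ksym syms[] = {
	{ "__schedule",                     0x1000, 0xa40 },
	{ "schedule",                       0x2000, 0x0d0 },
	{ "orig_do_sleep",                  0x3000, 0x110 },
	{ "swap_pages",                     0x4000, 0x07f },
	{ "kretprobe_trampoline",           0x5000, 0x04a },
	{ "orig_sleep_uninterruptible_set", 0x6000, 0x080 },
};

/* kallsyms-style lookup: nearest symbol at or below addr, plus the offset. */
static const struct ksym *nearest_sym(unsigned long addr, unsigned long *off)
{
	const struct ksym *best = NULL;
	size_t i;

	for (i = 0; i < sizeof(syms) / sizeof(syms[0]); i++)
		if (syms[i].start <= addr && (!best || syms[i].start > best->start))
			best = &syms[i];
	if (best)
		*off = addr - best->start;
	return best;
}

static bool is_patched(const char *name, const char *const *patched, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (strcmp(name, patched[i]) == 0)
			return true;
	return false;
}

/*
 * 0: the task may transition. -EBUSY: the stack cannot be trusted, retry
 * later. -EADDRINUSE: a patched function is live on the stack.
 * "strict" adds a heuristic the report motivates: a frame whose offset
 * reaches the end of its symbol (swap_pages+0x7f/0x7f) or that sits in a
 * return trampoline is not a genuine caller, so the trace is not reliable.
 */
int klp_check_stack_model(const unsigned long *trace, size_t n,
			  bool unwinder_reliable, bool strict,
			  const char *const *patched, size_t npatched)
{
	unsigned long off;
	const struct ksym *s;
	size_t i;

	if (!unwinder_reliable)
		return -EBUSY;
	for (i = 0; i < n; i++) {
		s = nearest_sym(trace[i], &off);
		if (!s)
			return -EBUSY;
		if (is_patched(s->name, patched, npatched))
			return -EADDRINUSE;
	}
	if (!strict)
		return 0;
	for (i = 0; i < n; i++) {
		s = nearest_sym(trace[i], &off);
		if (off >= s->size || strcmp(s->name, "kretprobe_trampoline") == 0)
			return -EBUSY;
	}
	return 0;
}

/* Constructed inputs after the report. */
static const char *const patched_funcs[] = { "orig_sleep_uninterruptible_set" };

/* The trace shown under fgkaslr: returned as reliable, last frame bogus. */
static const unsigned long trace_reported[] = {
	0x1000 + 0x465, 0x2000 + 0x55, 0x3000 + 0xb1, 0x4000 + 0x7f,
};

/* The frames the kretprobe hides: the trampoline and the patched caller. */
static const unsigned long trace_full[] = {
	0x1000 + 0x465, 0x2000 + 0x55, 0x3000 + 0xb1, 0x5000 + 0x0, 0x6000 + 0x20,
};

int check_reported(bool strict)
{
	return klp_check_stack_model(trace_reported, 4, true, strict, patched_funcs, 1);
}

int check_full(bool strict)
{
	return klp_check_stack_model(trace_full, 5, true, strict, patched_funcs, 1);
}

int check_master(void)
{
	/* current master: the unwinder reports the stack as unreliable */
	return klp_check_stack_model(trace_reported, 4, false, false, patched_funcs, 1);
}
```

check_reported(false) reproduces the reported outcome: the unwinder vouches for the trace, orig_sleep_uninterruptible_set is not among the frames, and the task transitions although it is still sleeping inside that function. check_master() is the pre-fgkaslr behaviour, where the unreliable trace makes patching back off, and check_full() shows the answer a complete unwind would give. The strict variant only illustrates why an "offset equals size" frame is a red flag; the real fix belongs in the unwinder, which is the ORC question the report raises.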

* Re: [PATCH v5 00/10] Function Granular KASLR
  2020-09-25 13:06 ` [PATCH v5 00/10] Function Granular KASLR Miroslav Benes
@ 2020-09-28 17:31   ` Kristen Carlson Accardi
  0 siblings, 0 replies; 4+ messages in thread
From: Kristen Carlson Accardi @ 2020-09-28 17:31 UTC (permalink / raw)
  To: Miroslav Benes
  Cc: keescook, tglx, mingo, bp, arjan, x86, linux-kernel,
	kernel-hardening, rick.p.edgecombe, live-patching

Hi,

On Fri, 2020-09-25 at 15:06 +0200, Miroslav Benes wrote:
> Hi Kristen,
> 
> On Wed, 23 Sep 2020, Kristen Carlson Accardi wrote:
> 
> > Function Granular Kernel Address Space Layout Randomization
> > (fgkaslr)
> > -----------------------------------------------------------------
> > ----
> > 
> > This patch set is an implementation of finer grained kernel address
> > space
> > randomization. It rearranges your kernel code at load time 
> > on a per-function level granularity, with only around a second
> > added to
> > boot time.
> 
> I ran live patching kernel selftests on the patch set and everything 
> passed fine.
> 
> However, we also use not-yet-upstream set of tests at SUSE for
> testing 
> live patching [1] and one of them, klp_tc_12.sh, is failing. You
> should be 
> able to run the set on upstream as is.
> 
> The test uninterruptedly sleeps in a kretprobed function called by a 
> patched one. The current master without fgkaslr patch set reports
> the 
> stack of the sleeping task as unreliable and live patching fails.
> The 
> situation is different with fgkaslr (even with nofgkaslr on the
> command 
> line). The stack is returned as reliable. It looks something like 
> 
> [<0>] __schedule+0x465/0xa40
> [<0>] schedule+0x55/0xd0
> [<0>] orig_do_sleep+0xb1/0x110 [klp_test_support_mod]
> [<0>] swap_pages+0x7f/0x7f
> 
> where the last entry is not reliable. I've seen 
> kretprobe_trampoline+0x0/0x4a and some other symbols there too. Since
> the 
> patched function (orig_sleep_uninterruptible_set) is not on the
> stack, 
> live patching succeeds, which is not intended.
> 
> With kprobe setting removed, all works as expected.
> 
> So I wonder if there is still some issue with ORC somewhere as you 
> mentioned in v4 thread. I'll investigate more next week, but wanted
> to 
> report early.
> 
> Regards
> Miroslav
> 
> [1] https://github.com/lpechacek/qa_test_klp

Thanks for testing and reporting. I will grab your test and see what I
can find.



^ permalink raw reply	[flat|nested] 4+ messages in thread
