* [PATCH v5 0/2] provide check for ro_after_init memory sections
@ 2017-04-06 3:35 Eddie Kovsky
2017-04-06 3:35 ` [PATCH v5 1/2] module: verify address is read-only Eddie Kovsky
` (2 more replies)
0 siblings, 3 replies; 14+ messages in thread
From: Eddie Kovsky @ 2017-04-06 3:35 UTC (permalink / raw)
To: jeyu, rusty, keescook; +Cc: linux-kernel, kernel-hardening
Provide a mechanism for other functions to verify that their arguments
are read-only.
This implements the first half of a suggestion made by Kees Cook for
the Kernel Self Protection Project:
- provide mechanism to check for ro_after_init memory areas, and
reject structures not marked ro_after_init in vmbus_register()
http://www.openwall.com/lists/kernel-hardening/2017/02/04/1
The idea is to prevent structures (including modules) that are not
read-only from being passed to functions. It builds upon the functions
in kernel/extable.c that test if an address is in the text section.
A build failure on the Blackfin architecture led to the discovery of
an incomplete definition of the RO_DATA macro used in this series. The
fixes are in linux-next:
commit 906f2a51c941 ("mm: fix section name for .data..ro_after_init")
commit 939897e2d736 ("vmlinux.lds: add missing VMLINUX_SYMBOL macros")
The latest version of this series uses new symbols provided in these
fixes. The series now cross compiles on Blackfin without errors. I have
also test compiled this series on next-20170405 for x86.
I have dropped the third patch that uses these features to check the
arguments to vmbus_register() because the maintainers have not been
receptive to using it. My goal right now is to get the API right.
Eddie Kovsky (2):
module: verify address is read-only
extable: verify address is read-only
include/linux/kernel.h | 2 ++
include/linux/module.h | 12 ++++++++++++
kernel/extable.c | 29 +++++++++++++++++++++++++++
kernel/module.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 96 insertions(+)
--
2.12.2
^ permalink raw reply [flat|nested] 14+ messages in thread* [PATCH v5 1/2] module: verify address is read-only 2017-04-06 3:35 [PATCH v5 0/2] provide check for ro_after_init memory sections Eddie Kovsky @ 2017-04-06 3:35 ` Eddie Kovsky 2017-04-07 1:58 ` Jessica Yu 2017-04-06 3:35 ` [PATCH v5 2/2] extable: " Eddie Kovsky 2017-04-07 21:53 ` [PATCH v5 0/2] provide check for ro_after_init memory sections Kees Cook 2 siblings, 1 reply; 14+ messages in thread From: Eddie Kovsky @ 2017-04-06 3:35 UTC (permalink / raw) To: jeyu, rusty, keescook; +Cc: linux-kernel, kernel-hardening Implement a mechanism to check if a module's address is in the rodata or ro_after_init sections. It mimics the existing functions that test if an address is inside a module's text section. Functions that take a module as an argument will be able to verify that the module address is in a read-only section. The idea is to prevent structures (including modules) that are not read-only from being passed to functions. This implements the first half of a suggestion made by Kees Cook for the Kernel Self Protection Project: - provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register() Suggested-by: Kees Cook <keescook@chromium.org> Signed-off-by: Eddie Kovsky <ewk@edkovsky.org> --- Changes in v4: - Rename function __module_ro_address() to __module_rodata_address() - Move module_rodata_address() stub below is_module_address() - Minor comment fixes - Verify that mod is not NULL before setting up layout variables Changes in v3: - Change function name is_module_ro_address() to is_module_rodata_address(). - Improve comments on is_module_rodata_address(). - Add a !CONFIG_MODULES stub for is_module_rodata_address. - Correct and simplify the check for the read-only memory regions in the module address. --- include/linux/module.h | 12 ++++++++++++ kernel/module.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+) diff --git a/include/linux/module.h b/include/linux/module.h index 9ad68561d8c2..a3d17b081de3 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -492,7 +492,9 @@ static inline int module_is_live(struct module *mod) struct module *__module_text_address(unsigned long addr); struct module *__module_address(unsigned long addr); +struct module *__module_rodata_address(unsigned long addr); bool is_module_address(unsigned long addr); +bool is_module_rodata_address(unsigned long addr); bool __is_module_percpu_address(unsigned long addr, unsigned long *can_addr); bool is_module_percpu_address(unsigned long addr); bool is_module_text_address(unsigned long addr); @@ -646,6 +648,11 @@ static inline struct module *__module_address(unsigned long addr) return NULL; } +static inline struct module *__module_rodata_address(unsigned long addr) +{ + return NULL; +} + static inline struct module *__module_text_address(unsigned long addr) { return NULL; @@ -656,6 +663,11 @@ static inline bool is_module_address(unsigned long addr) return false; } +static inline bool is_module_rodata_address(unsigned long addr) +{ + return false; +} + static inline bool is_module_percpu_address(unsigned long addr) { return false; diff --git a/kernel/module.c b/kernel/module.c index f953df992a11..d5753210cf34 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -4296,6 +4296,59 @@ struct module *__module_text_address(unsigned long addr) } EXPORT_SYMBOL_GPL(__module_text_address); +/** + * is_module_rodata_address - is this address inside read-only module data? + * @addr: the address to check. + * + */ +bool is_module_rodata_address(unsigned long addr) +{ + bool ret; + + preempt_disable(); + ret = __module_rodata_address(addr) != NULL; + preempt_enable(); + + return ret; +} + +/* + * __module_rodata_address - get the module whose rodata/ro_after_init sections + * contain the given address. + * @addr: the address. + * + * Must be called with preempt disabled or module mutex held so that + * module doesn't get freed during this. + */ +struct module *__module_rodata_address(unsigned long addr) +{ + struct module *mod = __module_address(addr); + + /* + * Make sure module is within the read-only section. + * range(base + text_size, base + ro_after_init_size) + * encompasses both the rodata and ro_after_init regions. + * See comment above frob_text() for the layout diagram. + */ + if (mod) { + void *init_base = mod->init_layout.base; + unsigned int init_text_size = mod->init_layout.text_size; + unsigned int init_ro_after_init_size = mod->init_layout.ro_after_init_size; + + void *core_base = mod->core_layout.base; + unsigned int core_text_size = mod->core_layout.text_size; + unsigned int core_ro_after_init_size = mod->core_layout.ro_after_init_size; + + if (!within(addr, init_base + init_text_size, + init_ro_after_init_size - init_text_size) + && !within(addr, core_base + core_text_size, + core_ro_after_init_size - core_text_size)) + mod = NULL; + } + return mod; +} +EXPORT_SYMBOL_GPL(__module_rodata_address); + /* Don't grab lock, we're oopsing. */ void print_modules(void) { -- 2.12.2 ^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH v5 1/2] module: verify address is read-only 2017-04-06 3:35 ` [PATCH v5 1/2] module: verify address is read-only Eddie Kovsky @ 2017-04-07 1:58 ` Jessica Yu 2017-04-07 20:46 ` Kees Cook 0 siblings, 1 reply; 14+ messages in thread From: Jessica Yu @ 2017-04-07 1:58 UTC (permalink / raw) To: Eddie Kovsky; +Cc: rusty, keescook, linux-kernel, kernel-hardening +++ Eddie Kovsky [05/04/17 21:35 -0600]: >Implement a mechanism to check if a module's address is in >the rodata or ro_after_init sections. It mimics the existing functions >that test if an address is inside a module's text section. > >Functions that take a module as an argument will be able to verify that the >module address is in a read-only section. The idea is to prevent structures >(including modules) that are not read-only from being passed to functions. > >This implements the first half of a suggestion made by Kees Cook for >the Kernel Self Protection Project: > > - provide mechanism to check for ro_after_init memory areas, and > reject structures not marked ro_after_init in vmbus_register() > >Suggested-by: Kees Cook <keescook@chromium.org> >Signed-off-by: Eddie Kovsky <ewk@edkovsky.org> Acked-by: Jessica Yu <jeyu@redhat.com> ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v5 1/2] module: verify address is read-only 2017-04-07 1:58 ` Jessica Yu @ 2017-04-07 20:46 ` Kees Cook 0 siblings, 0 replies; 14+ messages in thread From: Kees Cook @ 2017-04-07 20:46 UTC (permalink / raw) To: Jessica Yu; +Cc: Eddie Kovsky, Rusty Russell, LKML, kernel-hardening On Thu, Apr 6, 2017 at 6:58 PM, Jessica Yu <jeyu@redhat.com> wrote: > +++ Eddie Kovsky [05/04/17 21:35 -0600]: >> >> Implement a mechanism to check if a module's address is in >> the rodata or ro_after_init sections. It mimics the existing functions >> that test if an address is inside a module's text section. >> >> Functions that take a module as an argument will be able to verify that >> the >> module address is in a read-only section. The idea is to prevent >> structures >> (including modules) that are not read-only from being passed to functions. >> >> This implements the first half of a suggestion made by Kees Cook for >> the Kernel Self Protection Project: >> >> - provide mechanism to check for ro_after_init memory areas, and >> reject structures not marked ro_after_init in vmbus_register() >> >> Suggested-by: Kees Cook <keescook@chromium.org> >> Signed-off-by: Eddie Kovsky <ewk@edkovsky.org> > > > Acked-by: Jessica Yu <jeyu@redhat.com> Thanks! I'll either get these into my kspp tree or ask akpm to carry these since they depend on the renaming in his tree already. -Kees -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH v5 2/2] extable: verify address is read-only 2017-04-06 3:35 [PATCH v5 0/2] provide check for ro_after_init memory sections Eddie Kovsky 2017-04-06 3:35 ` [PATCH v5 1/2] module: verify address is read-only Eddie Kovsky @ 2017-04-06 3:35 ` Eddie Kovsky 2017-04-06 17:20 ` kbuild test robot 2017-04-06 17:41 ` kbuild test robot 2017-04-07 21:53 ` [PATCH v5 0/2] provide check for ro_after_init memory sections Kees Cook 2 siblings, 2 replies; 14+ messages in thread From: Eddie Kovsky @ 2017-04-06 3:35 UTC (permalink / raw) To: jeyu, rusty, keescook; +Cc: linux-kernel, kernel-hardening Provide a mechanism to check if the address of a variable is const or ro_after_init. It mimics the existing functions that test if an address is inside the kernel's text section. The idea is to prevent structures that are not read-only from being passed to functions. Other functions inside the kernel could then use this capability to verify that their arguments are read-only. This implements the first half of a suggestion made by Kees Cook for the Kernel Self Protection Project: - provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register() Suggested-by: Kees Cook <keescook@chromium.org> Signed-off-by: Eddie Kovsky <ewk@edkovsky.org> --- Changes in v5: - Replace __start_data_ro_after_init with __start_ro_after_init - Replace __end_data_ro_after_init with __end_ro_after_init Changes in v4: - Rename function core_kernel_ro_data() to core_kernel_rodata(). Changes in v3: - Fix missing declaration of is_module_rodata_address() --- include/linux/kernel.h | 2 ++ kernel/extable.c | 29 +++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 4c26dc3a8295..5748784ca209 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -444,6 +444,8 @@ extern int core_kernel_data(unsigned long addr); extern int __kernel_text_address(unsigned long addr); extern int kernel_text_address(unsigned long addr); extern int func_ptr_is_kernel_text(void *ptr); +extern int core_kernel_rodata(unsigned long addr); +extern int kernel_ro_address(unsigned long addr); unsigned long int_sqrt(unsigned long); diff --git a/kernel/extable.c b/kernel/extable.c index 2676d7f8baf6..18c5e4dbe0fc 100644 --- a/kernel/extable.c +++ b/kernel/extable.c @@ -154,3 +154,32 @@ int func_ptr_is_kernel_text(void *ptr) return 1; return is_module_text_address(addr); } + +/** + * core_kernel_rodata - Verify address points to read-only section + * @addr: address to test + * + */ +int core_kernel_rodata(unsigned long addr) +{ + if (addr >= (unsigned long)__start_rodata && + addr < (unsigned long)__end_rodata) + return 1; + + if (addr >= (unsigned long)__start_ro_after_init && + addr < (unsigned long)__end_ro_after_init) + return 1; + + return 0; +} + +/* Verify that address is const or ro_after_init. */ +int kernel_ro_address(unsigned long addr) +{ + if (core_kernel_rodata(addr)) + return 1; + if (is_module_rodata_address(addr)) + return 1; + + return 0; +} -- 2.12.2 ^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH v5 2/2] extable: verify address is read-only 2017-04-06 3:35 ` [PATCH v5 2/2] extable: " Eddie Kovsky @ 2017-04-06 17:20 ` kbuild test robot 2017-04-06 17:41 ` kbuild test robot 1 sibling, 0 replies; 14+ messages in thread From: kbuild test robot @ 2017-04-06 17:20 UTC (permalink / raw) To: Eddie Kovsky Cc: kbuild-all, jeyu, rusty, keescook, linux-kernel, kernel-hardening [-- Attachment #1: Type: text/plain, Size: 7804 bytes --] Hi Eddie, [auto build test WARNING on next-20170330] [cannot apply to linus/master linux/master jeyu/modules-next v4.9-rc8 v4.9-rc7 v4.9-rc6 v4.11-rc5] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Eddie-Kovsky/module-verify-address-is-read-only/20170407-004322 config: i386-randconfig-x014-201714 (attached as .config) compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901 reproduce: # save the attached .config to linux build tree make ARCH=i386 All warnings (new ones prefixed by >>): In file included from include/linux/trace_clock.h:12:0, from include/linux/ftrace.h:9, from kernel/extable.c:18: kernel/extable.c: In function 'core_kernel_rodata': kernel/extable.c:169:29: error: '__start_ro_after_init' undeclared (first use in this function) if (addr >= (unsigned long)__start_ro_after_init && ^ include/linux/compiler.h:160:30: note: in definition of macro '__trace_if' if (__builtin_constant_p(!!(cond)) ? !!(cond) : \ ^~~~ >> kernel/extable.c:169:2: note: in expansion of macro 'if' if (addr >= (unsigned long)__start_ro_after_init && ^~ kernel/extable.c:169:29: note: each undeclared identifier is reported only once for each function it appears in if (addr >= (unsigned long)__start_ro_after_init && ^ include/linux/compiler.h:160:30: note: in definition of macro '__trace_if' if (__builtin_constant_p(!!(cond)) ? !!(cond) : \ ^~~~ >> kernel/extable.c:169:2: note: in expansion of macro 'if' if (addr >= (unsigned long)__start_ro_after_init && ^~ kernel/extable.c:170:28: error: '__end_ro_after_init' undeclared (first use in this function) addr < (unsigned long)__end_ro_after_init) ^ include/linux/compiler.h:160:30: note: in definition of macro '__trace_if' if (__builtin_constant_p(!!(cond)) ? !!(cond) : \ ^~~~ >> kernel/extable.c:169:2: note: in expansion of macro 'if' if (addr >= (unsigned long)__start_ro_after_init && ^~ vim +/if +169 kernel/extable.c 12 GNU General Public License for more details. 13 14 You should have received a copy of the GNU General Public License 15 along with this program; if not, write to the Free Software 16 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 17 */ > 18 #include <linux/ftrace.h> 19 #include <linux/memory.h> 20 #include <linux/extable.h> 21 #include <linux/module.h> 22 #include <linux/mutex.h> 23 #include <linux/init.h> 24 #include <linux/kprobes.h> 25 #include <linux/filter.h> 26 27 #include <asm/sections.h> 28 #include <linux/uaccess.h> 29 30 /* 31 * mutex protecting text section modification (dynamic code patching). 32 * some users need to sleep (allocating memory...) while they hold this lock. 33 * 34 * NOT exported to modules - patching kernel text is a really delicate matter. 35 */ 36 DEFINE_MUTEX(text_mutex); 37 38 extern struct exception_table_entry __start___ex_table[]; 39 extern struct exception_table_entry __stop___ex_table[]; 40 41 /* Cleared by build time tools if the table is already sorted. */ 42 u32 __initdata __visible main_extable_sort_needed = 1; 43 44 /* Sort the kernel's built-in exception table */ 45 void __init sort_main_extable(void) 46 { 47 if (main_extable_sort_needed && __stop___ex_table > __start___ex_table) { 48 pr_notice("Sorting __ex_table...\n"); 49 sort_extable(__start___ex_table, __stop___ex_table); 50 } 51 } 52 53 /* Given an address, look for it in the exception tables. */ 54 const struct exception_table_entry *search_exception_tables(unsigned long addr) 55 { 56 const struct exception_table_entry *e; 57 58 e = search_extable(__start___ex_table, __stop___ex_table-1, addr); 59 if (!e) 60 e = search_module_extables(addr); 61 return e; 62 } 63 64 static inline int init_kernel_text(unsigned long addr) 65 { 66 if (addr >= (unsigned long)_sinittext && 67 addr < (unsigned long)_einittext) 68 return 1; 69 return 0; 70 } 71 72 int core_kernel_text(unsigned long addr) 73 { 74 if (addr >= (unsigned long)_stext && 75 addr < (unsigned long)_etext) 76 return 1; 77 78 if (system_state == SYSTEM_BOOTING && 79 init_kernel_text(addr)) 80 return 1; 81 return 0; 82 } 83 84 /** 85 * core_kernel_data - tell if addr points to kernel data 86 * @addr: address to test 87 * 88 * Returns true if @addr passed in is from the core kernel data 89 * section. 90 * 91 * Note: On some archs it may return true for core RODATA, and false 92 * for others. But will always be true for core RW data. 93 */ 94 int core_kernel_data(unsigned long addr) 95 { 96 if (addr >= (unsigned long)_sdata && 97 addr < (unsigned long)_edata) 98 return 1; 99 return 0; 100 } 101 102 int __kernel_text_address(unsigned long addr) 103 { 104 if (core_kernel_text(addr)) 105 return 1; 106 if (is_module_text_address(addr)) 107 return 1; 108 if (is_ftrace_trampoline(addr)) 109 return 1; 110 if (is_kprobe_optinsn_slot(addr) || is_kprobe_insn_slot(addr)) 111 return 1; 112 if (is_bpf_text_address(addr)) 113 return 1; 114 /* 115 * There might be init symbols in saved stacktraces. 116 * Give those symbols a chance to be printed in 117 * backtraces (such as lockdep traces). 118 * 119 * Since we are after the module-symbols check, there's 120 * no danger of address overlap: 121 */ 122 if (init_kernel_text(addr)) 123 return 1; 124 return 0; 125 } 126 127 int kernel_text_address(unsigned long addr) 128 { 129 if (core_kernel_text(addr)) 130 return 1; 131 if (is_module_text_address(addr)) 132 return 1; 133 if (is_ftrace_trampoline(addr)) 134 return 1; 135 if (is_kprobe_optinsn_slot(addr) || is_kprobe_insn_slot(addr)) 136 return 1; 137 if (is_bpf_text_address(addr)) 138 return 1; 139 return 0; 140 } 141 142 /* 143 * On some architectures (PPC64, IA64) function pointers 144 * are actually only tokens to some data that then holds the 145 * real function address. As a result, to find if a function 146 * pointer is part of the kernel text, we need to do some 147 * special dereferencing first. 148 */ 149 int func_ptr_is_kernel_text(void *ptr) 150 { 151 unsigned long addr; 152 addr = (unsigned long) dereference_function_descriptor(ptr); 153 if (core_kernel_text(addr)) 154 return 1; 155 return is_module_text_address(addr); 156 } 157 158 /** 159 * core_kernel_rodata - Verify address points to read-only section 160 * @addr: address to test 161 * 162 */ 163 int core_kernel_rodata(unsigned long addr) 164 { 165 if (addr >= (unsigned long)__start_rodata && 166 addr < (unsigned long)__end_rodata) 167 return 1; 168 > 169 if (addr >= (unsigned long)__start_ro_after_init && 170 addr < (unsigned long)__end_ro_after_init) 171 return 1; 172 --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation [-- Attachment #2: .config.gz --] [-- Type: application/gzip, Size: 25874 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v5 2/2] extable: verify address is read-only 2017-04-06 3:35 ` [PATCH v5 2/2] extable: " Eddie Kovsky 2017-04-06 17:20 ` kbuild test robot @ 2017-04-06 17:41 ` kbuild test robot 2017-04-07 19:29 ` Eddie Kovsky 1 sibling, 1 reply; 14+ messages in thread From: kbuild test robot @ 2017-04-06 17:41 UTC (permalink / raw) To: Eddie Kovsky Cc: kbuild-all, jeyu, rusty, keescook, linux-kernel, kernel-hardening [-- Attachment #1: Type: text/plain, Size: 1741 bytes --] Hi Eddie, [auto build test ERROR on next-20170330] [cannot apply to linus/master linux/master jeyu/modules-next v4.9-rc8 v4.9-rc7 v4.9-rc6 v4.11-rc5] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Eddie-Kovsky/module-verify-address-is-read-only/20170407-004322 config: i386-randconfig-x010-201714 (attached as .config) compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901 reproduce: # save the attached .config to linux build tree make ARCH=i386 All errors (new ones prefixed by >>): kernel/extable.c: In function 'core_kernel_rodata': >> kernel/extable.c:169:29: error: '__start_ro_after_init' undeclared (first use in this function) if (addr >= (unsigned long)__start_ro_after_init && ^~~~~~~~~~~~~~~~~~~~~ kernel/extable.c:169:29: note: each undeclared identifier is reported only once for each function it appears in >> kernel/extable.c:170:28: error: '__end_ro_after_init' undeclared (first use in this function) addr < (unsigned long)__end_ro_after_init) ^~~~~~~~~~~~~~~~~~~ vim +/__start_ro_after_init +169 kernel/extable.c 163 int core_kernel_rodata(unsigned long addr) 164 { 165 if (addr >= (unsigned long)__start_rodata && 166 addr < (unsigned long)__end_rodata) 167 return 1; 168 > 169 if (addr >= (unsigned long)__start_ro_after_init && > 170 addr < (unsigned long)__end_ro_after_init) 171 return 1; 172 173 return 0; --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation [-- Attachment #2: .config.gz --] [-- Type: application/gzip, Size: 27264 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v5 2/2] extable: verify address is read-only 2017-04-06 17:41 ` kbuild test robot @ 2017-04-07 19:29 ` Eddie Kovsky 2017-04-07 20:45 ` Kees Cook 0 siblings, 1 reply; 14+ messages in thread From: Eddie Kovsky @ 2017-04-07 19:29 UTC (permalink / raw) To: kbuild test robot Cc: kbuild-all, jeyu, rusty, keescook, linux-kernel, kernel-hardening On 04/07/17, kbuild test robot wrote: > Hi Eddie, > > [auto build test ERROR on next-20170330] > [cannot apply to linus/master linux/master jeyu/modules-next v4.9-rc8 v4.9-rc7 v4.9-rc6 v4.11-rc5] > [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] > > url: https://github.com/0day-ci/linux/commits/Eddie-Kovsky/module-verify-address-is-read-only/20170407-004322 > config: i386-randconfig-x010-201714 (attached as .config) > compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901 > reproduce: > # save the attached .config to linux build tree > make ARCH=i386 > > All errors (new ones prefixed by >>): > > kernel/extable.c: In function 'core_kernel_rodata': > >> kernel/extable.c:169:29: error: '__start_ro_after_init' undeclared (first use in this function) > if (addr >= (unsigned long)__start_ro_after_init && > ^~~~~~~~~~~~~~~~~~~~~ > kernel/extable.c:169:29: note: each undeclared identifier is reported only once for each function it appears in > >> kernel/extable.c:170:28: error: '__end_ro_after_init' undeclared (first use in this function) > addr < (unsigned long)__end_ro_after_init) > ^~~~~~~~~~~~~~~~~~~ > > vim +/__start_ro_after_init +169 kernel/extable.c > > 163 int core_kernel_rodata(unsigned long addr) > 164 { > 165 if (addr >= (unsigned long)__start_rodata && > 166 addr < (unsigned long)__end_rodata) > 167 return 1; > 168 > > 169 if (addr >= (unsigned long)__start_ro_after_init && > > 170 addr < (unsigned long)__end_ro_after_init) > 171 return 1; > 172 > 173 return 0; > > --- > 0-DAY kernel test infrastructure Open Source Technology Center > https://lists.01.org/pipermail/kbuild-all Intel Corporation This looks like a false alarm. The test build is based on next-20170330. Kees' patch for the section names [start|end]_ro_after_init didn't appear in next until 20170403. I cannot reproduce the build error using this config on recent versions of next. Am I missing something here? Eddie ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v5 2/2] extable: verify address is read-only 2017-04-07 19:29 ` Eddie Kovsky @ 2017-04-07 20:45 ` Kees Cook 0 siblings, 0 replies; 14+ messages in thread From: Kees Cook @ 2017-04-07 20:45 UTC (permalink / raw) To: Eddie Kovsky Cc: kbuild test robot, kbuild-all, Jessica Yu, Rusty Russell, LKML, kernel-hardening On Fri, Apr 7, 2017 at 12:29 PM, Eddie Kovsky <ewk@edkovsky.org> wrote: > On 04/07/17, kbuild test robot wrote: >> Hi Eddie, >> >> [auto build test ERROR on next-20170330] >> [cannot apply to linus/master linux/master jeyu/modules-next v4.9-rc8 v4.9-rc7 v4.9-rc6 v4.11-rc5] >> [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] >> >> url: https://github.com/0day-ci/linux/commits/Eddie-Kovsky/module-verify-address-is-read-only/20170407-004322 >> config: i386-randconfig-x010-201714 (attached as .config) >> compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901 >> reproduce: >> # save the attached .config to linux build tree >> make ARCH=i386 >> >> All errors (new ones prefixed by >>): >> >> kernel/extable.c: In function 'core_kernel_rodata': >> >> kernel/extable.c:169:29: error: '__start_ro_after_init' undeclared (first use in this function) >> if (addr >= (unsigned long)__start_ro_after_init && >> ^~~~~~~~~~~~~~~~~~~~~ >> kernel/extable.c:169:29: note: each undeclared identifier is reported only once for each function it appears in >> >> kernel/extable.c:170:28: error: '__end_ro_after_init' undeclared (first use in this function) >> addr < (unsigned long)__end_ro_after_init) >> ^~~~~~~~~~~~~~~~~~~ >> >> vim +/__start_ro_after_init +169 kernel/extable.c >> >> 163 int core_kernel_rodata(unsigned long addr) >> 164 { >> 165 if (addr >= (unsigned long)__start_rodata && >> 166 addr < (unsigned long)__end_rodata) >> 167 return 1; >> 168 >> > 169 if (addr >= (unsigned long)__start_ro_after_init && >> > 170 addr < (unsigned long)__end_ro_after_init) >> 171 return 1; >> 172 >> 173 return 0; >> >> --- >> 0-DAY kernel test infrastructure Open Source Technology Center >> https://lists.01.org/pipermail/kbuild-all Intel Corporation > > > This looks like a false alarm. > > The test build is based on next-20170330. Kees' patch for the section > names [start|end]_ro_after_init didn't appear in next until 20170403. > > I cannot reproduce the build error using this config on recent versions > of next. Am I missing something here? I agree, this was built without the renaming from the latest -next trees. -Kees -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v5 0/2] provide check for ro_after_init memory sections 2017-04-06 3:35 [PATCH v5 0/2] provide check for ro_after_init memory sections Eddie Kovsky 2017-04-06 3:35 ` [PATCH v5 1/2] module: verify address is read-only Eddie Kovsky 2017-04-06 3:35 ` [PATCH v5 2/2] extable: " Eddie Kovsky @ 2017-04-07 21:53 ` Kees Cook 2017-04-07 22:12 ` Andrew Morton 2 siblings, 1 reply; 14+ messages in thread From: Kees Cook @ 2017-04-07 21:53 UTC (permalink / raw) To: Andrew Morton Cc: Jessica Yu, Rusty Russell, LKML, kernel-hardening, Eddie Kovsky On Wed, Apr 5, 2017 at 8:35 PM, Eddie Kovsky <ewk@edkovsky.org> wrote: > Provide a mechanism for other functions to verify that their arguments > are read-only. > > This implements the first half of a suggestion made by Kees Cook for > the Kernel Self Protection Project: > > - provide mechanism to check for ro_after_init memory areas, and > reject structures not marked ro_after_init in vmbus_register() > > http://www.openwall.com/lists/kernel-hardening/2017/02/04/1 > > The idea is to prevent structures (including modules) that are not > read-only from being passed to functions. It builds upon the functions > in kernel/extable.c that test if an address is in the text section. > > A build failure on the Blackfin architecture led to the discovery of > an incomplete definition of the RO_DATA macro used in this series. The > fixes are in linux-next: > > commit 906f2a51c941 ("mm: fix section name for .data..ro_after_init") > > commit 939897e2d736 ("vmlinux.lds: add missing VMLINUX_SYMBOL macros") > > The latest version of this series uses new symbols provided in these > fixes. The series now cross compiles on Blackfin without errors. I have > also test compiled this series on next-20170405 for x86. > > I have dropped the third patch that uses these features to check the > arguments to vmbus_register() because the maintainers have not been > receptive to using it. My goal right now is to get the API right. > > Eddie Kovsky (2): > module: verify address is read-only > extable: verify address is read-only > > include/linux/kernel.h | 2 ++ > include/linux/module.h | 12 ++++++++++++ > kernel/extable.c | 29 +++++++++++++++++++++++++++ > kernel/module.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++ > 4 files changed, 96 insertions(+) Andrew, do you have these in your mailbox (it went to lkml), or should I resend them directly to you? Since they depend on the __start_ro_after_init naming fixes in -mm, it seemed like it'd be best to carry these two patches there. If so, please consider them both: Acked-by: Kees Cook <keescook@chromium.org> (And, from the thread on the module patch, Jessica has Acked that one too.) Thanks! -Kees -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v5 0/2] provide check for ro_after_init memory sections 2017-04-07 21:53 ` [PATCH v5 0/2] provide check for ro_after_init memory sections Kees Cook @ 2017-04-07 22:12 ` Andrew Morton 2017-04-07 22:15 ` Kees Cook 0 siblings, 1 reply; 14+ messages in thread From: Andrew Morton @ 2017-04-07 22:12 UTC (permalink / raw) To: Kees Cook; +Cc: Jessica Yu, Rusty Russell, LKML, kernel-hardening, Eddie Kovsky On Fri, 7 Apr 2017 14:53:23 -0700 Kees Cook <keescook@chromium.org> wrote: > > Eddie Kovsky (2): > > module: verify address is read-only > > extable: verify address is read-only > > > > include/linux/kernel.h | 2 ++ > > include/linux/module.h | 12 ++++++++++++ > > kernel/extable.c | 29 +++++++++++++++++++++++++++ > > kernel/module.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++ > > 4 files changed, 96 insertions(+) > > Andrew, do you have these in your mailbox (it went to lkml), or should > I resend them directly to you? Since they depend on the > __start_ro_after_init naming fixes in -mm, it seemed like it'd be best > to carry these two patches there. If so, please consider them both: > > Acked-by: Kees Cook <keescook@chromium.org> > > (And, from the thread on the module patch, Jessica has Acked that one too.) Well I grabbed them, but the patches don't actually do anything - they add interfaces with no users. What's the plan here? ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v5 0/2] provide check for ro_after_init memory sections 2017-04-07 22:12 ` Andrew Morton @ 2017-04-07 22:15 ` Kees Cook 2017-04-07 22:23 ` Andrew Morton 0 siblings, 1 reply; 14+ messages in thread From: Kees Cook @ 2017-04-07 22:15 UTC (permalink / raw) To: Andrew Morton Cc: Jessica Yu, Rusty Russell, LKML, kernel-hardening, Eddie Kovsky On Fri, Apr 7, 2017 at 3:12 PM, Andrew Morton <akpm@linux-foundation.org> wrote: > On Fri, 7 Apr 2017 14:53:23 -0700 Kees Cook <keescook@chromium.org> wrote: > >> > Eddie Kovsky (2): >> > module: verify address is read-only >> > extable: verify address is read-only >> > >> > include/linux/kernel.h | 2 ++ >> > include/linux/module.h | 12 ++++++++++++ >> > kernel/extable.c | 29 +++++++++++++++++++++++++++ >> > kernel/module.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++ >> > 4 files changed, 96 insertions(+) >> >> Andrew, do you have these in your mailbox (it went to lkml), or should >> I resend them directly to you? Since they depend on the >> __start_ro_after_init naming fixes in -mm, it seemed like it'd be best >> to carry these two patches there. If so, please consider them both: >> >> Acked-by: Kees Cook <keescook@chromium.org> >> >> (And, from the thread on the module patch, Jessica has Acked that one too.) > > Well I grabbed them, but the patches don't actually do anything - they > add interfaces with no users. What's the plan here? I'd like to have a way for interfaces (especially the various *_register()) to be able to check that a structure is either const or __ro_after_init. My expectation is to add those and similar sanity-checks now that we can do so. -Kees -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v5 0/2] provide check for ro_after_init memory sections 2017-04-07 22:15 ` Kees Cook @ 2017-04-07 22:23 ` Andrew Morton 2017-04-07 22:47 ` Kees Cook 0 siblings, 1 reply; 14+ messages in thread From: Andrew Morton @ 2017-04-07 22:23 UTC (permalink / raw) To: Kees Cook; +Cc: Jessica Yu, Rusty Russell, LKML, kernel-hardening, Eddie Kovsky On Fri, 7 Apr 2017 15:15:36 -0700 Kees Cook <keescook@chromium.org> wrote: > On Fri, Apr 7, 2017 at 3:12 PM, Andrew Morton <akpm@linux-foundation.org> wrote: > > On Fri, 7 Apr 2017 14:53:23 -0700 Kees Cook <keescook@chromium.org> wrote: > > > >> > Eddie Kovsky (2): > >> > module: verify address is read-only > >> > extable: verify address is read-only > >> > > >> > include/linux/kernel.h | 2 ++ > >> > include/linux/module.h | 12 ++++++++++++ > >> > kernel/extable.c | 29 +++++++++++++++++++++++++++ > >> > kernel/module.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++ > >> > 4 files changed, 96 insertions(+) > >> > >> Andrew, do you have these in your mailbox (it went to lkml), or should > >> I resend them directly to you? Since they depend on the > >> __start_ro_after_init naming fixes in -mm, it seemed like it'd be best > >> to carry these two patches there. If so, please consider them both: > >> > >> Acked-by: Kees Cook <keescook@chromium.org> > >> > >> (And, from the thread on the module patch, Jessica has Acked that one too.) > > > > Well I grabbed them, but the patches don't actually do anything - they > > add interfaces with no users. What's the plan here? > > I'd like to have a way for interfaces (especially the various > *_register()) to be able to check that a structure is either const or > __ro_after_init. My expectation is to add those and similar > sanity-checks now that we can do so. OK. But I'd rather sit on the patches until we have working, tested, reviewed callers which are agreed to be useful. ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v5 0/2] provide check for ro_after_init memory sections 2017-04-07 22:23 ` Andrew Morton @ 2017-04-07 22:47 ` Kees Cook 0 siblings, 0 replies; 14+ messages in thread From: Kees Cook @ 2017-04-07 22:47 UTC (permalink / raw) To: Andrew Morton Cc: Jessica Yu, Rusty Russell, LKML, kernel-hardening, Eddie Kovsky On Fri, Apr 7, 2017 at 3:23 PM, Andrew Morton <akpm@linux-foundation.org> wrote: > On Fri, 7 Apr 2017 15:15:36 -0700 Kees Cook <keescook@chromium.org> wrote: > >> On Fri, Apr 7, 2017 at 3:12 PM, Andrew Morton <akpm@linux-foundation.org> wrote: >> > On Fri, 7 Apr 2017 14:53:23 -0700 Kees Cook <keescook@chromium.org> wrote: >> > >> >> > Eddie Kovsky (2): >> >> > module: verify address is read-only >> >> > extable: verify address is read-only >> >> > >> >> > include/linux/kernel.h | 2 ++ >> >> > include/linux/module.h | 12 ++++++++++++ >> >> > kernel/extable.c | 29 +++++++++++++++++++++++++++ >> >> > kernel/module.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++ >> >> > 4 files changed, 96 insertions(+) >> >> >> >> Andrew, do you have these in your mailbox (it went to lkml), or should >> >> I resend them directly to you? Since they depend on the >> >> __start_ro_after_init naming fixes in -mm, it seemed like it'd be best >> >> to carry these two patches there. If so, please consider them both: >> >> >> >> Acked-by: Kees Cook <keescook@chromium.org> >> >> >> >> (And, from the thread on the module patch, Jessica has Acked that one too.) >> > >> > Well I grabbed them, but the patches don't actually do anything - they >> > add interfaces with no users. What's the plan here? >> >> I'd like to have a way for interfaces (especially the various >> *_register()) to be able to check that a structure is either const or >> __ro_after_init. My expectation is to add those and similar >> sanity-checks now that we can do so. > > OK. But I'd rather sit on the patches until we have working, tested, > reviewed callers which are agreed to be useful. That sounds fine to me. Thanks! -Kees -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2017-04-07 22:47 UTC | newest] Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-04-06 3:35 [PATCH v5 0/2] provide check for ro_after_init memory sections Eddie Kovsky 2017-04-06 3:35 ` [PATCH v5 1/2] module: verify address is read-only Eddie Kovsky 2017-04-07 1:58 ` Jessica Yu 2017-04-07 20:46 ` Kees Cook 2017-04-06 3:35 ` [PATCH v5 2/2] extable: " Eddie Kovsky 2017-04-06 17:20 ` kbuild test robot 2017-04-06 17:41 ` kbuild test robot 2017-04-07 19:29 ` Eddie Kovsky 2017-04-07 20:45 ` Kees Cook 2017-04-07 21:53 ` [PATCH v5 0/2] provide check for ro_after_init memory sections Kees Cook 2017-04-07 22:12 ` Andrew Morton 2017-04-07 22:15 ` Kees Cook 2017-04-07 22:23 ` Andrew Morton 2017-04-07 22:47 ` Kees Cook
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).