[PATCH v4] retpoline/module: Warn for missing retpoline in module

[PATCH v4] retpoline/module: Warn for missing retpoline in module

[Andi Kleen]

From: Andi Kleen <ak@linux.intel.com>

There's a risk that a kernel that has full retpoline mitigations
becomes vulnerable when a module gets loaded that hasn't been
compiled with the right compiler or the right option.

We cannot fix it, but should at least warn the user when that
happens.

When the a module hasn't been compiled with a retpoline
aware compiler, print a warning and report it in the sysfs
vulnerability files

For modules it is checked at compile time, however it cannot
check assembler or other non compiled objects used in the module link.

v2: Change warning message
v3: Port to latest tree
v4: Remove tainting
v5: Add changes from Thomas Gleixner, refactor checking,
use a separate variable
Cc: jeyu@kernel.org
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
---
 arch/x86/kernel/cpu/bugs.c | 18 +++++++++++++++++-
 include/linux/module.h     |  9 +++++++++
 kernel/module.c            | 11 +++++++++++
 scripts/mod/modpost.c      |  9 +++++++++
 4 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 390b3dc3d438..8766e13efe80 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -11,6 +11,7 @@
 #include <linux/init.h>
 #include <linux/utsname.h>
 #include <linux/cpu.h>
+#include <linux/module.h>
 
 #include <asm/nospec-branch.h>
 #include <asm/cmdline.h>
@@ -94,6 +95,20 @@ static const char *spectre_v2_strings[] = {
 
 static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
 
+static bool spectre_v2_bad_module;
+
+#ifdef RETPOLINE
+bool retpoline_module_ok(bool has_retpoline)
+{
+	if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
+		return true;
+
+	pr_err("system may be vunerable to spectre_v2\n");
+	spectre_v2_bad_module = true;
+	return false;
+}
+#endif
+
 static void __init spec2_print_if_insecure(const char *reason)
 {
 	if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
@@ -278,6 +293,7 @@ ssize_t cpu_show_spectre_v2(struct device *dev,
 	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
 		return sprintf(buf, "Not affected\n");
 
-	return sprintf(buf, "%s\n", spectre_v2_strings[spectre_v2_enabled]);
+	return sprintf(buf, "%s%s\n", spectre_v2_strings[spectre_v2_enabled],
+			spectre_v2_bad_module ? " but vulnerable module loaded" : "");
 }
 #endif
diff --git a/include/linux/module.h b/include/linux/module.h
index fe5aa3736707..b1cc541f2ddf 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -794,6 +794,15 @@ static inline void module_bug_finalize(const Elf_Ehdr *hdr,
 static inline void module_bug_cleanup(struct module *mod) {}
 #endif	/* CONFIG_GENERIC_BUG */
 
+#ifdef RETPOLINE
+extern bool retpoline_module_ok(bool has_retpoline);
+#else
+static inline bool retpoline_module_ok(bool has_retpoline)
+{
+	return true;
+}
+#endif
+
 #ifdef CONFIG_MODULE_SIG
 static inline bool module_sig_ok(struct module *module)
 {
diff --git a/kernel/module.c b/kernel/module.c
index de66ec825992..3c6e2d9231d3 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2855,6 +2855,15 @@ static int check_modinfo_livepatch(struct module *mod, struct load_info *info)
 }
 #endif /* CONFIG_LIVEPATCH */
 
+static void check_modinfo_retpoline(struct module *mod, struct load_info *info)
+{
+	if (retpoline_module_ok(get_modinfo(info, "retpoline")))
+		return;
+
+	pr_warn("%s: loading module not compiled with retpoline compiler.\n",
+	mod->name);
+}
+
 /* Sets info->hdr and info->len. */
 static int copy_module_from_user(const void __user *umod, unsigned long len,
 				  struct load_info *info)
@@ -3021,6 +3030,8 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
 		add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK);
 	}
 
+	check_modinfo_retpoline(mod, info);
+
 	if (get_modinfo(info, "staging")) {
 		add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK);
 		pr_warn("%s: module is from the staging directory, the quality "
diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index 98314b400a95..54deaa1066cf 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -2165,6 +2165,14 @@ static void add_intree_flag(struct buffer *b, int is_intree)
 		buf_printf(b, "\nMODULE_INFO(intree, \"Y\");\n");
 }
 
+/* Cannot check for assembler */
+static void add_retpoline(struct buffer *b)
+{
+	buf_printf(b, "\n#ifdef RETPOLINE\n");
+	buf_printf(b, "MODULE_INFO(retpoline, \"Y\");\n");
+	buf_printf(b, "#endif\n");
+}
+
 static void add_staging_flag(struct buffer *b, const char *name)
 {
 	static const char *staging_dir = "drivers/staging";
@@ -2506,6 +2514,7 @@ int main(int argc, char **argv)
 		err |= check_modname_len(mod);
 		add_header(&buf, mod);
 		add_intree_flag(&buf, !external_module);
+		add_retpoline(&buf);
 		add_staging_flag(&buf, mod->name);
 		err |= add_versions(&buf, mod);
 		add_depends(&buf, mod, modules);
-- 
2.14.3

Re: [PATCH v4] retpoline/module: Warn for missing retpoline in module

[Randy Dunlap]

On 01/25/2018 03:50 PM, Andi Kleen wrote:

> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 390b3dc3d438..8766e13efe80 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -11,6 +11,7 @@
>  #include <linux/init.h>
>  #include <linux/utsname.h>
>  #include <linux/cpu.h>
> +#include <linux/module.h>
>  
>  #include <asm/nospec-branch.h>
>  #include <asm/cmdline.h>
> @@ -94,6 +95,20 @@ static const char *spectre_v2_strings[] = {
>  
>  static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
>  
> +static bool spectre_v2_bad_module;
> +
> +#ifdef RETPOLINE
> +bool retpoline_module_ok(bool has_retpoline)
> +{
> +	if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
> +		return true;
> +
> +	pr_err("system may be vunerable to spectre_v2\n");

	                      vulnerable

> +	spectre_v2_bad_module = true;
> +	return false;
> +}
> +#endif
> +
>  static void __init spec2_print_if_insecure(const char *reason)
>  {
>  	if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
> @@ -278,6 +293,7 @@ ssize_t cpu_show_spectre_v2(struct device *dev,
>  	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
>  		return sprintf(buf, "Not affected\n");
>  
> -	return sprintf(buf, "%s\n", spectre_v2_strings[spectre_v2_enabled]);
> +	return sprintf(buf, "%s%s\n", spectre_v2_strings[spectre_v2_enabled],
> +			spectre_v2_bad_module ? " but vulnerable module loaded" : "");
>  }
>  #endif


-- 
~Randy

[tip:x86/pti] module/retpoline: Warn about missing retpoline in module

[tip-bot for Andi Kleen]

Commit-ID:  caf7501a1b4ec964190f31f9c3f163de252273b8
Gitweb:     https://git.kernel.org/tip/caf7501a1b4ec964190f31f9c3f163de252273b8
Author:     Andi Kleen <ak@linux.intel.com>
AuthorDate: Thu, 25 Jan 2018 15:50:28 -0800
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Fri, 26 Jan 2018 15:03:56 +0100

module/retpoline: Warn about missing retpoline in module

There's a risk that a kernel which has full retpoline mitigations becomes
vulnerable when a module gets loaded that hasn't been compiled with the
right compiler or the right option.

To enable detection of that mismatch at module load time, add a module info
string "retpoline" at build time when the module was compiled with
retpoline support. This only covers compiled C source, but assembler source
or prebuilt object files are not checked.

If a retpoline enabled kernel detects a non retpoline protected module at
load time, print a warning and report it in the sysfs vulnerability file.

[ tglx: Massaged changelog ]

Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: gregkh@linuxfoundation.org
Cc: torvalds@linux-foundation.org
Cc: jeyu@kernel.org
Cc: arjan@linux.intel.com
Link: https://lkml.kernel.org/r/20180125235028.31211-1-andi@firstfloor.org
---
 arch/x86/kernel/cpu/bugs.c | 17 ++++++++++++++++-
 include/linux/module.h     |  9 +++++++++
 kernel/module.c            | 11 +++++++++++
 scripts/mod/modpost.c      |  9 +++++++++
 4 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 390b3dc..4a39d7b 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -11,6 +11,7 @@
 #include <linux/init.h>
 #include <linux/utsname.h>
 #include <linux/cpu.h>
+#include <linux/module.h>
 
 #include <asm/nospec-branch.h>
 #include <asm/cmdline.h>
@@ -93,6 +94,19 @@ static const char *spectre_v2_strings[] = {
 #define pr_fmt(fmt)     "Spectre V2 mitigation: " fmt
 
 static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
+static bool spectre_v2_bad_module;
+
+#ifdef RETPOLINE
+bool retpoline_module_ok(bool has_retpoline)
+{
+	if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
+		return true;
+
+	pr_err("System may be vunerable to spectre v2\n");
+	spectre_v2_bad_module = true;
+	return false;
+}
+#endif
 
 static void __init spec2_print_if_insecure(const char *reason)
 {
@@ -278,6 +292,7 @@ ssize_t cpu_show_spectre_v2(struct device *dev,
 	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
 		return sprintf(buf, "Not affected\n");
 
-	return sprintf(buf, "%s\n", spectre_v2_strings[spectre_v2_enabled]);
+	return sprintf(buf, "%s%s\n", spectre_v2_strings[spectre_v2_enabled],
+		       spectre_v2_bad_module ? " - vulnerable module loaded" : "");
 }
 #endif
diff --git a/include/linux/module.h b/include/linux/module.h
index fe5aa37..b1cc541 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -794,6 +794,15 @@ static inline void module_bug_finalize(const Elf_Ehdr *hdr,
 static inline void module_bug_cleanup(struct module *mod) {}
 #endif	/* CONFIG_GENERIC_BUG */
 
+#ifdef RETPOLINE
+extern bool retpoline_module_ok(bool has_retpoline);
+#else
+static inline bool retpoline_module_ok(bool has_retpoline)
+{
+	return true;
+}
+#endif
+
 #ifdef CONFIG_MODULE_SIG
 static inline bool module_sig_ok(struct module *module)
 {
diff --git a/kernel/module.c b/kernel/module.c
index de66ec8..690c065 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2855,6 +2855,15 @@ static int check_modinfo_livepatch(struct module *mod, struct load_info *info)
 }
 #endif /* CONFIG_LIVEPATCH */
 
+static void check_modinfo_retpoline(struct module *mod, struct load_info *info)
+{
+	if (retpoline_module_ok(get_modinfo(info, "retpoline")))
+		return;
+
+	pr_warn("%s: loading module not compiled with retpoline compiler.\n",
+		mod->name);
+}
+
 /* Sets info->hdr and info->len. */
 static int copy_module_from_user(const void __user *umod, unsigned long len,
 				  struct load_info *info)
@@ -3021,6 +3030,8 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
 		add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK);
 	}
 
+	check_modinfo_retpoline(mod, info);
+
 	if (get_modinfo(info, "staging")) {
 		add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK);
 		pr_warn("%s: module is from the staging directory, the quality "
diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index 98314b4..54deaa1 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -2165,6 +2165,14 @@ static void add_intree_flag(struct buffer *b, int is_intree)
 		buf_printf(b, "\nMODULE_INFO(intree, \"Y\");\n");
 }
 
+/* Cannot check for assembler */
+static void add_retpoline(struct buffer *b)
+{
+	buf_printf(b, "\n#ifdef RETPOLINE\n");
+	buf_printf(b, "MODULE_INFO(retpoline, \"Y\");\n");
+	buf_printf(b, "#endif\n");
+}
+
 static void add_staging_flag(struct buffer *b, const char *name)
 {
 	static const char *staging_dir = "drivers/staging";
@@ -2506,6 +2514,7 @@ int main(int argc, char **argv)
 		err |= check_modname_len(mod);
 		add_header(&buf, mod);
 		add_intree_flag(&buf, !external_module);
+		add_retpoline(&buf);
 		add_staging_flag(&buf, mod->name);
 		err |= add_versions(&buf, mod);
 		add_depends(&buf, mod, modules);

Re: [tip:x86/pti] module/retpoline: Warn about missing retpoline in module

[Randy Dunlap]

On 01/26/2018 06:59 AM, tip-bot for Andi Kleen wrote:
> Commit-ID:  caf7501a1b4ec964190f31f9c3f163de252273b8
> Gitweb:     https://git.kernel.org/tip/caf7501a1b4ec964190f31f9c3f163de252273b8
> Author:     Andi Kleen <ak@linux.intel.com>
> AuthorDate: Thu, 25 Jan 2018 15:50:28 -0800
> Committer:  Thomas Gleixner <tglx@linutronix.de>
> CommitDate: Fri, 26 Jan 2018 15:03:56 +0100
> 
> module/retpoline: Warn about missing retpoline in module


> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 390b3dc..4a39d7b 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -11,6 +11,7 @@
>  #include <linux/init.h>
>  #include <linux/utsname.h>
>  #include <linux/cpu.h>
> +#include <linux/module.h>
>  
>  #include <asm/nospec-branch.h>
>  #include <asm/cmdline.h>
> @@ -93,6 +94,19 @@ static const char *spectre_v2_strings[] = {
>  #define pr_fmt(fmt)     "Spectre V2 mitigation: " fmt
>  
>  static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
> +static bool spectre_v2_bad_module;
> +
> +#ifdef RETPOLINE
> +bool retpoline_module_ok(bool has_retpoline)
> +{
> +	if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
> +		return true;
> +
> +	pr_err("System may be vunerable to spectre v2\n");

	                      vulnerable

> +	spectre_v2_bad_module = true;
> +	return false;
> +}
> +#endif



-- 
~Randy

Re: [tip:x86/pti] module/retpoline: Warn about missing retpoline in module

[Borislav Petkov]

On Fri, Jan 26, 2018 at 06:59:06AM -0800, tip-bot for Andi Kleen wrote:
> Commit-ID:  caf7501a1b4ec964190f31f9c3f163de252273b8
> Gitweb:     https://git.kernel.org/tip/caf7501a1b4ec964190f31f9c3f163de252273b8
> Author:     Andi Kleen <ak@linux.intel.com>
> AuthorDate: Thu, 25 Jan 2018 15:50:28 -0800
> Committer:  Thomas Gleixner <tglx@linutronix.de>
> CommitDate: Fri, 26 Jan 2018 15:03:56 +0100
> 
> module/retpoline: Warn about missing retpoline in module
> 
> There's a risk that a kernel which has full retpoline mitigations becomes
> vulnerable when a module gets loaded that hasn't been compiled with the
> right compiler or the right option.
> 
> To enable detection of that mismatch at module load time, add a module info
> string "retpoline" at build time when the module was compiled with
> retpoline support. This only covers compiled C source, but assembler source
> or prebuilt object files are not checked.
> 
> If a retpoline enabled kernel detects a non retpoline protected module at
> load time, print a warning and report it in the sysfs vulnerability file.
> 
> [ tglx: Massaged changelog ]
> 
> Signed-off-by: Andi Kleen <ak@linux.intel.com>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Cc: David Woodhouse <dwmw2@infradead.org>
> Cc: gregkh@linuxfoundation.org
> Cc: torvalds@linux-foundation.org
> Cc: jeyu@kernel.org
> Cc: arjan@linux.intel.com
> Link: https://lkml.kernel.org/r/20180125235028.31211-1-andi@firstfloor.org
> ---
>  arch/x86/kernel/cpu/bugs.c | 17 ++++++++++++++++-
>  include/linux/module.h     |  9 +++++++++
>  kernel/module.c            | 11 +++++++++++
>  scripts/mod/modpost.c      |  9 +++++++++
>  4 files changed, 45 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 390b3dc..4a39d7b 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -11,6 +11,7 @@
>  #include <linux/init.h>
>  #include <linux/utsname.h>
>  #include <linux/cpu.h>
> +#include <linux/module.h>
>  
>  #include <asm/nospec-branch.h>
>  #include <asm/cmdline.h>
> @@ -93,6 +94,19 @@ static const char *spectre_v2_strings[] = {
>  #define pr_fmt(fmt)     "Spectre V2 mitigation: " fmt
>  
>  static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
> +static bool spectre_v2_bad_module;

allnoconfig says:

arch/x86/kernel/cpu/bugs.c:97:13: warning: ‘spectre_v2_bad_module’ defined but not used [-Wunused-variable]
 static bool spectre_v2_bad_module;
             ^

-- 
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.