* [PATCH v4] retpoline/module: Warn for missing retpoline in module
@ 2018-01-25 23:50 Andi Kleen
2018-01-25 23:53 ` Randy Dunlap
2018-01-26 14:59 ` [tip:x86/pti] module/retpoline: Warn about " tip-bot for Andi Kleen
0 siblings, 2 replies; 5+ messages in thread
From: Andi Kleen @ 2018-01-25 23:50 UTC (permalink / raw)
To: tglx; +Cc: gregkh, dwmw, linux-kernel, torvalds, x86, arjan, Andi Kleen, jeyu
From: Andi Kleen <ak@linux.intel.com>
There's a risk that a kernel that has full retpoline mitigations
becomes vulnerable when a module gets loaded that hasn't been
compiled with the right compiler or the right option.
We cannot fix it, but should at least warn the user when that
happens.
When the a module hasn't been compiled with a retpoline
aware compiler, print a warning and report it in the sysfs
vulnerability files
For modules it is checked at compile time, however it cannot
check assembler or other non compiled objects used in the module link.
v2: Change warning message
v3: Port to latest tree
v4: Remove tainting
v5: Add changes from Thomas Gleixner, refactor checking,
use a separate variable
Cc: jeyu@kernel.org
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
---
arch/x86/kernel/cpu/bugs.c | 18 +++++++++++++++++-
include/linux/module.h | 9 +++++++++
kernel/module.c | 11 +++++++++++
scripts/mod/modpost.c | 9 +++++++++
4 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 390b3dc3d438..8766e13efe80 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -11,6 +11,7 @@
#include <linux/init.h>
#include <linux/utsname.h>
#include <linux/cpu.h>
+#include <linux/module.h>
#include <asm/nospec-branch.h>
#include <asm/cmdline.h>
@@ -94,6 +95,20 @@ static const char *spectre_v2_strings[] = {
static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
+static bool spectre_v2_bad_module;
+
+#ifdef RETPOLINE
+bool retpoline_module_ok(bool has_retpoline)
+{
+ if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
+ return true;
+
+ pr_err("system may be vunerable to spectre_v2\n");
+ spectre_v2_bad_module = true;
+ return false;
+}
+#endif
+
static void __init spec2_print_if_insecure(const char *reason)
{
if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
@@ -278,6 +293,7 @@ ssize_t cpu_show_spectre_v2(struct device *dev,
if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
return sprintf(buf, "Not affected\n");
- return sprintf(buf, "%s\n", spectre_v2_strings[spectre_v2_enabled]);
+ return sprintf(buf, "%s%s\n", spectre_v2_strings[spectre_v2_enabled],
+ spectre_v2_bad_module ? " but vulnerable module loaded" : "");
}
#endif
diff --git a/include/linux/module.h b/include/linux/module.h
index fe5aa3736707..b1cc541f2ddf 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -794,6 +794,15 @@ static inline void module_bug_finalize(const Elf_Ehdr *hdr,
static inline void module_bug_cleanup(struct module *mod) {}
#endif /* CONFIG_GENERIC_BUG */
+#ifdef RETPOLINE
+extern bool retpoline_module_ok(bool has_retpoline);
+#else
+static inline bool retpoline_module_ok(bool has_retpoline)
+{
+ return true;
+}
+#endif
+
#ifdef CONFIG_MODULE_SIG
static inline bool module_sig_ok(struct module *module)
{
diff --git a/kernel/module.c b/kernel/module.c
index de66ec825992..3c6e2d9231d3 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2855,6 +2855,15 @@ static int check_modinfo_livepatch(struct module *mod, struct load_info *info)
}
#endif /* CONFIG_LIVEPATCH */
+static void check_modinfo_retpoline(struct module *mod, struct load_info *info)
+{
+ if (retpoline_module_ok(get_modinfo(info, "retpoline")))
+ return;
+
+ pr_warn("%s: loading module not compiled with retpoline compiler.\n",
+ mod->name);
+}
+
/* Sets info->hdr and info->len. */
static int copy_module_from_user(const void __user *umod, unsigned long len,
struct load_info *info)
@@ -3021,6 +3030,8 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK);
}
+ check_modinfo_retpoline(mod, info);
+
if (get_modinfo(info, "staging")) {
add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK);
pr_warn("%s: module is from the staging directory, the quality "
diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index 98314b400a95..54deaa1066cf 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -2165,6 +2165,14 @@ static void add_intree_flag(struct buffer *b, int is_intree)
buf_printf(b, "\nMODULE_INFO(intree, \"Y\");\n");
}
+/* Cannot check for assembler */
+static void add_retpoline(struct buffer *b)
+{
+ buf_printf(b, "\n#ifdef RETPOLINE\n");
+ buf_printf(b, "MODULE_INFO(retpoline, \"Y\");\n");
+ buf_printf(b, "#endif\n");
+}
+
static void add_staging_flag(struct buffer *b, const char *name)
{
static const char *staging_dir = "drivers/staging";
@@ -2506,6 +2514,7 @@ int main(int argc, char **argv)
err |= check_modname_len(mod);
add_header(&buf, mod);
add_intree_flag(&buf, !external_module);
+ add_retpoline(&buf);
add_staging_flag(&buf, mod->name);
err |= add_versions(&buf, mod);
add_depends(&buf, mod, modules);
--
2.14.3
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH v4] retpoline/module: Warn for missing retpoline in module
2018-01-25 23:50 [PATCH v4] retpoline/module: Warn for missing retpoline in module Andi Kleen
@ 2018-01-25 23:53 ` Randy Dunlap
2018-01-26 14:59 ` [tip:x86/pti] module/retpoline: Warn about " tip-bot for Andi Kleen
1 sibling, 0 replies; 5+ messages in thread
From: Randy Dunlap @ 2018-01-25 23:53 UTC (permalink / raw)
To: Andi Kleen, tglx
Cc: gregkh, dwmw, linux-kernel, torvalds, x86, arjan, Andi Kleen, jeyu
On 01/25/2018 03:50 PM, Andi Kleen wrote:
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 390b3dc3d438..8766e13efe80 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -11,6 +11,7 @@
> #include <linux/init.h>
> #include <linux/utsname.h>
> #include <linux/cpu.h>
> +#include <linux/module.h>
>
> #include <asm/nospec-branch.h>
> #include <asm/cmdline.h>
> @@ -94,6 +95,20 @@ static const char *spectre_v2_strings[] = {
>
> static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
>
> +static bool spectre_v2_bad_module;
> +
> +#ifdef RETPOLINE
> +bool retpoline_module_ok(bool has_retpoline)
> +{
> + if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
> + return true;
> +
> + pr_err("system may be vunerable to spectre_v2\n");
vulnerable
> + spectre_v2_bad_module = true;
> + return false;
> +}
> +#endif
> +
> static void __init spec2_print_if_insecure(const char *reason)
> {
> if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
> @@ -278,6 +293,7 @@ ssize_t cpu_show_spectre_v2(struct device *dev,
> if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
> return sprintf(buf, "Not affected\n");
>
> - return sprintf(buf, "%s\n", spectre_v2_strings[spectre_v2_enabled]);
> + return sprintf(buf, "%s%s\n", spectre_v2_strings[spectre_v2_enabled],
> + spectre_v2_bad_module ? " but vulnerable module loaded" : "");
> }
> #endif
--
~Randy
^ permalink raw reply [flat|nested] 5+ messages in thread* [tip:x86/pti] module/retpoline: Warn about missing retpoline in module
2018-01-25 23:50 [PATCH v4] retpoline/module: Warn for missing retpoline in module Andi Kleen
2018-01-25 23:53 ` Randy Dunlap
@ 2018-01-26 14:59 ` tip-bot for Andi Kleen
2018-01-26 17:51 ` Randy Dunlap
2018-01-27 13:40 ` Borislav Petkov
1 sibling, 2 replies; 5+ messages in thread
From: tip-bot for Andi Kleen @ 2018-01-26 14:59 UTC (permalink / raw)
To: linux-tip-commits; +Cc: dwmw2, hpa, linux-kernel, tglx, mingo, ak
Commit-ID: caf7501a1b4ec964190f31f9c3f163de252273b8
Gitweb: https://git.kernel.org/tip/caf7501a1b4ec964190f31f9c3f163de252273b8
Author: Andi Kleen <ak@linux.intel.com>
AuthorDate: Thu, 25 Jan 2018 15:50:28 -0800
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Fri, 26 Jan 2018 15:03:56 +0100
module/retpoline: Warn about missing retpoline in module
There's a risk that a kernel which has full retpoline mitigations becomes
vulnerable when a module gets loaded that hasn't been compiled with the
right compiler or the right option.
To enable detection of that mismatch at module load time, add a module info
string "retpoline" at build time when the module was compiled with
retpoline support. This only covers compiled C source, but assembler source
or prebuilt object files are not checked.
If a retpoline enabled kernel detects a non retpoline protected module at
load time, print a warning and report it in the sysfs vulnerability file.
[ tglx: Massaged changelog ]
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: gregkh@linuxfoundation.org
Cc: torvalds@linux-foundation.org
Cc: jeyu@kernel.org
Cc: arjan@linux.intel.com
Link: https://lkml.kernel.org/r/20180125235028.31211-1-andi@firstfloor.org
---
arch/x86/kernel/cpu/bugs.c | 17 ++++++++++++++++-
include/linux/module.h | 9 +++++++++
kernel/module.c | 11 +++++++++++
scripts/mod/modpost.c | 9 +++++++++
4 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 390b3dc..4a39d7b 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -11,6 +11,7 @@
#include <linux/init.h>
#include <linux/utsname.h>
#include <linux/cpu.h>
+#include <linux/module.h>
#include <asm/nospec-branch.h>
#include <asm/cmdline.h>
@@ -93,6 +94,19 @@ static const char *spectre_v2_strings[] = {
#define pr_fmt(fmt) "Spectre V2 mitigation: " fmt
static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
+static bool spectre_v2_bad_module;
+
+#ifdef RETPOLINE
+bool retpoline_module_ok(bool has_retpoline)
+{
+ if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
+ return true;
+
+ pr_err("System may be vunerable to spectre v2\n");
+ spectre_v2_bad_module = true;
+ return false;
+}
+#endif
static void __init spec2_print_if_insecure(const char *reason)
{
@@ -278,6 +292,7 @@ ssize_t cpu_show_spectre_v2(struct device *dev,
if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
return sprintf(buf, "Not affected\n");
- return sprintf(buf, "%s\n", spectre_v2_strings[spectre_v2_enabled]);
+ return sprintf(buf, "%s%s\n", spectre_v2_strings[spectre_v2_enabled],
+ spectre_v2_bad_module ? " - vulnerable module loaded" : "");
}
#endif
diff --git a/include/linux/module.h b/include/linux/module.h
index fe5aa37..b1cc541 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -794,6 +794,15 @@ static inline void module_bug_finalize(const Elf_Ehdr *hdr,
static inline void module_bug_cleanup(struct module *mod) {}
#endif /* CONFIG_GENERIC_BUG */
+#ifdef RETPOLINE
+extern bool retpoline_module_ok(bool has_retpoline);
+#else
+static inline bool retpoline_module_ok(bool has_retpoline)
+{
+ return true;
+}
+#endif
+
#ifdef CONFIG_MODULE_SIG
static inline bool module_sig_ok(struct module *module)
{
diff --git a/kernel/module.c b/kernel/module.c
index de66ec8..690c065 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2855,6 +2855,15 @@ static int check_modinfo_livepatch(struct module *mod, struct load_info *info)
}
#endif /* CONFIG_LIVEPATCH */
+static void check_modinfo_retpoline(struct module *mod, struct load_info *info)
+{
+ if (retpoline_module_ok(get_modinfo(info, "retpoline")))
+ return;
+
+ pr_warn("%s: loading module not compiled with retpoline compiler.\n",
+ mod->name);
+}
+
/* Sets info->hdr and info->len. */
static int copy_module_from_user(const void __user *umod, unsigned long len,
struct load_info *info)
@@ -3021,6 +3030,8 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK);
}
+ check_modinfo_retpoline(mod, info);
+
if (get_modinfo(info, "staging")) {
add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK);
pr_warn("%s: module is from the staging directory, the quality "
diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index 98314b4..54deaa1 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -2165,6 +2165,14 @@ static void add_intree_flag(struct buffer *b, int is_intree)
buf_printf(b, "\nMODULE_INFO(intree, \"Y\");\n");
}
+/* Cannot check for assembler */
+static void add_retpoline(struct buffer *b)
+{
+ buf_printf(b, "\n#ifdef RETPOLINE\n");
+ buf_printf(b, "MODULE_INFO(retpoline, \"Y\");\n");
+ buf_printf(b, "#endif\n");
+}
+
static void add_staging_flag(struct buffer *b, const char *name)
{
static const char *staging_dir = "drivers/staging";
@@ -2506,6 +2514,7 @@ int main(int argc, char **argv)
err |= check_modname_len(mod);
add_header(&buf, mod);
add_intree_flag(&buf, !external_module);
+ add_retpoline(&buf);
add_staging_flag(&buf, mod->name);
err |= add_versions(&buf, mod);
add_depends(&buf, mod, modules);
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [tip:x86/pti] module/retpoline: Warn about missing retpoline in module
2018-01-26 14:59 ` [tip:x86/pti] module/retpoline: Warn about " tip-bot for Andi Kleen
@ 2018-01-26 17:51 ` Randy Dunlap
2018-01-27 13:40 ` Borislav Petkov
1 sibling, 0 replies; 5+ messages in thread
From: Randy Dunlap @ 2018-01-26 17:51 UTC (permalink / raw)
To: tglx, hpa, linux-kernel, ak, mingo, dwmw2, linux-tip-commits
On 01/26/2018 06:59 AM, tip-bot for Andi Kleen wrote:
> Commit-ID: caf7501a1b4ec964190f31f9c3f163de252273b8
> Gitweb: https://git.kernel.org/tip/caf7501a1b4ec964190f31f9c3f163de252273b8
> Author: Andi Kleen <ak@linux.intel.com>
> AuthorDate: Thu, 25 Jan 2018 15:50:28 -0800
> Committer: Thomas Gleixner <tglx@linutronix.de>
> CommitDate: Fri, 26 Jan 2018 15:03:56 +0100
>
> module/retpoline: Warn about missing retpoline in module
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 390b3dc..4a39d7b 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -11,6 +11,7 @@
> #include <linux/init.h>
> #include <linux/utsname.h>
> #include <linux/cpu.h>
> +#include <linux/module.h>
>
> #include <asm/nospec-branch.h>
> #include <asm/cmdline.h>
> @@ -93,6 +94,19 @@ static const char *spectre_v2_strings[] = {
> #define pr_fmt(fmt) "Spectre V2 mitigation: " fmt
>
> static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
> +static bool spectre_v2_bad_module;
> +
> +#ifdef RETPOLINE
> +bool retpoline_module_ok(bool has_retpoline)
> +{
> + if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
> + return true;
> +
> + pr_err("System may be vunerable to spectre v2\n");
vulnerable
> + spectre_v2_bad_module = true;
> + return false;
> +}
> +#endif
--
~Randy
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [tip:x86/pti] module/retpoline: Warn about missing retpoline in module
2018-01-26 14:59 ` [tip:x86/pti] module/retpoline: Warn about " tip-bot for Andi Kleen
2018-01-26 17:51 ` Randy Dunlap
@ 2018-01-27 13:40 ` Borislav Petkov
1 sibling, 0 replies; 5+ messages in thread
From: Borislav Petkov @ 2018-01-27 13:40 UTC (permalink / raw)
To: tglx, hpa, linux-kernel, ak, mingo, dwmw2; +Cc: linux-tip-commits
On Fri, Jan 26, 2018 at 06:59:06AM -0800, tip-bot for Andi Kleen wrote:
> Commit-ID: caf7501a1b4ec964190f31f9c3f163de252273b8
> Gitweb: https://git.kernel.org/tip/caf7501a1b4ec964190f31f9c3f163de252273b8
> Author: Andi Kleen <ak@linux.intel.com>
> AuthorDate: Thu, 25 Jan 2018 15:50:28 -0800
> Committer: Thomas Gleixner <tglx@linutronix.de>
> CommitDate: Fri, 26 Jan 2018 15:03:56 +0100
>
> module/retpoline: Warn about missing retpoline in module
>
> There's a risk that a kernel which has full retpoline mitigations becomes
> vulnerable when a module gets loaded that hasn't been compiled with the
> right compiler or the right option.
>
> To enable detection of that mismatch at module load time, add a module info
> string "retpoline" at build time when the module was compiled with
> retpoline support. This only covers compiled C source, but assembler source
> or prebuilt object files are not checked.
>
> If a retpoline enabled kernel detects a non retpoline protected module at
> load time, print a warning and report it in the sysfs vulnerability file.
>
> [ tglx: Massaged changelog ]
>
> Signed-off-by: Andi Kleen <ak@linux.intel.com>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Cc: David Woodhouse <dwmw2@infradead.org>
> Cc: gregkh@linuxfoundation.org
> Cc: torvalds@linux-foundation.org
> Cc: jeyu@kernel.org
> Cc: arjan@linux.intel.com
> Link: https://lkml.kernel.org/r/20180125235028.31211-1-andi@firstfloor.org
> ---
> arch/x86/kernel/cpu/bugs.c | 17 ++++++++++++++++-
> include/linux/module.h | 9 +++++++++
> kernel/module.c | 11 +++++++++++
> scripts/mod/modpost.c | 9 +++++++++
> 4 files changed, 45 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 390b3dc..4a39d7b 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -11,6 +11,7 @@
> #include <linux/init.h>
> #include <linux/utsname.h>
> #include <linux/cpu.h>
> +#include <linux/module.h>
>
> #include <asm/nospec-branch.h>
> #include <asm/cmdline.h>
> @@ -93,6 +94,19 @@ static const char *spectre_v2_strings[] = {
> #define pr_fmt(fmt) "Spectre V2 mitigation: " fmt
>
> static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
> +static bool spectre_v2_bad_module;
allnoconfig says:
arch/x86/kernel/cpu/bugs.c:97:13: warning: ‘spectre_v2_bad_module’ defined but not used [-Wunused-variable]
static bool spectre_v2_bad_module;
^
--
Regards/Gruss,
Boris.
Good mailing practices for 400: avoid top-posting and trim the reply.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-01-27 13:40 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-01-25 23:50 [PATCH v4] retpoline/module: Warn for missing retpoline in module Andi Kleen
2018-01-25 23:53 ` Randy Dunlap
2018-01-26 14:59 ` [tip:x86/pti] module/retpoline: Warn about " tip-bot for Andi Kleen
2018-01-26 17:51 ` Randy Dunlap
2018-01-27 13:40 ` Borislav Petkov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).