From patchwork Thu Dec 2 22:32:08 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Lobakin X-Patchwork-Id: 12653689 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7A977C433EF for ; Thu, 2 Dec 2021 22:33:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1377216AbhLBWgs (ORCPT ); Thu, 2 Dec 2021 17:36:48 -0500 Received: from mga12.intel.com ([192.55.52.136]:32132 "EHLO mga12.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349448AbhLBWgg (ORCPT ); Thu, 2 Dec 2021 17:36:36 -0500 X-IronPort-AV: E=McAfee;i="6200,9189,10186"; a="216877428" X-IronPort-AV: E=Sophos;i="5.87,282,1631602800"; d="scan'208";a="216877428" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Dec 2021 14:33:13 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.87,282,1631602800"; d="scan'208";a="655540569" Received: from irvmail001.ir.intel.com ([10.43.11.63]) by fmsmga001.fm.intel.com with ESMTP; 02 Dec 2021 14:33:05 -0800 Received: from newjersey.igk.intel.com (newjersey.igk.intel.com [10.102.20.203]) by irvmail001.ir.intel.com (8.14.3/8.13.6/MailSET/Hub) with ESMTP id 1B2MWmYZ028552; Thu, 2 Dec 2021 22:33:03 GMT From: Alexander Lobakin To: linux-hardening@vger.kernel.org, x86@kernel.org Cc: Alexander Lobakin , Jesse Brandeburg , Kristen Carlson Accardi , Kees Cook , Miklos Szeredi , Ard Biesheuvel , Tony Luck , Bruce Schlobohm , Jessica Yu , kernel test robot , Miroslav Benes , Evgenii Shatokhin , Jonathan Corbet , Masahiro Yamada , Michal Marek , Nick Desaulniers , Herbert Xu , "David S. Miller" , Thomas Gleixner , Will Deacon , Ingo Molnar , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , Andy Lutomirski , Peter Zijlstra , Arnd Bergmann , Josh Poimboeuf , Nathan Chancellor , Masami Hiramatsu , Marios Pomonis , Sami Tolvanen , linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-arch@vger.kernel.org, live-patching@vger.kernel.org, llvm@lists.linux.dev Subject: [PATCH v8 08/14] livepatch: only match unique symbols when using FG-KASLR Date: Thu, 2 Dec 2021 23:32:08 +0100 Message-Id: <20211202223214.72888-9-alexandr.lobakin@intel.com> X-Mailer: git-send-email 2.33.1 In-Reply-To: <20211202223214.72888-1-alexandr.lobakin@intel.com> References: <20211202223214.72888-1-alexandr.lobakin@intel.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-hardening@vger.kernel.org If any type of function granular randomization is enabled, the sympos algorithm will fail, as it will be impossible to resolve symbols when there are duplicates using the previous symbol position. We could override sympos to 0, but make it more clear to the user and bail out if the symbol is not unique. Suggested-by: Miroslav Benes Signed-off-by: Alexander Lobakin --- kernel/livepatch/core.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c index 335d988bd811..10ea75111057 100644 --- a/kernel/livepatch/core.c +++ b/kernel/livepatch/core.c @@ -169,6 +169,17 @@ static int klp_find_object_symbol(const char *objname, const char *name, else kallsyms_on_each_symbol(klp_find_callback, &args); + /* + * If function granular randomization is enabled, it is impossible + * to resolve symbols when there are duplicates using the previous + * symbol position (i.e. sympos != 0). + */ + if (IS_ENABLED(CONFIG_FG_KASLR) && sympos) { + pr_err("FG-KASLR is enabled, specifying symbol position %lu for symbol '%s' in object '%s' does not work\n", + sympos, name, objname ? objname : "vmlinux"); + goto out_err; + } + /* * Ensure an address was found. If sympos is 0, ensure symbol is unique; * otherwise ensure the symbol position count matches sympos. @@ -186,6 +197,7 @@ static int klp_find_object_symbol(const char *objname, const char *name, return 0; } +out_err: *addr = 0; return -EINVAL; }