From patchwork Tue Sep 12 00:37:13 2017
X-Patchwork-Submitter: Konrad Rzeszutek Wilk
X-Patchwork-Id: 9948227
From: Konrad Rzeszutek Wilk
To: xen-devel@lists.xenproject.org, ross.lagerwall@citrix.com, konrad.wilk@oracle.com, julien.grall@arm.com, sstabellini@kernel.org
Cc: andrew.cooper3@citrix.com, jbeulich@suse.com
Date: Mon, 11 Sep 2017 20:37:13 -0400
Message-Id: <20170912003726.368-5-konrad.wilk@oracle.com>
In-Reply-To: <20170912003726.368-1-konrad.wilk@oracle.com>
References: <20170912003726.368-1-konrad.wilk@oracle.com>
Subject: [Xen-devel] [PATCH v3 04/17] xen/livepatch/ARM32: Don't load and crash on livepatches loaded with wrong text alignment.

The ARM 32&64 ELF specification says "sections containing ARM code must be at least 32-bit aligned." This patch adds the check for that.

We also make sure that this check is done when doing relocations for the types that are considered ARM code. However, we don't have to check for all as we only implement a small subset of them - as such we only check for data types that are implemented - and if the type is anything else and not aligned to 32-bit, then we error out.
Signed-off-by: Konrad Rzeszutek Wilk --- v1: Initial patch v2: Redo the commit to include the commits which fix the alignment issues. Also mention the need in the docs v3: Change the docs to explicitly mention text code section alignment requirements. Invert arch_livepatch_verify_alignment return value (true for alignment is ok). Drop the alignment check in check_special_sections. Make the alignment check in check_section only for executable sections. Rewrote the commit message as it is not applicable to v2 of the patch anymore. --- docs/misc/livepatch.markdown | 2 ++ xen/arch/arm/arm32/livepatch.c | 22 ++++++++++++++++++++-- xen/arch/arm/arm64/livepatch.c | 6 ++++++ xen/arch/x86/livepatch.c | 6 ++++++ xen/common/livepatch.c | 7 +++++++ xen/include/xen/livepatch.h | 1 + 6 files changed, 42 insertions(+), 2 deletions(-) diff --git a/docs/misc/livepatch.markdown b/docs/misc/livepatch.markdown index 54a6b850cb..505dc37cda 100644 --- a/docs/misc/livepatch.markdown +++ b/docs/misc/livepatch.markdown @@ -279,6 +279,8 @@ It may also have some architecture-specific sections. For example: * Exception tables. * Relocations for each of these sections. +Note that on ARM 32 the sections containing code MUST be four byte aligned. + The Xen Live Patch core code loads the payload as a standard ELF binary, relocates it and handles the architecture-specifc sections as needed. This process is much like what the Linux kernel module loader does. diff --git a/xen/arch/arm/arm32/livepatch.c b/xen/arch/arm/arm32/livepatch.c index 41378a54ae..10887ace81 100644 --- a/xen/arch/arm/arm32/livepatch.c +++ b/xen/arch/arm/arm32/livepatch.c 
@@ -112,6 +112,15 @@ bool arch_livepatch_symbol_deny(const struct livepatch_elf *elf, return false; } +bool arch_livepatch_verify_alignment(const struct livepatch_elf_sec *sec) +{ + if ( sec->sec->sh_flags & SHF_EXECINSTR && + ((uint32_t)sec->load_addr % sizeof(uint32_t)) ) + return false; + + return true; +}; + static s32 get_addend(unsigned char type, void *dest) { s32 addend = 0; @@ -233,7 +242,7 @@ int arch_livepatch_perform(struct livepatch_elf *elf, uint32_t val; void *dest; unsigned char type; - s32 addend; + s32 addend = 0; if ( use_rela ) { @@ -251,7 +260,6 @@ int arch_livepatch_perform(struct livepatch_elf *elf, symndx = ELF32_R_SYM(r->r_info); type = ELF32_R_TYPE(r->r_info); dest = base->load_addr + r->r_offset; /* P */ - addend = get_addend(type, dest); } if ( symndx == STN_UNDEF ) @@ -272,6 +280,16 @@ int arch_livepatch_perform(struct livepatch_elf *elf, elf->name, symndx); return -EINVAL; } + else if ( (type != R_ARM_ABS32 && type != R_ARM_REL32) /* Only check code. */ && + ((uint32_t)dest % sizeof(uint32_t)) ) + { + dprintk(XENLOG_ERR, LIVEPATCH "%s: dest=%p (%s) is not aligned properly!\n", + elf->name, dest, base->name); + return -EINVAL; + } + + if ( !use_rela ) + addend = get_addend(type, dest); val = elf->sym[symndx].sym->st_value; /* S */ diff --git a/xen/arch/arm/arm64/livepatch.c b/xen/arch/arm/arm64/livepatch.c index 2247b925a0..2728e2a125 100644 --- a/xen/arch/arm/arm64/livepatch.c +++ b/xen/arch/arm/arm64/livepatch.c @@ -86,6 +86,12 @@ bool arch_livepatch_symbol_deny(const struct livepatch_elf *elf, return false; } +bool arch_livepatch_verify_alignment(const struct livepatch_elf_sec *sec) +{ + /* Unaligned access on ARM 64 is OK. */ + return true; +} + enum aarch64_reloc_op { RELOC_OP_NONE, RELOC_OP_ABS, diff --git a/xen/arch/x86/livepatch.c b/xen/arch/x86/livepatch.c index 406eb910cc..48d20fdacd 100644 --- a/xen/arch/x86/livepatch.c +++ b/xen/arch/x86/livepatch.c 
@@ -148,6 +148,12 @@ bool arch_livepatch_symbol_deny(const struct livepatch_elf *elf, return false; } +bool arch_livepatch_verify_alignment(const struct livepatch_elf_sec *sec) +{ + /* Unaligned access on x86 is fine. */ + return true; +} + int arch_livepatch_perform_rel(struct livepatch_elf *elf, const struct livepatch_elf_sec *base, const struct livepatch_elf_sec *rela) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index c6ee95fbcf..dbab8a3f6f 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -473,6 +473,13 @@ static bool section_ok(const struct livepatch_elf *elf, return false; } + if ( !arch_livepatch_verify_alignment(sec) ) + { + dprintk(XENLOG_ERR, LIVEPATCH "%s: %s text section is not aligned properly!\n", + elf->name, sec->name); + return false; + } + return true; } diff --git a/xen/include/xen/livepatch.h b/xen/include/xen/livepatch.h index 98ec01216b..e9bab87f28 100644 --- a/xen/include/xen/livepatch.h +++ b/xen/include/xen/livepatch.h @@ -76,6 +76,7 @@ void arch_livepatch_init(void); #include int arch_livepatch_verify_func(const struct livepatch_func *func); +bool arch_livepatch_verify_alignment(const struct livepatch_elf_sec *sec); static inline unsigned int livepatch_insn_len(const struct livepatch_func *func) {
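Review bot: the added line in docs/misc/livepatch.markdown says the requirement applies to "ARM 32", while the commit message cites the ARM 32&64 ELF specification; state which architectures actually enforce the check so payload authors know what to expect, and hyphenate "four-byte aligned". The pre-existing typo "architecture-specifc" in the context line of the same hunk could be fixed while the file is being touched.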
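Review bot: the new arch_livepatch_verify_alignment() in xen/arch/arm/arm32/livepatch.c ends with `};`, a stray semicolon after the function body that is an empty declaration at file scope and should be dropped. The condition relies on `&` binding tighter than `&&`; writing the flag test as `(sec->sec->sh_flags & SHF_EXECINSTR)` makes the intent explicit. Also confirm that sec->load_addr is already populated when section_ok() calls this hook: if the address is still zero at that point the modulo test passes vacuously and the section check only ever bites at relocation time.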
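Review bot: the comment `/* Only check code. */` sits in the middle of the condition of the new `else if` in arch_livepatch_perform(), which makes the expression hard to read; move it to its own line above the branch and spell out that R_ARM_ABS32 and R_ARM_REL32 are the data relocations being exempted, e.g. `/* Data relocations may be unaligned; every other type we handle targets code. */`. Moving `addend = get_addend(type, dest)` below the alignment test is the substantive part of this hunk, since get_addend() reads from dest and would otherwise perform the unaligned access before it is rejected; a one-line comment next to `if ( !use_rela )` explaining that ordering would keep a future cleanup from moving it back into the REL branch.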
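Review bot: the arm64 arch_livepatch_verify_alignment() returns true unconditionally with the comment "Unaligned access on ARM 64 is OK", but the commit message cites the ARM 32&64 ELF specification for the 32-bit alignment of code sections; unaligned data access being permitted is a separate matter from the alignment of a section that will be executed. If the requirement applies to AArch64 as well, the same SHF_EXECINSTR test used in the arm32 hook belongs here; if it intentionally does not, the comment should say why, so the two hooks do not read as inconsistent.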
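Review bot: the error message added to section_ok() in xen/common/livepatch.c reports "%s text section is not aligned properly", but arch_livepatch_verify_alignment() is called for every section and nothing in the common code restricts it to text; the wording is only accurate because the arm32 hook happens to test SHF_EXECINSTR itself. Either make the message generic ("section is not aligned properly") or document in the hook's contract that only executable sections may be rejected.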
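Review bot: the new prototype in xen/include/xen/livepatch.h carries no comment stating its contract; since the v3 changelog inverted the return value, add a one-line comment such as `/* Returns true if the section's alignment is acceptable on this architecture. */` so callers and future arch implementations do not have to infer the polarity from the arm32 version.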