From patchwork Wed Apr 10 01:14:17 2019
X-Patchwork-Submitter: Joel Fernandes
X-Patchwork-Id: 10892905
From: "Joel Fernandes (Google)"
To: linux-kernel@vger.kernel.org
Cc: "Joel Fernandes (Google)", paulmck@linux.vnet.ibm.com, rostedt@goodmis.org, mathieu.desnoyers@efficios.com, rcu@vger.kernel.org, kernel-hardening@lists.openwall.com, kernel-team@android.com, keescook@chromium.org, Jessica Yu
Subject: [PATCH 1/2] module: Prepare for addition of new ro_after_init sections
Date: Tue, 9 Apr 2019 21:14:17 -0400
Message-Id: <20190410011418.76408-1-joel@joelfernandes.org>

For the purposes of hardening modules by adding sections to ro_after_init sections, prepare for addition of new ro_after_init entries which we do in future patches. Create a table to which new entries could be added later. This makes it less error prone and reduces code duplication.

Cc: paulmck@linux.vnet.ibm.com
Cc: rostedt@goodmis.org
Cc: mathieu.desnoyers@efficios.com
Cc: rcu@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com
Cc: kernel-team@android.com
Suggested-by: keescook@chromium.org
Signed-off-by: Joel Fernandes (Google) --- kernel/module.c | 42 ++++++++++++++++++++++++------------------ 1 file changed, 24 insertions(+), 18 deletions(-) diff --git a/kernel/module.c b/kernel/module.c index 524da609c884..f9221381d076 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -3300,11 +3300,28 @@ static bool blacklisted(const char *module_name) } core_param(module_blacklist, module_blacklist, charp, 0400); +/* + * Mark ro_after_init section with SHF_RO_AFTER_INIT so that + * layout_sections() can put it in the right place. + * Note: ro_after_init sections also have SHF_{WRITE,ALLOC} set. + */ +static char *ro_after_init_sections[] = { + ".data..ro_after_init", + + /* + * __jump_table structures are never modified, with the exception of + * entries that refer to code in the __init section, which are + * annotated as such at module load time. + */ + "__jump_table", + NULL +}; + static struct module *layout_and_allocate(struct load_info *info, int flags) { struct module *mod; unsigned int ndx; - int err; + int err, i; err = check_modinfo(info->mod, info, flags); if (err) 
@@ -3319,23 +3336,12 @@ static struct module *layout_and_allocate(struct load_info *info, int flags) /* We will do a special allocation for per-cpu sections later. */ info->sechdrs[info->index.pcpu].sh_flags &= ~(unsigned long)SHF_ALLOC; - /* - * Mark ro_after_init section with SHF_RO_AFTER_INIT so that - * layout_sections() can put it in the right place. - * Note: ro_after_init sections also have SHF_{WRITE,ALLOC} set. - */ - ndx = find_sec(info, ".data..ro_after_init"); - if (ndx) - info->sechdrs[ndx].sh_flags |= SHF_RO_AFTER_INIT; - /* - * Mark the __jump_table section as ro_after_init as well: these data - * structures are never modified, with the exception of entries that - * refer to code in the __init section, which are annotated as such - * at module load time. - */ - ndx = find_sec(info, "__jump_table"); - if (ndx) - info->sechdrs[ndx].sh_flags |= SHF_RO_AFTER_INIT; + /* Set sh_flags for read-only after init sections */ + for (i = 0; ro_after_init_sections[i]; i++) { + ndx = find_sec(info, ro_after_init_sections[i]); + if (ndx) + info->sechdrs[ndx].sh_flags |= SHF_RO_AFTER_INIT; + } /* Determine total sizes, and put offsets in sh_entsize. 
For now this is done generically; there doesn't appear to be any
From patchwork Wed Apr 10 01:14:18 2019
X-Patchwork-Submitter: Joel Fernandes
X-Patchwork-Id: 10892907
From: "Joel Fernandes (Google)" To: linux-kernel@vger.kernel.org Cc: "Joel Fernandes (Google)" , paulmck@linux.vnet.ibm.com, keescook@chromium.org, Jessica Yu , kernel-hardening@lists.openwall.com, kernel-team@android.com, mathieu.desnoyers@efficios.com, rcu@vger.kernel.org, rostedt@goodmis.org Subject: [PATCH 2/2] module: Make srcu_struct ptr array as read-only post init Date: Tue, 9 Apr 2019 21:14:18 -0400 Message-Id: <20190410011418.76408-2-joel@joelfernandes.org> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog In-Reply-To: <20190410011418.76408-1-joel@joelfernandes.org> References: <20190410011418.76408-1-joel@joelfernandes.org> MIME-Version: 1.0 X-Virus-Scanned: ClamAV using ClamSMTP Since commit title ("srcu: Allocate per-CPU data for DEFINE_SRCU() in modules"), modules that call DEFINE_{STATIC,}SRCU will have a new array of srcu_struct pointers which is used by srcu code to initialize and clean up these structures. There is no reason for this array of pointers to be writable, and can cause security or other hidden bugs. Mark these are read-only after the module init has completed. Suggested-by: paulmck@linux.vnet.ibm.com Suggested-by: keescook@chromium.org Signed-off-by: Joel Fernandes (Google) Acked-by: Steven Rostedt (VMware) --- kernel/module.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/kernel/module.c b/kernel/module.c index f9221381d076..ed1f2612aebc 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -3301,7 +3301,7 @@ static bool blacklisted(const char *module_name) core_param(module_blacklist, module_blacklist, charp, 0400); /* - * Mark ro_after_init section with SHF_RO_AFTER_INIT so that + * These are section names marked with SHF_RO_AFTER_INIT so that * layout_sections() can put it in the right place. * Note: ro_after_init sections also have SHF_{WRITE,ALLOC} set. */ 
@@ -3314,6 +3314,13 @@ static char *ro_after_init_sections[] = { * annotated as such at module load time. */ "__jump_table", + + /* + * Used for SRCU structures which need to be initialized/cleaned up + * by the SRCU notifiers + */ + "___srcu_struct_ptrs", + NULL };
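Review bot: In [PATCH 1/2], first hunk, the new table is declared `static char *ro_after_init_sections[]`, which leaves both the pointer array and the strings it points at writable, although the only visible user is the read-only loop in layout_and_allocate(). Declaring it `static const char * const ro_after_init_sections[]` would keep the table that decides which sections get SHF_RO_AFTER_INIT out of writable data. This assumes find_sec() accepts a const name, as the string-literal calls being removed suggest.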
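Review bot: In [PATCH 1/2], second hunk, the loop `for (i = 0; ro_after_init_sections[i]; i++)` depends on the trailing NULL sentinel, so an entry appended after NULL by a later patch would be skipped without any warning and its section would stay writable. Iterating up to ARRAY_SIZE(ro_after_init_sections) and dropping the sentinel removes that failure mode. The per-section rationale that used to sit next to each find_sec() call now lives only in the table, so the one-line comment here could point readers at ro_after_init_sections[].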
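Review bot: In [PATCH 2/2], first hunk, the reworded comment now has a plural subject with a singular pronoun: "These are section names marked with SHF_RO_AFTER_INIT so that layout_sections() can put it in the right place". Suggest "put them in the right place", or keep the original sentence from patch 1/2, since the array holds names and it is the sections, not the names, that get the flag.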
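Review bot: In [PATCH 2/2], second hunk, the section is matched by the bare string literal "___srcu_struct_ptrs" (three leading underscores), and the loop added in patch 1/2 skips any name for which find_sec() returns 0, so a mismatch with the name the SRCU code emits would silently leave the pointer array writable. Consider sharing the name with the SRCU side through a common definition, or at least stating in the comment where the section is created. The comment also says what the section is used for but not why it is safe to make read-only after init, which the __jump_table entry above it does explain.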