From patchwork Wed Apr 10 19:08:21 2019
X-Patchwork-Submitter: Joel Fernandes
X-Patchwork-Id: 10894537
From: "Joel Fernandes (Google)"
To: linux-kernel@vger.kernel.org
Cc: "Joel Fernandes (Google)", paulmck@linux.vnet.ibm.com, rostedt@goodmis.org, mathieu.desnoyers@efficios.com, rcu@vger.kernel.org, kernel-hardening@lists.openwall.com, kernel-team@android.com, keescook@chromium.org, Jessica Yu
Subject: [PATCH v2 1/3] module: Prepare for addition of new ro_after_init sections
Date: Wed, 10 Apr 2019 15:08:21 -0400
Message-Id: <20190410190823.109172-1-joel@joelfernandes.org>

For the purposes of hardening modules by adding sections to ro_after_init sections, prepare for addition of new ro_after_init entries which we do in future patches. Create a table to which new entries could be added later. This makes it less error prone and reduces code duplication.

Cc: paulmck@linux.vnet.ibm.com
Cc: rostedt@goodmis.org
Cc: mathieu.desnoyers@efficios.com
Cc: rcu@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com
Cc: kernel-team@android.com
Suggested-by: keescook@chromium.org
Reviewed-by: keescook@chromium.org
Acked-by: rostedt@goodmis.org
Signed-off-by: Joel Fernandes (Google) --- kernel/module.c | 41 +++++++++++++++++++++++------------------ 1 file changed, 23 insertions(+), 18 deletions(-) diff --git a/kernel/module.c b/kernel/module.c index 524da609c884..1acddb93282a 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -3300,11 +3300,27 @@ static bool blacklisted(const char *module_name) } core_param(module_blacklist, module_blacklist, charp, 0400); +/* + * Mark ro_after_init section with SHF_RO_AFTER_INIT so that + * layout_sections() can put it in the right place. + * Note: ro_after_init sections also have SHF_{WRITE,ALLOC} set. + */ +static char *ro_after_init_sections[] = { + ".data..ro_after_init", + + /* + * __jump_table structures are never modified, with the exception of + * entries that refer to code in the __init section, which are + * annotated as such at module load time. + */ + "__jump_table", +}; + static struct module *layout_and_allocate(struct load_info *info, int flags) { struct module *mod; unsigned int ndx; - int err; + int err, i; err = check_modinfo(info->mod, info, flags); if (err) 
@@ -3319,23 +3335,12 @@ static struct module *layout_and_allocate(struct load_info *info, int flags) /* We will do a special allocation for per-cpu sections later. */ info->sechdrs[info->index.pcpu].sh_flags &= ~(unsigned long)SHF_ALLOC; - /* - * Mark ro_after_init section with SHF_RO_AFTER_INIT so that - * layout_sections() can put it in the right place. - * Note: ro_after_init sections also have SHF_{WRITE,ALLOC} set. - */ - ndx = find_sec(info, ".data..ro_after_init"); - if (ndx) - info->sechdrs[ndx].sh_flags |= SHF_RO_AFTER_INIT; - /* - * Mark the __jump_table section as ro_after_init as well: these data - * structures are never modified, with the exception of entries that - * refer to code in the __init section, which are annotated as such - * at module load time. - */ - ndx = find_sec(info, "__jump_table"); - if (ndx) - info->sechdrs[ndx].sh_flags |= SHF_RO_AFTER_INIT; + /* Set sh_flags for read-only after init sections */ + for (i = 0; ro_after_init_sections[i]; i++) { + ndx = find_sec(info, ro_after_init_sections[i]); + if (ndx) + info->sechdrs[ndx].sh_flags |= SHF_RO_AFTER_INIT; + } /* Determine total sizes, and put offsets in sh_entsize. 
For now this is done generically; there doesn't appear to be any

From patchwork Wed Apr 10 19:08:22 2019
X-Patchwork-Submitter: Joel Fernandes
X-Patchwork-Id: 10894539
From: "Joel Fernandes (Google)"
To: linux-kernel@vger.kernel.org
Cc: "Joel Fernandes (Google)", paulmck@linux.vnet.ibm.com, keescook@chromium.org, Jessica Yu, kernel-hardening@lists.openwall.com, kernel-team@android.com, mathieu.desnoyers@efficios.com, rcu@vger.kernel.org, rostedt@goodmis.org
Subject: [PATCH v2 2/3] module: Make srcu_struct ptr array as read-only post init
Date: Wed, 10 Apr 2019 15:08:22 -0400
Message-Id: <20190410190823.109172-2-joel@joelfernandes.org>
In-Reply-To: <20190410190823.109172-1-joel@joelfernandes.org>
References: <20190410190823.109172-1-joel@joelfernandes.org>

Since commit title ("srcu: Allocate per-CPU data for DEFINE_SRCU() in modules"), modules that call DEFINE_{STATIC,}SRCU will have a new array of srcu_struct pointers which is used by srcu code to initialize and clean up these structures.

There is no reason for this array of pointers to be writable, and can cause security or other hidden bugs. Mark these as read-only after the module init has completed.

Suggested-by: paulmck@linux.vnet.ibm.com
Suggested-by: keescook@chromium.org
Acked-by: keescook@chromium.org
Signed-off-by: Joel Fernandes (Google)
--- kernel/module.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/kernel/module.c b/kernel/module.c index 1acddb93282a..8b9631e789f0 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -3305,7 +3305,7 @@ core_param(module_blacklist, module_blacklist, charp, 0400); * layout_sections() can put it in the right place. * Note: ro_after_init sections also have SHF_{WRITE,ALLOC} set. */ -static char *ro_after_init_sections[] = { +static const char * const ro_after_init_sections[] = { ".data..ro_after_init", /* 
@@ -3314,6 +3314,12 @@ static char *ro_after_init_sections[] = { * annotated as such at module load time. */ "__jump_table", + + /* + * Used for SRCU structures which need to be initialized/cleaned up + * by the SRCU notifiers + */ + "___srcu_struct_ptrs", }; static struct module *layout_and_allocate(struct load_info *info, int flags) 
@@ -3336,7 +3342,7 @@ static struct module *layout_and_allocate(struct load_info *info, int flags) info->sechdrs[info->index.pcpu].sh_flags &= ~(unsigned long)SHF_ALLOC; /* Set sh_flags for read-only after init sections */ - for (i = 0; ro_after_init_sections[i]; i++) { + for (i = 0; i < ARRAY_SIZE(ro_after_init_sections); i++) { ndx = find_sec(info, ro_after_init_sections[i]); if (ndx) info->sechdrs[ndx].sh_flags |= SHF_RO_AFTER_INIT;

From patchwork Wed Apr 10 19:08:23 2019
X-Patchwork-Submitter: Joel Fernandes
X-Patchwork-Id: 10894541
From: "Joel Fernandes (Google)"
To: linux-kernel@vger.kernel.org
Cc: "Joel Fernandes (Google)", paulmck@linux.vnet.ibm.com, keescook@chromium.org, mathieu.desnoyers@efficios.com, rostedt@goodmis.org, Jessica Yu, kernel-hardening@lists.openwall.com, kernel-team@android.com, rcu@vger.kernel.org
Subject: [PATCH v2 3/3] module: Make __tracepoints_ptrs as read-only
Date: Wed, 10 Apr 2019 15:08:23 -0400
Message-Id: <20190410190823.109172-3-joel@joelfernandes.org>
In-Reply-To: <20190410190823.109172-1-joel@joelfernandes.org>
References: <20190410190823.109172-1-joel@joelfernandes.org>

This series hardens the tracepoints in modules by making the array of pointers referring to the tracepoints as read-only. This array is needed during module unloading to verify that the tracepoint is quiescent. There is no reason for the array to be writable after init, and can cause security or other hidden bugs. Mark these as ro_after_init.

Suggested-by: paulmck@linux.vnet.ibm.com
Suggested-by: keescook@chromium.org
Suggested-by: mathieu.desnoyers@efficios.com
Cc: rostedt@goodmis.org
Signed-off-by: Joel Fernandes (Google)
--- kernel/module.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kernel/module.c b/kernel/module.c index 8b9631e789f0..be980aaa8804 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -3320,6 +3320,12 @@ static const char * const ro_after_init_sections[] = { * by the SRCU notifiers */ "___srcu_struct_ptrs", + + /* + * Array of tracepoint pointers used for checking if tracepoints are + * quiescent during unloading. + */ + "__tracepoints_ptrs", }; static struct module *layout_and_allocate(struct load_info *info, int flags)
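
Review bot: In [PATCH v2 1/3], first hunk, the table is declared `static char *ro_after_init_sections[]`, which leaves both the array and its element pointers writable even though nothing in the patch modifies them. Since this table decides which sections receive SHF_RO_AFTER_INIT, declare it `static const char * const ro_after_init_sections[]` in this patch; as posted, that qualifier only arrives in 2/3.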
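
Review bot: In [PATCH v2 1/3], second hunk, the loop `for (i = 0; ro_after_init_sections[i]; i++)` stops only on a NULL entry, but the table added in the first hunk ends at `"__jump_table",` with no NULL sentinel, so the loop reads past the end of the array and hands whatever follows to find_sec(). Either terminate the table with NULL or bound the loop with ARRAY_SIZE() in this patch, so that 1/3 is correct on its own when bisecting.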
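
Review bot: In [PATCH v2 2/3], second hunk, the new entry `"___srcu_struct_ptrs"` is written with three leading underscores, and a name that matches no section is skipped silently by the `if (ndx)` test in the loop, which would leave the array writable with no diagnostic. Please confirm the string against the section name used where the SRCU pointer array is emitted, and name that definition in the comment so the two stay in sync.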
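
Review bot: In [PATCH v2 2/3], third hunk, `i < ARRAY_SIZE(ro_after_init_sections)` compares `i`, which 1/3 declared as `int` (`int err, i;`), against an unsigned size; make `i` an `unsigned int`. This hunk and the const change in the first hunk also repair the table and loop introduced in 1/3 and are not mentioned in the commit message, so they belong in 1/3 rather than in the SRCU change.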
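
Review bot: In [PATCH v2 3/3], the comment added above `"__tracepoints_ptrs"` says what the array is used for but not why it is safe to write-protect, unlike the `__jump_table` comment, which states that the entries are never modified. Add a sentence stating that nothing writes to the array once module init has completed. The subject line says "read-only" while the entry goes into the ro_after_init table, so "read-only after init" would match the wording of 2/3.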