From patchwork Thu Apr 11 20:24:21 2019
X-Patchwork-Submitter: Joel Fernandes
X-Patchwork-Id: 10896767
From: "Joel Fernandes (Google)"
To: linux-kernel@vger.kernel.org
Cc: "Joel Fernandes (Google)", Rasmus Villemoes, paulmck@linux.vnet.ibm.com, rostedt@goodmis.org, mathieu.desnoyers@efficios.com, rcu@vger.kernel.org, kernel-hardening@lists.openwall.com, kernel-team@android.com, Josh Triplett, Lai Jiangshan, "Paul E. McKenney"
Subject: [PATCH] module: Make srcu_struct ptr array as read-only
Date: Thu, 11 Apr 2019 16:24:21 -0400
Message-Id: <20190411202421.131779-1-joel@joelfernandes.org>

Since commit title ("srcu: Allocate per-CPU data for DEFINE_SRCU() in modules"), modules that call DEFINE_{STATIC,}SRCU will have a new array of srcu_struct pointers, which is used by srcu code to initialize and clean up these structures and save valuable per-cpu reserved space.

There is no reason for this array of pointers to be writable, and it can cause security or other hidden bugs. Mark these as read-only after the module init has completed.

Tested with the following diff to ensure the array is not writable:

(diff is a bit reduced to avoid patch command getting confused)
a/kernel/module.c b/kernel/module.c -3506,6 +3506,14 static noinline int do_init_module [snip] rcu_assign_pointer(mod->kallsyms, &mod->core_kallsyms); #endif module_enable_ro(mod, true); + + if (mod->srcu_struct_ptrs) { + // Check if srcu_struct_ptrs access is possible + char x = *(char *)mod->srcu_struct_ptrs; + *(char *)mod->srcu_struct_ptrs = 0; + *(char *)mod->srcu_struct_ptrs = x; + } + mod_tree_remove_init(mod); disable_ro_nx(&mod->init_layout); module_arch_freeing_init(mod);

Cc: Rasmus Villemoes
Cc: paulmck@linux.vnet.ibm.com
Cc: rostedt@goodmis.org
Cc: mathieu.desnoyers@efficios.com
Cc: rcu@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com
Cc: kernel-team@android.com
Signed-off-by: Joel Fernandes (Google)
---
This single patch superseded the patches at:
https://lore.kernel.org/patchwork/patch/1060298/
https://lore.kernel.org/patchwork/patch/1060298/

include/linux/srcutree.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/srcutree.h b/include/linux/srcutree.h index 8af1824c46a8..9cfcc8a756ae 100644 --- a/include/linux/srcutree.h +++ b/include/linux/srcutree.h @@ -123,7 +123,7 @@ struct srcu_struct { #ifdef MODULE # define __DEFINE_SRCU(name, is_static) \ is_static struct srcu_struct name; \ - struct srcu_struct *__srcu_struct_##name \ + struct srcu_struct * const __srcu_struct_##name \ __section("___srcu_struct_ptrs") = &name #else # define __DEFINE_SRCU(name, is_static) \
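
Review bot: the `* const` added to `__srcu_struct_##name` in the `#ifdef MODULE` branch makes every object in `___srcu_struct_ptrs` depend on being const, because GCC rejects a named section that receives both const and non-const objects with a section type conflict. The hunk shows only this one definition, so please confirm that nothing else is placed in that section without the qualifier. The commit message also says the array is marked read-only "after the module init has completed", while the visible change is a compile-time qualifier; one sentence on how the const section ends up covered by module_enable_ro() would tie the change to the test diff, and stating the observed result of that test (the write faulting) would complete it. Finally, "Since commit title (...)" reads like an unfilled placeholder and should carry the abbreviated commit id of the referenced change.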