Date:   Sat, 4 Sep 2021 07:40:08 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Josh Poimboeuf <jpoimboe@...hat.com>
Cc:     Arnd Bergmann <arnd@...db.de>, Jessica Yu <jeyu@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        linux-arch@...r.kernel.org, Heiko Carstens <hca@...ux.ibm.com>,
        Vasily Gorbik <gor@...ux.ibm.com>,
        Christian Borntraeger <borntraeger@...ibm.com>,
        Alexander Egorenkov <egorenar@...ux.ibm.com>,
        Sven Schnelle <svens@...ux.ibm.com>,
        Ilya Leoshkevich <iii@...ux.ibm.com>,
        "Steven Rostedt (VMware)" <rostedt@...dmis.org>,
        Ingo Molnar <mingo@...nel.org>,
        Sami Tolvanen <samitolvanen@...gle.com>,
        linux-kernel@...r.kernel.org, linux-s390@...r.kernel.org,
        linux-hardening@...r.kernel.org,
        Sean Christopherson <seanjc@...gle.com>
Subject: Re: [PATCH 3/4] module: Use a list of strings for ro_after_init
 sections

On Fri, Sep 03, 2021 at 09:09:03PM -0700, Josh Poimboeuf wrote:
> On Fri, Sep 03, 2021 at 09:38:42AM -0700, Kees Cook wrote:
> > On Thu, Sep 02, 2021 at 11:49:51PM -0700, Josh Poimboeuf wrote:
> > > On Wed, Sep 01, 2021 at 04:37:56PM -0700, Kees Cook wrote:
> > > > Instead of open-coding the section names, use a list for the sections that
> > > > need to be marked read-only after init. Unfortunately, it seems we can't
> > > > do normal section merging with scripts/module.lds.S as ld.bfd doesn't
> > > > correctly update symbol tables. For more details, see commit 6a3193cdd5e5
> > > > ("kbuild: lto: Merge module sections if and only if CONFIG_LTO_CLANG
> > > > is enabled").
> > > 
> > > I'm missing what this has to do with section merging.  Can you connect
> > > the dots here, i.e. what sections would we want to merge and how would
> > > that help here?
> > 
> > Right, sorry, if ld.bfd didn't have this issue, we could use section
> > merging in the module.lds.S file the way we do in vmlinux.lds:
> > 
> > #ifndef RO_AFTER_INIT_DATA
> > #define RO_AFTER_INIT_DATA                                              \
> >         . = ALIGN(8);                                                   \
> >         __start_ro_after_init = .;                                      \
> >         *(.data..ro_after_init)                                         \
> >         JUMP_TABLE_DATA                                                 \
> >         STATIC_CALL_DATA                                                \
> >         __end_ro_after_init = .;
> > #endif
> > ...
> >         . = ALIGN((align));                                             \
> >         .rodata           : AT(ADDR(.rodata) - LOAD_OFFSET) {           \
> >                 __start_rodata = .;                                     \
> >                 *(.rodata) *(.rodata.*)                                 \
> >                 SCHED_DATA                                              \
> >                 RO_AFTER_INIT_DATA      /* Read only after init */      \
> >                 . = ALIGN(8);                                           \
> >                 __start___tracepoints_ptrs = .;                         \
> >                 KEEP(*(__tracepoints_ptrs)) /* Tracepoints: pointer array */ \
> >                 __stop___tracepoints_ptrs = .;                          \
> >                 *(__tracepoints_strings)/* Tracepoints: strings */      \
> >         }                                                               \
> > 
> > Then jump_table and static_call sections could be collected into a
> > new section, as the module loader would only need to look for that
> > single name.
> 
> Hm, that could be a really nice way to converge things for vmlinux and
> module linking.

Agreed! I had really wanted to do more of this, but was stumped by the
weird symbol behavior.

> After some digging, 6a3193cdd5e5 isn't necessarily a linker bug.  It may
> be some kind of undefined behavior when the section address isn't
> specified.  If you just explicitly set the section address to zero then
> the "bug" goes away.

Well that's a nice find! I'll play more with this to see if I can make a
cleaner solution.

Thanks!

-Kees

> 
> diff --git a/scripts/module.lds.S b/scripts/module.lds.S
> index 04c5685c25cf..80b09b7d405c 100644
> --- a/scripts/module.lds.S
> +++ b/scripts/module.lds.S
> @@ -30,23 +30,22 @@ SECTIONS {
>  
>  	__patchable_function_entries : { *(__patchable_function_entries) }
>  
> -#ifdef CONFIG_LTO_CLANG
>  	/*
>  	 * With CONFIG_LTO_CLANG, LLD always enables -fdata-sections and
>  	 * -ffunction-sections, which increases the size of the final module.
>  	 * Merge the split sections in the final binary.
>  	 */
> -	.bss : {
> +	.bss 0 : {
>  		*(.bss .bss.[0-9a-zA-Z_]*)
>  		*(.bss..L*)
>  	}
>  
> -	.data : {
> +	.data 0 : {
>  		*(.data .data.[0-9a-zA-Z_]*)
>  		*(.data..L*)
>  	}
>  
> -	.rodata : {
> +	.rodata 0 : {
>  		*(.rodata .rodata.[0-9a-zA-Z_]*)
>  		*(.rodata..L*)
>  	}
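
Review bot: The comment kept above `.bss 0 : {` still explains the merge as a CONFIG_LTO_CLANG / LLD matter, but with the `#ifdef CONFIG_LTO_CLANG` line removed these output sections now apply to every module link, so the comment no longer matches the code. Please reword it to describe the unconditional merge, and add a sentence saying why `.bss`, `.data` and `.rodata` are given an explicit address of `0`. As written the bare `0` looks arbitrary, and nothing in the script tells a later reader that it is there to avoid the symbol behavior discussed for commit 6a3193cdd5e5.
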
> @@ -55,11 +54,10 @@ SECTIONS {
>  	 * With CONFIG_CFI_CLANG, we assume __cfi_check is at the beginning
>  	 * of the .text section, and is aligned to PAGE_SIZE.
>  	 */
> -	.text : ALIGN_CFI {
> +	.text 0 : ALIGN_CFI {
>  		*(.text.__cfi_check)
>  		*(.text .text.[0-9a-zA-Z_]* .text..L.cfi*)
>  	}
> -#endif
>  }
>  
>  /* bring in arch-specific sections */
> 
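
Review bot: With the `#endif` dropped, `.text 0 : ALIGN_CFI {` and the `*(.text.__cfi_check)` input line are used for all configurations, while the comment above them still states an assumption that is scoped to "With CONFIG_CFI_CLANG". ALIGN_CFI is not defined in this hunk, so please confirm it expands to nothing when CFI is off and say so in the comment. Because this also makes the merge of `.text.[0-9a-zA-Z_]*` unconditional, which reverses the "if and only if CONFIG_LTO_CLANG is enabled" condition from 6a3193cdd5e5, the patch should carry a commit message stating which linker and config combinations were checked, ld.bfd without LTO in particular.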

-- 
Kees Cook
