lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 27 Aug 2019 17:37:18 +0200
From:   Jessica Yu <jeyu@...nel.org>
To:     Matthias Maennich <maennich@...gle.com>
Cc:     linux-kernel@...r.kernel.org, kernel-team@...roid.com,
        arnd@...db.de, geert@...ux-m68k.org, gregkh@...uxfoundation.org,
        hpa@...or.com, joel@...lfernandes.org,
        kstewart@...uxfoundation.org, linux-arch@...r.kernel.org,
        linux-kbuild@...r.kernel.org, linux-m68k@...ts.linux-m68k.org,
        linux-modules@...r.kernel.org, linux-scsi@...r.kernel.org,
        linux-usb@...r.kernel.org, lucas.de.marchi@...il.com,
        maco@...roid.com, maco@...gle.com, michal.lkml@...kovi.net,
        mingo@...hat.com, oneukum@...e.com, pombredanne@...b.com,
        sam@...nborg.org, sspatil@...gle.com, stern@...land.harvard.edu,
        tglx@...utronix.de, usb-storage@...ts.one-eyed-alien.net,
        x86@...nel.org, yamada.masahiro@...ionext.com,
        Michael Ellerman <mpe@...erman.id.au>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Ard Biesheuvel <ard.biesheuvel@...aro.org>
Subject: Re: [PATCH v3 03/11] module: add support for symbol namespaces.

+++ Matthias Maennich [21/08/19 12:49 +0100]:
>The EXPORT_SYMBOL_NS() and EXPORT_SYMBOL_NS_GPL() macros can be used to
>export a symbol to a specific namespace.  There are no _GPL_FUTURE and
>_UNUSED variants because these are currently unused, and I'm not sure
>they are necessary.
>
>I didn't add EXPORT_SYMBOL_NS() for ASM exports; this patch sets the
>namespace of ASM exports to NULL by default. In case of relative
>references, it will be relocatable to NULL. If there's a need, this
>should be pretty easy to add.
>
>A module that wants to use a symbol exported to a namespace must add a
>MODULE_IMPORT_NS() statement to their module code; otherwise, modpost
>will complain when building the module, and the kernel module loader
>will emit an error and fail when loading the module.
>
>MODULE_IMPORT_NS() adds a modinfo tag 'import_ns' to the module. That
>tag can be observed by the modinfo command, modpost and kernel/module.c
>at the time of loading the module.
>
>The ELF symbols are renamed to include the namespace with an asm label;
>for example, symbol 'usb_stor_suspend' in namespace USB_STORAGE becomes
>'usb_stor_suspend.USB_STORAGE'.  This allows modpost to do namespace
>checking, without having to go through all the effort of parsing ELF and
>relocation records just to get to the struct kernel_symbols.
>
>On x86_64 I saw no difference in binary size (compression), but at
>runtime this will require a word of memory per export to hold the
>namespace. An alternative could be to store namespaced symbols in their
>own section and use a separate 'struct namespaced_kernel_symbol' for
>that section, at the cost of making the module loader more complex.
>
>Co-developed-by: Martijn Coenen <maco@...roid.com>
>Signed-off-by: Martijn Coenen <maco@...roid.com>
>Reviewed-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
>Signed-off-by: Matthias Maennich <maennich@...gle.com>
>---
> include/asm-generic/export.h |  6 +--
> include/linux/export.h       | 85 ++++++++++++++++++++++++++++++------
> include/linux/module.h       |  2 +
> kernel/module.c              | 43 ++++++++++++++++++
> 4 files changed, 120 insertions(+), 16 deletions(-)
>
>diff --git a/include/asm-generic/export.h b/include/asm-generic/export.h
>index 63f54907317b..e2b5d0f569d3 100644
>--- a/include/asm-generic/export.h
>+++ b/include/asm-generic/export.h
>@@ -17,11 +17,11 @@
>
> .macro __put, val, name
> #ifdef CONFIG_HAVE_ARCH_PREL32_RELOCATIONS
>-	.long	\val - ., \name - .
>+	.long	\val - ., \name - ., 0 - .
> #elif defined(CONFIG_64BIT)
>-	.quad	\val, \name
>+	.quad	\val, \name, 0
> #else
>-	.long	\val, \name
>+	.long	\val, \name, 0
> #endif
> .endm
>
>diff --git a/include/linux/export.h b/include/linux/export.h
>index 28a4d2150689..8e12e05444d1 100644
>--- a/include/linux/export.h
>+++ b/include/linux/export.h
>@@ -20,6 +20,8 @@ extern struct module __this_module;
>
> #ifdef CONFIG_MODULES
>
>+#define NS_SEPARATOR "."
>+
> #if defined(__KERNEL__) && !defined(__GENKSYMS__)
> #ifdef CONFIG_MODVERSIONS
> /* Mark the CRC weak since genksyms apparently decides not to
>@@ -49,6 +51,16 @@ extern struct module __this_module;
>  * absolute relocations that require runtime processing on relocatable
>  * kernels.
>  */
>+#define __KSYMTAB_ENTRY_NS(sym, sec, ns)				\
>+	__ADDRESSABLE(sym)						\
>+	asm("	.section \"___ksymtab" sec "+" #sym "\", \"a\"	\n"	\
>+	    "	.balign	4					\n"	\
>+	    "__ksymtab_" #sym NS_SEPARATOR #ns ":		\n"	\
>+	    "	.long	" #sym "- .				\n"	\
>+	    "	.long	__kstrtab_" #sym "- .			\n"	\
>+	    "	.long	__kstrtab_ns_" #sym "- .		\n"	\
>+	    "	.previous					\n")
>+
> #define __KSYMTAB_ENTRY(sym, sec)					\
> 	__ADDRESSABLE(sym)						\
> 	asm("	.section \"___ksymtab" sec "+" #sym "\", \"a\"	\n"	\
>@@ -56,32 +68,53 @@ extern struct module __this_module;
> 	    "__ksymtab_" #sym ":				\n"	\
> 	    "	.long	" #sym "- .				\n"	\
> 	    "	.long	__kstrtab_" #sym "- .			\n"	\
>+	    "	.long	0 - .					\n"	\
> 	    "	.previous					\n")
>
> struct kernel_symbol {
> 	int value_offset;
> 	int name_offset;
>+	int namespace_offset;
> };
> #else
>+#define __KSYMTAB_ENTRY_NS(sym, sec, ns)				\
>+	static const struct kernel_symbol __ksymtab_##sym##__##ns	\
>+	asm("__ksymtab_" #sym NS_SEPARATOR #ns)				\
>+	__attribute__((section("___ksymtab" sec "+" #sym), used))	\
>+	__aligned(sizeof(void *))					\
>+	= { (unsigned long)&sym, __kstrtab_##sym, __kstrtab_ns_##sym}

Style nit: missing space after __kstrtab_ns_##sym.

>+
> #define __KSYMTAB_ENTRY(sym, sec)					\
> 	static const struct kernel_symbol __ksymtab_##sym		\
>+	asm("__ksymtab_" #sym)						\
> 	__attribute__((section("___ksymtab" sec "+" #sym), used))	\
> 	__aligned(sizeof(void *))					\
>-	= { (unsigned long)&sym, __kstrtab_##sym }
>+	= { (unsigned long)&sym, __kstrtab_##sym, NULL }
>
> struct kernel_symbol {
> 	unsigned long value;
> 	const char *name;
>+	const char *namespace;
> };
> #endif
>
>-/* For every exported symbol, place a struct in the __ksymtab section */
>-#define ___EXPORT_SYMBOL(sym, sec)					\
>+#define ___export_symbol_common(sym, sec)				\
> 	extern typeof(sym) sym;						\
> 	__CRC_SYMBOL(sym, sec)						\
> 	static const char __kstrtab_##sym[]				\
> 	__attribute__((section("__ksymtab_strings"), used, aligned(1)))	\
>-	= #sym;								\
>+	= #sym								\

Any particular reason for this change? Not that it's important, just
noticing the inconsistent inclusion of the semicolon in some of the
macros (e.g. __CRC_SYMBOL includes it but __export_symbol_common doesn't).

>+
>+/* For every exported symbol, place a struct in the __ksymtab section */
>+#define ___EXPORT_SYMBOL_NS(sym, sec, ns)				\
>+	___export_symbol_common(sym, sec);			\
>+	static const char __kstrtab_ns_##sym[]				\
>+	__attribute__((section("__ksymtab_strings"), used, aligned(1)))	\
>+	= #ns;								\
>+	__KSYMTAB_ENTRY_NS(sym, sec, ns)
>+
>+#define ___EXPORT_SYMBOL(sym, sec)					\
>+	___export_symbol_common(sym, sec);				\
> 	__KSYMTAB_ENTRY(sym, sec)
>
> #if defined(__DISABLE_EXPORTS)
>@@ -91,6 +124,7 @@ struct kernel_symbol {
>  * be reused in other execution contexts such as the UEFI stub or the
>  * decompressor.
>  */
>+#define __EXPORT_SYMBOL_NS(sym, sec, ns)
> #define __EXPORT_SYMBOL(sym, sec)
>
> #elif defined(CONFIG_TRIM_UNUSED_KSYMS)
>@@ -117,18 +151,26 @@ struct kernel_symbol {
> #define __cond_export_sym_1(sym, sec) ___EXPORT_SYMBOL(sym, sec)
> #define __cond_export_sym_0(sym, sec) /* nothing */
>
>+#define __EXPORT_SYMBOL_NS(sym, sec, ns)				\
>+	__ksym_marker(sym);						\
>+	__cond_export_ns_sym(sym, sec, ns, __is_defined(__KSYM_##sym))
>+#define __cond_export_ns_sym(sym, sec, ns, conf)			\
>+	___cond_export_ns_sym(sym, sec, ns, conf)
>+#define ___cond_export_ns_sym(sym, sec, ns, enabled)			\
>+	__cond_export_ns_sym_##enabled(sym, sec, ns)
>+#define __cond_export_ns_sym_1(sym, sec, ns) ___EXPORT_SYMBOL_NS(sym, sec, ns)
>+#define __cond_export_ns_sym_0(sym, sec, ns) /* nothing */
>+
> #else
>+#define __EXPORT_SYMBOL_NS ___EXPORT_SYMBOL_NS
> #define __EXPORT_SYMBOL ___EXPORT_SYMBOL
> #endif
>
>-#define EXPORT_SYMBOL(sym)					\
>-	__EXPORT_SYMBOL(sym, "")
>-
>-#define EXPORT_SYMBOL_GPL(sym)					\
>-	__EXPORT_SYMBOL(sym, "_gpl")
>-
>-#define EXPORT_SYMBOL_GPL_FUTURE(sym)				\
>-	__EXPORT_SYMBOL(sym, "_gpl_future")
>+#define EXPORT_SYMBOL(sym) __EXPORT_SYMBOL(sym, "")
>+#define EXPORT_SYMBOL_GPL(sym) __EXPORT_SYMBOL(sym, "_gpl")
>+#define EXPORT_SYMBOL_GPL_FUTURE(sym) __EXPORT_SYMBOL(sym, "_gpl_future")
>+#define EXPORT_SYMBOL_NS(sym, ns) __EXPORT_SYMBOL_NS(sym, "", ns)
>+#define EXPORT_SYMBOL_NS_GPL(sym, ns) __EXPORT_SYMBOL_NS(sym, "_gpl", ns)
>
> #ifdef CONFIG_UNUSED_SYMBOLS
> #define EXPORT_UNUSED_SYMBOL(sym) __EXPORT_SYMBOL(sym, "_unused")
>@@ -138,11 +180,28 @@ struct kernel_symbol {
> #define EXPORT_UNUSED_SYMBOL_GPL(sym)
> #endif
>
>-#endif	/* __GENKSYMS__ */
>+#endif	/* __KERNEL__ && !__GENKSYMS__ */
>+
>+#if defined(__GENKSYMS__)
>+/*
>+ * When we're running genksyms, ignore the namespace and make the _NS
>+ * variants look like the normal ones. There are two reasons for this:
>+ * 1) In the normal definition of EXPORT_SYMBOL_NS, the 'ns' macro
>+ *    argument is itself not expanded because it's always tokenized or
>+ *    concatenated; but when running genksyms, a blank definition of the
>+ *    macro does allow the argument to be expanded; if a namespace
>+ *    happens to collide with a #define, this can cause issues.
>+ * 2) There's no need to modify genksyms to deal with the _NS variants
>+ */
>+#define EXPORT_SYMBOL_NS(sym, ns) EXPORT_SYMBOL(sym)
>+#define EXPORT_SYMBOL_NS_GPL(sym, ns) EXPORT_SYMBOL_GPL(sym)
>+#endif
>
> #else /* !CONFIG_MODULES... */
>
> #define EXPORT_SYMBOL(sym)
>+#define EXPORT_SYMBOL_NS(sym, ns)
>+#define EXPORT_SYMBOL_NS_GPL(sym, ns)
> #define EXPORT_SYMBOL_GPL(sym)
> #define EXPORT_SYMBOL_GPL_FUTURE(sym)
> #define EXPORT_UNUSED_SYMBOL(sym)
>diff --git a/include/linux/module.h b/include/linux/module.h
>index 1455812dd325..b3611e749f72 100644
>--- a/include/linux/module.h
>+++ b/include/linux/module.h
>@@ -280,6 +280,8 @@ struct notifier_block;
>
> #ifdef CONFIG_MODULES
>
>+#define MODULE_IMPORT_NS(ns) MODULE_INFO(import_ns, #ns)
>+
> extern int modules_disabled; /* for sysctl */
> /* Get/put a kernel symbol (calls must be symmetric) */
> void *__symbol_get(const char *symbol);
>diff --git a/kernel/module.c b/kernel/module.c
>index a23067907169..57e8253f2251 100644
>--- a/kernel/module.c
>+++ b/kernel/module.c
>@@ -544,6 +544,15 @@ static const char *kernel_symbol_name(const struct kernel_symbol *sym)
> #endif
> }
>
>+static const char *kernel_symbol_namespace(const struct kernel_symbol *sym)
>+{
>+#ifdef CONFIG_HAVE_ARCH_PREL32_RELOCATIONS
>+	return offset_to_ptr(&sym->namespace_offset);
>+#else
>+	return sym->namespace;
>+#endif
>+}
>+
> static int cmp_name(const void *va, const void *vb)
> {
> 	const char *a;
>@@ -1379,6 +1388,34 @@ static inline int same_magic(const char *amagic, const char *bmagic,
> }
> #endif /* CONFIG_MODVERSIONS */
>
>+static char *get_modinfo(const struct load_info *info, const char *tag);
>+static char *get_next_modinfo(const struct load_info *info, const char *tag,
>+			      char *prev);
>+
>+static int verify_namespace_is_imported(const struct load_info *info,
>+					const struct kernel_symbol *sym,
>+					struct module *mod)
>+{
>+	const char *namespace;
>+	char *imported_namespace;
>+
>+	namespace = kernel_symbol_namespace(sym);
>+	if (namespace) {
>+		imported_namespace = get_modinfo(info, "import_ns");
>+		while (imported_namespace) {
>+			if (strcmp(namespace, imported_namespace) == 0)
>+				return 0;
>+			imported_namespace = get_next_modinfo(
>+				info, "import_ns", imported_namespace);
>+		}
>+		pr_err("%s: module uses symbol (%s) from namespace %s, but does not import it.\n",
>+		       mod->name, kernel_symbol_name(sym), namespace);
>+		return -EINVAL;
>+	}
>+	return 0;
>+}
>+
>+
> /* Resolve a symbol for this module.  I.e. if we find one, record usage. */
> static const struct kernel_symbol *resolve_symbol(struct module *mod,
> 						  const struct load_info *info,
>@@ -1413,6 +1450,12 @@ static const struct kernel_symbol *resolve_symbol(struct module *mod,
> 		goto getname;
> 	}
>
>+	err = verify_namespace_is_imported(info, sym, mod);
>+	if (err) {
>+		sym = ERR_PTR(err);
>+		goto getname;
>+	}

I think we should verify the namespace before taking a reference to
the owner module (just swap the verify_namespace_is_imported() and
ref_module() calls here).

Other than that, this patch looks good. Thanks!

>+
> getname:
> 	/* We must make copy under the lock if we failed to get ref. */
> 	strncpy(ownername, module_name(owner), MODULE_NAME_LEN);
>-- 
>2.23.0.rc1.153.gdeed80330f-goog
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ