lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAK7LNAQvQiExx5YkMqJvUyJJ96mST8jhvo2LF_iQVEjU2DLgng@mail.gmail.com>
Date:   Tue, 1 Sep 2020 00:46:54 +0900
From:   Masahiro Yamada <masahiroy@...nel.org>
To:     Ard Biesheuvel <ardb@...nel.org>
Cc:     Jessica Yu <jeyu@...nel.org>, Will Deacon <will@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Szabolcs Nagy <szabolcs.nagy@....com>,
        Mauro Carvalho Chehab <mchehab+huawei@...nel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Kees Cook <keescook@...omium.org>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Miroslav Benes <mbenes@...e.cz>,
        Mark Rutland <mark.rutland@....com>, nd <nd@....com>
Subject: Re: [PATCH v2] module: Harden STRICT_MODULE_RWX

On Mon, Aug 31, 2020 at 10:25 PM Ard Biesheuvel <ardb@...nel.org> wrote:
>
> On Mon, 31 Aug 2020 at 13:43, Masahiro Yamada <masahiroy@...nel.org> wrote:
> >
> > On Mon, Aug 31, 2020 at 6:47 PM Jessica Yu <jeyu@...nel.org> wrote:
> > >
> > > +++ Will Deacon [21/08/20 13:30 +0100]:
> > > [snipped]
> > > >> > > > So module_enforce_rwx_sections() is already called after
> > > >> > > > module_frob_arch_sections() - which really baffled me at first, since
> > > >> > > > sh_type and sh_flags should have been set already in
> > > >> > > > module_frob_arch_sections().
> > > >> > > >
> > > >> > > > I added some debug prints to see which section the module code was
> > > >> > > > tripping on, and it was .text.ftrace_trampoline. See this snippet from
> > > >> > > > arm64's module_frob_arch_sections():
> > > >> > > >
> > > >> > > >                 else if (IS_ENABLED(CONFIG_DYNAMIC_FTRACE) &&
> > > >> > > >                          !strcmp(secstrings + sechdrs[i].sh_name,
> > > >> > > >                                  ".text.ftrace_trampoline"))
> > > >> > > >                         tramp = sechdrs + i;
> > > >> > > >
> > > >> > > > Since Mauro's config doesn't have CONFIG_DYNAMIC_FTRACE enabled, tramp
> > > >> > > > is never set here and the if (tramp) check at the end of the function
> > > >> > > > fails, so its section flags are never set, so they remain WAX and fail
> > > >> > > > the rwx check.
> > > >> > >
> > > >> > > Right. Our module.lds does not go through the preprocessor, so we
> > > >> > > cannot add the #ifdef check there currently. So we should either drop
> > > >> > > the IS_ENABLED() check here, or simply rename the section, dropping
> > > >> > > the .text prefix (which doesn't seem to have any significance outside
> > > >> > > this context)
> > > >> > >
> > > >> > > I'll leave it to Will to make the final call here.
> > > >> >
> > > >> > Why don't we just preprocess the linker script, like we do for the main
> > > >> > kernel?
> > > >> >
> > > >>
> > > >> That should work as well, I just haven't checked how straight-forward
> > > >> it is to change that.
> > > >
> > > >Ok, if it's _not_ straightforward, then let's just drop the IS_ENABLED()
> > > >altogether.
> > >
> > > Unfortunately I've been getting more reports about this issue, so let's just
> > > get the aforementioned workaround merged first. Does the following look OK?
> > >
> > > diff --git a/arch/arm64/kernel/module-plts.c b/arch/arm64/kernel/module-plts.c
> > > index 0ce3a28e3347..2e224435c024 100644
> > > --- a/arch/arm64/kernel/module-plts.c
> > > +++ b/arch/arm64/kernel/module-plts.c
> > > @@ -305,8 +305,7 @@ int module_frob_arch_sections(Elf_Ehdr *ehdr, Elf_Shdr *sechdrs,
> > >                         mod->arch.core.plt_shndx = i;
> > >                 else if (!strcmp(secstrings + sechdrs[i].sh_name, ".init.plt"))
> > >                         mod->arch.init.plt_shndx = i;
> > > -               else if (IS_ENABLED(CONFIG_DYNAMIC_FTRACE) &&
> > > -                        !strcmp(secstrings + sechdrs[i].sh_name,
> > > +               else if (!strcmp(secstrings + sechdrs[i].sh_name,
> > >                                  ".text.ftrace_trampoline"))
> > >                         tramp = sechdrs + i;
> > >                 else if (sechdrs[i].sh_type == SHT_SYMTAB)
> > >
> > > If so I'll turn it into a formal patch and we can get that merged in the next -rc.
> > >
> > > Thanks,
> > >
> > > Jessica
> >
> >
> >
> > Sorry for the delay.
> >
> > Please try the attached patch.
> >
>
> Thanks Masahiro,
>
> I'll leave it to the maintainers to make the final call, but this does
> look rather intrusive to me, especially for an -rc.

Sure, I am OK with putting this off.


> Renaming
> scripts/module-common.lds to scripts/module.lds means that the distros
> may have to update their scripts to generate the linux-headers
> packages etc,


It depends on how distributions
implement scripts in their packages.

It would be annoying if the packages were broken
every time a new script is added.


So, I expect the whole of scripts/
is copied to the module development package.


The in-kernel deb package is OK
because files under scripts/ are collected
by the 'find' command.


scripts/package/builddeb:59:
      find $(find arch/$SRCARCH -name include -o -name scripts -type d) -type f

scripts/package/builddeb:67:
      find arch/$SRCARCH/include Module.symvers include scripts -type f


The rpm packages are also OK.



But, downstream packages should be updated
if scripts/module-common.lds is hard-coded.



> so if we do this at all, we'd better do it between
> releases.

Sure.
We can go with Jessica's one-liner fix.

I will post mine as a separate patch
with linux-arch ML CCed to get more
attention.


-- 
Best Regards
Masahiro Yamada

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ