Date:   Fri, 5 Mar 2021 19:28:15 -0600
From:   Josh Poimboeuf <jpoimboe@...hat.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Kees Cook <keescook@...omium.org>,
        Masahiro Yamada <masahiroy@...nel.org>,
        Linux Kbuild mailing list <linux-kbuild@...r.kernel.org>,
        Michal Marek <michal.lkml@...kovi.net>,
        linux-hardening@...r.kernel.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Frank Eigler <fche@...hat.com>,
        Justin Forbes <jforbes@...hat.com>,
        Ondrej Mosnacek <omosnace@...hat.com>
Subject: Re: [PATCH] kbuild: rebuild GCC plugins when the compiler is upgraded

On Thu, Mar 04, 2021 at 08:25:00PM -0600, Josh Poimboeuf wrote:
> On Thu, Mar 04, 2021 at 03:37:14PM -0800, Linus Torvalds wrote:
> > On Thu, Mar 4, 2021 at 3:20 PM Kees Cook <keescook@...omium.org> wrote:
> > >
> > > This seems fine to me, but I want to make sure Josh has somewhere to
> > > actually go with this. Josh, does this get you any closer?
> 
> No, this doesn't seem to help me at all.
> 
> > > It sounds like the plugins need to move to another location for
> > > packaged kernels?
> > 
> > Well, it might be worth extending the stuff that gets installed with
> > /lib/modules/<kernel-version>/ with enough information and
> > infrastructure to then build any external modules.
> 
> The gcc plugins live in scripts/, which get installed by "make
> modules_install" already.  So the plugins' source and makefiles are in
> /lib/modules/<kernel-version>/build/scripts/gcc-plugins.
> 
> So everything needed for building the plugins is already there.  We just
> need the kernel makefiles to rebuild the plugins locally, when building
> an external module.

This seems to work with very limited testing...  Based on top of
Masahiro's recent patch:

  https://lkml.kernel.org/r/CAK7LNARHoTnZ3gAvHgnYB4n-wYuboxC10A6zURh1ODGhxWd2yA@mail.gmail.com

From: Josh Poimboeuf <jpoimboe@...hat.com>
Subject: [PATCH] gcc-plugins: Rebuild plugins in external module directory

When building external kernel modules, the build system doesn't require
the GCC version to match the version used to build the original kernel.

In fact, most distros release the compiler and the kernel in separate
packages, with separate release cadences.  So it's not uncommon for
mismatches to occur.

But with GCC plugins enabled, that's no longer allowed:

  cc1: error: incompatible gcc/plugin versions
  cc1: error: failed to initialize plugin ./scripts/gcc-plugins/structleak_plugin.so

That error comes from the plugin's call to
plugin_default_version_check(), which strictly enforces the GCC version.
The strict check makes sense, because there's nothing to prevent the GCC
plugin ABI from changing, and it often does.

Since plugins are tightly tied to the compiler version, just rebuild
them locally in the external module directory, and then use the local
version in the external module build.

Reported-by: Ondrej Mosnacek <omosnace@...hat.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@...hat.com>
---
 Makefile                     | 1 +
 scripts/Makefile.gcc-plugins | 2 +-
 scripts/gcc-plugins/Makefile | 8 ++++++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index bc208886fcce..90c6656de224 100644
--- a/Makefile
+++ b/Makefile
@@ -1784,6 +1784,7 @@ prepare:
 		echo "  The kernel was built by: "$(CONFIG_CC_VERSION_TEXT); \
 		echo "  You are using:           $(CC_VERSION_TEXT)"; \
 	fi
+	$(Q)$(MAKE) $(build)=scripts/gcc-plugins
 
 PHONY += help
 help:
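
Review bot: The added recipe line at the end of the external-module `prepare` target is unconditional: nothing in this hunk limits `$(Q)$(MAKE) $(build)=scripts/gcc-plugins` to configurations that enable GCC plugins, so every external module build descends into scripts/gcc-plugins and, with the `obj` override later in this patch, creates output under the module's own directory. Consider wrapping it in `ifdef CONFIG_GCC_PLUGINS` and adding a short comment that the plugins are rebuilt here because they must match the local compiler.
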
diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins
index 952e46876329..be4303678942 100644
--- a/scripts/Makefile.gcc-plugins
+++ b/scripts/Makefile.gcc-plugins
@@ -48,7 +48,7 @@ export DISABLE_ARM_SSP_PER_TASK_PLUGIN
 
 # All the plugin CFLAGS are collected here in case a build target needs to
 # filter them out of the KBUILD_CFLAGS.
-GCC_PLUGINS_CFLAGS := $(strip $(addprefix -fplugin=$(objtree)/scripts/gcc-plugins/, $(gcc-plugin-y)) $(gcc-plugin-cflags-y))
+GCC_PLUGINS_CFLAGS := $(strip $(addprefix -fplugin=$(if $(KBUILD_EXTMOD),$(KBUILD_EXTMOD),$(objtree))/scripts/gcc-plugins/, $(gcc-plugin-y)) $(gcc-plugin-cflags-y))
 # The sancov_plugin.so is included via CFLAGS_KCOV, so it is removed here.
 GCC_PLUGINS_CFLAGS := $(filter-out %/sancov_plugin.so, $(GCC_PLUGINS_CFLAGS))
 export GCC_PLUGINS_CFLAGS
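
Review bot: On the changed `GCC_PLUGINS_CFLAGS` line, the `-fplugin=` prefix now depends on `KBUILD_EXTMOD`, but the comment above it still only describes collecting the flags. Add a line saying that external module builds load the plugins rebuilt under `$(KBUILD_EXTMOD)/scripts/gcc-plugins/`, since this assumes the `prepare` step ran successfully and that the module tree has no `scripts/gcc-plugins/` of its own. As a style point, `$(or $(KBUILD_EXTMOD),$(objtree))` expresses the same choice more compactly than the `$(if ...)` form. The `%/sancov_plugin.so` filter below is pattern-based, so it keeps working with either prefix.
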
diff --git a/scripts/gcc-plugins/Makefile b/scripts/gcc-plugins/Makefile
index b5487cce69e8..9f8e2ef3ab56 100644
--- a/scripts/gcc-plugins/Makefile
+++ b/scripts/gcc-plugins/Makefile
@@ -1,10 +1,14 @@
 # SPDX-License-Identifier: GPL-2.0
 
-$(obj)/randomize_layout_plugin.so: $(objtree)/$(obj)/randomize_layout_seed.h
+ifneq ($(KBUILD_EXTMOD),)
+override obj := $(KBUILD_EXTMOD)/$(obj)
+endif
+
+$(obj)/randomize_layout_plugin.so: $(objtree)/$(src)/randomize_layout_seed.h
 quiet_cmd_create_randomize_layout_seed = GENSEED $@
 cmd_create_randomize_layout_seed = \
   $(CONFIG_SHELL) $(srctree)/$(src)/gen-random-seed.sh $@ $(objtree)/include/generated/randomize_layout_hash.h
-$(objtree)/$(obj)/randomize_layout_seed.h: FORCE
+$(objtree)/$(src)/randomize_layout_seed.h: FORCE
 	$(call if_changed,create_randomize_layout_seed)
 targets += randomize_layout_seed.h randomize_layout_hash.h
 
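
Review bot: The seed rule is the part to check here: after `override obj := $(KBUILD_EXTMOD)/$(obj)`, the rule `$(objtree)/$(src)/randomize_layout_seed.h: FORCE` is still active in external module builds and still goes through `if_changed`, while `targets += randomize_layout_seed.h randomize_layout_hash.h` names files relative to the overridden `obj`. Please confirm that an external build can never regenerate or write the seed under `$(objtree)`, which for packaged kernels is the installed /lib/modules/<kernel-version>/build tree and whose seed has to remain the one the kernel was built with for randomized struct layouts to match. Guarding the seed rule and its `targets` entry with `ifeq ($(KBUILD_EXTMOD),)` would make that explicit, and the `override obj` line deserves a one-line comment explaining why output is redirected.
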
-- 
2.29.2
