Date: Mon, 03 Jun 2024 14:31:53 -0300
From: Marcos Paulo de Souza <mpdesouza@...e.com>
To: Josh Poimboeuf <jpoimboe@...nel.org>, Jiri Kosina <jikos@...nel.org>, 
 Miroslav Benes
	 <mbenes@...e.cz>, Petr Mladek <pmladek@...e.com>, Joe Lawrence
	 <joe.lawrence@...hat.com>, Shuah Khan <shuah@...nel.org>
Cc: live-patching@...r.kernel.org, linux-kselftest@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] selftests: livepatch: Test atomic replace against
 multiple modules

On Mon, 2024-06-03 at 14:26 -0300, Marcos Paulo de Souza wrote:
> Adapt the current test-livepatch.sh script to account for the number of
> applied livepatches and ensure that an atomic replace livepatch
> disables
> all previously applied livepatches.
> 
> Signed-off-by: Marcos Paulo de Souza <mpdesouza@...e.com>
> ---
> Changes since v2:
> * Used variables to stop the name of other livepatches applied to

Typo here :)

s/stop/show
> test
>   the atomic replace. (Joe)




> 
> Changes since v1:
> * Added checks in the existing test-livepatch.sh instead of creating
> a
>   new test file. (Joe)
> * Fixed issues reported by ShellCheck (Joe)
> ---
> Changes in v3:
> - EDITME: describe what is new in this series revision.
> - EDITME: use bulletpoints and terse descriptions.
> - Link to v2:
> https://lore.kernel.org/r/20240525-lp-atomic-replace-v2-1-142199bb65a1@suse.com
> ---
>  .../testing/selftests/livepatch/test-livepatch.sh  | 138
> +++++++++++++--------
>  1 file changed, 89 insertions(+), 49 deletions(-)
> 
> diff --git a/tools/testing/selftests/livepatch/test-livepatch.sh
> b/tools/testing/selftests/livepatch/test-livepatch.sh
> index e3455a6b1158..ca770b8c62fc 100755
> --- a/tools/testing/selftests/livepatch/test-livepatch.sh
> +++ b/tools/testing/selftests/livepatch/test-livepatch.sh
> @@ -4,7 +4,9 @@
>  
>  . $(dirname $0)/functions.sh
>  
> -MOD_LIVEPATCH=test_klp_livepatch
> +MOD_LIVEPATCH1=test_klp_livepatch
> +MOD_LIVEPATCH2=test_klp_syscall
> +MOD_LIVEPATCH3=test_klp_callbacks_demo
>  MOD_REPLACE=test_klp_atomic_replace
>  
>  setup_config
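
Review bot: MOD_LIVEPATCH2 and MOD_LIVEPATCH3 are only numbered, so nothing at the definition says why test_klp_syscall and test_klp_callbacks_demo were picked or that they are loaded only in the atomic replace test. A one-line comment above these two assignments would help, since test_klp_callbacks_demo also adds callback lines to the expected log further down.
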
> @@ -16,33 +18,33 @@ setup_config
>  
>  start_test "basic function patching"
>  
> -load_lp $MOD_LIVEPATCH
> +load_lp $MOD_LIVEPATCH1
>  
> -if [[ "$(cat /proc/cmdline)" != "$MOD_LIVEPATCH: this has been live
> patched" ]] ; then
> +if [[ "$(cat /proc/cmdline)" != "$MOD_LIVEPATCH1: this has been live
> patched" ]] ; then
>  	echo -e "FAIL\n\n"
>  	die "livepatch kselftest(s) failed"
>  fi
>  
> -disable_lp $MOD_LIVEPATCH
> -unload_lp $MOD_LIVEPATCH
> +disable_lp $MOD_LIVEPATCH1
> +unload_lp $MOD_LIVEPATCH1
>  
> -if [[ "$(cat /proc/cmdline)" == "$MOD_LIVEPATCH: this has been live
> patched" ]] ; then
> +if [[ "$(cat /proc/cmdline)" == "$MOD_LIVEPATCH1: this has been live
> patched" ]] ; then
>  	echo -e "FAIL\n\n"
>  	die "livepatch kselftest(s) failed"
>  fi
>  
> -check_result "% insmod test_modules/$MOD_LIVEPATCH.ko
> -livepatch: enabling patch '$MOD_LIVEPATCH'
> -livepatch: '$MOD_LIVEPATCH': initializing patching transition
> -livepatch: '$MOD_LIVEPATCH': starting patching transition
> -livepatch: '$MOD_LIVEPATCH': completing patching transition
> -livepatch: '$MOD_LIVEPATCH': patching complete
> -% echo 0 > /sys/kernel/livepatch/$MOD_LIVEPATCH/enabled
> -livepatch: '$MOD_LIVEPATCH': initializing unpatching transition
> -livepatch: '$MOD_LIVEPATCH': starting unpatching transition
> -livepatch: '$MOD_LIVEPATCH': completing unpatching transition
> -livepatch: '$MOD_LIVEPATCH': unpatching complete
> -% rmmod $MOD_LIVEPATCH"
> +check_result "% insmod test_modules/$MOD_LIVEPATCH1.ko
> +livepatch: enabling patch '$MOD_LIVEPATCH1'
> +livepatch: '$MOD_LIVEPATCH1': initializing patching transition
> +livepatch: '$MOD_LIVEPATCH1': starting patching transition
> +livepatch: '$MOD_LIVEPATCH1': completing patching transition
> +livepatch: '$MOD_LIVEPATCH1': patching complete
> +% echo 0 > /sys/kernel/livepatch/$MOD_LIVEPATCH1/enabled
> +livepatch: '$MOD_LIVEPATCH1': initializing unpatching transition
> +livepatch: '$MOD_LIVEPATCH1': starting unpatching transition
> +livepatch: '$MOD_LIVEPATCH1': completing unpatching transition
> +livepatch: '$MOD_LIVEPATCH1': unpatching complete
> +% rmmod $MOD_LIVEPATCH1"
>  
>  
>  # - load a livepatch that modifies the output from /proc/cmdline and
> @@ -53,7 +55,7 @@ livepatch: '$MOD_LIVEPATCH': unpatching complete
>  
>  start_test "multiple livepatches"
>  
> -load_lp $MOD_LIVEPATCH
> +load_lp $MOD_LIVEPATCH1
>  
>  grep 'live patched' /proc/cmdline > /dev/kmsg
>  grep 'live patched' /proc/meminfo > /dev/kmsg
> @@ -69,26 +71,26 @@ unload_lp $MOD_REPLACE
>  grep 'live patched' /proc/cmdline > /dev/kmsg
>  grep 'live patched' /proc/meminfo > /dev/kmsg
>  
> -disable_lp $MOD_LIVEPATCH
> -unload_lp $MOD_LIVEPATCH
> +disable_lp $MOD_LIVEPATCH1
> +unload_lp $MOD_LIVEPATCH1
>  
>  grep 'live patched' /proc/cmdline > /dev/kmsg
>  grep 'live patched' /proc/meminfo > /dev/kmsg
>  
> -check_result "% insmod test_modules/$MOD_LIVEPATCH.ko
> -livepatch: enabling patch '$MOD_LIVEPATCH'
> -livepatch: '$MOD_LIVEPATCH': initializing patching transition
> -livepatch: '$MOD_LIVEPATCH': starting patching transition
> -livepatch: '$MOD_LIVEPATCH': completing patching transition
> -livepatch: '$MOD_LIVEPATCH': patching complete
> -$MOD_LIVEPATCH: this has been live patched
> +check_result "% insmod test_modules/$MOD_LIVEPATCH1.ko
> +livepatch: enabling patch '$MOD_LIVEPATCH1'
> +livepatch: '$MOD_LIVEPATCH1': initializing patching transition
> +livepatch: '$MOD_LIVEPATCH1': starting patching transition
> +livepatch: '$MOD_LIVEPATCH1': completing patching transition
> +livepatch: '$MOD_LIVEPATCH1': patching complete
> +$MOD_LIVEPATCH1: this has been live patched
>  % insmod test_modules/$MOD_REPLACE.ko replace=0
>  livepatch: enabling patch '$MOD_REPLACE'
>  livepatch: '$MOD_REPLACE': initializing patching transition
>  livepatch: '$MOD_REPLACE': starting patching transition
>  livepatch: '$MOD_REPLACE': completing patching transition
>  livepatch: '$MOD_REPLACE': patching complete
> -$MOD_LIVEPATCH: this has been live patched
> +$MOD_LIVEPATCH1: this has been live patched
>  $MOD_REPLACE: this has been live patched
>  % echo 0 > /sys/kernel/livepatch/$MOD_REPLACE/enabled
>  livepatch: '$MOD_REPLACE': initializing unpatching transition
> @@ -96,35 +98,57 @@ livepatch: '$MOD_REPLACE': starting unpatching
> transition
>  livepatch: '$MOD_REPLACE': completing unpatching transition
>  livepatch: '$MOD_REPLACE': unpatching complete
>  % rmmod $MOD_REPLACE
> -$MOD_LIVEPATCH: this has been live patched
> -% echo 0 > /sys/kernel/livepatch/$MOD_LIVEPATCH/enabled
> -livepatch: '$MOD_LIVEPATCH': initializing unpatching transition
> -livepatch: '$MOD_LIVEPATCH': starting unpatching transition
> -livepatch: '$MOD_LIVEPATCH': completing unpatching transition
> -livepatch: '$MOD_LIVEPATCH': unpatching complete
> -% rmmod $MOD_LIVEPATCH"
> +$MOD_LIVEPATCH1: this has been live patched
> +% echo 0 > /sys/kernel/livepatch/$MOD_LIVEPATCH1/enabled
> +livepatch: '$MOD_LIVEPATCH1': initializing unpatching transition
> +livepatch: '$MOD_LIVEPATCH1': starting unpatching transition
> +livepatch: '$MOD_LIVEPATCH1': completing unpatching transition
> +livepatch: '$MOD_LIVEPATCH1': unpatching complete
> +% rmmod $MOD_LIVEPATCH1"
>  
>  
>  # - load a livepatch that modifies the output from /proc/cmdline and
>  #   verify correct behavior
> -# - load an atomic replace livepatch and verify that only the second
> is active
> -# - remove the first livepatch and verify that the atomic replace
> livepatch
> -#   is still active
> +# - load two addtional livepatches and check the number of livepatch
> modules
> +#   applied
> +# - load an atomic replace livepatch and check that the other three
> modules were
> +#   disabled
> +# - remove all livepatches besides the atomic replace one and verify
> that the
> +#   atomic replace livepatch is still active
>  # - remove the atomic replace livepatch and verify that none are
> active
>  
>  start_test "atomic replace livepatch"
>  
> -load_lp $MOD_LIVEPATCH
> +load_lp $MOD_LIVEPATCH1
>  
>  grep 'live patched' /proc/cmdline > /dev/kmsg
>  grep 'live patched' /proc/meminfo > /dev/kmsg
>  
> +for mod in $MOD_LIVEPATCH2 $MOD_LIVEPATCH3; do
> +	load_lp "$mod"
> +done
> +
> +mods=(/sys/kernel/livepatch/*)
> +nmods=${#mods[@]}
> +if [ "$nmods" -ne 3 ]; then
> +	die "Expecting three modules listed, found $nmods"
> +fi
> +
>  load_lp $MOD_REPLACE replace=1
>  
>  grep 'live patched' /proc/cmdline > /dev/kmsg
>  grep 'live patched' /proc/meminfo > /dev/kmsg
>  
> -unload_lp $MOD_LIVEPATCH
> +mods=(/sys/kernel/livepatch/*)
> +nmods=${#mods[@]}
> +if [ "$nmods" -ne 1 ]; then
> +	die "Expecting only one moduled listed, found $nmods"
> +fi
> +
> +# These modules were disabled by the atomic replace
> +for mod in $MOD_LIVEPATCH3 $MOD_LIVEPATCH2 $MOD_LIVEPATCH1; do
> +	unload_lp "$mod"
> +done
>  
>  grep 'live patched' /proc/cmdline > /dev/kmsg
>  grep 'live patched' /proc/meminfo > /dev/kmsg
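
Review bot: The count check after "load_lp $MOD_REPLACE replace=1" cannot tell "only the replace patch is left" from "nothing is left". Unless nullglob is set, bash keeps an unmatched glob as the literal pattern, so mods=(/sys/kernel/livepatch/*) holds one element when the directory is empty and the "-ne 1" test still passes. Consider checking the expected entry by name as well, for example [ -d "/sys/kernel/livepatch/$MOD_REPLACE" ], or enabling nullglob around the glob. The two count blocks differ only in the expected number and could share a small helper, and unlike the earlier checks in this file these die paths do not echo "FAIL" first. Typos: "addtional" in the new comment and "moduled" in the second die message.
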
> @@ -135,13 +159,27 @@ unload_lp $MOD_REPLACE
>  grep 'live patched' /proc/cmdline > /dev/kmsg
>  grep 'live patched' /proc/meminfo > /dev/kmsg
>  
> -check_result "% insmod test_modules/$MOD_LIVEPATCH.ko
> -livepatch: enabling patch '$MOD_LIVEPATCH'
> -livepatch: '$MOD_LIVEPATCH': initializing patching transition
> -livepatch: '$MOD_LIVEPATCH': starting patching transition
> -livepatch: '$MOD_LIVEPATCH': completing patching transition
> -livepatch: '$MOD_LIVEPATCH': patching complete
> -$MOD_LIVEPATCH: this has been live patched
> +check_result "% insmod test_modules/$MOD_LIVEPATCH1.ko
> +livepatch: enabling patch '$MOD_LIVEPATCH1'
> +livepatch: '$MOD_LIVEPATCH1': initializing patching transition
> +livepatch: '$MOD_LIVEPATCH1': starting patching transition
> +livepatch: '$MOD_LIVEPATCH1': completing patching transition
> +livepatch: '$MOD_LIVEPATCH1': patching complete
> +$MOD_LIVEPATCH1: this has been live patched
> +% insmod test_modules/$MOD_LIVEPATCH2.ko
> +livepatch: enabling patch '$MOD_LIVEPATCH2'
> +livepatch: '$MOD_LIVEPATCH2': initializing patching transition
> +livepatch: '$MOD_LIVEPATCH2': starting patching transition
> +livepatch: '$MOD_LIVEPATCH2': completing patching transition
> +livepatch: '$MOD_LIVEPATCH2': patching complete
> +% insmod test_modules/$MOD_LIVEPATCH3.ko
> +livepatch: enabling patch '$MOD_LIVEPATCH3'
> +livepatch: '$MOD_LIVEPATCH3': initializing patching transition
> +$MOD_LIVEPATCH3: pre_patch_callback: vmlinux
> +livepatch: '$MOD_LIVEPATCH3': starting patching transition
> +livepatch: '$MOD_LIVEPATCH3': completing patching transition
> +$MOD_LIVEPATCH3: post_patch_callback: vmlinux
> +livepatch: '$MOD_LIVEPATCH3': patching complete
>  % insmod test_modules/$MOD_REPLACE.ko replace=1
>  livepatch: enabling patch '$MOD_REPLACE'
>  livepatch: '$MOD_REPLACE': initializing patching transition
> @@ -149,7 +187,9 @@ livepatch: '$MOD_REPLACE': starting patching
> transition
>  livepatch: '$MOD_REPLACE': completing patching transition
>  livepatch: '$MOD_REPLACE': patching complete
>  $MOD_REPLACE: this has been live patched
> -% rmmod $MOD_LIVEPATCH
> +% rmmod $MOD_LIVEPATCH3
> +% rmmod $MOD_LIVEPATCH2
> +% rmmod $MOD_LIVEPATCH1
>  $MOD_REPLACE: this has been live patched
>  % echo 0 > /sys/kernel/livepatch/$MOD_REPLACE/enabled
>  livepatch: '$MOD_REPLACE': initializing unpatching transition
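
Review bot: Missing documentation for the three rmmod lines added to the expected log: they have no callback output around them, although $MOD_LIVEPATCH3 printed pre_patch_callback and post_patch_callback lines when it was loaded earlier in the same check_result string. If skipping the replaced patch's unpatch callbacks is the behaviour this test means to pin down, a short comment above check_result saying so would keep a reader from treating the asymmetry as a gap in the test.
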
> 
> ---
> base-commit: 6d69b6c12fce479fde7bc06f686212451688a102
> change-id: 20240525-lp-atomic-replace-90b33ed018dc
> 
> Best regards,

