| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <D5K3PNXEIKYK.11GZ8BMY02OA4@samsung.com>
Date: Tue, 12 Nov 2024 10:43:35 +0100
From: Daniel Gomez <da.gomez@...sung.com>
To: Christophe Leroy <christophe.leroy@...roup.eu>, Luis Chamberlain
<mcgrof@...nel.org>, Petr Pavlu <petr.pavlu@...e.com>, Sami Tolvanen
<samitolvanen@...gle.com>, Kees Cook <kees@...nel.org>,
<linux-modules@...r.kernel.org>
CC: <linux-kernel@...r.kernel.org>, Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [RFC PATCH 2/3] module: Don't fail module loading when setting
ro_after_init section RO failed
On Mon Nov 11, 2024 at 7:53 PM CET, Christophe Leroy wrote:
>
>
> Le 09/11/2024 à 23:17, Daniel Gomez a écrit :
>> On Sat Nov 9, 2024 at 11:35 AM CET, Christophe Leroy wrote:
>>> Once module init has succeded it is too late to cancel loading.
>>> If setting ro_after_init data section to read-only fails, all we
>>> can do is to inform the user through a warning.
>>>
>>> Reported-by: Thomas Gleixner <tglx@...utronix.de>
>>> Closes: https://protect2.fireeye.com/v1/url?k=d3deb284-b2a35ac3-d3df39cb-74fe485fff30-288375d7d91e4ad9&q=1&e=701066ca-634d-4525-a77d-1a44451f897a&u=https%3A%2F%2Feur01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Flore.kernel.org%252Fall%252F20230915082126.4187913-1-ruanjinjie%2540huawei.com%252F%26data%3D05%257C02%257Cchristophe.leroy%2540csgroup.eu%257C26b5ca7363e54210439b08dd010c4865%257C8b87af7d86474dc78df45f69a2011bb5%257C0%257C0%257C638667874457200373%257CUnknown%257CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%253D%253D%257C0%257C%257C%257C%26sdata%3DZeJ%252F3%252B2Nx%252FBf%252FWLFEkhxKlDhZk8LNkz0fs%252Fg2xMcOjY%253D%26reserved%3D0
>>> Fixes: d1909c022173 ("module: Don't ignore errors from set_memory_XX()")
>>> Signed-off-by: Christophe Leroy <christophe.leroy@...roup.eu>
>>> ---
>>> kernel/module/main.c | 6 +++---
>>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/kernel/module/main.c b/kernel/module/main.c
>>> index 2de4ad7af335..1bf4b0db291b 100644
>>> --- a/kernel/module/main.c
>>> +++ b/kernel/module/main.c
>>> @@ -2583,7 +2583,9 @@ static noinline int do_init_module(struct module *mod)
>>> #endif
>>> ret = module_enable_rodata_ro_after_init(mod);
>>> if (ret)
>>> - goto fail_mutex_unlock;
>>> + pr_warn("%s: %s() returned %d, ro_after_init data might still be writable\n",
>>> + mod->name, __func__, ret);
>>> +
>>> mod_tree_remove_init(mod);
>>> module_arch_freeing_init(mod);
>>> for_class_mod_mem_type(type, init) {
>>> @@ -2622,8 +2624,6 @@ static noinline int do_init_module(struct module *mod)
>>>
>>> return 0;
>>
>> I think it would make sense to propagate the error. But that would
>> require changing modprobe.c. What kind of error can we expect when this
>> happens?
>
> AFAIK, on powerpc it fails with EINVAL when
> - The area is a vmalloc or module area and is a hugepage area
> - The area is not vmalloc or io register and MMU is not powerpc radix MMU
>
> Otherwise it propagates the error from apply_to_existing_page_range().
> IIUC it will return EINVAL when it hits a leaf PTE in upper directories.
Looking at that path I see we can also fail at __apply_to_page_range()
-> apply_to_p4d_range() and return with -ENOMEM.
My proposal was to do something like the change below in modprobe:
diff --git a/tools/modprobe.c b/tools/modprobe.c
index ec66e6f..8876e27 100644
--- a/tools/modprobe.c
+++ b/tools/modprobe.c
@@ -572,6 +572,11 @@ static int insmod_insert(struct kmod_module *mod, int flags, const char *extra_o
err = 0;
else {
switch (err) {
+ case -EINVAL:
+ ERR("module '%s'inserted: ro_after_init data might"
+ "still be writable (see dmesg)\n",
+ kmod_module_get_name(mod));
+ break;
case -EEXIST:
ERR("could not insert '%s': Module already in kernel\n",
kmod_module_get_name(mod));
But I think these error codes may be also be reported in other parts
such as simplify_symbols() so may not be a good idea after all.
Maybe we just need to change the default/catch all error message in
modprobe.c and to indicate/include this case:
diff --git a/tools/modprobe.c b/tools/modprobe.c
index ec66e6f..3647d37 100644
--- a/tools/modprobe.c
+++ b/tools/modprobe.c
@@ -582,7 +582,8 @@ static int insmod_insert(struct kmod_module *mod, int flags, const char *extra_o
kmod_module_get_name(mod));
break;
default:
- ERR("could not insert '%s': %s\n", kmod_module_get_name(mod),
+ ERR("could not insert '%s' or inserted with error %s, "
+ "(see dmesg)\n", kmod_module_get_name(mod),
strerror(-err));
break;
}
>
> On other architectures it can be different, I know some architecture try
> to split the pages when they hit hugepages and that can fail.
Is it worth it adding an error code for this case in case we want to
report it back?
>
>
> But I believe if it works the first time it should work next time as well.
Okay. It would be good to know if this is a common behaviour among
different architectures.
>
>>
>>>
>>> -fail_mutex_unlock:
>>> - mutex_unlock(&module_mutex);
>>> fail_free_freeinit:
>>> kfree(freeinit);
>>> fail:
>>
Powered by blists - more mailing lists