| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8c6972c4-c1bb-402a-a72d-f92b87ee5a89@suse.com>
Date: Fri, 24 Jan 2025 13:59:55 +0100
From: Petr Pavlu <petr.pavlu@...e.com>
To: Mike Rapoport <rppt@...nel.org>
Cc: x86@...nel.org, Andrew Morton <akpm@...ux-foundation.org>,
Andy Lutomirski <luto@...nel.org>,
Anton Ivanov <anton.ivanov@...bridgegreys.com>,
Borislav Petkov <bp@...en8.de>, Brendan Higgins <brendan.higgins@...ux.dev>,
Daniel Gomez <da.gomez@...sung.com>, Daniel Thompson <danielt@...nel.org>,
Dave Hansen <dave.hansen@...ux.intel.com>, David Gow <davidgow@...gle.com>,
Douglas Anderson <dianders@...omium.org>, Ingo Molnar <mingo@...hat.com>,
Jason Wessel <jason.wessel@...driver.com>, Jiri Kosina <jikos@...nel.org>,
Joe Lawrence <joe.lawrence@...hat.com>,
Johannes Berg <johannes@...solutions.net>,
Josh Poimboeuf <jpoimboe@...nel.org>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Lorenzo Stoakes <lorenzo.stoakes@...cle.com>,
Luis Chamberlain <mcgrof@...nel.org>, Mark Rutland <mark.rutland@....com>,
Masami Hiramatsu <mhiramat@...nel.org>, Miroslav Benes <mbenes@...e.cz>,
"H. Peter Anvin" <hpa@...or.com>, Peter Zijlstra <peterz@...radead.org>,
Petr Mladek <pmladek@...e.com>, Rae Moar <rmoar@...gle.com>,
Richard Weinberger <richard@....at>, Sami Tolvanen
<samitolvanen@...gle.com>, Shuah Khan <shuah@...nel.org>,
Song Liu <song@...nel.org>, Steven Rostedt <rostedt@...dmis.org>,
Thomas Gleixner <tglx@...utronix.de>, kgdb-bugreport@...ts.sourceforge.net,
kunit-dev@...glegroups.com, linux-kernel@...r.kernel.org,
linux-kselftest@...r.kernel.org, linux-mm@...ck.org,
linux-modules@...r.kernel.org, linux-trace-kernel@...r.kernel.org,
linux-um@...ts.infradead.org, live-patching@...r.kernel.org
Subject: Re: [PATCH v2 06/10] module: introduce MODULE_STATE_GONE
On 1/24/25 12:06, Mike Rapoport wrote:
> On Thu, Jan 23, 2025 at 03:16:28PM +0100, Petr Pavlu wrote:
>> On 1/21/25 10:57, Mike Rapoport wrote:
>>> In order to use execmem's API for temporal remapping of the memory
>>> allocated from ROX cache as writable, there is a need to distinguish
>>> between the state when the module is being formed and the state when it is
>>> deconstructed and freed so that when module_memory_free() is called from
>>> error paths during module loading it could restore ROX mappings.
>>>
>>> Replace open coded checks for MODULE_STATE_UNFORMED with a helper
>>> function module_is_formed() and add a new MODULE_STATE_GONE that will be
>>> set when the module is deconstructed and freed.
>>
>> I don't fully follow why this case requires a new module state. My
>> understanding it that the function load_module() has the necessary
>> context that after calling layout_and_allocate(), the updated ROX
>> mappings need to be restored. I would then expect the function to be
>> appropriately able to unwind this operation in case of an error. It
>> could be done by having a helper that walks the mappings and calls
>> execmem_restore_rox(), or if you want to keep it in module_memory_free()
>> as done in the patch #7 then a flag could be passed down to
>> module_deallocate() -> free_mod_mem() -> module_memory_free()?
>
> Initially I wanted to track ROX <-> RW transitions in struct module_memory
> so that module_memory_free() could do the right thing depending on memory
> state. But that meant either ugly games with const'ness in strict_rwx.c,
> an additional helper or a new global module state. The latter seemed the
> most elegant to me.
> If a new global module state is really that intrusive, I can drop it in
> favor a helper that will be called from error handling paths. E.g.
> something like the patch below (on top of this series and with this patch
> reverted)
>
> diff --git a/kernel/module/main.c b/kernel/module/main.c
> index 7164cd353a78..4a02503836d7 100644
> --- a/kernel/module/main.c
> +++ b/kernel/module/main.c
> @@ -1268,13 +1268,20 @@ static int module_memory_alloc(struct module *mod, enum mod_mem_type type)
> return 0;
> }
>
> +static void module_memory_restore_rox(struct module *mod)
> +{
> + for_class_mod_mem_type(type, text) {
> + struct module_memory *mem = &mod->mem[type];
> +
> + if (mem->is_rox)
> + execmem_restore_rox(mem->base, mem->size);
> + }
> +}
> +
> static void module_memory_free(struct module *mod, enum mod_mem_type type)
> {
> struct module_memory *mem = &mod->mem[type];
>
> - if (mod->state == MODULE_STATE_UNFORMED && mem->is_rox)
> - execmem_restore_rox(mem->base, mem->size);
> -
> execmem_free(mem->base);
> }
>
> @@ -2617,6 +2624,7 @@ static int move_module(struct module *mod, struct load_info *info)
>
> return 0;
> out_err:
> + module_memory_restore_rox(mod);
> for (t--; t >= 0; t--)
> module_memory_free(mod, t);
> if (codetag_section_found)
> @@ -3372,6 +3380,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
> mod->mem[type].size);
> }
>
> + module_memory_restore_rox(mod);
> module_deallocate(mod, info);
> free_copy:
> /*
>
This looks better to me.
My view is that the module_state tracks major stages of a module during
its lifecycle. It provides information to the module loader itself,
other subsystems that need to closely interact with modules, and to the
userspace via the initstate sysfs attribute.
Adding a new state means potentially more complexity for all these
parts. In this case, the state was needed because of a logic that is
local only to the module loader, or even just to the function
load_module(). I think it is better to avoid adding a new state only for
that.
--
Thanks,
Petr
Powered by blists - more mailing lists