lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <d65wbmp54onniprsai73siwa4pqcmmzlzag53l72sucq6irp6r@vwhbn2bkvptu>
Date: Thu, 20 Mar 2025 13:33:12 +0100
From: Daniel Gomez <da.gomez@...nel.org>
To: Petr Pavlu <petr.pavlu@...e.com>
Cc: Luis Chamberlain <mcgrof@...nel.org>, 
	Sami Tolvanen <samitolvanen@...gle.com>, Daniel Gomez <da.gomez@...sung.com>, Kees Cook <kees@...nel.org>, 
	Petr Mladek <pmladek@...e.com>, Jani Nikula <jani.nikula@...el.com>, 
	Andrew Morton <akpm@...ux-foundation.org>, John Ogness <john.ogness@...utronix.de>, 
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>, linux-modules@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] module: Taint the kernel when write-protecting
 ro_after_init fails

On Thu, Mar 06, 2025 at 11:36:55AM +0100, Petr Pavlu wrote:
> In the unlikely case that setting ro_after_init data to read-only fails, it
> is too late to cancel loading of the module. The loader then issues only
> a warning about the situation. Given that this reduces the kernel's
> protection, it was suggested to make the failure more visible by tainting
> the kernel.
> 
> Allow TAINT_BAD_PAGE to be set per-module and use it in this case. The flag
> is set in similar situations and has the following description in
> Documentation/admin-guide/tainted-kernels.rst: "bad page referenced or some
> unexpected page flags".
> 
> Adjust the warning that reports the failure to avoid references to internal
> functions and to add information about the kernel being tainted, both to
> match the style of other messages in the file. Additionally, merge the
> message on a single line because checkpatch.pl recommends that for the
> ability to grep for the string.
> 
> Suggested-by: Kees Cook <kees@...nel.org>
> Signed-off-by: Petr Pavlu <petr.pavlu@...e.com>
> ---
> I opted to use TAINT_BAD_PAGE for now because it seemed unnecessary to me
> to introduce a new flag only for this specific case. However, if we end up
> similarly checking set_memory_*() in the boot context, a separate flag
> would be probably better.
> ---
>  kernel/module/main.c | 7 ++++---
>  kernel/panic.c       | 2 +-
>  2 files changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/kernel/module/main.c b/kernel/module/main.c
> index 1fb9ad289a6f..8f424a107b92 100644
> --- a/kernel/module/main.c
> +++ b/kernel/module/main.c
> @@ -3030,10 +3030,11 @@ static noinline int do_init_module(struct module *mod)
>  	rcu_assign_pointer(mod->kallsyms, &mod->core_kallsyms);
>  #endif
>  	ret = module_enable_rodata_ro_after_init(mod);
> -	if (ret)
> -		pr_warn("%s: module_enable_rodata_ro_after_init() returned %d, "
> -			"ro_after_init data might still be writable\n",
> +	if (ret) {
> +		pr_warn("%s: write-protecting ro_after_init data failed with %d, the data might still be writable - tainting kernel\n",

This is quite large. Can we simplify it?

For 1 line grep parsing we can start writing at the beginning of the line as
it's done in some cases in fs/xfs/xfs_super.c. Proposals:

diff --git a/kernel/module/main.c b/kernel/module/main.c
index 6d1094c6dea8..fc5510b8aa14 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -2982,7 +2982,8 @@ static noinline int do_init_module(struct module *mod)
 #endif
        ret = module_enable_rodata_ro_after_init(mod);
        if (ret) {
-               pr_warn("%s: write-protecting ro_after_init data failed with %d, the data might still be writable - tainting kernel\n",
+               pr_warn(
+"%s: write-protecting ro_after_init failed with %d - tainting kernel\n",
                        mod->name, ret);
                add_taint_module(mod, TAINT_BAD_PAGE, LOCKDEP_STILL_OK);
        }


diff --git a/kernel/module/main.c b/kernel/module/main.c
index 6d1094c6dea8..4fa0c80b2bb4 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -2982,7 +2982,8 @@ static noinline int do_init_module(struct module *mod)
 #endif
        ret = module_enable_rodata_ro_after_init(mod);
        if (ret) {
-               pr_warn("%s: write-protecting ro_after_init data failed with %d, the data might still be writable - tainting kernel\n",
+               pr_warn(
+"%s: ro_after_init failed with %d, data might be writable - tainting kernel\n",
                        mod->name, ret);
                add_taint_module(mod, TAINT_BAD_PAGE, LOCKDEP_STILL_OK);
        }

Daniel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ