From patchwork Wed Feb 21 19:40:26 2024
X-Patchwork-Submitter: Suren Baghdasaryan
X-Patchwork-Id: 13566193
Date: Wed, 21 Feb 2024 11:40:26 -0800
In-Reply-To: <20240221194052.927623-1-surenb@google.com>
References: <20240221194052.927623-1-surenb@google.com>
Message-ID: <20240221194052.927623-14-surenb@google.com>
Subject: [PATCH v4 13/36] lib: prevent module unloading if memory is not freed
From: Suren Baghdasaryan
To: akpm@linux-foundation.org
Cc: kent.overstreet@linux.dev, mhocko@suse.com, vbabka@suse.cz, hannes@cmpxchg.org, roman.gushchin@linux.dev, mgorman@suse.de, dave@stgolabs.net, willy@infradead.org, liam.howlett@oracle.com, penguin-kernel@i-love.sakura.ne.jp, corbet@lwn.net, void@manifault.com, peterz@infradead.org, juri.lelli@redhat.com, catalin.marinas@arm.com, will@kernel.org, arnd@arndb.de, tglx@linutronix.de, mingo@redhat.com, dave.hansen@linux.intel.com, x86@kernel.org, peterx@redhat.com, david@redhat.com, axboe@kernel.dk, mcgrof@kernel.org, masahiroy@kernel.org, nathan@kernel.org, dennis@kernel.org, tj@kernel.org, muchun.song@linux.dev, rppt@kernel.org, paulmck@kernel.org, pasha.tatashin@soleen.com, yosryahmed@google.com, yuzhao@google.com, dhowells@redhat.com, hughd@google.com, andreyknvl@gmail.com, keescook@chromium.org, ndesaulniers@google.com, vvvvvv@google.com, gregkh@linuxfoundation.org, ebiggers@google.com, ytcoode@gmail.com, vincent.guittot@linaro.org, dietmar.eggemann@arm.com, rostedt@goodmis.org, bsegall@google.com, bristot@redhat.com, vschneid@redhat.com, cl@linux.com, penberg@kernel.org, iamjoonsoo.kim@lge.com, 42.hyeyoo@gmail.com, glider@google.com, elver@google.com, dvyukov@google.com, shakeelb@google.com, songmuchun@bytedance.com, jbaron@akamai.com, rientjes@google.com, minchan@google.com, kaleshsingh@google.com, surenb@google.com, kernel-team@android.com, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, iommu@lists.linux.dev, linux-arch@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-modules@vger.kernel.org, kasan-dev@googlegroups.com, cgroups@vger.kernel.org

Skip freeing module's data section if there are non-zero allocation tags because otherwise, once these allocations are freed, the access to their code tag would cause UAF.

Signed-off-by: Suren Baghdasaryan
--- include/linux/codetag.h | 6 +++--- kernel/module/main.c | 23 +++++++++++++++-------- lib/codetag.c | 11 ++++++++--- 3 files changed, 26 insertions(+), 14 deletions(-) diff --git a/include/linux/codetag.h b/include/linux/codetag.h index c44f5b83f24d..bfd0ba5c4185 100644 --- a/include/linux/codetag.h +++ b/include/linux/codetag.h @@ -35,7 +35,7 @@ struct codetag_type_desc { size_t tag_size; void (*module_load)(struct codetag_type *cttype, struct codetag_module *cmod); - void (*module_unload)(struct codetag_type *cttype, + bool (*module_unload)(struct codetag_type *cttype, struct codetag_module *cmod); }; @@ -71,10 +71,10 @@ codetag_register_type(const struct codetag_type_desc *desc); #if defined(CONFIG_CODE_TAGGING) && defined(CONFIG_MODULES) void codetag_load_module(struct module *mod); -void codetag_unload_module(struct module *mod); +bool codetag_unload_module(struct module *mod); #else static inline void codetag_load_module(struct module *mod) {} -static inline void codetag_unload_module(struct module *mod) {} +static inline bool codetag_unload_module(struct module *mod) { return true; } #endif #endif /* _LINUX_CODETAG_H */ 
diff --git a/kernel/module/main.c b/kernel/module/main.c index f400ba076cc7..658b631e76ad 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -1211,15 +1211,19 @@ static void *module_memory_alloc(unsigned int size, enum mod_mem_type type) return module_alloc(size); } -static void module_memory_free(void *ptr, enum mod_mem_type type) +static void module_memory_free(void *ptr, enum mod_mem_type type, + bool unload_codetags) { + if (!unload_codetags && mod_mem_type_is_core_data(type)) + return; + if (mod_mem_use_vmalloc(type)) vfree(ptr); else module_memfree(ptr); } -static void free_mod_mem(struct module *mod) +static void free_mod_mem(struct module *mod, bool unload_codetags) { for_each_mod_mem_type(type) { struct module_memory *mod_mem = &mod->mem[type]; @@ -1230,20 +1234,23 @@ static void free_mod_mem(struct module *mod) /* Free lock-classes; relies on the preceding sync_rcu(). */ lockdep_free_key_range(mod_mem->base, mod_mem->size); if (mod_mem->size) - module_memory_free(mod_mem->base, type); + module_memory_free(mod_mem->base, type, + unload_codetags); } /* MOD_DATA hosts mod, so free it at last */ lockdep_free_key_range(mod->mem[MOD_DATA].base, mod->mem[MOD_DATA].size); - module_memory_free(mod->mem[MOD_DATA].base, MOD_DATA); + module_memory_free(mod->mem[MOD_DATA].base, MOD_DATA, unload_codetags); } /* Free a module, remove from lists, etc. */ static void free_module(struct module *mod) { + bool unload_codetags; + trace_module_free(mod); - codetag_unload_module(mod); + unload_codetags = codetag_unload_module(mod); mod_sysfs_teardown(mod); /* @@ -1285,7 +1292,7 @@ static void free_module(struct module *mod) kfree(mod->args); percpu_modfree(mod); - free_mod_mem(mod); + free_mod_mem(mod, unload_codetags); } void *__symbol_get(const char *symbol) 
@@ -2298,7 +2305,7 @@ static int move_module(struct module *mod, struct load_info *info) return 0; out_enomem: for (t--; t >= 0; t--) - module_memory_free(mod->mem[t].base, t); + module_memory_free(mod->mem[t].base, t, true); return ret; } @@ -2428,7 +2435,7 @@ static void module_deallocate(struct module *mod, struct load_info *info) percpu_modfree(mod); module_arch_freeing_init(mod); - free_mod_mem(mod); + free_mod_mem(mod, true); } int __weak module_finalize(const Elf_Ehdr *hdr, diff --git a/lib/codetag.c b/lib/codetag.c index 9af22648dbfa..b13412ca57cc 100644 --- a/lib/codetag.c +++ b/lib/codetag.c @@ -5,6 +5,7 @@ #include #include #include +#include struct codetag_type { struct list_head link; @@ -239,12 +240,13 @@ void codetag_load_module(struct module *mod) mutex_unlock(&codetag_lock); } -void codetag_unload_module(struct module *mod) +bool codetag_unload_module(struct module *mod) { struct codetag_type *cttype; + bool unload_ok = true; if (!mod) - return; + return true; mutex_lock(&codetag_lock); list_for_each_entry(cttype, &codetag_types, link) { @@ -261,7 +263,8 @@ void codetag_unload_module(struct module *mod) } if (found) { if (cttype->desc.module_unload) - cttype->desc.module_unload(cttype, cmod); + if (!cttype->desc.module_unload(cttype, cmod)) + unload_ok = false; cttype->count -= range_size(cttype, &cmod->range); idr_remove(&cttype->mod_idr, mod_id); @@ -270,4 +273,6 @@ void codetag_unload_module(struct module *mod) up_write(&cttype->mod_lock); } mutex_unlock(&codetag_lock); + + return unload_ok; }
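Review bot: the meaning of the new bool return is undocumented in include/linux/codetag.h, both on the `module_unload` callback in struct codetag_type_desc and on `codetag_unload_module()`. A reader implementing a new code tag type cannot tell from the header that false means "tags from this module are still referenced, keep its data memory". A short comment above the callback member and the prototype stating what true and false mean, and that the !CONFIG_CODE_TAGGING stub returns true so memory is always freed, would make the contract explicit.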
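Review bot: the early return at the top of module_memory_free() in kernel/module/main.c leaks the module's core data memory for the rest of the system's uptime, and it does so silently. There is no comment explaining that the leak is deliberate (to keep code tags reachable for outstanding allocations) and no message telling the administrator which module left memory behind. Please add a comment on the `if (!unload_codetags && mod_mem_type_is_core_data(type))` check and consider a pr_warn from the caller, where the module name is available. Relatedly, the bare `true` passed in move_module() and module_deallocate() is hard to read at the call site; a brief comment that these are load-failure paths, where the data is always freed, would help.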
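Review bot: in the free_module() hunk the result of codetag_unload_module() is only stored and later forwarded to free_mod_mem(); mod_sysfs_teardown() and the rest of the teardown run regardless of its value. The subject line says the patch will "prevent module unloading if memory is not freed", but what the code does is unload the module and retain its data sections, which is what the commit message body describes. Please align the subject with the behaviour, and add a comment next to `unload_codetags = codetag_unload_module(mod);` saying that false means the data memory is intentionally kept.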
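Review bot: in the lib/codetag.c hunk, when `cttype->desc.module_unload()` returns false the loop still executes `cttype->count -= range_size(cttype, &cmod->range);` and `idr_remove(&cttype->mod_idr, mod_id);`. The tags are then still referenced by live allocations (which is why the data section is kept) but the module's range is no longer registered with the type. If that is intended, a comment saying so is needed here; if not, the bookkeeping should be skipped on failure. As a style point, the nested unbraced `if` is easy to misread; folding it into one condition, `if (cttype->desc.module_unload && !cttype->desc.module_unload(cttype, cmod))`, or adding braces, would be clearer.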