From patchwork Wed Sep 20 22:31:41 2017
X-Patchwork-Submitter: Konrad Rzeszutek Wilk
X-Patchwork-Id: 9962713
From: Konrad Rzeszutek Wilk
To: xen-devel@lists.xenproject.org, ross.lagerwall@citrix.com, konrad.wilk@oracle.com, julien.grall@arm.com, sstabellini@kernel.org
Date: Wed, 20 Sep 2017 18:31:41 -0400
Message-Id: <20170920223148.13137-5-konrad.wilk@oracle.com>
In-Reply-To: <20170920223148.13137-1-konrad.wilk@oracle.com>
References: <20170920223148.13137-1-konrad.wilk@oracle.com>
Cc: Wei Liu, George Dunlap, andrew.cooper3@citrix.com, Ian Jackson, Tim Deegan, jbeulich@suse.com
Subject: [Xen-devel] [PATCH v4 04/11] livepatch/arm[32, 64]: Don't load and crash on livepatches loaded with wrong text alignment.

The ARM 32&64 ELF specification says "sections containing ARM code must be at least 32-bit aligned." This patch adds the check for that.

We also make sure that this check is done when doing relocations for the types that are considered ARM code. However we don't have to check for all as we only implement a small subset of them - as such we only check for data types that are implemented - and if the type is anything else and not aligned to 32-bit, then we error out.
Signed-off-by: Konrad Rzeszutek Wilk
---
Cc: Ross Lagerwall
Cc: Andrew Cooper
Cc: George Dunlap
Cc: Ian Jackson
Cc: Jan Beulich
Cc: Stefano Stabellini
Cc: Tim Deegan
Cc: Wei Liu

v1: First posting.
v2: Redo the commit to include the commits which fix the alignment issues.
    Also mention the need in the docs
v3: Change the docs to explicitly mention text code section alignment requirements.
    Invert arch_livepatch_verify_alignment return value (true for alignment is ok).
    Drop the alignment check in check_special_sections.
    Make the alignment check in check_section only for executable sections.
    Rewrote the commit message as it is not applicable to v2 of the patch anymore.
v4: Also do the check on ARM64
    Put () around the section check
    Use vaddr_t instead of uint32_t as that won't work on ARM64.
---
 docs/misc/livepatch.markdown   |  2 ++
 xen/arch/arm/arm32/livepatch.c | 13 +++++++++++--
 xen/arch/arm/livepatch.c       |  9 +++++++++
 xen/arch/x86/livepatch.c       |  6 ++++++
 xen/common/livepatch.c         |  7 +++++++
 xen/include/xen/livepatch.h    |  1 +
 6 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/docs/misc/livepatch.markdown b/docs/misc/livepatch.markdown index 54a6b850cb..59f89aa292 100644 --- a/docs/misc/livepatch.markdown +++ b/docs/misc/livepatch.markdown @@ -279,6 +279,8 @@ It may also have some architecture-specific sections. For example: * Exception tables. * Relocations for each of these sections. +Note that on ARM 32 & 64 the sections containing code MUST be four byte aligned. + The Xen Live Patch core code loads the payload as a standard ELF binary, relocates it and handles the architecture-specifc sections as needed. This process is much like what the Linux kernel module loader does. diff --git a/xen/arch/arm/arm32/livepatch.c b/xen/arch/arm/arm32/livepatch.c index 41378a54ae..4fcbb59be5 100644 --- a/xen/arch/arm/arm32/livepatch.c +++ b/xen/arch/arm/arm32/livepatch.c
@@ -233,7 +233,7 @@ int arch_livepatch_perform(struct livepatch_elf *elf, uint32_t val; void *dest; unsigned char type; - s32 addend; + s32 addend = 0; if ( use_rela ) { @@ -251,7 +251,6 @@ int arch_livepatch_perform(struct livepatch_elf *elf, symndx = ELF32_R_SYM(r->r_info); type = ELF32_R_TYPE(r->r_info); dest = base->load_addr + r->r_offset; /* P */ - addend = get_addend(type, dest); } if ( symndx == STN_UNDEF ) @@ -272,6 +271,16 @@ int arch_livepatch_perform(struct livepatch_elf *elf, elf->name, symndx); return -EINVAL; } + else if ( (type != R_ARM_ABS32 && type != R_ARM_REL32) /* Only check code. */ && + ((uint32_t)dest % sizeof(uint32_t)) ) + { + dprintk(XENLOG_ERR, LIVEPATCH "%s: dest=%p (%s) is not aligned properly!\n", + elf->name, dest, base->name); + return -EINVAL; + } + + if ( !use_rela ) + addend = get_addend(type, dest); val = elf->sym[symndx].sym->st_value; /* S */ diff --git a/xen/arch/arm/livepatch.c b/xen/arch/arm/livepatch.c index 3e53524365..76723f1f1a 100644 --- a/xen/arch/arm/livepatch.c +++ b/xen/arch/arm/livepatch.c @@ -135,6 +135,15 @@ bool arch_livepatch_symbol_ok(const struct livepatch_elf *elf, return true; } +bool arch_livepatch_verify_alignment(const struct livepatch_elf_sec *sec) +{ + if ( (sec->sec->sh_flags & SHF_EXECINSTR) && + ((vaddr_t)sec->load_addr % sizeof(uint32_t)) ) + return false; + + return true; +}; + int arch_livepatch_secure(const void *va, unsigned int pages, enum va_type type) { unsigned long start = (unsigned long)va; diff --git a/xen/arch/x86/livepatch.c b/xen/arch/x86/livepatch.c index 406eb910cc..48d20fdacd 100644 --- a/xen/arch/x86/livepatch.c +++ b/xen/arch/x86/livepatch.c 
@@ -148,6 +148,12 @@ bool arch_livepatch_symbol_deny(const struct livepatch_elf *elf, return false; } +bool arch_livepatch_verify_alignment(const struct livepatch_elf_sec *sec) +{ + /* Unaligned access on x86 is fine. */ + return true; +} + int arch_livepatch_perform_rel(struct livepatch_elf *elf, const struct livepatch_elf_sec *base, const struct livepatch_elf_sec *rela) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index b9376c94e9..f736c3a7ea 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -473,6 +473,13 @@ static bool section_ok(const struct livepatch_elf *elf, return false; } + if ( !arch_livepatch_verify_alignment(sec) ) + { + dprintk(XENLOG_ERR, LIVEPATCH "%s: %s text section is not aligned properly!\n", + elf->name, sec->name); + return false; + } + return true; } diff --git a/xen/include/xen/livepatch.h b/xen/include/xen/livepatch.h index 98ec01216b..e9bab87f28 100644 --- a/xen/include/xen/livepatch.h +++ b/xen/include/xen/livepatch.h @@ -76,6 +76,7 @@ void arch_livepatch_init(void); #include int arch_livepatch_verify_func(const struct livepatch_func *func); +bool arch_livepatch_verify_alignment(const struct livepatch_elf_sec *sec); static inline unsigned int livepatch_insn_len(const struct livepatch_func *func) {
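Review bot: the new sentence in the docs/misc/livepatch.markdown hunk states the requirement but not the consequence; since the code now makes section_ok() fail and the arm32 relocation loop return -EINVAL, suggest saying so, e.g. "MUST be four-byte aligned, otherwise the payload is rejected at load time." "four byte aligned" also reads better hyphenated as "four-byte aligned".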
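Review bot: `s32 addend = 0;` in the @@ -233 hunk of xen/arch/arm/arm32/livepatch.c is only needed because the REL-path assignment moves below the new alignment check later in the function; a short comment saying the REL path fills it in after validation would stop a reader from wondering whether a zero addend can ever be applied.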
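Review bot: in the @@ -272 hunk of xen/arch/arm/arm32/livepatch.c the `else if` follows a block that unconditionally does `return -EINVAL;`, so a plain `if` reads clearer, and the `/* Only check code. */` comment embedded inside the condition splits the expression; move it onto its own line above the `if`. More importantly, R_ARM_ABS32 and R_ARM_REL32 are excluded from the check yet `addend = get_addend(type, dest);` still runs for them when `!use_rela`, so whether an unaligned `dest` is safe there depends on get_addend(), which is not in this diff; a comment or an explicit handling of those types would make the intent auditable. Finally, this file casts with `(uint32_t)dest` while xen/arch/arm/livepatch.c uses `(vaddr_t)`; use vaddr_t here too for consistency with the v4 changelog.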
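Review bot: stray `;` after the closing brace of arch_livepatch_verify_alignment() in the xen/arch/arm/livepatch.c hunk (`+};`); drop it. The SHF_EXECINSTR filter matches the v3 changelog entry (executable sections only), but since the test is on `sec->load_addr` alone, a comment noting that load_addr is the value that matters for instruction fetch would document why the ELF header's own alignment field is not consulted here.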
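Review bot: the message in the xen/common/livepatch.c hunk says "%s text section is not aligned properly!", but section_ok() calls the hook for every section and only the ARM implementation restricts itself to SHF_EXECINSTR; either say "section" so the message stays accurate for whatever an arch hook rejects, or document on the hook that it must only fail for executable sections.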
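Review bot: the new prototype in the xen/include/xen/livepatch.h hunk carries no comment describing its contract; since v3 inverted the return value (true means the alignment is acceptable), a one-line comment on `bool arch_livepatch_verify_alignment(const struct livepatch_elf_sec *sec);` would prevent the polarity confusion the changelog mentions.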