From patchwork Sat Nov 9 10:35:35 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christophe Leroy X-Patchwork-Id: 13869408 Received: from pegase2.c-s.fr (pegase2.c-s.fr [93.17.235.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D12E7233D73; Sat, 9 Nov 2024 10:35:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=93.17.235.10 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731148550; cv=none; b=J1YmbheClnNePbDTDrHaKyR8k7cL3U2RobXqM69qjHvghJaoAyNWEbSag8fMhwWJIeVXshZCuVdeCqTdtRXLI16kdWyrAc7F+dsS/LGNopIqP6ZmN7SpS6YxDvRvRfxmO1svsFLXfBz651lYIhJQzXca5vSa1Ck8xFY2eZz0/XE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731148550; c=relaxed/simple; bh=gXKRqLxxXBjIVDR5cFoLFoTIx1e73ApAKBiFehUXKEY=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=iLimqsHZgmvW2qkA4Qd+j79sKdeoch247JK3US3Lc8ULlCgT00t1YywkNwzK8M4dnmjCdvvEDVFXo5m8uHI6zzzYKfy92g/oSYWF32J7VgWjWzlKTrBhcpeylrF1sLMYqvbvgfKu3DbTHX18Q+UOBJqdVWCsEnHDrL2IKk7UAsw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=csgroup.eu; spf=pass smtp.mailfrom=csgroup.eu; arc=none smtp.client-ip=93.17.235.10 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=csgroup.eu Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=csgroup.eu Received: from localhost (mailhub3.si.c-s.fr [172.26.127.67]) by localhost (Postfix) with ESMTP id 4XlsfB72XKz9sSL; Sat, 9 Nov 2024 11:35:46 +0100 (CET) X-Virus-Scanned: amavisd-new at c-s.fr Received: from pegase2.c-s.fr ([172.26.127.65]) by localhost (pegase2.c-s.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P7nDHsmj9Vh6; Sat, 9 Nov 2024 11:35:46 +0100 (CET) Received: from messagerie.si.c-s.fr (messagerie.si.c-s.fr [192.168.25.192]) by pegase2.c-s.fr (Postfix) with ESMTP id 4XlsfB5zkXz9sSK; Sat, 9 Nov 2024 11:35:46 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by messagerie.si.c-s.fr (Postfix) with ESMTP id B68828B766; Sat, 9 Nov 2024 11:35:46 +0100 (CET) X-Virus-Scanned: amavisd-new at c-s.fr Received: from messagerie.si.c-s.fr ([127.0.0.1]) by localhost (messagerie.si.c-s.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id IdWHeTbrwF2J; Sat, 9 Nov 2024 11:35:46 +0100 (CET) Received: from PO20335.idsi0.si.c-s.fr (unknown [192.168.233.57]) by messagerie.si.c-s.fr (Postfix) with ESMTP id 3A7228B764; Sat, 9 Nov 2024 11:35:46 +0100 (CET) From: Christophe Leroy To: Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Kees Cook , linux-modules@vger.kernel.org Cc: Christophe Leroy , linux-kernel@vger.kernel.org, Thomas Gleixner Subject: [RFC PATCH 1/3] module: Split module_enable_rodata_ro() Date: Sat, 9 Nov 2024 11:35:35 +0100 Message-ID: <737f952790c96a09ad5e51689918b97ef9b29174.1731148254.git.christophe.leroy@csgroup.eu> X-Mailer: git-send-email 2.44.0 Precedence: bulk X-Mailing-List: linux-modules@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=ed25519-sha256; t=1731148536; l=3205; i=christophe.leroy@csgroup.eu; s=20211009; h=from:subject:message-id; bh=gXKRqLxxXBjIVDR5cFoLFoTIx1e73ApAKBiFehUXKEY=; b=uC3i/uZ9IPjgOa/m6rtFw0nMPbk6QyKHcwM5C6gHY/Q4NS8hSeUheJ4GO+ATsqX+qqO0bv3no 6y/eq2Xl1neD7jHbFzWLuTw8qWQa3yyvn+A+WtL9dL4FIvx6tTH3bjg X-Developer-Key: i=christophe.leroy@csgroup.eu; a=ed25519; pk=HIzTzUj91asvincQGOFx6+ZF5AoUuP9GdOtQChs7Mm0= module_enable_rodata_ro() is called twice, once before module init to set rodata sections readonly and once after module init to set rodata_after_init section readonly. The second time, only the rodata_after_init section needs to be set to read-only, no need to re-apply it to already set rodata. Split module_enable_rodata_ro() in two. Signed-off-by: Christophe Leroy Tested-by: Daniel Gomez --- kernel/module/internal.h | 3 ++- kernel/module/main.c | 4 ++-- kernel/module/strict_rwx.c | 13 +++++++++---- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/kernel/module/internal.h b/kernel/module/internal.h index 2ebece8a789f..994f35a779dc 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -322,7 +322,8 @@ static inline struct module *mod_find(unsigned long addr, struct mod_tree_root * } #endif /* CONFIG_MODULES_TREE_LOOKUP */ -int module_enable_rodata_ro(const struct module *mod, bool after_init); +int module_enable_rodata_ro(const struct module *mod); +int module_enable_rodata_ro_after_init(const struct module *mod); int module_enable_data_nx(const struct module *mod); int module_enable_text_rox(const struct module *mod); int module_enforce_rwx_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs, diff --git a/kernel/module/main.c b/kernel/module/main.c index 49b9bca9de12..2de4ad7af335 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -2581,7 +2581,7 @@ static noinline int do_init_module(struct module *mod) /* Switch to core kallsyms now init is done: kallsyms may be walking! */ rcu_assign_pointer(mod->kallsyms, &mod->core_kallsyms); #endif - ret = module_enable_rodata_ro(mod, true); + ret = module_enable_rodata_ro_after_init(mod); if (ret) goto fail_mutex_unlock; mod_tree_remove_init(mod); @@ -2751,7 +2751,7 @@ static int complete_formation(struct module *mod, struct load_info *info) module_bug_finalize(info->hdr, info->sechdrs, mod); module_cfi_finalize(info->hdr, info->sechdrs, mod); - err = module_enable_rodata_ro(mod, false); + err = module_enable_rodata_ro(mod); if (err) goto out_strict_rwx; err = module_enable_data_nx(mod); diff --git a/kernel/module/strict_rwx.c b/kernel/module/strict_rwx.c index c45caa4690e5..f68c59974ae2 100644 --- a/kernel/module/strict_rwx.c +++ b/kernel/module/strict_rwx.c @@ -44,7 +44,7 @@ int module_enable_text_rox(const struct module *mod) return 0; } -int module_enable_rodata_ro(const struct module *mod, bool after_init) +int module_enable_rodata_ro(const struct module *mod) { int ret; @@ -58,12 +58,17 @@ int module_enable_rodata_ro(const struct module *mod, bool after_init) if (ret) return ret; - if (after_init) - return module_set_memory(mod, MOD_RO_AFTER_INIT, set_memory_ro); - return 0; } +int module_enable_rodata_ro_after_init(const struct module *mod) +{ + if (!IS_ENABLED(CONFIG_STRICT_MODULE_RWX) || !rodata_enabled) + return 0; + + return module_set_memory(mod, MOD_RO_AFTER_INIT, set_memory_ro); +} + int module_enable_data_nx(const struct module *mod) { if (!IS_ENABLED(CONFIG_STRICT_MODULE_RWX)) From patchwork Sat Nov 9 10:35:36 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christophe Leroy X-Patchwork-Id: 13869409 Received: from pegase2.c-s.fr (pegase2.c-s.fr [93.17.235.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D197F154C0D; Sat, 9 Nov 2024 10:35:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=93.17.235.10 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731148554; cv=none; b=WqXMBTcEb/rLS2JVm9ZewMKSk7OsyhMOBlBxj6aH7C627tAHDA0URrroDVgG7n4zC9/55KB4ECthOlfF9fLSQa606C9qPvrLiTb19lXualdeaO9LgdMGSdefIDXKqroD2o7Rp9cOOXla+N36QHuAUgviw0/vMCm48CAfgNSFL0E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731148554; c=relaxed/simple; bh=3RCZrcxbVk116xCD7F1o7CSTHwR93C3nC4/XjarUaFk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=KL+j22kvkLmzlRD36uQSdrToETExo4r+IyS5Dgr091ad45UYX0LTZF9K+SM2u8bcMhjvIi/Qn2Ezuo+SzMaCbL/OI2E7NfUm+ef4B5Aa3lxm3dYU6j4I88Qa6ZX8nsZ1XECVO+9ONhjYNMI3qhVP+IjoJkI7q7HaAsr9rOvl0yA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=csgroup.eu; spf=pass smtp.mailfrom=csgroup.eu; arc=none smtp.client-ip=93.17.235.10 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=csgroup.eu Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=csgroup.eu Received: from localhost (mailhub3.si.c-s.fr [172.26.127.67]) by localhost (Postfix) with ESMTP id 4XlsfF0BFhz9sSR; Sat, 9 Nov 2024 11:35:49 +0100 (CET) X-Virus-Scanned: amavisd-new at c-s.fr Received: from pegase2.c-s.fr ([172.26.127.65]) by localhost (pegase2.c-s.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t7KqNFX0DRXu; Sat, 9 Nov 2024 11:35:48 +0100 (CET) Received: from messagerie.si.c-s.fr (messagerie.si.c-s.fr [192.168.25.192]) by pegase2.c-s.fr (Postfix) with ESMTP id 4XlsfC1tlhz9sSK; Sat, 9 Nov 2024 11:35:47 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by messagerie.si.c-s.fr (Postfix) with ESMTP id 30B538B764; Sat, 9 Nov 2024 11:35:47 +0100 (CET) X-Virus-Scanned: amavisd-new at c-s.fr Received: from messagerie.si.c-s.fr ([127.0.0.1]) by localhost (messagerie.si.c-s.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id DaEZiiZcoRNw; Sat, 9 Nov 2024 11:35:47 +0100 (CET) Received: from PO20335.idsi0.si.c-s.fr (unknown [192.168.233.57]) by messagerie.si.c-s.fr (Postfix) with ESMTP id AC90B8B765; Sat, 9 Nov 2024 11:35:46 +0100 (CET) From: Christophe Leroy To: Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Kees Cook , linux-modules@vger.kernel.org Cc: Christophe Leroy , linux-kernel@vger.kernel.org, Thomas Gleixner Subject: [RFC PATCH 2/3] module: Don't fail module loading when setting ro_after_init section RO failed Date: Sat, 9 Nov 2024 11:35:36 +0100 Message-ID: <164e5f22f8ab59d1d516e3c992efdd9f83ab4819.1731148254.git.christophe.leroy@csgroup.eu> X-Mailer: git-send-email 2.44.0 In-Reply-To: <737f952790c96a09ad5e51689918b97ef9b29174.1731148254.git.christophe.leroy@csgroup.eu> References: <737f952790c96a09ad5e51689918b97ef9b29174.1731148254.git.christophe.leroy@csgroup.eu> Precedence: bulk X-Mailing-List: linux-modules@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=ed25519-sha256; t=1731148536; l=1312; i=christophe.leroy@csgroup.eu; s=20211009; h=from:subject:message-id; bh=3RCZrcxbVk116xCD7F1o7CSTHwR93C3nC4/XjarUaFk=; b=CBznfeRNltA2yb8Bahk2GTwJQHnBn6SjdjB6sFHq3Gb1iTFkpLtIaRyrWhUZYWitpivNzaUp/ t0O+UJ5yD9NCCT+hhwmRqkI+CJg7q4mLwnXalOD2DM8i0baOCONQ97k X-Developer-Key: i=christophe.leroy@csgroup.eu; a=ed25519; pk=HIzTzUj91asvincQGOFx6+ZF5AoUuP9GdOtQChs7Mm0= Once module init has succeded it is too late to cancel loading. If setting ro_after_init data section to read-only fails, all we can do is to inform the user through a warning. Reported-by: Thomas Gleixner Closes: https://lore.kernel.org/all/20230915082126.4187913-1-ruanjinjie@huawei.com/ Fixes: d1909c022173 ("module: Don't ignore errors from set_memory_XX()") Signed-off-by: Christophe Leroy --- kernel/module/main.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/module/main.c b/kernel/module/main.c index 2de4ad7af335..1bf4b0db291b 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -2583,7 +2583,9 @@ static noinline int do_init_module(struct module *mod) #endif ret = module_enable_rodata_ro_after_init(mod); if (ret) - goto fail_mutex_unlock; + pr_warn("%s: %s() returned %d, ro_after_init data might still be writable\n", + mod->name, __func__, ret); + mod_tree_remove_init(mod); module_arch_freeing_init(mod); for_class_mod_mem_type(type, init) { @@ -2622,8 +2624,6 @@ static noinline int do_init_module(struct module *mod) return 0; -fail_mutex_unlock: - mutex_unlock(&module_mutex); fail_free_freeinit: kfree(freeinit); fail: From patchwork Sat Nov 9 10:35:37 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christophe Leroy X-Patchwork-Id: 13869410 Received: from pegase2.c-s.fr (pegase2.c-s.fr [93.17.235.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 97CD04EB38; Sat, 9 Nov 2024 10:35:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=93.17.235.10 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731148559; cv=none; b=NdsEGVSK2C5U5GO45Az8dWNtX+YnYakDBfZFDSbjJjFK3Crs/IEeAiKTJ3i/xrmRcrnNipwMC3gW1RuIggXqLPvv+KteURjUdm9SZaRs5CkyOMwy3L8gvSmwsECpbaNVACeFbJglBu7CiBS7M9rOAIh/oQbxZ/mB2DJ8n2uwQR4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731148559; c=relaxed/simple; bh=+0JA3VREL+CP75q52bwUhSocLz0H9J80XdmFDi/uuF8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=FHqYF3oGzHHPfB2hraWqes/FU6bGjkPrYFXWhUias+7JyEMyddZcuEIagq+PETkZQaOOXjywP4NDSG57z281Qo+CYANB10C0Dr6BHjHKuzSln+LXyK+FCQWgLeoLpSmp8IEma1Eno8T0w1IJlGNUrGds+M84KhmpCoyXpBzc1LM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=csgroup.eu; spf=pass smtp.mailfrom=csgroup.eu; arc=none smtp.client-ip=93.17.235.10 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=csgroup.eu Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=csgroup.eu Received: from localhost (mailhub3.si.c-s.fr [172.26.127.67]) by localhost (Postfix) with ESMTP id 4XlsfG4FvVz9sSK; Sat, 9 Nov 2024 11:35:50 +0100 (CET) X-Virus-Scanned: amavisd-new at c-s.fr Received: from pegase2.c-s.fr ([172.26.127.65]) by localhost (pegase2.c-s.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lmPlaWsk7gR4; Sat, 9 Nov 2024 11:35:50 +0100 (CET) Received: from messagerie.si.c-s.fr (messagerie.si.c-s.fr [192.168.25.192]) by pegase2.c-s.fr (Postfix) with ESMTP id 4XlsfC5CByz9sSN; Sat, 9 Nov 2024 11:35:47 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by messagerie.si.c-s.fr (Postfix) with ESMTP id A0E958B764; Sat, 9 Nov 2024 11:35:47 +0100 (CET) X-Virus-Scanned: amavisd-new at c-s.fr Received: from messagerie.si.c-s.fr ([127.0.0.1]) by localhost (messagerie.si.c-s.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id qn5FBAAisxfx; Sat, 9 Nov 2024 11:35:47 +0100 (CET) Received: from PO20335.idsi0.si.c-s.fr (unknown [192.168.233.57]) by messagerie.si.c-s.fr (Postfix) with ESMTP id 3202A8B766; Sat, 9 Nov 2024 11:35:47 +0100 (CET) From: Christophe Leroy To: Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Kees Cook , linux-modules@vger.kernel.org Cc: Christophe Leroy , linux-kernel@vger.kernel.org, Thomas Gleixner Subject: [RFC PATCH 3/3] module: pre-test setting ro_after_init data read-only Date: Sat, 9 Nov 2024 11:35:37 +0100 Message-ID: X-Mailer: git-send-email 2.44.0 In-Reply-To: <737f952790c96a09ad5e51689918b97ef9b29174.1731148254.git.christophe.leroy@csgroup.eu> References: <737f952790c96a09ad5e51689918b97ef9b29174.1731148254.git.christophe.leroy@csgroup.eu> Precedence: bulk X-Mailing-List: linux-modules@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=ed25519-sha256; t=1731148536; l=1703; i=christophe.leroy@csgroup.eu; s=20211009; h=from:subject:message-id; bh=+0JA3VREL+CP75q52bwUhSocLz0H9J80XdmFDi/uuF8=; b=rA59hj9bUGX0f12Cvp96RyTYI3g4ko1UQG50/59qdgEAWjDifJH3wf0QdI6jQrbbEt45+GTk9 IuVbBTm+60CCw29mxZviRiHVSWDKw0IwTiLlOywwwfVZGFP+TbW0wLe X-Developer-Key: i=christophe.leroy@csgroup.eu; a=ed25519; pk=HIzTzUj91asvincQGOFx6+ZF5AoUuP9GdOtQChs7Mm0= To be on the safe side, try to set ro_after_init data section readonly at the same time as rodata. If it fails it will likely fail again later so let's cancel module loading while we still can do it. If it doesn't fail, put it back to read-only, continue module loading and cross fingers so that it still works after module init. Then it should in principle never fail so add a WARN_ON_ONCE() to get a big fat warning in case it happens anyway. Signed-off-by: Christophe Leroy --- kernel/module/main.c | 2 +- kernel/module/strict_rwx.c | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/kernel/module/main.c b/kernel/module/main.c index 1bf4b0db291b..b603c9647e73 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -2582,7 +2582,7 @@ static noinline int do_init_module(struct module *mod) rcu_assign_pointer(mod->kallsyms, &mod->core_kallsyms); #endif ret = module_enable_rodata_ro_after_init(mod); - if (ret) + if (WARN_ON_ONCE(ret)) pr_warn("%s: %s() returned %d, ro_after_init data might still be writable\n", mod->name, __func__, ret); diff --git a/kernel/module/strict_rwx.c b/kernel/module/strict_rwx.c index f68c59974ae2..329afd43f06b 100644 --- a/kernel/module/strict_rwx.c +++ b/kernel/module/strict_rwx.c @@ -58,7 +58,10 @@ int module_enable_rodata_ro(const struct module *mod) if (ret) return ret; - return 0; + ret = module_set_memory(mod, MOD_RO_AFTER_INIT, set_memory_ro); + if (ret) + return ret; + return module_set_memory(mod, MOD_RO_AFTER_INIT, set_memory_rw); } int module_enable_rodata_ro_after_init(const struct module *mod)