From: Suren Baghdasaryan <surenb@google.com>
To: akpm@linux-foundation.org
Cc: kent.overstreet@linux.dev, mhocko@suse.com, vbabka@suse.cz,
hannes@cmpxchg.org, roman.gushchin@linux.dev, mgorman@suse.de,
dave@stgolabs.net, willy@infradead.org, liam.howlett@oracle.com,
corbet@lwn.net, void@manifault.com, peterz@infradead.org,
juri.lelli@redhat.com, ldufour@linux.ibm.com,
catalin.marinas@arm.com, will@kernel.org, arnd@arndb.de,
tglx@linutronix.de, mingo@redhat.com,
dave.hansen@linux.intel.com, x86@kernel.org, peterx@redhat.com,
david@redhat.com, axboe@kernel.dk, mcgrof@kernel.org,
masahiroy@kernel.org, nathan@kernel.org, dennis@kernel.org,
tj@kernel.org, muchun.song@linux.dev, rppt@kernel.org,
paulmck@kernel.org, pasha.tatashin@soleen.com,
yosryahmed@google.com, yuzhao@google.com, dhowells@redhat.com,
hughd@google.com, andreyknvl@gmail.com, keescook@chromium.org,
ndesaulniers@google.com, vvvvvv@google.com,
gregkh@linuxfoundation.org, ebiggers@google.com,
ytcoode@gmail.com, vincent.guittot@linaro.org,
dietmar.eggemann@arm.com, rostedt@goodmis.org,
bsegall@google.com, bristot@redhat.com, vschneid@redhat.com,
cl@linux.com, penberg@kernel.org, iamjoonsoo.kim@lge.com,
42.hyeyoo@gmail.com, glider@google.com, elver@google.com,
dvyukov@google.com, shakeelb@google.com,
songmuchun@bytedance.com, jbaron@akamai.com,
rientjes@google.com, minchan@google.com, kaleshsingh@google.com,
surenb@google.com, kernel-team@android.com,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
iommu@lists.linux.dev, linux-arch@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linux-modules@vger.kernel.org, kasan-dev@googlegroups.com,
cgroups@vger.kernel.org
Subject: [PATCH v2 14/39] lib: prevent module unloading if memory is not freed
Date: Tue, 24 Oct 2023 06:46:11 -0700 [thread overview]
Message-ID: <20231024134637.3120277-15-surenb@google.com> (raw)
In-Reply-To: <20231024134637.3120277-1-surenb@google.com>
Skip freeing module's data section if there are non-zero allocation tags
because otherwise, once these allocations are freed, the access to their
code tag would cause UAF.
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
---
include/linux/codetag.h | 6 +++---
kernel/module/main.c | 23 +++++++++++++++--------
lib/codetag.c | 11 ++++++++---
3 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/include/linux/codetag.h b/include/linux/codetag.h
index 386733e89b31..d98e4c8e86f0 100644
--- a/include/linux/codetag.h
+++ b/include/linux/codetag.h
@@ -44,7 +44,7 @@ struct codetag_type_desc {
size_t tag_size;
void (*module_load)(struct codetag_type *cttype,
struct codetag_module *cmod);
- void (*module_unload)(struct codetag_type *cttype,
+ bool (*module_unload)(struct codetag_type *cttype,
struct codetag_module *cmod);
};
@@ -74,10 +74,10 @@ codetag_register_type(const struct codetag_type_desc *desc);
#ifdef CONFIG_CODE_TAGGING
void codetag_load_module(struct module *mod);
-void codetag_unload_module(struct module *mod);
+bool codetag_unload_module(struct module *mod);
#else
static inline void codetag_load_module(struct module *mod) {}
-static inline void codetag_unload_module(struct module *mod) {}
+static inline bool codetag_unload_module(struct module *mod) { return true; }
#endif
#endif /* _LINUX_CODETAG_H */
diff --git a/kernel/module/main.c b/kernel/module/main.c
index c0d3f562c7ab..079f40792ce8 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -1211,15 +1211,19 @@ static void *module_memory_alloc(unsigned int size, enum mod_mem_type type)
return module_alloc(size);
}
-static void module_memory_free(void *ptr, enum mod_mem_type type)
+static void module_memory_free(void *ptr, enum mod_mem_type type,
+ bool unload_codetags)
{
+ if (!unload_codetags && mod_mem_type_is_core_data(type))
+ return;
+
if (mod_mem_use_vmalloc(type))
vfree(ptr);
else
module_memfree(ptr);
}
-static void free_mod_mem(struct module *mod)
+static void free_mod_mem(struct module *mod, bool unload_codetags)
{
for_each_mod_mem_type(type) {
struct module_memory *mod_mem = &mod->mem[type];
@@ -1230,20 +1234,23 @@ static void free_mod_mem(struct module *mod)
/* Free lock-classes; relies on the preceding sync_rcu(). */
lockdep_free_key_range(mod_mem->base, mod_mem->size);
if (mod_mem->size)
- module_memory_free(mod_mem->base, type);
+ module_memory_free(mod_mem->base, type,
+ unload_codetags);
}
/* MOD_DATA hosts mod, so free it at last */
lockdep_free_key_range(mod->mem[MOD_DATA].base, mod->mem[MOD_DATA].size);
- module_memory_free(mod->mem[MOD_DATA].base, MOD_DATA);
+ module_memory_free(mod->mem[MOD_DATA].base, MOD_DATA, unload_codetags);
}
/* Free a module, remove from lists, etc. */
static void free_module(struct module *mod)
{
+ bool unload_codetags;
+
trace_module_free(mod);
- codetag_unload_module(mod);
+ unload_codetags = codetag_unload_module(mod);
mod_sysfs_teardown(mod);
/*
@@ -1285,7 +1292,7 @@ static void free_module(struct module *mod)
kfree(mod->args);
percpu_modfree(mod);
- free_mod_mem(mod);
+ free_mod_mem(mod, unload_codetags);
}
void *__symbol_get(const char *symbol)
@@ -2295,7 +2302,7 @@ static int move_module(struct module *mod, struct load_info *info)
return 0;
out_enomem:
for (t--; t >= 0; t--)
- module_memory_free(mod->mem[t].base, t);
+ module_memory_free(mod->mem[t].base, t, true);
return ret;
}
@@ -2425,7 +2432,7 @@ static void module_deallocate(struct module *mod, struct load_info *info)
percpu_modfree(mod);
module_arch_freeing_init(mod);
- free_mod_mem(mod);
+ free_mod_mem(mod, true);
}
int __weak module_finalize(const Elf_Ehdr *hdr,
diff --git a/lib/codetag.c b/lib/codetag.c
index 4ea57fb37346..0ad4ea66c769 100644
--- a/lib/codetag.c
+++ b/lib/codetag.c
@@ -5,6 +5,7 @@
#include <linux/module.h>
#include <linux/seq_buf.h>
#include <linux/slab.h>
+#include <linux/vmalloc.h>
struct codetag_type {
struct list_head link;
@@ -219,12 +220,13 @@ void codetag_load_module(struct module *mod)
mutex_unlock(&codetag_lock);
}
-void codetag_unload_module(struct module *mod)
+bool codetag_unload_module(struct module *mod)
{
struct codetag_type *cttype;
+ bool unload_ok = true;
if (!mod)
- return;
+ return true;
mutex_lock(&codetag_lock);
list_for_each_entry(cttype, &codetag_types, link) {
@@ -241,7 +243,8 @@ void codetag_unload_module(struct module *mod)
}
if (found) {
if (cttype->desc.module_unload)
- cttype->desc.module_unload(cttype, cmod);
+ if (!cttype->desc.module_unload(cttype, cmod))
+ unload_ok = false;
cttype->count -= range_size(cttype, &cmod->range);
idr_remove(&cttype->mod_idr, mod_id);
@@ -250,4 +253,6 @@ void codetag_unload_module(struct module *mod)
up_write(&cttype->mod_lock);
}
mutex_unlock(&codetag_lock);
+
+ return unload_ok;
}
--
2.42.0.758.gaed0368e0e-goog
next prev parent reply other threads:[~2023-10-24 13:47 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-24 13:45 [PATCH v2 00/39] Memory allocation profiling Suren Baghdasaryan
2023-10-24 13:45 ` [PATCH v2 01/39] lib/string_helpers: Add flags param to string_get_size() Suren Baghdasaryan
2023-10-24 13:45 ` [PATCH v2 02/39] scripts/kallysms: Always include __start and __stop symbols Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 03/39] fs: Convert alloc_inode_sb() to a macro Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 04/39] nodemask: Split out include/linux/nodemask_types.h Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 05/39] prandom: Remove unused include Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 06/39] mm: enumerate all gfp flags Suren Baghdasaryan
2023-10-25 5:46 ` Petr Tesařík
2023-10-25 15:28 ` Suren Baghdasaryan
2023-10-28 17:21 ` Petr Tesařík
2023-10-24 13:46 ` [PATCH v2 07/39] mm: introduce slabobj_ext to support slab object extensions Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 08/39] mm: introduce __GFP_NO_OBJ_EXT flag to selectively prevent slabobj_ext creation Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 09/39] mm/slab: introduce SLAB_NO_OBJ_EXT to avoid obj_ext creation Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 10/39] mm: prevent slabobj_ext allocations for slabobj_ext and kmem_cache objects Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 11/39] slab: objext: introduce objext_flags as extension to page_memcg_data_flags Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 12/39] lib: code tagging framework Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 13/39] lib: code tagging module support Suren Baghdasaryan
2023-10-24 13:46 ` Suren Baghdasaryan [this message]
2023-10-24 13:46 ` [PATCH v2 15/39] lib: add allocation tagging support for memory allocation profiling Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 16/39] lib: introduce support for page allocation tagging Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 17/39] change alloc_pages name in dma_map_ops to avoid name conflicts Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 18/39] change alloc_pages name in ivpu_bo_ops to avoid conflicts Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 19/39] mm: enable page allocation tagging Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 20/39] mm: create new codetag references during page splitting Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 21/39] mm/page_ext: enable early_page_ext when CONFIG_MEM_ALLOC_PROFILING_DEBUG=y Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 22/39] lib: add codetag reference into slabobj_ext Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 23/39] mm/slab: add allocation accounting into slab allocation and free paths Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 24/39] mm/slab: enable slab allocation tagging for kmalloc and friends Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 25/39] mm/slub: Mark slab_free_freelist_hook() __always_inline Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 26/39] mempool: Hook up to memory allocation profiling Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 27/39] xfs: Memory allocation profiling fixups Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 28/39] timekeeping: Fix a circular include dependency Suren Baghdasaryan
2023-10-25 17:33 ` Thomas Gleixner
2023-10-26 18:33 ` Suren Baghdasaryan
2023-10-26 23:05 ` Thomas Gleixner
2023-10-26 23:54 ` Kent Overstreet
2023-10-27 6:35 ` Arnd Bergmann
2023-10-27 15:28 ` Nick Desaulniers
2023-10-24 13:46 ` [PATCH v2 29/39] mm: percpu: Introduce pcpuobj_ext Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 30/39] mm: percpu: Add codetag reference into pcpuobj_ext Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 31/39] mm: percpu: enable per-cpu allocation tagging Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 32/39] arm64: Fix circular header dependency Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 33/39] mm: vmalloc: Enable memory allocation profiling Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 34/39] rhashtable: Plumb through alloc tag Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 35/39] lib: add memory allocations report in show_mem() Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 36/39] codetag: debug: skip objext checking when it's for objext itself Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 37/39] codetag: debug: mark codetags for reserved pages as empty Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 38/39] codetag: debug: introduce OBJEXTS_ALLOC_FAIL to mark failed slab_ext allocations Suren Baghdasaryan
2023-10-24 13:46 ` [PATCH v2 39/39] MAINTAINERS: Add entries for code tagging and memory allocation profiling Suren Baghdasaryan
2023-10-24 18:29 ` [PATCH v2 00/39] Memory " Roman Gushchin
2023-10-24 18:38 ` Suren Baghdasaryan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231024134637.3120277-15-surenb@google.com \
--to=surenb@google.com \
--cc=42.hyeyoo@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@gmail.com \
--cc=arnd@arndb.de \
--cc=axboe@kernel.dk \
--cc=bristot@redhat.com \
--cc=bsegall@google.com \
--cc=catalin.marinas@arm.com \
--cc=cgroups@vger.kernel.org \
--cc=cl@linux.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=dave@stgolabs.net \
--cc=david@redhat.com \
--cc=dennis@kernel.org \
--cc=dhowells@redhat.com \
--cc=dietmar.eggemann@arm.com \
--cc=dvyukov@google.com \
--cc=ebiggers@google.com \
--cc=elver@google.com \
--cc=glider@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=hannes@cmpxchg.org \
--cc=hughd@google.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=iommu@lists.linux.dev \
--cc=jbaron@akamai.com \
--cc=juri.lelli@redhat.com \
--cc=kaleshsingh@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=keescook@chromium.org \
--cc=kent.overstreet@linux.dev \
--cc=kernel-team@android.com \
--cc=ldufour@linux.ibm.com \
--cc=liam.howlett@oracle.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-modules@vger.kernel.org \
--cc=masahiroy@kernel.org \
--cc=mcgrof@kernel.org \
--cc=mgorman@suse.de \
--cc=mhocko@suse.com \
--cc=minchan@google.com \
--cc=mingo@redhat.com \
--cc=muchun.song@linux.dev \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=pasha.tatashin@soleen.com \
--cc=paulmck@kernel.org \
--cc=penberg@kernel.org \
--cc=peterx@redhat.com \
--cc=peterz@infradead.org \
--cc=rientjes@google.com \
--cc=roman.gushchin@linux.dev \
--cc=rostedt@goodmis.org \
--cc=rppt@kernel.org \
--cc=shakeelb@google.com \
--cc=songmuchun@bytedance.com \
--cc=tglx@linutronix.de \
--cc=tj@kernel.org \
--cc=vbabka@suse.cz \
--cc=vincent.guittot@linaro.org \
--cc=void@manifault.com \
--cc=vschneid@redhat.com \
--cc=vvvvvv@google.com \
--cc=will@kernel.org \
--cc=willy@infradead.org \
--cc=x86@kernel.org \
--cc=yosryahmed@google.com \
--cc=ytcoode@gmail.com \
--cc=yuzhao@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).