Re: [PATCH] lkdtm: support llvm-objcopy

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Kees Cook <keescook@chromium.org>
To: Nick Desaulniers <ndesaulniers@google.com>
Cc: Nathan Chancellor <natechancellor@gmail.com>,
	clang-built-linux <clang-built-linux@googlegroups.com>,
	Nathan Chancellor <nathanchance@gmail.com>,
	Jordan Rupprect <rupprecht@google.com>,
	Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] lkdtm: support llvm-objcopy
Date: Tue, 14 May 2019 11:10:57 -0700	[thread overview]
Message-ID: <201905141041.C38DA1B305@keescook> (raw)
In-Reply-To: <CAKwvOd=W9nm04zvRQ3iu=AGHnitongZ7VQ9S32U9hBZKwNyeMw@mail.gmail.com>

On Mon, May 13, 2019 at 04:50:05PM -0700, Nick Desaulniers wrote:
> On Mon, May 13, 2019 at 4:29 PM Nathan Chancellor
> <natechancellor@gmail.com> wrote:
> >
> > On Mon, May 13, 2019 at 03:21:09PM -0700, 'Nick Desaulniers' via Clang Built Linux wrote:
> > > With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors:
> > > llvm-objcopy: error: --set-section-flags=.text conflicts with
> > > --rename-section=.text=.rodata
> > >
> > > Rather than support setting flags then renaming sections vs renaming
> > > then setting flags, it's simpler to just change both at the same time
> > > via --rename-section.
> > >
> > > This can be verified with:
> > > $ readelf -S drivers/misc/lkdtm/rodata_objcopy.o
> > > ...
> > > Section Headers:
> > >   [Nr] Name              Type             Address           Offset
> > >        Size              EntSize          Flags  Link  Info  Align
> > > ...
> > >   [ 1] .rodata           PROGBITS         0000000000000000  00000040
> > >        0000000000000004  0000000000000000   A       0     0     4
> > > ...
> > >
> > > Which shows in the Flags field that .text is now renamed .rodata, the
> > > append flag A is set, and the section is not flagged as writeable W.
> > >
> > > Link: https://github.com/ClangBuiltLinux/linux/issues/448
> > > Reported-by: Nathan Chancellor <nathanchance@gmail.com>
> >
> > This should be natechancellor@gmail.com (although I think I do own that
> > email, just haven't been into it for 10+ years...)
> 
> Sorry, I should have looked it up.  I'll just fix this, my earlier
> mistake, and collect Kees's reviewed by tag in a v2 sent directly to
> GKH.

Sounds good.

> > I ran this script to see if there was any change for GNU objcopy and it
> > looks like .rodata's type gets changed, is this intentional? Otherwise,
> > this works for llvm-objcopy like you show.
> >
> > -----------
> >
> > 1c1
> > < There are 11 section headers, starting at offset 0x240:
> > ---
> > > There are 11 section headers, starting at offset 0x230:
> > 8c8
> > <   [ 1] .rodata           PROGBITS         0000000000000000  00000040
> > ---
> > >   [ 1] .rodata           NOBITS           0000000000000000  00000040
> > 10c10

Oh, very good catch; thank you!

> 
> Interesting find.  the .rodata of vmlinux itself is marked PROGBITS,
> so its curious that GNU binutils changes the "Type" after the rename.
> I doubt the code in question relies on NOBITS for this section.  Kees,
> can you clarify?  Jordan, do you know what the differences are between
> PROGBITS vs NOBITS?
> https://people.redhat.com/mpolacek/src/devconf2012.pdf seems to
> suggest NOBITS zero initializes data but I'm not sure that's what this
> code wants.

Yes, the linker treats this as a zeroed section. My testing only checked that the NX protection check kicked, but in looking at the memory, the failure mode wouldn't have returned, because it got zeroed instead of seeing a "ret":

Before the patch (with a two-byte target dump added):

	lkdtm: attempting bad execution at ffffffff986db2b0
	lkdtm: f3 c3

After the patch:

	lkdtm: attempting bad execution at ffffffff986db2b0
	lkdtm: 00 00

So, yes, this breaks the fall-back case and should not be used. It seems
that objcopy BFD breaks the PROGBITS in this case, but llvm-objcopy
does not...

$ objcopy --set-section-flags .text=alloc,readonly --rename-section .text=.rodata rodata.o rodata_objcopy.o
$ readelf -S rodata_objcopy.o | grep -A1 \.rodata
  [ 1] .rodata           PROGBITS         0000000000000000  00000040
       0000000000000002  0000000000000000   A       0     0     16

$ objcopy --rename-section .text=.rodata,alloc,readonly rodata.o rodata_objcopy.o
$ readelf -S rodata_objcopy.o | grep -A1 \.rodata
  [ 1] .rodata           NOBITS           0000000000000000  00000040
       0000000000000002  0000000000000000   A       0     0     16

$ llvm-objcopy --rename-section .text=.rodata,alloc,readonly rodata.o rodata_objcopy-llvm.o
$ readelf -S rodata_objcopy-llvm.o | grep -A1 \.rodata
  [ 1] .rodata           PROGBITS         0000000000000000  00000040
       0000000000000002  0000000000000000   A       0     0     16


llvm-objcopy doesn't like doing both arguments at the same time,
and BFD gets it wrong when using the appended flags. How about just a
two-stage copy, like this?

diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
index 951c984de61a..715832c844c8 100644
--- a/drivers/misc/lkdtm/Makefile
+++ b/drivers/misc/lkdtm/Makefile
@@ -14,9 +14,12 @@ KASAN_SANITIZE_stackleak.o	:= n
 KCOV_INSTRUMENT_rodata.o	:= n
 
 OBJCOPYFLAGS :=
+OBJCOPYFLAGS_rodata_flags.o	:= \
+			--set-section-flags .text=alloc,readonly
 OBJCOPYFLAGS_rodata_objcopy.o	:= \
-			--set-section-flags .text=alloc,readonly \
 			--rename-section .text=.rodata
-targets += rodata.o rodata_objcopy.o
-$(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
+targets += rodata.o rodata_flags.o rodata_objcopy.o
+$(obj)/rodata_flags.o: $(obj)/rodata.o FORCE
+	$(call if_changed,objcopy)
+$(obj)/rodata_objcopy.o: $(obj)/rodata_flags.o FORCE
 	$(call if_changed,objcopy)


-- 
Kees Cook

next prev parent reply	other threads:[~2019-05-14 18:11 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-13 22:21 [PATCH] lkdtm: support llvm-objcopy Nick Desaulniers
2019-05-13 22:26 ` Nick Desaulniers
2019-05-13 23:04 ` Kees Cook
2019-05-13 23:29 ` Nathan Chancellor
2019-05-13 23:38   ` Jordan Rupprecht
2019-05-13 23:47     ` Nathan Chancellor
2019-05-13 23:50   ` Nick Desaulniers
2019-05-14 18:10     ` Kees Cook [this message]
2019-05-14 20:24       ` Nick Desaulniers
2019-05-15 16:42         ` Kees Cook
2019-05-15 17:37           ` Nick Desaulniers
2019-05-15 18:12             ` [PATCH v2] " Nick Desaulniers
2019-05-15 18:19               ` Nathan Chancellor
2019-05-15 18:24                 ` [PATCH v3] " Nick Desaulniers

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:951c984de61 dfblob:715832c844c )
 OR (
bs:"Re: [PATCH] lkdtm: support llvm-objcopy" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=201905141041.C38DA1B305@keescook \
    --to=keescook@chromium.org \
    --cc=arnd@arndb.de \
    --cc=clang-built-linux@googlegroups.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=natechancellor@gmail.com \
    --cc=nathanchance@gmail.com \
    --cc=ndesaulniers@google.com \
    --cc=rupprecht@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox