From: Konrad Rzeszutek Wilk <konrad@kernel.org>
To: xen-devel@lists.xenproject.org, ross.lagerwall@citrix.com,
konrad.wilk@oracle.com, julien.grall@arm.com,
sstabellini@kernel.org
Cc: Wei Liu <wei.liu2@citrix.com>,
George Dunlap <George.Dunlap@eu.citrix.com>,
andrew.cooper3@citrix.com,
Ian Jackson <ian.jackson@eu.citrix.com>, Tim Deegan <tim@xen.org>,
jbeulich@suse.com
Subject: [PATCH v4 04/11] livepatch/arm[32, 64]: Don't load and crash on livepatches loaded with wrong text alignment.
Date: Wed, 20 Sep 2017 18:31:41 -0400 [thread overview]
Message-ID: <20170920223148.13137-5-konrad.wilk@oracle.com> (raw)
In-Reply-To: <20170920223148.13137-1-konrad.wilk@oracle.com>
The ARM 32&64 ELF specification says "sections containing ARM
code must be at least 32-bit aligned." This patch adds the
check for that. We also make sure that this check is done
when doing relocations for the types that are considered
ARM code. However we don't have to check for all as we only
implement a small subset of them - as such we only check for
data types that are implemented - and if the type is anything else
and not aligned to 32-bit, then we error out.
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
Cc: Ross Lagerwall <ross.lagerwall@citrix.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Tim Deegan <tim@xen.org>
Cc: Wei Liu <wei.liu2@citrix.com>
v1: First posting.
v2: Redo the commit to include the commits which fix the alignment issues.
Also mention the need in the docs
v3: Change the docs to explicitly mention text code section alignment requirements.
Invert arch_livepatch_verify_alignment return value (true for alignment is ok).
Drop the alignment check in check_special_sections.
Make the alignment check in check_section only for executable sections.
Rewrote the commit message as it is not applicable to v2 of the patch anymore.
v4: Also do the check on ARM64
Put () around the section check
Use vaddr_t instead of uint32_t as that won't work on ARM64.
---
docs/misc/livepatch.markdown | 2 ++
xen/arch/arm/arm32/livepatch.c | 13 +++++++++++--
xen/arch/arm/livepatch.c | 9 +++++++++
xen/arch/x86/livepatch.c | 6 ++++++
xen/common/livepatch.c | 7 +++++++
xen/include/xen/livepatch.h | 1 +
6 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/docs/misc/livepatch.markdown b/docs/misc/livepatch.markdown
index 54a6b850cb..59f89aa292 100644
--- a/docs/misc/livepatch.markdown
+++ b/docs/misc/livepatch.markdown
@@ -279,6 +279,8 @@ It may also have some architecture-specific sections. For example:
* Exception tables.
* Relocations for each of these sections.
+Note that on ARM 32 & 64 the sections containing code MUST be four byte aligned.
+
The Xen Live Patch core code loads the payload as a standard ELF binary, relocates it
and handles the architecture-specifc sections as needed. This process is much
like what the Linux kernel module loader does.
diff --git a/xen/arch/arm/arm32/livepatch.c b/xen/arch/arm/arm32/livepatch.c
index 41378a54ae..4fcbb59be5 100644
--- a/xen/arch/arm/arm32/livepatch.c
+++ b/xen/arch/arm/arm32/livepatch.c
@@ -233,7 +233,7 @@ int arch_livepatch_perform(struct livepatch_elf *elf,
uint32_t val;
void *dest;
unsigned char type;
- s32 addend;
+ s32 addend = 0;
if ( use_rela )
{
@@ -251,7 +251,6 @@ int arch_livepatch_perform(struct livepatch_elf *elf,
symndx = ELF32_R_SYM(r->r_info);
type = ELF32_R_TYPE(r->r_info);
dest = base->load_addr + r->r_offset; /* P */
- addend = get_addend(type, dest);
}
if ( symndx == STN_UNDEF )
@@ -272,6 +271,16 @@ int arch_livepatch_perform(struct livepatch_elf *elf,
elf->name, symndx);
return -EINVAL;
}
+ else if ( (type != R_ARM_ABS32 && type != R_ARM_REL32) /* Only check code. */ &&
+ ((uint32_t)dest % sizeof(uint32_t)) )
+ {
+ dprintk(XENLOG_ERR, LIVEPATCH "%s: dest=%p (%s) is not aligned properly!\n",
+ elf->name, dest, base->name);
+ return -EINVAL;
+ }
+
+ if ( !use_rela )
+ addend = get_addend(type, dest);
val = elf->sym[symndx].sym->st_value; /* S */
diff --git a/xen/arch/arm/livepatch.c b/xen/arch/arm/livepatch.c
index 3e53524365..76723f1f1a 100644
--- a/xen/arch/arm/livepatch.c
+++ b/xen/arch/arm/livepatch.c
@@ -135,6 +135,15 @@ bool arch_livepatch_symbol_ok(const struct livepatch_elf *elf,
return true;
}
+bool arch_livepatch_verify_alignment(const struct livepatch_elf_sec *sec)
+{
+ if ( (sec->sec->sh_flags & SHF_EXECINSTR) &&
+ ((vaddr_t)sec->load_addr % sizeof(uint32_t)) )
+ return false;
+
+ return true;
+};
+
int arch_livepatch_secure(const void *va, unsigned int pages, enum va_type type)
{
unsigned long start = (unsigned long)va;
diff --git a/xen/arch/x86/livepatch.c b/xen/arch/x86/livepatch.c
index 406eb910cc..48d20fdacd 100644
--- a/xen/arch/x86/livepatch.c
+++ b/xen/arch/x86/livepatch.c
@@ -148,6 +148,12 @@ bool arch_livepatch_symbol_deny(const struct livepatch_elf *elf,
return false;
}
+bool arch_livepatch_verify_alignment(const struct livepatch_elf_sec *sec)
+{
+ /* Unaligned access on x86 is fine. */
+ return true;
+}
+
int arch_livepatch_perform_rel(struct livepatch_elf *elf,
const struct livepatch_elf_sec *base,
const struct livepatch_elf_sec *rela)
diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c
index b9376c94e9..f736c3a7ea 100644
--- a/xen/common/livepatch.c
+++ b/xen/common/livepatch.c
@@ -473,6 +473,13 @@ static bool section_ok(const struct livepatch_elf *elf,
return false;
}
+ if ( !arch_livepatch_verify_alignment(sec) )
+ {
+ dprintk(XENLOG_ERR, LIVEPATCH "%s: %s text section is not aligned properly!\n",
+ elf->name, sec->name);
+ return false;
+ }
+
return true;
}
diff --git a/xen/include/xen/livepatch.h b/xen/include/xen/livepatch.h
index 98ec01216b..e9bab87f28 100644
--- a/xen/include/xen/livepatch.h
+++ b/xen/include/xen/livepatch.h
@@ -76,6 +76,7 @@ void arch_livepatch_init(void);
#include <asm/livepatch.h>
int arch_livepatch_verify_func(const struct livepatch_func *func);
+bool arch_livepatch_verify_alignment(const struct livepatch_elf_sec *sec);
static inline
unsigned int livepatch_insn_len(const struct livepatch_func *func)
{
--
2.13.3
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-09-20 22:32 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-20 22:31 [PATCH v4] Livepatching patch set for 4.10 Konrad Rzeszutek Wilk
2017-09-20 22:31 ` [PATCH v4 01/11] livepatch: Expand check for safe_for_reapply if livepatch has only .rodata Konrad Rzeszutek Wilk
2017-10-05 13:47 ` Ross Lagerwall
2017-10-05 13:51 ` Konrad Rzeszutek Wilk
2017-10-05 14:08 ` Ross Lagerwall
2017-09-20 22:31 ` [PATCH v4 02/11] livepatch: Tighten alignment checks Konrad Rzeszutek Wilk
2017-09-20 22:31 ` [PATCH v4 03/11] livepatch: Include sizes when an mismatch occurs Konrad Rzeszutek Wilk
2017-09-21 11:58 ` Jan Beulich
2017-10-05 14:06 ` Ross Lagerwall
2017-09-20 22:31 ` Konrad Rzeszutek Wilk [this message]
2017-09-22 14:05 ` [PATCH v4 04/11] livepatch/arm[32, 64]: Don't load and crash on livepatches loaded with wrong text alignment Jan Beulich
2017-10-09 8:35 ` Ross Lagerwall
2017-09-20 22:31 ` [PATCH v4 05/11] alternative/x86/arm32: Align altinstructions (and altinstr_replacement) sections Konrad Rzeszutek Wilk
2017-09-21 12:01 ` Jan Beulich
2017-09-20 22:31 ` [PATCH v4 06/11] mkhex: Move it to tools/misc Konrad Rzeszutek Wilk
2017-09-21 8:56 ` Wei Liu
2017-09-20 22:31 ` [PATCH v4 07/11] livepatch/x86/arm[32, 64]: Force .livepatch.depends section to be uint32_t aligned Konrad Rzeszutek Wilk
2017-10-05 14:11 ` Ross Lagerwall
2017-09-20 22:31 ` [PATCH v4 08/11] livepatch/arm/x86: Rename note_depends symbol from test-cases Konrad Rzeszutek Wilk
2017-09-21 12:05 ` Jan Beulich
2017-09-20 22:31 ` [PATCH v4 09/11] livepatch/tests: Make sure all .livepatch.funcs sections are read-only Konrad Rzeszutek Wilk
2017-09-20 22:31 ` [PATCH v4 10/11] livepatch/arm[32, 64]: Modify .livepatch.funcs section to be RW when patching Konrad Rzeszutek Wilk
2017-09-21 12:16 ` Jan Beulich
2017-09-21 14:58 ` Julien Grall
2017-09-21 15:09 ` Jan Beulich
2017-09-20 22:31 ` [PATCH v4 11/11] livepatch: Declare live patching as a supported feature Konrad Rzeszutek Wilk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170920223148.13137-5-konrad.wilk@oracle.com \
--to=konrad@kernel.org \
--cc=George.Dunlap@eu.citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=jbeulich@suse.com \
--cc=julien.grall@arm.com \
--cc=konrad.wilk@oracle.com \
--cc=ross.lagerwall@citrix.com \
--cc=sstabellini@kernel.org \
--cc=tim@xen.org \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).