Message ID | 20210611093959.821525-2-npiggin@gmail.com (mailing list archive) |
---|---|
State | Changes Requested |
Headers | show |
Series | powerpc/64: Option to use ELF V2 ABI for big-endian | expand |
Context | Check | Description |
---|---|---|
snowpatch_ozlabs/apply_patch | success | Successfully applied on branch powerpc/merge (c53db722ec7ab3ebf29ecf61e922820f31e5284b) |
snowpatch_ozlabs/checkpatch | warning | total: 0 errors, 0 warnings, 1 checks, 19 lines checked |
snowpatch_ozlabs/needsstable | success | Patch has no Fixes tags |
+++ Nicholas Piggin [11/06/21 19:39 +1000]: >The elf_check_arch() function is used to test usermode binaries, but >kernel modules may have more specific requirements. powerpc would like >to test for ABI version compatibility. > >Add an arch-overridable function elf_check_module_arch() that defaults >to elf_check_arch() and use it in elf_validity_check(). > >Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> >[np: split patch, added changelog] >Signed-off-by: Nicholas Piggin <npiggin@gmail.com> >--- > include/linux/moduleloader.h | 5 +++++ > kernel/module.c | 2 +- > 2 files changed, 6 insertions(+), 1 deletion(-) > >diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h >index 9e09d11ffe5b..fdc042a84562 100644 >--- a/include/linux/moduleloader.h >+++ b/include/linux/moduleloader.h >@@ -13,6 +13,11 @@ > * must be implemented by each architecture. > */ > >+// Allow arch to optionally do additional checking of module ELF header >+#ifndef elf_check_module_arch >+#define elf_check_module_arch elf_check_arch >+#endif Hi Nicholas, Why not make elf_check_module_arch() consistent with the other arch-specific functions? Please see module_frob_arch_sections(), module_{init,exit}_section(), etc in moduleloader.h. That is, they are all __weak functions that are overridable by arches. We can maybe make elf_check_module_arch() a weak symbol, available for arches to override if they want to perform additional elf checks. Then we don't have to have this one-off #define. Thanks, Jessica >+ > /* Adjust arch-specific sections. Return 0 on success. */ > int module_frob_arch_sections(Elf_Ehdr *hdr, > Elf_Shdr *sechdrs, >diff --git a/kernel/module.c b/kernel/module.c >index 7e78dfabca97..7c3f9b7478dc 100644 >--- a/kernel/module.c >+++ b/kernel/module.c >@@ -2946,7 +2946,7 @@ static int elf_validity_check(struct load_info *info) > > if (memcmp(info->hdr->e_ident, ELFMAG, SELFMAG) != 0 > || info->hdr->e_type != ET_REL >- || !elf_check_arch(info->hdr) >+ || !elf_check_module_arch(info->hdr) > || info->hdr->e_shentsize != sizeof(Elf_Shdr)) > return -ENOEXEC; > >-- >2.23.0 >
Excerpts from Jessica Yu's message of June 14, 2021 10:06 pm: > +++ Nicholas Piggin [11/06/21 19:39 +1000]: >>The elf_check_arch() function is used to test usermode binaries, but >>kernel modules may have more specific requirements. powerpc would like >>to test for ABI version compatibility. >> >>Add an arch-overridable function elf_check_module_arch() that defaults >>to elf_check_arch() and use it in elf_validity_check(). >> >>Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> >>[np: split patch, added changelog] >>Signed-off-by: Nicholas Piggin <npiggin@gmail.com> >>--- >> include/linux/moduleloader.h | 5 +++++ >> kernel/module.c | 2 +- >> 2 files changed, 6 insertions(+), 1 deletion(-) >> >>diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h >>index 9e09d11ffe5b..fdc042a84562 100644 >>--- a/include/linux/moduleloader.h >>+++ b/include/linux/moduleloader.h >>@@ -13,6 +13,11 @@ >> * must be implemented by each architecture. >> */ >> >>+// Allow arch to optionally do additional checking of module ELF header >>+#ifndef elf_check_module_arch >>+#define elf_check_module_arch elf_check_arch >>+#endif > > Hi Nicholas, > > Why not make elf_check_module_arch() consistent with the other > arch-specific functions? Please see module_frob_arch_sections(), > module_{init,exit}_section(), etc in moduleloader.h. That is, they are > all __weak functions that are overridable by arches. We can maybe make > elf_check_module_arch() a weak symbol, available for arches to > override if they want to perform additional elf checks. Then we don't > have to have this one-off #define. Like this? I like it. Good idea. Thanks, Nick diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h index 9e09d11ffe5b..7b4587a19189 100644 --- a/include/linux/moduleloader.h +++ b/include/linux/moduleloader.h @@ -13,6 +13,9 @@ * must be implemented by each architecture. */ +/* arch may override to do additional checking of ELF header architecture */ +bool module_elf_check_arch(Elf_Ehdr *hdr); + /* Adjust arch-specific sections. Return 0 on success. */ int module_frob_arch_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs, diff --git a/kernel/module.c b/kernel/module.c index 7e78dfabca97..8b31c0b7c2a0 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -3459,6 +3459,11 @@ static void flush_module_icache(const struct module *mod) (unsigned long)mod->core_layout.base + mod->core_layout.size); } +bool __weak module_elf_check_arch(Elf_Ehdr *hdr) +{ + return elf_check_arch(hdr); +} + int __weak module_frob_arch_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs, char *secstrings,
+++ Nicholas Piggin [15/06/21 12:05 +1000]: >Excerpts from Jessica Yu's message of June 14, 2021 10:06 pm: >> +++ Nicholas Piggin [11/06/21 19:39 +1000]: >>>The elf_check_arch() function is used to test usermode binaries, but >>>kernel modules may have more specific requirements. powerpc would like >>>to test for ABI version compatibility. >>> >>>Add an arch-overridable function elf_check_module_arch() that defaults >>>to elf_check_arch() and use it in elf_validity_check(). >>> >>>Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> >>>[np: split patch, added changelog] >>>Signed-off-by: Nicholas Piggin <npiggin@gmail.com> >>>--- >>> include/linux/moduleloader.h | 5 +++++ >>> kernel/module.c | 2 +- >>> 2 files changed, 6 insertions(+), 1 deletion(-) >>> >>>diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h >>>index 9e09d11ffe5b..fdc042a84562 100644 >>>--- a/include/linux/moduleloader.h >>>+++ b/include/linux/moduleloader.h >>>@@ -13,6 +13,11 @@ >>> * must be implemented by each architecture. >>> */ >>> >>>+// Allow arch to optionally do additional checking of module ELF header >>>+#ifndef elf_check_module_arch >>>+#define elf_check_module_arch elf_check_arch >>>+#endif >> >> Hi Nicholas, >> >> Why not make elf_check_module_arch() consistent with the other >> arch-specific functions? Please see module_frob_arch_sections(), >> module_{init,exit}_section(), etc in moduleloader.h. That is, they are >> all __weak functions that are overridable by arches. We can maybe make >> elf_check_module_arch() a weak symbol, available for arches to >> override if they want to perform additional elf checks. Then we don't >> have to have this one-off #define. > > >Like this? I like it. Good idea. Yeah! Also, maybe we can alternatively make elf_check_module_arch() a separate check entirely so that the powerpc implementation doesn't have to include that extra elf_check_arch() call. Something like this maybe? diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h index 9e09d11ffe5b..2f9ebd593b4f 100644 --- a/include/linux/moduleloader.h +++ b/include/linux/moduleloader.h @@ -39,6 +39,9 @@ bool module_init_section(const char *name); */ bool module_exit_section(const char *name); +/* Arch may override to do additional checking of ELF header architecture */ +int elf_check_module_arch(Elf_Ehdr *hdr); + /* * Apply the given relocation to the (simplified) ELF. Return -error * or 0. diff --git a/kernel/module.c b/kernel/module.c index fdd6047728df..9963a979ed54 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2923,6 +2923,11 @@ static int validate_section_offset(struct load_info *info, Elf_Shdr *shdr) return 0; } +int __weak elf_check_module_arch(Elf_Ehdr *hdr) +{ + return 1; +} + /* * Sanity checks against invalid binaries, wrong arch, weird elf version. * @@ -2941,6 +2946,7 @@ static int elf_validity_check(struct load_info *info) if (memcmp(info->hdr->e_ident, ELFMAG, SELFMAG) != 0 || info->hdr->e_type != ET_REL || !elf_check_arch(info->hdr) + || !elf_check_module_arch(info->hdr) || info->hdr->e_shentsize != sizeof(Elf_Shdr)) return -ENOEXEC;
On Tue, Jun 15, 2021 at 02:17:40PM +0200, Jessica Yu wrote: > +int __weak elf_check_module_arch(Elf_Ehdr *hdr) > +{ > + return 1; > +} But is this a good idea? It isn't useful to be able to attempt to load a module not compiled for your architecture, and it increases the attack surface tremendously. These checks are one of the few things that can *not* be weak symbols, imo. Segher
+++ Segher Boessenkool [15/06/21 07:50 -0500]: >On Tue, Jun 15, 2021 at 02:17:40PM +0200, Jessica Yu wrote: >> +int __weak elf_check_module_arch(Elf_Ehdr *hdr) >> +{ >> + return 1; >> +} > >But is this a good idea? It isn't useful to be able to attempt to load >a module not compiled for your architecture, and it increases the attack >surface tremendously. These checks are one of the few things that can >*not* be weak symbols, imo. Hm, could you please elaborate a bit more? This patchset is adding extra Elf header checks specifically for powerpc, and the module loader usually provides arch-specific hooks via weak symbols. We are just providing an new hook here, which should act as a no-op if it isn't used. So if an architecture wants to provide extra header checks, it can do so by overriding the new weak symbol. Otherwise, the weak function acts as a noop. We also already have the existing elf_check_arch() check for each arch and that is *not* a weak symbol.
On Tue, Jun 15, 2021 at 03:41:00PM +0200, Jessica Yu wrote: > +++ Segher Boessenkool [15/06/21 07:50 -0500]: > >On Tue, Jun 15, 2021 at 02:17:40PM +0200, Jessica Yu wrote: > >>+int __weak elf_check_module_arch(Elf_Ehdr *hdr) > >>+{ > >>+ return 1; > >>+} > > > >But is this a good idea? It isn't useful to be able to attempt to load > >a module not compiled for your architecture, and it increases the attack > >surface tremendously. These checks are one of the few things that can > >*not* be weak symbols, imo. > > Hm, could you please elaborate a bit more? This patchset is adding > extra Elf header checks specifically for powerpc, and the module > loader usually provides arch-specific hooks via weak symbols. We are > just providing an new hook here, which should act as a no-op if it > isn't used. > > So if an architecture wants to provide extra header checks, it can do > so by overriding the new weak symbol. Otherwise, the weak function acts as > a noop. We also already have the existing elf_check_arch() check for each > arch and that is *not* a weak symbol. The way I read your patch the default elf_check_module_arch does not call elf_check_arch? Is that clearly called elsewhere and I'm just dumb again? Sorry for the distraction in that case :-/ Segher
Excerpts from Jessica Yu's message of June 15, 2021 10:17 pm: > +++ Nicholas Piggin [15/06/21 12:05 +1000]: >>Excerpts from Jessica Yu's message of June 14, 2021 10:06 pm: >>> +++ Nicholas Piggin [11/06/21 19:39 +1000]: >>>>The elf_check_arch() function is used to test usermode binaries, but >>>>kernel modules may have more specific requirements. powerpc would like >>>>to test for ABI version compatibility. >>>> >>>>Add an arch-overridable function elf_check_module_arch() that defaults >>>>to elf_check_arch() and use it in elf_validity_check(). >>>> >>>>Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> >>>>[np: split patch, added changelog] >>>>Signed-off-by: Nicholas Piggin <npiggin@gmail.com> >>>>--- >>>> include/linux/moduleloader.h | 5 +++++ >>>> kernel/module.c | 2 +- >>>> 2 files changed, 6 insertions(+), 1 deletion(-) >>>> >>>>diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h >>>>index 9e09d11ffe5b..fdc042a84562 100644 >>>>--- a/include/linux/moduleloader.h >>>>+++ b/include/linux/moduleloader.h >>>>@@ -13,6 +13,11 @@ >>>> * must be implemented by each architecture. >>>> */ >>>> >>>>+// Allow arch to optionally do additional checking of module ELF header >>>>+#ifndef elf_check_module_arch >>>>+#define elf_check_module_arch elf_check_arch >>>>+#endif >>> >>> Hi Nicholas, >>> >>> Why not make elf_check_module_arch() consistent with the other >>> arch-specific functions? Please see module_frob_arch_sections(), >>> module_{init,exit}_section(), etc in moduleloader.h. That is, they are >>> all __weak functions that are overridable by arches. We can maybe make >>> elf_check_module_arch() a weak symbol, available for arches to >>> override if they want to perform additional elf checks. Then we don't >>> have to have this one-off #define. >> >> >>Like this? I like it. Good idea. > > Yeah! Also, maybe we can alternatively make elf_check_module_arch() a > separate check entirely so that the powerpc implementation doesn't > have to include that extra elf_check_arch() call. Something like this maybe? Yeah we can do that. Would you be okay if it goes via powerpc tree? If yes, then we should get your Ack (or SOB because it seems to be entirely your patch now :D) Thanks, Nick > > diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h > index 9e09d11ffe5b..2f9ebd593b4f 100644 > --- a/include/linux/moduleloader.h > +++ b/include/linux/moduleloader.h > @@ -39,6 +39,9 @@ bool module_init_section(const char *name); > */ > bool module_exit_section(const char *name); > > +/* Arch may override to do additional checking of ELF header architecture */ > +int elf_check_module_arch(Elf_Ehdr *hdr); > + > /* > * Apply the given relocation to the (simplified) ELF. Return -error > * or 0. > diff --git a/kernel/module.c b/kernel/module.c > index fdd6047728df..9963a979ed54 100644 > --- a/kernel/module.c > +++ b/kernel/module.c > @@ -2923,6 +2923,11 @@ static int validate_section_offset(struct load_info *info, Elf_Shdr *shdr) > return 0; > } > > +int __weak elf_check_module_arch(Elf_Ehdr *hdr) > +{ > + return 1; > +} > + > /* > * Sanity checks against invalid binaries, wrong arch, weird elf version. > * > @@ -2941,6 +2946,7 @@ static int elf_validity_check(struct load_info *info) > if (memcmp(info->hdr->e_ident, ELFMAG, SELFMAG) != 0 > || info->hdr->e_type != ET_REL > || !elf_check_arch(info->hdr) > + || !elf_check_module_arch(info->hdr) > || info->hdr->e_shentsize != sizeof(Elf_Shdr)) > return -ENOEXEC; > > >
Jessica Yu <jeyu@kernel.org> writes: > +++ Nicholas Piggin [15/06/21 12:05 +1000]: >>Excerpts from Jessica Yu's message of June 14, 2021 10:06 pm: >>> +++ Nicholas Piggin [11/06/21 19:39 +1000]: >>>>The elf_check_arch() function is used to test usermode binaries, but >>>>kernel modules may have more specific requirements. powerpc would like >>>>to test for ABI version compatibility. >>>> >>>>Add an arch-overridable function elf_check_module_arch() that defaults >>>>to elf_check_arch() and use it in elf_validity_check(). >>>> >>>>Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> >>>>[np: split patch, added changelog] >>>>Signed-off-by: Nicholas Piggin <npiggin@gmail.com> >>>>--- >>>> include/linux/moduleloader.h | 5 +++++ >>>> kernel/module.c | 2 +- >>>> 2 files changed, 6 insertions(+), 1 deletion(-) >>>> >>>>diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h >>>>index 9e09d11ffe5b..fdc042a84562 100644 >>>>--- a/include/linux/moduleloader.h >>>>+++ b/include/linux/moduleloader.h >>>>@@ -13,6 +13,11 @@ >>>> * must be implemented by each architecture. >>>> */ >>>> >>>>+// Allow arch to optionally do additional checking of module ELF header >>>>+#ifndef elf_check_module_arch >>>>+#define elf_check_module_arch elf_check_arch >>>>+#endif >>> >>> Hi Nicholas, >>> >>> Why not make elf_check_module_arch() consistent with the other >>> arch-specific functions? Please see module_frob_arch_sections(), >>> module_{init,exit}_section(), etc in moduleloader.h. That is, they are >>> all __weak functions that are overridable by arches. We can maybe make >>> elf_check_module_arch() a weak symbol, available for arches to >>> override if they want to perform additional elf checks. Then we don't >>> have to have this one-off #define. >>Like this? I like it. Good idea. > > Yeah! Also, maybe we can alternatively make elf_check_module_arch() a > separate check entirely so that the powerpc implementation doesn't > have to include that extra elf_check_arch() call. Something like this maybe? My thinking for making elf_check_module_arch() the only hook was that conceivably you might not want/need to call elf_check_arch() from elf_check_module_arch(). So having a single module specific hook allows arch code to decide how to implement the check, which may or may not involve calling elf_check_arch(), but that becomes an arch implementation detail. It's also one arch hook instead of two (although elf_check_arch() already exists). But I don't feel that strongly either way, whatever you prefer. cheers
Segher Boessenkool <segher@kernel.crashing.org> writes: > On Tue, Jun 15, 2021 at 03:41:00PM +0200, Jessica Yu wrote: >> +++ Segher Boessenkool [15/06/21 07:50 -0500]: >> >On Tue, Jun 15, 2021 at 02:17:40PM +0200, Jessica Yu wrote: >> >>+int __weak elf_check_module_arch(Elf_Ehdr *hdr) >> >>+{ >> >>+ return 1; >> >>+} >> > >> >But is this a good idea? It isn't useful to be able to attempt to load >> >a module not compiled for your architecture, and it increases the attack >> >surface tremendously. These checks are one of the few things that can >> >*not* be weak symbols, imo. >> >> Hm, could you please elaborate a bit more? This patchset is adding >> extra Elf header checks specifically for powerpc, and the module >> loader usually provides arch-specific hooks via weak symbols. We are >> just providing an new hook here, which should act as a no-op if it >> isn't used. >> >> So if an architecture wants to provide extra header checks, it can do >> so by overriding the new weak symbol. Otherwise, the weak function acts as >> a noop. We also already have the existing elf_check_arch() check for each >> arch and that is *not* a weak symbol. > > The way I read your patch the default elf_check_module_arch does not > call elf_check_arch? Is that clearly called elsewhere and I'm just > dumb again? Sorry for the distraction in that case :-/ Yeah elf_check_arch() is already called from elf_validity_check(), and that call would remain. cheers
+++ Nicholas Piggin [16/06/21 11:18 +1000]: >Excerpts from Jessica Yu's message of June 15, 2021 10:17 pm: >> +++ Nicholas Piggin [15/06/21 12:05 +1000]: >>>Excerpts from Jessica Yu's message of June 14, 2021 10:06 pm: >>>> +++ Nicholas Piggin [11/06/21 19:39 +1000]: >>>>>The elf_check_arch() function is used to test usermode binaries, but >>>>>kernel modules may have more specific requirements. powerpc would like >>>>>to test for ABI version compatibility. >>>>> >>>>>Add an arch-overridable function elf_check_module_arch() that defaults >>>>>to elf_check_arch() and use it in elf_validity_check(). >>>>> >>>>>Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> >>>>>[np: split patch, added changelog] >>>>>Signed-off-by: Nicholas Piggin <npiggin@gmail.com> >>>>>--- >>>>> include/linux/moduleloader.h | 5 +++++ >>>>> kernel/module.c | 2 +- >>>>> 2 files changed, 6 insertions(+), 1 deletion(-) >>>>> >>>>>diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h >>>>>index 9e09d11ffe5b..fdc042a84562 100644 >>>>>--- a/include/linux/moduleloader.h >>>>>+++ b/include/linux/moduleloader.h >>>>>@@ -13,6 +13,11 @@ >>>>> * must be implemented by each architecture. >>>>> */ >>>>> >>>>>+// Allow arch to optionally do additional checking of module ELF header >>>>>+#ifndef elf_check_module_arch >>>>>+#define elf_check_module_arch elf_check_arch >>>>>+#endif >>>> >>>> Hi Nicholas, >>>> >>>> Why not make elf_check_module_arch() consistent with the other >>>> arch-specific functions? Please see module_frob_arch_sections(), >>>> module_{init,exit}_section(), etc in moduleloader.h. That is, they are >>>> all __weak functions that are overridable by arches. We can maybe make >>>> elf_check_module_arch() a weak symbol, available for arches to >>>> override if they want to perform additional elf checks. Then we don't >>>> have to have this one-off #define. >>> >>> >>>Like this? I like it. Good idea. >> >> Yeah! Also, maybe we can alternatively make elf_check_module_arch() a >> separate check entirely so that the powerpc implementation doesn't >> have to include that extra elf_check_arch() call. Something like this maybe? > >Yeah we can do that. Would you be okay if it goes via powerpc tree? If >yes, then we should get your Ack (or SOB because it seems to be entirely >your patch now :D) This can go through the powerpc tree. Will you do another respin of this patch? And yes, feel free to take my SOB for this one - Signed-off-by: Jessica Yu <jeyu@kernel.org> Thanks! Jessica
+++ Michael Ellerman [16/06/21 12:37 +1000]: >Jessica Yu <jeyu@kernel.org> writes: >> +++ Nicholas Piggin [15/06/21 12:05 +1000]: >>>Excerpts from Jessica Yu's message of June 14, 2021 10:06 pm: >>>> +++ Nicholas Piggin [11/06/21 19:39 +1000]: >>>>>The elf_check_arch() function is used to test usermode binaries, but >>>>>kernel modules may have more specific requirements. powerpc would like >>>>>to test for ABI version compatibility. >>>>> >>>>>Add an arch-overridable function elf_check_module_arch() that defaults >>>>>to elf_check_arch() and use it in elf_validity_check(). >>>>> >>>>>Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> >>>>>[np: split patch, added changelog] >>>>>Signed-off-by: Nicholas Piggin <npiggin@gmail.com> >>>>>--- >>>>> include/linux/moduleloader.h | 5 +++++ >>>>> kernel/module.c | 2 +- >>>>> 2 files changed, 6 insertions(+), 1 deletion(-) >>>>> >>>>>diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h >>>>>index 9e09d11ffe5b..fdc042a84562 100644 >>>>>--- a/include/linux/moduleloader.h >>>>>+++ b/include/linux/moduleloader.h >>>>>@@ -13,6 +13,11 @@ >>>>> * must be implemented by each architecture. >>>>> */ >>>>> >>>>>+// Allow arch to optionally do additional checking of module ELF header >>>>>+#ifndef elf_check_module_arch >>>>>+#define elf_check_module_arch elf_check_arch >>>>>+#endif >>>> >>>> Hi Nicholas, >>>> >>>> Why not make elf_check_module_arch() consistent with the other >>>> arch-specific functions? Please see module_frob_arch_sections(), >>>> module_{init,exit}_section(), etc in moduleloader.h. That is, they are >>>> all __weak functions that are overridable by arches. We can maybe make >>>> elf_check_module_arch() a weak symbol, available for arches to >>>> override if they want to perform additional elf checks. Then we don't >>>> have to have this one-off #define. > >>>Like this? I like it. Good idea. >> >> Yeah! Also, maybe we can alternatively make elf_check_module_arch() a >> separate check entirely so that the powerpc implementation doesn't >> have to include that extra elf_check_arch() call. Something like this maybe? > >My thinking for making elf_check_module_arch() the only hook was that >conceivably you might not want/need to call elf_check_arch() from >elf_check_module_arch(). > >So having a single module specific hook allows arch code to decide >how to implement the check, which may or may not involve calling >elf_check_arch(), but that becomes an arch implementation detail. Thanks for the feedback! Yeah, that's fair too. Well, I ended up doing it this way mostly to create less churn/change of behavior, since in its current state elf_check_arch() is already being called for each arch. Additionally I wanted to save the powerpc implementation of elf_check_module_arch() an extra elf_check_arch() call. In any case I have a slight preference for having a second hook to allow arches add any extra checks in addition to elf_check_arch(). Thanks!
Excerpts from Jessica Yu's message of June 16, 2021 10:54 pm: > +++ Nicholas Piggin [16/06/21 11:18 +1000]: >>Excerpts from Jessica Yu's message of June 15, 2021 10:17 pm: >>> +++ Nicholas Piggin [15/06/21 12:05 +1000]: >>>>Excerpts from Jessica Yu's message of June 14, 2021 10:06 pm: >>>>> +++ Nicholas Piggin [11/06/21 19:39 +1000]: >>>>>>The elf_check_arch() function is used to test usermode binaries, but >>>>>>kernel modules may have more specific requirements. powerpc would like >>>>>>to test for ABI version compatibility. >>>>>> >>>>>>Add an arch-overridable function elf_check_module_arch() that defaults >>>>>>to elf_check_arch() and use it in elf_validity_check(). >>>>>> >>>>>>Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> >>>>>>[np: split patch, added changelog] >>>>>>Signed-off-by: Nicholas Piggin <npiggin@gmail.com> >>>>>>--- >>>>>> include/linux/moduleloader.h | 5 +++++ >>>>>> kernel/module.c | 2 +- >>>>>> 2 files changed, 6 insertions(+), 1 deletion(-) >>>>>> >>>>>>diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h >>>>>>index 9e09d11ffe5b..fdc042a84562 100644 >>>>>>--- a/include/linux/moduleloader.h >>>>>>+++ b/include/linux/moduleloader.h >>>>>>@@ -13,6 +13,11 @@ >>>>>> * must be implemented by each architecture. >>>>>> */ >>>>>> >>>>>>+// Allow arch to optionally do additional checking of module ELF header >>>>>>+#ifndef elf_check_module_arch >>>>>>+#define elf_check_module_arch elf_check_arch >>>>>>+#endif >>>>> >>>>> Hi Nicholas, >>>>> >>>>> Why not make elf_check_module_arch() consistent with the other >>>>> arch-specific functions? Please see module_frob_arch_sections(), >>>>> module_{init,exit}_section(), etc in moduleloader.h. That is, they are >>>>> all __weak functions that are overridable by arches. We can maybe make >>>>> elf_check_module_arch() a weak symbol, available for arches to >>>>> override if they want to perform additional elf checks. Then we don't >>>>> have to have this one-off #define. >>>> >>>> >>>>Like this? I like it. Good idea. >>> >>> Yeah! Also, maybe we can alternatively make elf_check_module_arch() a >>> separate check entirely so that the powerpc implementation doesn't >>> have to include that extra elf_check_arch() call. Something like this maybe? >> >>Yeah we can do that. Would you be okay if it goes via powerpc tree? If >>yes, then we should get your Ack (or SOB because it seems to be entirely >>your patch now :D) > > This can go through the powerpc tree. Will you do another respin > of this patch? And yes, feel free to take my SOB for this one - > > Signed-off-by: Jessica Yu <jeyu@kernel.org> You're maintainer so let's go with your preference. We can always adjust the arch hooks later if a need comes up. And yes I'll re post with you cc'ed. Thanks, Nick
diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h index 9e09d11ffe5b..fdc042a84562 100644 --- a/include/linux/moduleloader.h +++ b/include/linux/moduleloader.h @@ -13,6 +13,11 @@ * must be implemented by each architecture. */ +// Allow arch to optionally do additional checking of module ELF header +#ifndef elf_check_module_arch +#define elf_check_module_arch elf_check_arch +#endif + /* Adjust arch-specific sections. Return 0 on success. */ int module_frob_arch_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs, diff --git a/kernel/module.c b/kernel/module.c index 7e78dfabca97..7c3f9b7478dc 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2946,7 +2946,7 @@ static int elf_validity_check(struct load_info *info) if (memcmp(info->hdr->e_ident, ELFMAG, SELFMAG) != 0 || info->hdr->e_type != ET_REL - || !elf_check_arch(info->hdr) + || !elf_check_module_arch(info->hdr) || info->hdr->e_shentsize != sizeof(Elf_Shdr)) return -ENOEXEC;