linux/kernel/module/strict_rwx.c

// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Module strict rwx
 *
 * Copyright (C) 2015 Rusty Russell
 */

#include <linux/module.h>
#include <linux/mm.h>
#include <linux/vmalloc.h>
#include <linux/set_memory.h>
#include "internal.h"

/*
 * LKM RO/NX protection: protect module's text/ro-data
 * from modification and any data from execution.
 *
 * General layout of module is:
 *          [text] [read-only-data] [ro-after-init] [writable data]
 * text_size -----^                ^               ^               ^
 * ro_size ------------------------|               |               |
 * ro_after_init_size -----------------------------|               |
 * size -----------------------------------------------------------|
 *
 * These values are always page-aligned (as is base) when
 * CONFIG_STRICT_MODULE_RWX is set.
 */

/*
 * Since some arches are moving towards PAGE_KERNEL module allocations instead
 * of PAGE_KERNEL_EXEC, keep frob_text() and module_enable_x() independent of
 * CONFIG_STRICT_MODULE_RWX because they are needed regardless of whether we
 * are strict.
 */
static void frob_text(const struct module_layout *layout,
		      int (*set_memory)(unsigned long start, int num_pages))
{
	set_memory((unsigned long)layout->base,
		   PAGE_ALIGN(layout->text_size) >> PAGE_SHIFT);
}

static void frob_rodata(const struct module_layout *layout,
		 int (*set_memory)(unsigned long start, int num_pages))
{
	set_memory((unsigned long)layout->base + layout->text_size,
		   (layout->ro_size - layout->text_size) >> PAGE_SHIFT);
}

static void frob_ro_after_init(const struct module_layout *layout,
			int (*set_memory)(unsigned long start, int num_pages))
{
	set_memory((unsigned long)layout->base + layout->ro_size,
		   (layout->ro_after_init_size - layout->ro_size) >> PAGE_SHIFT);
}

static void frob_writable_data(const struct module_layout *layout,
			int (*set_memory)(unsigned long start, int num_pages))
{
	set_memory((unsigned long)layout->base + layout->ro_after_init_size,
		   (layout->size - layout->ro_after_init_size) >> PAGE_SHIFT);
}

static bool layout_check_misalignment(const struct module_layout *layout)
{
	return WARN_ON(!PAGE_ALIGNED(layout->base)) ||
	       WARN_ON(!PAGE_ALIGNED(layout->text_size)) ||
	       WARN_ON(!PAGE_ALIGNED(layout->ro_size)) ||
	       WARN_ON(!PAGE_ALIGNED(layout->ro_after_init_size)) ||
	       WARN_ON(!PAGE_ALIGNED(layout->size));
}

bool module_check_misalignment(const struct module *mod)
{
	if (!IS_ENABLED(CONFIG_STRICT_MODULE_RWX))
		return false;

	return layout_check_misalignment(&mod->core_layout) ||
	       layout_check_misalignment(&mod->data_layout) ||
	       layout_check_misalignment(&mod->init_layout);
}

void module_enable_x(const struct module *mod)
{
	if (!PAGE_ALIGNED(mod->core_layout.base) ||
	    !PAGE_ALIGNED(mod->init_layout.base))
		return;

	frob_text(&mod->core_layout, set_memory_x);
	frob_text(&mod->init_layout, set_memory_x);
}

void module_enable_ro(const struct module *mod, bool after_init)
{
	if (!IS_ENABLED(CONFIG_STRICT_MODULE_RWX))
		return;
#ifdef CONFIG_STRICT_MODULE_RWX
	if (!rodata_enabled)
		return;
#endif

	set_vm_flush_reset_perms(mod->core_layout.base);
	set_vm_flush_reset_perms(mod->init_layout.base);
	frob_text(&mod->core_layout, set_memory_ro);

	frob_rodata(&mod->data_layout, set_memory_ro);
	frob_text(&mod->init_layout, set_memory_ro);
	frob_rodata(&mod->init_layout, set_memory_ro);

	if (after_init)
		frob_ro_after_init(&mod->data_layout, set_memory_ro);
}

void module_enable_nx(const struct module *mod)
{
	if (!IS_ENABLED(CONFIG_STRICT_MODULE_RWX))
		return;

	frob_rodata(&mod->data_layout, set_memory_nx);
	frob_ro_after_init(&mod->data_layout, set_memory_nx);
	frob_writable_data(&mod->data_layout, set_memory_nx);
	frob_rodata(&mod->init_layout, set_memory_nx);
	frob_writable_data(&mod->init_layout, set_memory_nx);
}

int module_enforce_rwx_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs,
				char *secstrings, struct module *mod)
{
	const unsigned long shf_wx = SHF_WRITE | SHF_EXECINSTR;
	int i;

	if (!IS_ENABLED(CONFIG_STRICT_MODULE_RWX))
		return 0;

	for (i = 0; i < hdr->e_shnum; i++) {
		if ((sechdrs[i].sh_flags & shf_wx) == shf_wx) {
			pr_err("%s: section %s (index %d) has invalid WRITE|EXEC flags\n",
			       mod->name, secstrings + sechdrs[i].sh_name, i);
			return -ENOEXEC;
		}
	}

	return 0;
}
module: Move strict rwx support to a separate file No functional change. This patch migrates code that makes module text and rodata memory read-only and non-text memory non-executable from core module code into kernel/module/strict_rwx.c. Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Aaron Tomlin <atomlin@redhat.com> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-03-22 14:03:36 +00:00			`// SPDX-License-Identifier: GPL-2.0-or-later`
			`/*`
			`* Module strict rwx`
			`*`
			`* Copyright (C) 2015 Rusty Russell`
			`*/`

			`#include <linux/module.h>`
			`#include <linux/mm.h>`
			`#include <linux/vmalloc.h>`
			`#include <linux/set_memory.h>`
			`#include "internal.h"`

module: Move module_enable_x() and frob_text() in strict_rwx.c Move module_enable_x() together with module_enable_nx() and module_enable_ro(). Those three functions are going together, they are all used to set up the correct page flags on the different sections. As module_enable_x() is used independently of CONFIG_STRICT_MODULE_RWX, build strict_rwx.c all the time and use IS_ENABLED(CONFIG_STRICT_MODULE_RWX) when relevant. Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-02-23 10:00:59 +01:00			`/*`
			`* LKM RO/NX protection: protect module's text/ro-data`
			`* from modification and any data from execution.`
			`*`
			`* General layout of module is:`
			`* [text] [read-only-data] [ro-after-init] [writable data]`
			`* text_size -----^ ^ ^ ^`
			`* ro_size ------------------------\| \| \|`
			`* ro_after_init_size -----------------------------\| \|`
			`* size -----------------------------------------------------------\|`
			`*`
			`* These values are always page-aligned (as is base) when`
			`* CONFIG_STRICT_MODULE_RWX is set.`
			`*/`

			`/*`
			`* Since some arches are moving towards PAGE_KERNEL module allocations instead`
			`* of PAGE_KERNEL_EXEC, keep frob_text() and module_enable_x() independent of`
			`* CONFIG_STRICT_MODULE_RWX because they are needed regardless of whether we`
			`* are strict.`
			`*/`
			`static void frob_text(const struct module_layout *layout,`
			`int (*set_memory)(unsigned long start, int num_pages))`
			`{`
			`set_memory((unsigned long)layout->base,`
			`PAGE_ALIGN(layout->text_size) >> PAGE_SHIFT);`
			`}`

module: Move strict rwx support to a separate file No functional change. This patch migrates code that makes module text and rodata memory read-only and non-text memory non-executable from core module code into kernel/module/strict_rwx.c. Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Aaron Tomlin <atomlin@redhat.com> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-03-22 14:03:36 +00:00			`static void frob_rodata(const struct module_layout *layout,`
			`int (*set_memory)(unsigned long start, int num_pages))`
			`{`
			`set_memory((unsigned long)layout->base + layout->text_size,`
			`(layout->ro_size - layout->text_size) >> PAGE_SHIFT);`
			`}`

			`static void frob_ro_after_init(const struct module_layout *layout,`
			`int (*set_memory)(unsigned long start, int num_pages))`
			`{`
			`set_memory((unsigned long)layout->base + layout->ro_size,`
			`(layout->ro_after_init_size - layout->ro_size) >> PAGE_SHIFT);`
			`}`

			`static void frob_writable_data(const struct module_layout *layout,`
			`int (*set_memory)(unsigned long start, int num_pages))`
			`{`
			`set_memory((unsigned long)layout->base + layout->ro_after_init_size,`
			`(layout->size - layout->ro_after_init_size) >> PAGE_SHIFT);`
			`}`

module: Rework layout alignment to avoid BUG_ON()s Perform layout alignment verification up front and WARN_ON() and fail module loading instead of crashing the machine. Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-02-23 10:01:00 +01:00			`static bool layout_check_misalignment(const struct module_layout *layout)`
			`{`
			`return WARN_ON(!PAGE_ALIGNED(layout->base)) \|\|`
			`WARN_ON(!PAGE_ALIGNED(layout->text_size)) \|\|`
			`WARN_ON(!PAGE_ALIGNED(layout->ro_size)) \|\|`
			`WARN_ON(!PAGE_ALIGNED(layout->ro_after_init_size)) \|\|`
			`WARN_ON(!PAGE_ALIGNED(layout->size));`
			`}`

			`bool module_check_misalignment(const struct module *mod)`
			`{`
			`if (!IS_ENABLED(CONFIG_STRICT_MODULE_RWX))`
			`return false;`

			`return layout_check_misalignment(&mod->core_layout) \|\|`
module: Add CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC Add CONFIG_ARCH_WANTS_MODULES_DATA_IN_VMALLOC to allow architectures to request having modules data in vmalloc area instead of module area. This is required on powerpc book3s/32 in order to set data non executable, because it is not possible to set executability on page basis, this is done per 256 Mbytes segments. The module area has exec right, vmalloc area has noexec. This can also be useful on other powerpc/32 in order to maximize the chance of code being close enough to kernel core to avoid branch trampolines. Cc: Jason Wessel <jason.wessel@windriver.com> Acked-by: Daniel Thompson <daniel.thompson@linaro.org> Cc: Douglas Anderson <dianders@chromium.org> Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> [mcgrof: rebased in light of kernel/module/kdb.c move] Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-02-23 13:02:14 +01:00			`layout_check_misalignment(&mod->data_layout) \|\|`
module: Rework layout alignment to avoid BUG_ON()s Perform layout alignment verification up front and WARN_ON() and fail module loading instead of crashing the machine. Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-02-23 10:01:00 +01:00			`layout_check_misalignment(&mod->init_layout);`
			`}`

module: Move module_enable_x() and frob_text() in strict_rwx.c Move module_enable_x() together with module_enable_nx() and module_enable_ro(). Those three functions are going together, they are all used to set up the correct page flags on the different sections. As module_enable_x() is used independently of CONFIG_STRICT_MODULE_RWX, build strict_rwx.c all the time and use IS_ENABLED(CONFIG_STRICT_MODULE_RWX) when relevant. Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-02-23 10:00:59 +01:00			`void module_enable_x(const struct module *mod)`
			`{`
			`if (!PAGE_ALIGNED(mod->core_layout.base) \|\|`
			`!PAGE_ALIGNED(mod->init_layout.base))`
			`return;`

			`frob_text(&mod->core_layout, set_memory_x);`
			`frob_text(&mod->init_layout, set_memory_x);`
			`}`

module: Move strict rwx support to a separate file No functional change. This patch migrates code that makes module text and rodata memory read-only and non-text memory non-executable from core module code into kernel/module/strict_rwx.c. Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Aaron Tomlin <atomlin@redhat.com> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-03-22 14:03:36 +00:00			`void module_enable_ro(const struct module *mod, bool after_init)`
			`{`
module: Move module_enable_x() and frob_text() in strict_rwx.c Move module_enable_x() together with module_enable_nx() and module_enable_ro(). Those three functions are going together, they are all used to set up the correct page flags on the different sections. As module_enable_x() is used independently of CONFIG_STRICT_MODULE_RWX, build strict_rwx.c all the time and use IS_ENABLED(CONFIG_STRICT_MODULE_RWX) when relevant. Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-02-23 10:00:59 +01:00			`if (!IS_ENABLED(CONFIG_STRICT_MODULE_RWX))`
			`return;`
			`#ifdef CONFIG_STRICT_MODULE_RWX`
module: Move strict rwx support to a separate file No functional change. This patch migrates code that makes module text and rodata memory read-only and non-text memory non-executable from core module code into kernel/module/strict_rwx.c. Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Aaron Tomlin <atomlin@redhat.com> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-03-22 14:03:36 +00:00			`if (!rodata_enabled)`
			`return;`
module: Move module_enable_x() and frob_text() in strict_rwx.c Move module_enable_x() together with module_enable_nx() and module_enable_ro(). Those three functions are going together, they are all used to set up the correct page flags on the different sections. As module_enable_x() is used independently of CONFIG_STRICT_MODULE_RWX, build strict_rwx.c all the time and use IS_ENABLED(CONFIG_STRICT_MODULE_RWX) when relevant. Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-02-23 10:00:59 +01:00			`#endif`
module: Move strict rwx support to a separate file No functional change. This patch migrates code that makes module text and rodata memory read-only and non-text memory non-executable from core module code into kernel/module/strict_rwx.c. Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Aaron Tomlin <atomlin@redhat.com> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-03-22 14:03:36 +00:00
			`set_vm_flush_reset_perms(mod->core_layout.base);`
			`set_vm_flush_reset_perms(mod->init_layout.base);`
			`frob_text(&mod->core_layout, set_memory_ro);`

module: Introduce data_layout In order to allow separation of data from text, add another layout, called data_layout. For architectures requesting separation of text and data, only text will go in core_layout and data will go in data_layout. For architectures which keep text and data together, make data_layout an alias of core_layout, that way data_layout can be used for all data manipulations, regardless of whether data is in core_layout or data_layout. Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-02-23 13:02:13 +01:00			`frob_rodata(&mod->data_layout, set_memory_ro);`
module: Move strict rwx support to a separate file No functional change. This patch migrates code that makes module text and rodata memory read-only and non-text memory non-executable from core module code into kernel/module/strict_rwx.c. Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Aaron Tomlin <atomlin@redhat.com> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-03-22 14:03:36 +00:00			`frob_text(&mod->init_layout, set_memory_ro);`
			`frob_rodata(&mod->init_layout, set_memory_ro);`

			`if (after_init)`
module: Introduce data_layout In order to allow separation of data from text, add another layout, called data_layout. For architectures requesting separation of text and data, only text will go in core_layout and data will go in data_layout. For architectures which keep text and data together, make data_layout an alias of core_layout, that way data_layout can be used for all data manipulations, regardless of whether data is in core_layout or data_layout. Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-02-23 13:02:13 +01:00			`frob_ro_after_init(&mod->data_layout, set_memory_ro);`
module: Move strict rwx support to a separate file No functional change. This patch migrates code that makes module text and rodata memory read-only and non-text memory non-executable from core module code into kernel/module/strict_rwx.c. Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Aaron Tomlin <atomlin@redhat.com> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-03-22 14:03:36 +00:00			`}`

			`void module_enable_nx(const struct module *mod)`
			`{`
module: Move module_enable_x() and frob_text() in strict_rwx.c Move module_enable_x() together with module_enable_nx() and module_enable_ro(). Those three functions are going together, they are all used to set up the correct page flags on the different sections. As module_enable_x() is used independently of CONFIG_STRICT_MODULE_RWX, build strict_rwx.c all the time and use IS_ENABLED(CONFIG_STRICT_MODULE_RWX) when relevant. Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-02-23 10:00:59 +01:00			`if (!IS_ENABLED(CONFIG_STRICT_MODULE_RWX))`
			`return;`

module: Introduce data_layout In order to allow separation of data from text, add another layout, called data_layout. For architectures requesting separation of text and data, only text will go in core_layout and data will go in data_layout. For architectures which keep text and data together, make data_layout an alias of core_layout, that way data_layout can be used for all data manipulations, regardless of whether data is in core_layout or data_layout. Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-02-23 13:02:13 +01:00			`frob_rodata(&mod->data_layout, set_memory_nx);`
			`frob_ro_after_init(&mod->data_layout, set_memory_nx);`
			`frob_writable_data(&mod->data_layout, set_memory_nx);`
module: Move strict rwx support to a separate file No functional change. This patch migrates code that makes module text and rodata memory read-only and non-text memory non-executable from core module code into kernel/module/strict_rwx.c. Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Aaron Tomlin <atomlin@redhat.com> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-03-22 14:03:36 +00:00			`frob_rodata(&mod->init_layout, set_memory_nx);`
			`frob_writable_data(&mod->init_layout, set_memory_nx);`
			`}`

			`int module_enforce_rwx_sections(Elf_Ehdr hdr, Elf_Shdr sechdrs,`
			`char secstrings, struct module mod)`
			`{`
			`const unsigned long shf_wx = SHF_WRITE \| SHF_EXECINSTR;`
			`int i;`

module: Move module_enable_x() and frob_text() in strict_rwx.c Move module_enable_x() together with module_enable_nx() and module_enable_ro(). Those three functions are going together, they are all used to set up the correct page flags on the different sections. As module_enable_x() is used independently of CONFIG_STRICT_MODULE_RWX, build strict_rwx.c all the time and use IS_ENABLED(CONFIG_STRICT_MODULE_RWX) when relevant. Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-02-23 10:00:59 +01:00			`if (!IS_ENABLED(CONFIG_STRICT_MODULE_RWX))`
			`return 0;`

module: Move strict rwx support to a separate file No functional change. This patch migrates code that makes module text and rodata memory read-only and non-text memory non-executable from core module code into kernel/module/strict_rwx.c. Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Aaron Tomlin <atomlin@redhat.com> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> 2022-03-22 14:03:36 +00:00			`for (i = 0; i < hdr->e_shnum; i++) {`
			`if ((sechdrs[i].sh_flags & shf_wx) == shf_wx) {`
			`pr_err("%s: section %s (index %d) has invalid WRITE\|EXEC flags\n",`
			`mod->name, secstrings + sechdrs[i].sh_name, i);`
			`return -ENOEXEC;`
			`}`
			`}`

			`return 0;`
			`}`