Re: [PATCH v2] module: Harden STRICT_MODULE_RWX

From: Jessica Yu
Date: Thu Aug 13 2020 - 09:04:33 EST


+++ Ard Biesheuvel [13/08/20 10:36 +0200]:
On Wed, 12 Aug 2020 at 22:00, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:

On Wed, Aug 12, 2020 at 06:37:57PM +0200, Ard Biesheuvel wrote:
> I know there is little we can do at this point, apart from ignoring
> the permissions - perhaps we should just defer the w^x check until
> after calling module_frob_arch_sections()?

My earlier suggestion was to ignore it for 0-sized sections.

Only they are 1 byte sections in this case.

We override the sh_type and sh_flags explicitly for these sections at
module load time, so deferring the check seems like a reasonable
alternative to me.

So module_enforce_rwx_sections() is already called after
module_frob_arch_sections() - which really baffled me at first, since
sh_type and sh_flags should have been set already in
module_frob_arch_sections().

I added some debug prints to see which section the module code was
tripping on, and it was .text.ftrace_trampoline. See this snippet from
arm64's module_frob_arch_sections():

else if (IS_ENABLED(CONFIG_DYNAMIC_FTRACE) &&
!strcmp(secstrings + sechdrs[i].sh_name,
".text.ftrace_trampoline"))
tramp = sechdrs + i;

Since Mauro's config doesn't have CONFIG_DYNAMIC_FTRACE enabled, tramp
is never set here and the if (tramp) check at the end of the function
fails, so its section flags are never set, so they remain WAX and fail
the rwx check.