diff mbox series

lkdtm: support llvm-objcopy

Message ID 20190513222109.110020-1-ndesaulniers@google.com
State Accepted
Commit e9e08a07385e08f1a7f85c5d1e345c21c9564963
Headers show
Series lkdtm: support llvm-objcopy | expand

Commit Message

Nick Desaulniers May 13, 2019, 10:21 p.m. UTC 
With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors:
llvm-objcopy: error: --set-section-flags=.text conflicts with
--rename-section=.text=.rodata

Rather than support setting flags then renaming sections vs renaming
then setting flags, it's simpler to just change both at the same time
via --rename-section.

This can be verified with:
$ readelf -S drivers/misc/lkdtm/rodata_objcopy.o
...
Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
...
  [ 1] .rodata           PROGBITS         0000000000000000  00000040
       0000000000000004  0000000000000000   A       0     0     4
...

Which shows in the Flags field that .text is now renamed .rodata, the
append flag A is set, and the section is not flagged as writeable W.

Link: https://github.com/ClangBuiltLinux/linux/issues/448
Reported-by: Nathan Chancellor <nathanchance@gmail.com>
Suggested-by: Jordan Rupprect <rupprecht@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>

---
 drivers/misc/lkdtm/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

-- 
2.21.0.1020.gf2820cf01a-goog

Comments

Nick Desaulniers May 13, 2019, 10:26 p.m. UTC | #1 
On Mon, May 13, 2019 at 3:21 PM Nick Desaulniers
<ndesaulniers@google.com> wrote:
>

> With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors:

> llvm-objcopy: error: --set-section-flags=.text conflicts with

> --rename-section=.text=.rodata

>

> Rather than support setting flags then renaming sections vs renaming

> then setting flags, it's simpler to just change both at the same time

> via --rename-section.

>

> This can be verified with:

> $ readelf -S drivers/misc/lkdtm/rodata_objcopy.o

> ...

> Section Headers:

>   [Nr] Name              Type             Address           Offset

>        Size              EntSize          Flags  Link  Info  Align

> ...

>   [ 1] .rodata           PROGBITS         0000000000000000  00000040

>        0000000000000004  0000000000000000   A       0     0     4

> ...

>

> Which shows in the Flags field that .text is now renamed .rodata, the

> append flag A is set, and the section is not flagged as writeable W.


Probably should've been:
Which shows that .text is now renamed .rodata, the
append flag A is set, and the section is not flagged as writeable W.

-- 
Thanks,
~Nick Desaulniers
Kees Cook May 13, 2019, 11:04 p.m. UTC | #2 
On Mon, May 13, 2019 at 03:21:09PM -0700, Nick Desaulniers wrote:
> With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors:

> llvm-objcopy: error: --set-section-flags=.text conflicts with

> --rename-section=.text=.rodata

> 

> Rather than support setting flags then renaming sections vs renaming

> then setting flags, it's simpler to just change both at the same time

> via --rename-section.

> 

> This can be verified with:

> $ readelf -S drivers/misc/lkdtm/rodata_objcopy.o

> ...

> Section Headers:

>   [Nr] Name              Type             Address           Offset

>        Size              EntSize          Flags  Link  Info  Align

> ...

>   [ 1] .rodata           PROGBITS         0000000000000000  00000040

>        0000000000000004  0000000000000000   A       0     0     4

> ...

> 

> Which shows in the Flags field that .text is now renamed .rodata, the

> append flag A is set, and the section is not flagged as writeable W.

> 

> Link: https://github.com/ClangBuiltLinux/linux/issues/448

> Reported-by: Nathan Chancellor <nathanchance@gmail.com>

> Suggested-by: Jordan Rupprect <rupprecht@google.com>

> Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>


Thanks! This looks good. Greg, can you please take this for drivers/misc?

Acked-by: Kees Cook <keescook@chromium.org>


-Kees

> ---

>  drivers/misc/lkdtm/Makefile | 3 +--

>  1 file changed, 1 insertion(+), 2 deletions(-)

> 

> diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile

> index 951c984de61a..89dee2a9d88c 100644

> --- a/drivers/misc/lkdtm/Makefile

> +++ b/drivers/misc/lkdtm/Makefile

> @@ -15,8 +15,7 @@ KCOV_INSTRUMENT_rodata.o	:= n

>  

>  OBJCOPYFLAGS :=

>  OBJCOPYFLAGS_rodata_objcopy.o	:= \

> -			--set-section-flags .text=alloc,readonly \

> -			--rename-section .text=.rodata

> +			--rename-section .text=.rodata,alloc,readonly

>  targets += rodata.o rodata_objcopy.o

>  $(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE

>  	$(call if_changed,objcopy)

> -- 

> 2.21.0.1020.gf2820cf01a-goog

> 


-- 
Kees Cook
Nathan Chancellor May 13, 2019, 11:29 p.m. UTC | #3 
On Mon, May 13, 2019 at 03:21:09PM -0700, 'Nick Desaulniers' via Clang Built Linux wrote:
> With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors:

> llvm-objcopy: error: --set-section-flags=.text conflicts with

> --rename-section=.text=.rodata

> 

> Rather than support setting flags then renaming sections vs renaming

> then setting flags, it's simpler to just change both at the same time

> via --rename-section.

> 

> This can be verified with:

> $ readelf -S drivers/misc/lkdtm/rodata_objcopy.o

> ...

> Section Headers:

>   [Nr] Name              Type             Address           Offset

>        Size              EntSize          Flags  Link  Info  Align

> ...

>   [ 1] .rodata           PROGBITS         0000000000000000  00000040

>        0000000000000004  0000000000000000   A       0     0     4

> ...

> 

> Which shows in the Flags field that .text is now renamed .rodata, the

> append flag A is set, and the section is not flagged as writeable W.

> 

> Link: https://github.com/ClangBuiltLinux/linux/issues/448

> Reported-by: Nathan Chancellor <nathanchance@gmail.com>


This should be natechancellor@gmail.com (although I think I do own that
email, just haven't been into it for 10+ years...)

> Suggested-by: Jordan Rupprect <rupprecht@google.com>

> Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>

> ---

>  drivers/misc/lkdtm/Makefile | 3 +--

>  1 file changed, 1 insertion(+), 2 deletions(-)

> 

> diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile

> index 951c984de61a..89dee2a9d88c 100644

> --- a/drivers/misc/lkdtm/Makefile

> +++ b/drivers/misc/lkdtm/Makefile

> @@ -15,8 +15,7 @@ KCOV_INSTRUMENT_rodata.o	:= n

>  

>  OBJCOPYFLAGS :=

>  OBJCOPYFLAGS_rodata_objcopy.o	:= \

> -			--set-section-flags .text=alloc,readonly \

> -			--rename-section .text=.rodata

> +			--rename-section .text=.rodata,alloc,readonly

>  targets += rodata.o rodata_objcopy.o

>  $(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE

>  	$(call if_changed,objcopy)

> -- 

> 2.21.0.1020.gf2820cf01a-goog

> 


I ran this script to see if there was any change for GNU objcopy and it
looks like .rodata's type gets changed, is this intentional? Otherwise,
this works for llvm-objcopy like you show.

-----------

1c1
< There are 11 section headers, starting at offset 0x240:
---
> There are 11 section headers, starting at offset 0x230:

8c8
<   [ 1] .rodata           PROGBITS         0000000000000000  00000040
---
>   [ 1] .rodata           NOBITS           0000000000000000  00000040

10c10

-----------

#!/bin/bash

TMP1=$(mktemp)
TMP2=$(mktemp)

git checkout next-20190513

make -j$(nproc) ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- O=out mrproper allyesconfig drivers/misc/lkdtm/
readelf -S out/drivers/misc/lkdtm/rodata_objcopy.o > ${TMP1}

curl -LSs https://lore.kernel.org/lkml/20190513222109.110020-1-ndesaulniers@google.com/raw | git am -3

make -j$(nproc) ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- O=out mrproper allyesconfig drivers/misc/lkdtm/
readelf -S out/drivers/misc/lkdtm/rodata_objcopy.o > ${TMP2}

diff ${TMP1} ${TMP2}
Jordan Rupprecht May 13, 2019, 11:38 p.m. UTC | #4 
Nathan: is your version of llvm-objcopy later than r359639 (April 30)?


From: Nathan Chancellor <natechancellor@gmail.com>

Date: Mon, May 13, 2019 at 4:29 PM
To: Nick Desaulniers
Cc: <keescook@chromium.org>, <clang-built-linux@googlegroups.com>,
Nathan Chancellor, Jordan Rupprect, Arnd Bergmann, Greg Kroah-Hartman,
<linux-kernel@vger.kernel.org>

> On Mon, May 13, 2019 at 03:21:09PM -0700, 'Nick Desaulniers' via Clang Built Linux wrote:

> > With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors:

> > llvm-objcopy: error: --set-section-flags=.text conflicts with

> > --rename-section=.text=.rodata

> >

> > Rather than support setting flags then renaming sections vs renaming

> > then setting flags, it's simpler to just change both at the same time

> > via --rename-section.

> >

> > This can be verified with:

> > $ readelf -S drivers/misc/lkdtm/rodata_objcopy.o

> > ...

> > Section Headers:

> >   [Nr] Name              Type             Address           Offset

> >        Size              EntSize          Flags  Link  Info  Align

> > ...

> >   [ 1] .rodata           PROGBITS         0000000000000000  00000040

> >        0000000000000004  0000000000000000   A       0     0     4

> > ...

> >

> > Which shows in the Flags field that .text is now renamed .rodata, the

> > append flag A is set, and the section is not flagged as writeable W.

> >

> > Link: https://github.com/ClangBuiltLinux/linux/issues/448

> > Reported-by: Nathan Chancellor <nathanchance@gmail.com>

>

> This should be natechancellor@gmail.com (although I think I do own that

> email, just haven't been into it for 10+ years...)

>

> > Suggested-by: Jordan Rupprect <rupprecht@google.com>

> > Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>

> > ---

> >  drivers/misc/lkdtm/Makefile | 3 +--

> >  1 file changed, 1 insertion(+), 2 deletions(-)

> >

> > diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile

> > index 951c984de61a..89dee2a9d88c 100644

> > --- a/drivers/misc/lkdtm/Makefile

> > +++ b/drivers/misc/lkdtm/Makefile

> > @@ -15,8 +15,7 @@ KCOV_INSTRUMENT_rodata.o    := n

> >

> >  OBJCOPYFLAGS :=

> >  OBJCOPYFLAGS_rodata_objcopy.o        := \

> > -                     --set-section-flags .text=alloc,readonly \

> > -                     --rename-section .text=.rodata

> > +                     --rename-section .text=.rodata,alloc,readonly

> >  targets += rodata.o rodata_objcopy.o

> >  $(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE

> >       $(call if_changed,objcopy)

> > --

> > 2.21.0.1020.gf2820cf01a-goog

> >

>

> I ran this script to see if there was any change for GNU objcopy and it

> looks like .rodata's type gets changed, is this intentional? Otherwise,

> this works for llvm-objcopy like you show.

>

> -----------

>

> 1c1

> < There are 11 section headers, starting at offset 0x240:

> ---

> > There are 11 section headers, starting at offset 0x230:

> 8c8

> <   [ 1] .rodata           PROGBITS         0000000000000000  00000040

> ---

> >   [ 1] .rodata           NOBITS           0000000000000000  00000040

> 10c10

>

> -----------

>

> #!/bin/bash

>

> TMP1=$(mktemp)

> TMP2=$(mktemp)

>

> git checkout next-20190513

>

> make -j$(nproc) ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- O=out mrproper allyesconfig drivers/misc/lkdtm/

> readelf -S out/drivers/misc/lkdtm/rodata_objcopy.o > ${TMP1}

>

> curl -LSs https://lore.kernel.org/lkml/20190513222109.110020-1-ndesaulniers@google.com/raw | git am -3

>

> make -j$(nproc) ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- O=out mrproper allyesconfig drivers/misc/lkdtm/

> readelf -S out/drivers/misc/lkdtm/rodata_objcopy.o > ${TMP2}

>

> diff ${TMP1} ${TMP2}
Nathan Chancellor May 13, 2019, 11:47 p.m. UTC | #5 
On Mon, May 13, 2019 at 04:38:54PM -0700, Jordan Rupprecht wrote:
> Nathan: is your version of llvm-objcopy later than r359639 (April 30)?

> 

> 

> From: Nathan Chancellor <natechancellor@gmail.com>

> Date: Mon, May 13, 2019 at 4:29 PM

> To: Nick Desaulniers

> Cc: <keescook@chromium.org>, <clang-built-linux@googlegroups.com>,

> Nathan Chancellor, Jordan Rupprect, Arnd Bergmann, Greg Kroah-Hartman,

> <linux-kernel@vger.kernel.org>

> 

> > On Mon, May 13, 2019 at 03:21:09PM -0700, 'Nick Desaulniers' via Clang Built Linux wrote:

> > > With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors:

> > > llvm-objcopy: error: --set-section-flags=.text conflicts with

> > > --rename-section=.text=.rodata

> > >

> > > Rather than support setting flags then renaming sections vs renaming

> > > then setting flags, it's simpler to just change both at the same time

> > > via --rename-section.

> > >

> > > This can be verified with:

> > > $ readelf -S drivers/misc/lkdtm/rodata_objcopy.o

> > > ...

> > > Section Headers:

> > >   [Nr] Name              Type             Address           Offset

> > >        Size              EntSize          Flags  Link  Info  Align

> > > ...

> > >   [ 1] .rodata           PROGBITS         0000000000000000  00000040

> > >        0000000000000004  0000000000000000   A       0     0     4

> > > ...

> > >

> > > Which shows in the Flags field that .text is now renamed .rodata, the

> > > append flag A is set, and the section is not flagged as writeable W.

> > >

> > > Link: https://github.com/ClangBuiltLinux/linux/issues/448

> > > Reported-by: Nathan Chancellor <nathanchance@gmail.com>

> >

> > This should be natechancellor@gmail.com (although I think I do own that

> > email, just haven't been into it for 10+ years...)

> >

> > > Suggested-by: Jordan Rupprect <rupprecht@google.com>

> > > Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>

> > > ---

> > >  drivers/misc/lkdtm/Makefile | 3 +--

> > >  1 file changed, 1 insertion(+), 2 deletions(-)

> > >

> > > diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile

> > > index 951c984de61a..89dee2a9d88c 100644

> > > --- a/drivers/misc/lkdtm/Makefile

> > > +++ b/drivers/misc/lkdtm/Makefile

> > > @@ -15,8 +15,7 @@ KCOV_INSTRUMENT_rodata.o    := n

> > >

> > >  OBJCOPYFLAGS :=

> > >  OBJCOPYFLAGS_rodata_objcopy.o        := \

> > > -                     --set-section-flags .text=alloc,readonly \

> > > -                     --rename-section .text=.rodata

> > > +                     --rename-section .text=.rodata,alloc,readonly

> > >  targets += rodata.o rodata_objcopy.o

> > >  $(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE

> > >       $(call if_changed,objcopy)

> > > --

> > > 2.21.0.1020.gf2820cf01a-goog

> > >

> >

> > I ran this script to see if there was any change for GNU objcopy and it

> > looks like .rodata's type gets changed, is this intentional? Otherwise,

> > this works for llvm-objcopy like you show.

> >

> > -----------

> >

> > 1c1

> > < There are 11 section headers, starting at offset 0x240:

> > ---

> > > There are 11 section headers, starting at offset 0x230:

> > 8c8

> > <   [ 1] .rodata           PROGBITS         0000000000000000  00000040

> > ---

> > >   [ 1] .rodata           NOBITS           0000000000000000  00000040

> > 10c10

> >

> > -----------

> >

> > #!/bin/bash

> >

> > TMP1=$(mktemp)

> > TMP2=$(mktemp)

> >

> > git checkout next-20190513

> >

> > make -j$(nproc) ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- O=out mrproper allyesconfig drivers/misc/lkdtm/

> > readelf -S out/drivers/misc/lkdtm/rodata_objcopy.o > ${TMP1}

> >

> > curl -LSs https://lore.kernel.org/lkml/20190513222109.110020-1-ndesaulniers@google.com/raw | git am -3

> >

> > make -j$(nproc) ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- O=out mrproper allyesconfig drivers/misc/lkdtm/

> > readelf -S out/drivers/misc/lkdtm/rodata_objcopy.o > ${TMP2}

> >

> > diff ${TMP1} ${TMP2}


Hi Jordan,

Yes but that output was purely with GNU objcopy (checking section
headers before and after this patch). This is the section header
for llvm-objcopy after this patch:

  [ 1] .rodata           PROGBITS         0000000000000000  00000040
         0000000000000004  0000000000000000   A       0     0     4

Cheers,
Nathan
Nick Desaulniers May 13, 2019, 11:50 p.m. UTC | #6 
On Mon, May 13, 2019 at 4:29 PM Nathan Chancellor
<natechancellor@gmail.com> wrote:
>

> On Mon, May 13, 2019 at 03:21:09PM -0700, 'Nick Desaulniers' via Clang Built Linux wrote:

> > With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors:

> > llvm-objcopy: error: --set-section-flags=.text conflicts with

> > --rename-section=.text=.rodata

> >

> > Rather than support setting flags then renaming sections vs renaming

> > then setting flags, it's simpler to just change both at the same time

> > via --rename-section.

> >

> > This can be verified with:

> > $ readelf -S drivers/misc/lkdtm/rodata_objcopy.o

> > ...

> > Section Headers:

> >   [Nr] Name              Type             Address           Offset

> >        Size              EntSize          Flags  Link  Info  Align

> > ...

> >   [ 1] .rodata           PROGBITS         0000000000000000  00000040

> >        0000000000000004  0000000000000000   A       0     0     4

> > ...

> >

> > Which shows in the Flags field that .text is now renamed .rodata, the

> > append flag A is set, and the section is not flagged as writeable W.

> >

> > Link: https://github.com/ClangBuiltLinux/linux/issues/448

> > Reported-by: Nathan Chancellor <nathanchance@gmail.com>

>

> This should be natechancellor@gmail.com (although I think I do own that

> email, just haven't been into it for 10+ years...)


Sorry, I should have looked it up.  I'll just fix this, my earlier
mistake, and collect Kee's reviewed by tag in a v2 sent directly to
GKH.

>

> > Suggested-by: Jordan Rupprect <rupprecht@google.com>

> > Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>

> > ---

> >  drivers/misc/lkdtm/Makefile | 3 +--

> >  1 file changed, 1 insertion(+), 2 deletions(-)

> >

> > diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile

> > index 951c984de61a..89dee2a9d88c 100644

> > --- a/drivers/misc/lkdtm/Makefile

> > +++ b/drivers/misc/lkdtm/Makefile

> > @@ -15,8 +15,7 @@ KCOV_INSTRUMENT_rodata.o    := n

> >

> >  OBJCOPYFLAGS :=

> >  OBJCOPYFLAGS_rodata_objcopy.o        := \

> > -                     --set-section-flags .text=alloc,readonly \

> > -                     --rename-section .text=.rodata

> > +                     --rename-section .text=.rodata,alloc,readonly

> >  targets += rodata.o rodata_objcopy.o

> >  $(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE

> >       $(call if_changed,objcopy)

> > --

> > 2.21.0.1020.gf2820cf01a-goog

> >

>

> I ran this script to see if there was any change for GNU objcopy and it

> looks like .rodata's type gets changed, is this intentional? Otherwise,

> this works for llvm-objcopy like you show.

>

> -----------

>

> 1c1

> < There are 11 section headers, starting at offset 0x240:

> ---

> > There are 11 section headers, starting at offset 0x230:

> 8c8

> <   [ 1] .rodata           PROGBITS         0000000000000000  00000040

> ---

> >   [ 1] .rodata           NOBITS           0000000000000000  00000040

> 10c10


Interesting find.  the .rodata of vmlinux itself is marked PROGBITS,
so its curious that GNU binutils changes the "Type" after the rename.
I doubt the code in question relies on NOBITS for this section.  Kees,
can you clarify?  Jordan, do you know what the differences are between
PROGBITS vs NOBITS?
https://people.redhat.com/mpolacek/src/devconf2012.pdf seems to
suggest NOBITS zero initializes data but I'm not sure that's what this
code wants.

>

> -----------

>

> #!/bin/bash

>

> TMP1=$(mktemp)

> TMP2=$(mktemp)

>

> git checkout next-20190513

>

> make -j$(nproc) ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- O=out mrproper allyesconfig drivers/misc/lkdtm/

> readelf -S out/drivers/misc/lkdtm/rodata_objcopy.o > ${TMP1}

>

> curl -LSs https://lore.kernel.org/lkml/20190513222109.110020-1-ndesaulniers@google.com/raw | git am -3

>

> make -j$(nproc) ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- O=out mrproper allyesconfig drivers/misc/lkdtm/

> readelf -S out/drivers/misc/lkdtm/rodata_objcopy.o > ${TMP2}

>

> diff ${TMP1} ${TMP2}




-- 
Thanks,
~Nick Desaulniers
Kees Cook May 14, 2019, 6:10 p.m. UTC | #7 
On Mon, May 13, 2019 at 04:50:05PM -0700, Nick Desaulniers wrote:
> On Mon, May 13, 2019 at 4:29 PM Nathan Chancellor

> <natechancellor@gmail.com> wrote:

> >

> > On Mon, May 13, 2019 at 03:21:09PM -0700, 'Nick Desaulniers' via Clang Built Linux wrote:

> > > With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors:

> > > llvm-objcopy: error: --set-section-flags=.text conflicts with

> > > --rename-section=.text=.rodata

> > >

> > > Rather than support setting flags then renaming sections vs renaming

> > > then setting flags, it's simpler to just change both at the same time

> > > via --rename-section.

> > >

> > > This can be verified with:

> > > $ readelf -S drivers/misc/lkdtm/rodata_objcopy.o

> > > ...

> > > Section Headers:

> > >   [Nr] Name              Type             Address           Offset

> > >        Size              EntSize          Flags  Link  Info  Align

> > > ...

> > >   [ 1] .rodata           PROGBITS         0000000000000000  00000040

> > >        0000000000000004  0000000000000000   A       0     0     4

> > > ...

> > >

> > > Which shows in the Flags field that .text is now renamed .rodata, the

> > > append flag A is set, and the section is not flagged as writeable W.

> > >

> > > Link: https://github.com/ClangBuiltLinux/linux/issues/448

> > > Reported-by: Nathan Chancellor <nathanchance@gmail.com>

> >

> > This should be natechancellor@gmail.com (although I think I do own that

> > email, just haven't been into it for 10+ years...)

> 

> Sorry, I should have looked it up.  I'll just fix this, my earlier

> mistake, and collect Kees's reviewed by tag in a v2 sent directly to

> GKH.


Sounds good.

> > I ran this script to see if there was any change for GNU objcopy and it

> > looks like .rodata's type gets changed, is this intentional? Otherwise,

> > this works for llvm-objcopy like you show.

> >

> > -----------

> >

> > 1c1

> > < There are 11 section headers, starting at offset 0x240:

> > ---

> > > There are 11 section headers, starting at offset 0x230:

> > 8c8

> > <   [ 1] .rodata           PROGBITS         0000000000000000  00000040

> > ---

> > >   [ 1] .rodata           NOBITS           0000000000000000  00000040

> > 10c10


Oh, very good catch; thank you!

> 

> Interesting find.  the .rodata of vmlinux itself is marked PROGBITS,

> so its curious that GNU binutils changes the "Type" after the rename.

> I doubt the code in question relies on NOBITS for this section.  Kees,

> can you clarify?  Jordan, do you know what the differences are between

> PROGBITS vs NOBITS?

> https://people.redhat.com/mpolacek/src/devconf2012.pdf seems to

> suggest NOBITS zero initializes data but I'm not sure that's what this

> code wants.


Yes, the linker treats this as a zeroed section. My testing only checked that the NX protection check kicked, but in looking at the memory, the failure mode wouldn't have returned, because it got zeroed instead of seeing a "ret":

Before the patch (with a two-byte target dump added):

	lkdtm: attempting bad execution at ffffffff986db2b0
	lkdtm: f3 c3

After the patch:

	lkdtm: attempting bad execution at ffffffff986db2b0
	lkdtm: 00 00

So, yes, this breaks the fall-back case and should not be used. It seems
that objcopy BFD breaks the PROGBITS in this case, but llvm-objcopy
does not...

$ objcopy --set-section-flags .text=alloc,readonly --rename-section .text=.rodata rodata.o rodata_objcopy.o
$ readelf -S rodata_objcopy.o | grep -A1 \.rodata
  [ 1] .rodata           PROGBITS         0000000000000000  00000040
       0000000000000002  0000000000000000   A       0     0     16

$ objcopy --rename-section .text=.rodata,alloc,readonly rodata.o rodata_objcopy.o
$ readelf -S rodata_objcopy.o | grep -A1 \.rodata
  [ 1] .rodata           NOBITS           0000000000000000  00000040
       0000000000000002  0000000000000000   A       0     0     16

$ llvm-objcopy --rename-section .text=.rodata,alloc,readonly rodata.o rodata_objcopy-llvm.o
$ readelf -S rodata_objcopy-llvm.o | grep -A1 \.rodata
  [ 1] .rodata           PROGBITS         0000000000000000  00000040
       0000000000000002  0000000000000000   A       0     0     16


llvm-objcopy doesn't like doing both arguments at the same time,
and BFD gets it wrong when using the appended flags. How about just a
two-stage copy, like this?

diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
index 951c984de61a..715832c844c8 100644
--- a/drivers/misc/lkdtm/Makefile
+++ b/drivers/misc/lkdtm/Makefile
@@ -14,9 +14,12 @@ KASAN_SANITIZE_stackleak.o	:= n
 KCOV_INSTRUMENT_rodata.o	:= n
 
 OBJCOPYFLAGS :=
+OBJCOPYFLAGS_rodata_flags.o	:= \
+			--set-section-flags .text=alloc,readonly
 OBJCOPYFLAGS_rodata_objcopy.o	:= \
-			--set-section-flags .text=alloc,readonly \
 			--rename-section .text=.rodata
-targets += rodata.o rodata_objcopy.o
-$(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
+targets += rodata.o rodata_flags.o rodata_objcopy.o
+$(obj)/rodata_flags.o: $(obj)/rodata.o FORCE
+	$(call if_changed,objcopy)
+$(obj)/rodata_objcopy.o: $(obj)/rodata_flags.o FORCE
 	$(call if_changed,objcopy)


-- 
Kees Cook
Nick Desaulniers May 14, 2019, 8:24 p.m. UTC | #8 
On Tue, May 14, 2019 at 11:11 AM Kees Cook <keescook@chromium.org> wrote:
>

> On Mon, May 13, 2019 at 04:50:05PM -0700, Nick Desaulniers wrote:

> > On Mon, May 13, 2019 at 4:29 PM Nathan Chancellor

> > <natechancellor@gmail.com> wrote:

> > >

> > > On Mon, May 13, 2019 at 03:21:09PM -0700, 'Nick Desaulniers' via Clang Built Linux wrote:

> > > > With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors:

> > > > llvm-objcopy: error: --set-section-flags=.text conflicts with

> > > > --rename-section=.text=.rodata

> > > >

> > > > Rather than support setting flags then renaming sections vs renaming

> > > > then setting flags, it's simpler to just change both at the same time

> > > > via --rename-section.

> > > >

> > > > This can be verified with:

> > > > $ readelf -S drivers/misc/lkdtm/rodata_objcopy.o

> > > > ...

> > > > Section Headers:

> > > >   [Nr] Name              Type             Address           Offset

> > > >        Size              EntSize          Flags  Link  Info  Align

> > > > ...

> > > >   [ 1] .rodata           PROGBITS         0000000000000000  00000040

> > > >        0000000000000004  0000000000000000   A       0     0     4

> > > > ...

> > > >

> > > > Which shows in the Flags field that .text is now renamed .rodata, the

> > > > append flag A is set, and the section is not flagged as writeable W.

> > > >

> > > > Link: https://github.com/ClangBuiltLinux/linux/issues/448

> > > > Reported-by: Nathan Chancellor <nathanchance@gmail.com>

> > >

> > > This should be natechancellor@gmail.com (although I think I do own that

> > > email, just haven't been into it for 10+ years...)

> >

> > Sorry, I should have looked it up.  I'll just fix this, my earlier

> > mistake, and collect Kees's reviewed by tag in a v2 sent directly to

> > GKH.

>

> Sounds good.

>

> > > I ran this script to see if there was any change for GNU objcopy and it

> > > looks like .rodata's type gets changed, is this intentional? Otherwise,

> > > this works for llvm-objcopy like you show.

> > >

> > > -----------

> > >

> > > 1c1

> > > < There are 11 section headers, starting at offset 0x240:

> > > ---

> > > > There are 11 section headers, starting at offset 0x230:

> > > 8c8

> > > <   [ 1] .rodata           PROGBITS         0000000000000000  00000040

> > > ---

> > > >   [ 1] .rodata           NOBITS           0000000000000000  00000040

> > > 10c10

>

> Oh, very good catch; thank you!

>

> >

> > Interesting find.  the .rodata of vmlinux itself is marked PROGBITS,

> > so its curious that GNU binutils changes the "Type" after the rename.

> > I doubt the code in question relies on NOBITS for this section.  Kees,

> > can you clarify?  Jordan, do you know what the differences are between

> > PROGBITS vs NOBITS?

> > https://people.redhat.com/mpolacek/src/devconf2012.pdf seems to

> > suggest NOBITS zero initializes data but I'm not sure that's what this

> > code wants.

>

> Yes, the linker treats this as a zeroed section. My testing only checked that the NX protection check kicked, but in looking at the memory, the failure mode wouldn't have returned, because it got zeroed instead of seeing a "ret":

>

> Before the patch (with a two-byte target dump added):

>

>         lkdtm: attempting bad execution at ffffffff986db2b0

>         lkdtm: f3 c3

>

> After the patch:

>

>         lkdtm: attempting bad execution at ffffffff986db2b0

>         lkdtm: 00 00

>

> So, yes, this breaks the fall-back case and should not be used. It seems

> that objcopy BFD breaks the PROGBITS in this case, but llvm-objcopy

> does not...


I'm not sure I want to call it a bug in the initial implementation.  I've filed:
https://sourceware.org/bugzilla/show_bug.cgi?id=24554 for
clarification.  Jordan, I hope you can participate in any discussion
there?

>

> $ objcopy --set-section-flags .text=alloc,readonly --rename-section .text=.rodata rodata.o rodata_objcopy.o

> $ readelf -S rodata_objcopy.o | grep -A1 \.rodata

>   [ 1] .rodata           PROGBITS         0000000000000000  00000040

>        0000000000000002  0000000000000000   A       0     0     16

>

> $ objcopy --rename-section .text=.rodata,alloc,readonly rodata.o rodata_objcopy.o

> $ readelf -S rodata_objcopy.o | grep -A1 \.rodata

>   [ 1] .rodata           NOBITS           0000000000000000  00000040

>        0000000000000002  0000000000000000   A       0     0     16

>

> $ llvm-objcopy --rename-section .text=.rodata,alloc,readonly rodata.o rodata_objcopy-llvm.o

> $ readelf -S rodata_objcopy-llvm.o | grep -A1 \.rodata

>   [ 1] .rodata           PROGBITS         0000000000000000  00000040

>        0000000000000002  0000000000000000   A       0     0     16

>

>

> llvm-objcopy doesn't like doing both arguments at the same time,

> and BFD gets it wrong when using the appended flags. How about just a

> two-stage copy, like this?


Yeah, I think this should work.  What you wrote above + the link the
bug I just filed would go well in a commit message, along with:
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>


>

> diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile

> index 951c984de61a..715832c844c8 100644

> --- a/drivers/misc/lkdtm/Makefile

> +++ b/drivers/misc/lkdtm/Makefile

> @@ -14,9 +14,12 @@ KASAN_SANITIZE_stackleak.o   := n

>  KCOV_INSTRUMENT_rodata.o       := n

>

>  OBJCOPYFLAGS :=

> +OBJCOPYFLAGS_rodata_flags.o    := \

> +                       --set-section-flags .text=alloc,readonly

>  OBJCOPYFLAGS_rodata_objcopy.o  := \

> -                       --set-section-flags .text=alloc,readonly \

>                         --rename-section .text=.rodata

> -targets += rodata.o rodata_objcopy.o

> -$(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE

> +targets += rodata.o rodata_flags.o rodata_objcopy.o

> +$(obj)/rodata_flags.o: $(obj)/rodata.o FORCE

> +       $(call if_changed,objcopy)

> +$(obj)/rodata_objcopy.o: $(obj)/rodata_flags.o FORCE

>         $(call if_changed,objcopy)

>

>

> --

> Kees Cook

>

> --

> You received this message because you are subscribed to the Google Groups "Clang Built Linux" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to clang-built-linux+unsubscribe@googlegroups.com.

> To post to this group, send email to clang-built-linux@googlegroups.com.

> To view this discussion on the web visit https://groups.google.com/d/msgid/clang-built-linux/201905141041.C38DA1B305%40keescook.

> For more options, visit https://groups.google.com/d/optout.




-- 
Thanks,
~Nick Desaulniers
Kees Cook May 15, 2019, 4:42 p.m. UTC | #9 
On Tue, May 14, 2019 at 01:24:37PM -0700, Nick Desaulniers wrote:
> On Tue, May 14, 2019 at 11:11 AM Kees Cook <keescook@chromium.org> wrote:

> >

> > On Mon, May 13, 2019 at 04:50:05PM -0700, Nick Desaulniers wrote:

> > > On Mon, May 13, 2019 at 4:29 PM Nathan Chancellor

> > > <natechancellor@gmail.com> wrote:

> > > >

> > > > On Mon, May 13, 2019 at 03:21:09PM -0700, 'Nick Desaulniers' via Clang Built Linux wrote:

> > > > > With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors:

> > > > > llvm-objcopy: error: --set-section-flags=.text conflicts with

> > > > > --rename-section=.text=.rodata

> > > > >

> > > > > Rather than support setting flags then renaming sections vs renaming

> > > > > then setting flags, it's simpler to just change both at the same time

> > > > > via --rename-section.

> 

> I'm not sure I want to call it a bug in the initial implementation.  I've filed:

> https://sourceware.org/bugzilla/show_bug.cgi?id=24554 for

> clarification.  Jordan, I hope you can participate in any discussion

> there?


Based on the hint from Alan Modra, it seems PROGBITS/NOBITS can be
controlled with the presence/absence of the "load" section flag. This
appears to work for both BFD and LLVM:

$ objcopy --rename-section .text=.rodata,alloc,readonly,load rodata.o rodata_objcopy.o
$ readelf -WS rodata_objcopy.o | grep \.rodata
 [ 1] .rodata    PROGBITS     0000000000000000 000040 000002 00   A  0   0 16

$ llvm-objcopy --rename-section .text=.rodata,alloc,readonly,load rodata.o rodata_objcopy.o
$ readelf -WS rodata_objcopy.o | grep \.rodata
 [ 1] .rodata    PROGBITS     0000000000000000 000040 000002 00   A  0   0 16

So, that's an easy change that could be folded into the original version
of this patch (no need for my two-phase work-around).

-- 
Kees Cook
Nick Desaulniers May 15, 2019, 5:37 p.m. UTC | #10 
On Wed, May 15, 2019 at 9:43 AM Kees Cook <keescook@chromium.org> wrote:
>

> On Tue, May 14, 2019 at 01:24:37PM -0700, Nick Desaulniers wrote:

> > On Tue, May 14, 2019 at 11:11 AM Kees Cook <keescook@chromium.org> wrote:

> > >

> > > On Mon, May 13, 2019 at 04:50:05PM -0700, Nick Desaulniers wrote:

> > > > On Mon, May 13, 2019 at 4:29 PM Nathan Chancellor

> > > > <natechancellor@gmail.com> wrote:

> > > > >

> > > > > On Mon, May 13, 2019 at 03:21:09PM -0700, 'Nick Desaulniers' via Clang Built Linux wrote:

> > > > > > With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors:

> > > > > > llvm-objcopy: error: --set-section-flags=.text conflicts with

> > > > > > --rename-section=.text=.rodata

> > > > > >

> > > > > > Rather than support setting flags then renaming sections vs renaming

> > > > > > then setting flags, it's simpler to just change both at the same time

> > > > > > via --rename-section.

> >

> > I'm not sure I want to call it a bug in the initial implementation.  I've filed:

> > https://sourceware.org/bugzilla/show_bug.cgi?id=24554 for

> > clarification.  Jordan, I hope you can participate in any discussion

> > there?

>

> Based on the hint from Alan Modra, it seems PROGBITS/NOBITS can be

> controlled with the presence/absence of the "load" section flag. This

> appears to work for both BFD and LLVM:

>

> $ objcopy --rename-section .text=.rodata,alloc,readonly,load rodata.o rodata_objcopy.o

> $ readelf -WS rodata_objcopy.o | grep \.rodata

>  [ 1] .rodata    PROGBITS     0000000000000000 000040 000002 00   A  0   0 16

>

> $ llvm-objcopy --rename-section .text=.rodata,alloc,readonly,load rodata.o rodata_objcopy.o

> $ readelf -WS rodata_objcopy.o | grep \.rodata

>  [ 1] .rodata    PROGBITS     0000000000000000 000040 000002 00   A  0   0 16

>

> So, that's an easy change that could be folded into the original version

> of this patch (no need for my two-phase work-around).


Ah, yes that's better.  I'll fold that into a v2 and resend shortly.
I'm going to carry your Ack from earlier, please let me know offlist
if that's not appropriate.
-- 
Thanks,
~Nick Desaulniers
diff mbox series

Patch

diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
index 951c984de61a..89dee2a9d88c 100644
--- a/drivers/misc/lkdtm/Makefile
+++ b/drivers/misc/lkdtm/Makefile
@@ -15,8 +15,7 @@  KCOV_INSTRUMENT_rodata.o	:= n
 
 OBJCOPYFLAGS :=
 OBJCOPYFLAGS_rodata_objcopy.o	:= \
-			--set-section-flags .text=alloc,readonly \
-			--rename-section .text=.rodata
+			--rename-section .text=.rodata,alloc,readonly
 targets += rodata.o rodata_objcopy.o
 $(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
 	$(call if_changed,objcopy)