set_memory_*() needs __must_check and atomicity #7
Labels
[ARCH] arm32
Needed on the 32-bit ARM architecture (ARCH=arm)
[ARCH] arm64
Needed on the 64-bit ARM architecture (ARCH=arm64)
[ARCH] powerpc64
Needed on the 64-bit POWER architecture
[ARCH] x86_32
Needed on the 32-bit x86 architecture (ARCH=i386)
[ARCH] x86_64
Needed on the 64-bit x86 architecture (ARCH=x86)
Comments
kees
added
[ARCH] arm32
|
Hi @kees Please let me know. Thanks a lot, |
I think Tianlin Li is working on it, so please coordinate with them: |
|
Hi @kees Thanks, |
|
The failure modes for each caller likely need to be examined and dealt with individually (e.g. what does it mean if something has failed?). Once those are done, then the __must_check attributes can be added. |
|
Hi @kees, For example, set_memory_*() is invoked by frob_rodata, and frob_rodata is called by module_disable_ro, and module_disable_ro is called by klp_init_object_loaded. However, both frob_rodata and module_disable_ro are returning void. One way is just printing warnings in frob_rodata() and return. But it may not be a good one. The other way is, we should check for the error from module_disable_ro and return failure there like: So could you please advise me the direction of this patch? I really appreciate it. Best regards, |
|
Right, this will require many patches to plumb the failures. It will be a large series of patches when it's all done, but the change can be done incrementally a subsystem at a time. You can be sending those fixes to maintainers in parallel, and at some point in the future when all of them are plumbed, the __must_check attribute can be added. Does that make sense? For example, you could do the module subsystem first and work out any issues there and then move on to other places. |
|
Yeah that makes sense. I will start with module subsystem. Thank you! |
|
ping @ruscur, how does this affect your current patches to wire up |
|
@tli16 Are you still working on this at all? |
|
Series proposed here for modules : https://patchwork.kernel.org/project/linux-modules/list/?state=*&series=812046 However, last patch had to be reverted because some ARM64 return -EINVAL when setting some memory to RO. |
|
After discussion with ARM64 architecture team a solution has been identified. New patch available at: https://patchwork.kernel.org/project/linux-modules/patch/21037bf38438a285f5dff9501668f1675bc45989.1708070781.git.christophe.leroy@csgroup.eu/ |
ColinIanKing
pushed a commit
to ColinIanKing/linux-next
that referenced
this issue
Feb 19, 2024
set_memory_ro(), set_memory_nx(), set_memory_x() and other helpers can fail and return an error. In that case the memory might not be protected as expected and the module loading has to be aborted to avoid security issues. Check return value of all calls to set_memory_XX() and handle error if any. Add a check to not call set_memory_XX() on NULL pointers as some architectures may not like it allthough numpages is always 0 in that case. This also avoid a useless call to set_vm_flush_reset_perms(). Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Tested-by: Marek Szyprowski <[email protected]> Reviewed-by: Kees Cook <[email protected]> Signed-off-by: Luis Chamberlain <[email protected]>
mpe
pushed a commit
to linuxppc/linux-ci
that referenced
this issue
Feb 24, 2024
set_memory_rox() can fail. In case it fails, free allocated memory and return NULL. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Signed-off-by: Michael Ellerman <[email protected]> Link: https://msgid.link/b4907cf4339bd086abc40430d91311436cb0c18e.1708078401.git.christophe.leroy@csgroup.eu
mpe
pushed a commit
to linuxppc/linux-ci
that referenced
this issue
Feb 24, 2024
mark_rodata_ro() and mark_initmem_nx() use functions that can fail like set_memory_nx() and set_memory_ro(), leading to a not protected kernel. In case of failure, panic. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Signed-off-by: Michael Ellerman <[email protected]> Link: https://msgid.link/836f75710daef12dfea55f8fb6055d7fdaf716e3.1708078577.git.christophe.leroy@csgroup.eu
mpe
pushed a commit
to linuxppc/linux-ci
that referenced
this issue
Feb 24, 2024
…ages() set_memory_p() and set_memory_np() can fail. As mentioned in linux/mm.h: /* * To support DEBUG_PAGEALLOC architecture must ensure that * __kernel_map_pages() never fails */ So panic in case set_memory_p() or set_memory_np() fail in __kernel_map_pages(). Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Signed-off-by: Michael Ellerman <[email protected]> Link: https://msgid.link/20ef75884aa6a636e8298736f3d1056b0793d3d9.1708078640.git.christophe.leroy@csgroup.eu
kernel-patches-daemon-bpf-rc bot
pushed a commit
to kernel-patches/bpf-rc
that referenced
this issue
Mar 1, 2024
…_ro() set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]>
kernel-patches-daemon-bpf-rc bot
pushed a commit
to kernel-patches/bpf-rc
that referenced
this issue
Mar 1, 2024
…ry_lock_ro() set_memory_rox() can fail, leaving memory unprotected. Check return and bail out when bpf_jit_binary_lock_ro() returns an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Reviewed-by: Puranjay Mohan <[email protected]> Reviewed-by: Ilya Leoshkevich <[email protected]> # s390x Acked-by: Tiezhu Yang <[email protected]> # LoongArch Reviewed-by: Johan Almbladh <[email protected]> # MIPS Part
kernel-patches-daemon-bpf bot
pushed a commit
to kernel-patches/bpf
that referenced
this issue
Mar 1, 2024
…_ro() set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]>
kernel-patches-daemon-bpf bot
pushed a commit
to kernel-patches/bpf
that referenced
this issue
Mar 1, 2024
…ry_lock_ro() set_memory_rox() can fail, leaving memory unprotected. Check return and bail out when bpf_jit_binary_lock_ro() returns an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Reviewed-by: Puranjay Mohan <[email protected]> Reviewed-by: Ilya Leoshkevich <[email protected]> # s390x Acked-by: Tiezhu Yang <[email protected]> # LoongArch Reviewed-by: Johan Almbladh <[email protected]> # MIPS Part
kernel-patches-daemon-bpf bot
pushed a commit
to kernel-patches/bpf
that referenced
this issue
Mar 3, 2024
…_ro() set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]>
Dangku
pushed a commit
to Dangku/sunxi-linux
that referenced
this issue
Aug 7, 2024
…_ro() [ Upstream commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 ] set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: August <[email protected]>
Dangku
pushed a commit
to Dangku/sunxi-linux
that referenced
this issue
Aug 7, 2024
…ry_lock_ro() [ Upstream commit e60adf513275c3a38e5cb67f7fd12387e43a3ff5 ] set_memory_rox() can fail, leaving memory unprotected. Check return and bail out when bpf_jit_binary_lock_ro() returns an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Reviewed-by: Puranjay Mohan <[email protected]> Reviewed-by: Ilya Leoshkevich <[email protected]> # s390x Acked-by: Tiezhu Yang <[email protected]> # LoongArch Reviewed-by: Johan Almbladh <[email protected]> # MIPS Part Message-ID: <036b6393f23a2032ce75a1c92220b2afcb798d5d.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: August <[email protected]>
oraclelinuxkernel
pushed a commit
to oracle/linux-uek
that referenced
this issue
Aug 9, 2024
…_ro() [ Upstream commit 7d2cc63 ] set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]> (cherry picked from commit a359696856ca9409fb97655c5a8ef0f549cb6e03) Signed-off-by: Vijayendra Suman <[email protected]>
tuxedo-bot
pushed a commit
to tuxedocomputers/linux
that referenced
this issue
Aug 12, 2024
…_ro() BugLink: https://bugs.launchpad.net/bugs/2073765 [ Upstream commit 7d2cc63 ] set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Portia Stephens <[email protected]> Signed-off-by: Roxana Nicolescu <[email protected]>
flobz
pushed a commit
to flobz/linux-fslc
that referenced
this issue
Aug 23, 2024
…_ro() [ Upstream commit 7d2cc63 ] set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]>
flobz
pushed a commit
to flobz/linux-fslc
that referenced
this issue
Aug 23, 2024
…_ro() [ Upstream commit 7d2cc63 ] set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]>
xt0032rus
pushed a commit
to xt0032rus/kernel_xiaomi_sm8550
that referenced
this issue
Aug 30, 2024
…_ro() [ Upstream commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 ] set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: xt0032rus <[email protected]>
JeevakaPrabu
pushed a commit
to projectceladon/linux-intel-lts2022
that referenced
this issue
Sep 2, 2024
…_ro() [ Upstream commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 ] set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]>
intel-lab-lkp
pushed a commit
to intel-lab-lkp/linux
that referenced
this issue
Sep 8, 2024
Following query shows that architectures that don't provide asm/set_memory.h don't use set_memory_...() functions. $ git grep set_memory_ alpha arc csky hexagon loongarch m68k microblaze mips nios2 openrisc parisc sh sparc um xtensa Following query shows that all core users of set_memory_...() functions always take returned value into account: $ git grep -w -e set_memory_ro -e set_memory_rw -e set_memory_x -e set_memory_nx -e set_memory_rox `find . -maxdepth 1 -type d | grep -v arch | grep /` set_memory_...() functions can fail, leaving the memory attributes unchanged. Make sure all callers check the returned code. Link: KSPP#7 Signed-off-by: Christophe Leroy <[email protected]>
intel-lab-lkp
pushed a commit
to intel-lab-lkp/linux
that referenced
this issue
Sep 8, 2024
After the following powerpc commits, all calls to set_memory_...() functions check returned value. - Commit 8f17bd2 ("powerpc: Handle error in mark_rodata_ro() and mark_initmem_nx()") - Commit f7f18e3 ("powerpc/kprobes: Handle error returned by set_memory_rox()") - Commit 009cf11 ("powerpc: Don't ignore errors from set_memory_{n}p() in __kernel_map_pages()") - Commit 9cbacb8 ("powerpc: Don't ignore errors from set_memory_{n}p() in __kernel_map_pages()") - Commit 78cb094 ("powerpc: Handle error in mark_rodata_ro() and mark_initmem_nx()") All calls in core parts of the kernel also always check returned value, can be looked at with following query: $ git grep -w -e set_memory_ro -e set_memory_rw -e set_memory_x -e set_memory_nx -e set_memory_rox `find . -maxdepth 1 -type d | grep -v arch | grep /` It is now possible to flag those functions with __must_check to make sure no new unchecked call it added. Link: KSPP#7 Signed-off-by: Christophe Leroy <[email protected]>
ioworker0
pushed a commit
to ioworker0/linux
that referenced
this issue
Sep 9, 2024
Following query shows that architectures that don't provide asm/set_memory.h don't use set_memory_...() functions. $ git grep set_memory_ alpha arc csky hexagon loongarch m68k microblaze mips nios2 openrisc parisc sh sparc um xtensa Following query shows that all core users of set_memory_...() functions always take returned value into account: $ git grep -w -e set_memory_ro -e set_memory_rw -e set_memory_x -e set_memory_nx -e set_memory_rox `find . -maxdepth 1 -type d | grep -v arch | grep /` set_memory_...() functions can fail, leaving the memory attributes unchanged. Make sure all callers check the returned code. Link: KSPP#7 Link: https://lkml.kernel.org/r/6a89ffc69666de84721216947c6b6c7dcca39d7d.1725723347.git.christophe.leroy@csgroup.eu Signed-off-by: Christophe Leroy <[email protected]> Cc: Arnd Bergmann <[email protected]> Cc: Kees Cook <[email protected]> Signed-off-by: Andrew Morton <[email protected]>
ioworker0
pushed a commit
to ioworker0/linux
that referenced
this issue
Sep 10, 2024
Following query shows that architectures that don't provide asm/set_memory.h don't use set_memory_...() functions. $ git grep set_memory_ alpha arc csky hexagon loongarch m68k microblaze mips nios2 openrisc parisc sh sparc um xtensa Following query shows that all core users of set_memory_...() functions always take returned value into account: $ git grep -w -e set_memory_ro -e set_memory_rw -e set_memory_x -e set_memory_nx -e set_memory_rox `find . -maxdepth 1 -type d | grep -v arch | grep /` set_memory_...() functions can fail, leaving the memory attributes unchanged. Make sure all callers check the returned code. Link: KSPP#7 Link: https://lkml.kernel.org/r/6a89ffc69666de84721216947c6b6c7dcca39d7d.1725723347.git.christophe.leroy@csgroup.eu Signed-off-by: Christophe Leroy <[email protected]> Cc: Arnd Bergmann <[email protected]> Cc: Kees Cook <[email protected]> Signed-off-by: Andrew Morton <[email protected]>
ioworker0
pushed a commit
to ioworker0/linux
that referenced
this issue
Sep 10, 2024
Following query shows that architectures that don't provide asm/set_memory.h don't use set_memory_...() functions. $ git grep set_memory_ alpha arc csky hexagon loongarch m68k microblaze mips nios2 openrisc parisc sh sparc um xtensa Following query shows that all core users of set_memory_...() functions always take returned value into account: $ git grep -w -e set_memory_ro -e set_memory_rw -e set_memory_x -e set_memory_nx -e set_memory_rox `find . -maxdepth 1 -type d | grep -v arch | grep /` set_memory_...() functions can fail, leaving the memory attributes unchanged. Make sure all callers check the returned code. Link: KSPP#7 Link: https://lkml.kernel.org/r/6a89ffc69666de84721216947c6b6c7dcca39d7d.1725723347.git.christophe.leroy@csgroup.eu Signed-off-by: Christophe Leroy <[email protected]> Cc: Arnd Bergmann <[email protected]> Cc: Kees Cook <[email protected]> Signed-off-by: Andrew Morton <[email protected]>
pragow0k
pushed a commit
to pragow0k/linux-flex-imx
that referenced
this issue
Sep 11, 2024
…_ro() [ Upstream commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 ] set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]>
wanghao75
pushed a commit
to openeuler-mirror/kernel
that referenced
this issue
Sep 12, 2024
…_ro() mainline inclusion from mainline-v6.10-rc1 commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEOM CVE: CVE-2024-42068 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d2cc63eca0c993c99d18893214abf8f85d566d8 -------------------------------- set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Fixes: 85782e0 ("bpf: undo prog rejection on read-only lock failure") Signed-off-by: Tengda Wu <[email protected]>
wanghao75
pushed a commit
to openeuler-mirror/kernel
that referenced
this issue
Sep 12, 2024
…_ro() mainline inclusion from mainline-v6.10-rc1 commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEOM CVE: CVE-2024-42068 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d2cc63eca0c993c99d18893214abf8f85d566d8 -------------------------------- set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Fixes: 85782e0 ("bpf: undo prog rejection on read-only lock failure") Signed-off-by: Tengda Wu <[email protected]>
tuxedo-bot
pushed a commit
to tuxedocomputers/linux
that referenced
this issue
Sep 13, 2024
…_ro() BugLink: https://bugs.launchpad.net/bugs/2076435 [ Upstream commit 7d2cc63 ] set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Portia Stephens <[email protected]> Signed-off-by: Roxana Nicolescu <[email protected]>
tuxedo-bot
pushed a commit
to tuxedocomputers/linux
that referenced
this issue
Sep 13, 2024
…ry_lock_ro() BugLink: https://bugs.launchpad.net/bugs/2076435 [ Upstream commit e60adf5 ] set_memory_rox() can fail, leaving memory unprotected. Check return and bail out when bpf_jit_binary_lock_ro() returns an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Reviewed-by: Puranjay Mohan <[email protected]> Reviewed-by: Ilya Leoshkevich <[email protected]> # s390x Acked-by: Tiezhu Yang <[email protected]> # LoongArch Reviewed-by: Johan Almbladh <[email protected]> # MIPS Part Message-ID: <036b6393f23a2032ce75a1c92220b2afcb798d5d.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]> [portias: Check return and bail when bpf_jit_binary_lock_ro() returns an error in arm64/net/bpf_jit_comp.c] Signed-off-by: Portia Stephens <[email protected]> Signed-off-by: Roxana Nicolescu <[email protected]>
ioworker0
pushed a commit
to ioworker0/linux
that referenced
this issue
Sep 16, 2024
Following query shows that architectures that don't provide asm/set_memory.h don't use set_memory_...() functions. $ git grep set_memory_ alpha arc csky hexagon loongarch m68k microblaze mips nios2 openrisc parisc sh sparc um xtensa Following query shows that all core users of set_memory_...() functions always take returned value into account: $ git grep -w -e set_memory_ro -e set_memory_rw -e set_memory_x -e set_memory_nx -e set_memory_rox `find . -maxdepth 1 -type d | grep -v arch | grep /` set_memory_...() functions can fail, leaving the memory attributes unchanged. Make sure all callers check the returned code. Link: KSPP#7 Link: https://lkml.kernel.org/r/6a89ffc69666de84721216947c6b6c7dcca39d7d.1725723347.git.christophe.leroy@csgroup.eu Signed-off-by: Christophe Leroy <[email protected]> Cc: Arnd Bergmann <[email protected]> Cc: Kees Cook <[email protected]> Signed-off-by: Andrew Morton <[email protected]>
ioworker0
pushed a commit
to ioworker0/linux
that referenced
this issue
Sep 17, 2024
Following query shows that architectures that don't provide asm/set_memory.h don't use set_memory_...() functions. $ git grep set_memory_ alpha arc csky hexagon loongarch m68k microblaze mips nios2 openrisc parisc sh sparc um xtensa Following query shows that all core users of set_memory_...() functions always take returned value into account: $ git grep -w -e set_memory_ro -e set_memory_rw -e set_memory_x -e set_memory_nx -e set_memory_rox `find . -maxdepth 1 -type d | grep -v arch | grep /` set_memory_...() functions can fail, leaving the memory attributes unchanged. Make sure all callers check the returned code. Link: KSPP#7 Link: https://lkml.kernel.org/r/6a89ffc69666de84721216947c6b6c7dcca39d7d.1725723347.git.christophe.leroy@csgroup.eu Signed-off-by: Christophe Leroy <[email protected]> Cc: Arnd Bergmann <[email protected]> Cc: Kees Cook <[email protected]> Signed-off-by: Andrew Morton <[email protected]>
tuxedo-bot
pushed a commit
to tuxedocomputers/linux
that referenced
this issue
Sep 27, 2024
…_ro() BugLink: https://bugs.launchpad.net/bugs/2076435 [ Upstream commit 7d2cc63 ] set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Portia Stephens <[email protected]> Signed-off-by: Roxana Nicolescu <[email protected]>
tuxedo-bot
pushed a commit
to tuxedocomputers/linux
that referenced
this issue
Sep 27, 2024
…ry_lock_ro() BugLink: https://bugs.launchpad.net/bugs/2076435 [ Upstream commit e60adf5 ] set_memory_rox() can fail, leaving memory unprotected. Check return and bail out when bpf_jit_binary_lock_ro() returns an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Reviewed-by: Puranjay Mohan <[email protected]> Reviewed-by: Ilya Leoshkevich <[email protected]> # s390x Acked-by: Tiezhu Yang <[email protected]> # LoongArch Reviewed-by: Johan Almbladh <[email protected]> # MIPS Part Message-ID: <036b6393f23a2032ce75a1c92220b2afcb798d5d.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]> [portias: Check return and bail when bpf_jit_binary_lock_ro() returns an error in arm64/net/bpf_jit_comp.c] Signed-off-by: Portia Stephens <[email protected]> Signed-off-by: Roxana Nicolescu <[email protected]>
wanghao75
pushed a commit
to openeuler-mirror/kernel
that referenced
this issue
Oct 9, 2024
…ry_lock_ro() stable inclusion from stable-v6.6.37 commit e60adf513275c3a38e5cb67f7fd12387e43a3ff5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEOD CVE: CVE-2024-42067 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e60adf513275c3a38e5cb67f7fd12387e43a3ff5 -------------------------------- [ Upstream commit e60adf513275c3a38e5cb67f7fd12387e43a3ff5 ] set_memory_rox() can fail, leaving memory unprotected. Check return and bail out when bpf_jit_binary_lock_ro() returns an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Reviewed-by: Puranjay Mohan <[email protected]> Reviewed-by: Ilya Leoshkevich <[email protected]> # s390x Acked-by: Tiezhu Yang <[email protected]> # LoongArch Reviewed-by: Johan Almbladh <[email protected]> # MIPS Part Message-ID: <036b6393f23a2032ce75a1c92220b2afcb798d5d.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Conflicts: arch/arm64/net/bpf_jit_comp.c arch/powerpc/net/bpf_jit_comp.c arch/sw_64/net/bpf_jit_comp.c [Check return values of bpf_jit_binary_lock_ro() to avoid return values uncheck waring] Signed-off-by: Yuan Can <[email protected]>
wanghao75
pushed a commit
to openeuler-mirror/kernel
that referenced
this issue
Oct 15, 2024
…ry_lock_ro() mainline inclusion from mainline-v6.10-rc1 commit e60adf513275c3a38e5cb67f7fd12387e43a3ff5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEOD CVE: CVE-2024-42067 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e60adf513275 -------------------------------- set_memory_rox() can fail, leaving memory unprotected. Check return and bail out when bpf_jit_binary_lock_ro() returns an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Reviewed-by: Puranjay Mohan <[email protected]> Reviewed-by: Ilya Leoshkevich <[email protected]> # s390x Acked-by: Tiezhu Yang <[email protected]> # LoongArch Reviewed-by: Johan Almbladh <[email protected]> # MIPS Part Message-ID: <036b6393f23a2032ce75a1c92220b2afcb798d5d.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Conflicts: include/linux/filter.h arch/sparc/net/bpf_jit_comp_64.c arch/loongarch/net/bpf_jit.c arch/parisc/net/bpf_jit_core.c arch/arm/net/bpf_jit_32.c arch/mips/net/bpf_jit_comp.c arch/arm64/net/bpf_jit_comp.c arch/riscv/net/bpf_jit_core.c arch/x86/net/bpf_jit_comp.c [some context conflict and unintroduced files on 5.10] Signed-off-by: Yuan Can <[email protected]>
wanghao75
pushed a commit
to openeuler-mirror/kernel
that referenced
this issue
Oct 15, 2024
…ry_lock_ro() mainline inclusion from mainline-v6.10-rc1 commit e60adf513275c3a38e5cb67f7fd12387e43a3ff5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEOD CVE: CVE-2024-42067 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e60adf513275 -------------------------------- set_memory_rox() can fail, leaving memory unprotected. Check return and bail out when bpf_jit_binary_lock_ro() returns an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Reviewed-by: Puranjay Mohan <[email protected]> Reviewed-by: Ilya Leoshkevich <[email protected]> # s390x Acked-by: Tiezhu Yang <[email protected]> # LoongArch Reviewed-by: Johan Almbladh <[email protected]> # MIPS Part Message-ID: <036b6393f23a2032ce75a1c92220b2afcb798d5d.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Conflicts: include/linux/filter.h arch/sparc/net/bpf_jit_comp_64.c arch/loongarch/net/bpf_jit.c arch/parisc/net/bpf_jit_core.c arch/arm/net/bpf_jit_32.c arch/mips/net/bpf_jit_comp.c arch/arm64/net/bpf_jit_comp.c arch/x86/net/bpf_jit_comp.c [some context conflict and unintroduced files on 5.10] Signed-off-by: Yuan Can <[email protected]>
OpenHarmonySCM-noreply
pushed a commit
to openharmony/kernel_linux_5.10
that referenced
this issue
Oct 29, 2024
…_ro() mainline inclusion from mainline-v6.10-rc1 commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 category: bugfix issue: NA CVE: CVE-2024-42068 Signed-off-by: yaowenrui <[email protected]> --------------------------------------- set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: yaowenrui <[email protected]>
OpenHarmonySCM-noreply
pushed a commit
to openharmony/kernel_linux_5.10
that referenced
this issue
Oct 29, 2024
…_ro() mainline inclusion from mainline-v6.10-rc1 commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 category: bugfix issue: NA CVE: CVE-2024-42068 Signed-off-by: yaowenrui <[email protected]> --------------------------------------- set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: yaowenrui <[email protected]>
OpenHarmonySCM-noreply
pushed a commit
to openharmony/kernel_linux_5.10
that referenced
this issue
Oct 29, 2024
…_ro() mainline inclusion from mainline-v6.10-rc1 commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 category: bugfix issue: NA CVE: CVE-2024-42068 Signed-off-by: yaowenrui <[email protected]> --------------------------------------- set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: yaowenrui <[email protected]>
mpe
pushed a commit
to linuxppc/linux-ci
that referenced
this issue
Nov 8, 2024
After the following powerpc commits, all calls to set_memory_...() functions check returned value. - Commit 8f17bd2 ("powerpc: Handle error in mark_rodata_ro() and mark_initmem_nx()") - Commit f7f18e3 ("powerpc/kprobes: Handle error returned by set_memory_rox()") - Commit 009cf11 ("powerpc: Don't ignore errors from set_memory_{n}p() in __kernel_map_pages()") - Commit 9cbacb8 ("powerpc: Don't ignore errors from set_memory_{n}p() in __kernel_map_pages()") - Commit 78cb094 ("powerpc: Handle error in mark_rodata_ro() and mark_initmem_nx()") All calls in core parts of the kernel also always check returned value, can be looked at with following query: $ git grep -w -e set_memory_ro -e set_memory_rw -e set_memory_x -e set_memory_nx -e set_memory_rox `find . -maxdepth 1 -type d | grep -v arch | grep /` It is now possible to flag those functions with __must_check to make sure no new unchecked call it added. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Signed-off-by: Michael Ellerman <[email protected]> Link: https://patch.msgid.link/775dae48064a661554802ed24ed5bdffe1784724.1725723351.git.christophe.leroy@csgroup.eu
jpuhlman
pushed a commit
to MontaVista-OpenSourceTechnology/linux-mvista
that referenced
this issue
Nov 9, 2024
…_ro() Source: https://git.kernel.org/ MR: 157676 Type: Security Fix Disposition: Backport from v5.15.161-280-ga359696856ca ChangeID: a359696856ca9409fb97655c5a8ef0f549cb6e03 Description: [ Upstream commit 7d2cc63 ] set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: KSPP/linux#7 Signed-off-by: Christophe Leroy <[email protected]> Cc: [email protected] <[email protected]> Reviewed-by: Kees Cook <[email protected]> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: E V Ravi <[email protected]> Signed-off-by: Corey Minyard <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Right now several architectures allow their
set_memory_*()family of functions to fail, but callers may not be checking the return values. We need to fix the callers and add the__must_checkattribute. They also may not provide any level of atomicity, in the sense that the memory protections may be left incomplete on failure.Some additional details:
https://lore.kernel.org/netdev/[email protected]/
This issue likely has a few steps on effects architectures:
set_memory_*()helpers check the return value.set_memory_*()helpers so that new uses do not ignore the return value.(This issue depends on an architecture actually having implemented
CONFIG_ARCH_HAS_STRICT_KERNEL_RWX.)The text was updated successfully, but these errors were encountered: