Date: Wed, 25 Sep 2024 17:01:10 +0200
In-Reply-To: <20240925150059.3955569-30-ardb+git@google.com>
References: <20240925150059.3955569-30-ardb+git@google.com>
Message-ID: <20240925150059.3955569-40-ardb+git@google.com>
Subject: [RFC PATCH 10/28] x86/xen: Avoid relocatable quantities in Xen ELF notes
From: Ard Biesheuvel
To: linux-kernel@vger.kernel.org
Cc: Ard Biesheuvel, x86@kernel.org, "H. Peter Anvin", Andy Lutomirski, Peter Zijlstra, Uros Bizjak, Dennis Zhou, Tejun Heo, Christoph Lameter, Mathieu Desnoyers, Paolo Bonzini, Vitaly Kuznetsov, Juergen Gross, Boris Ostrovsky, Greg Kroah-Hartman, Arnd Bergmann, Masahiro Yamada, Kees Cook, Nathan Chancellor, Keith Packard, Justin Stitt, Josh Poimboeuf, Arnaldo Carvalho de Melo, Namhyung Kim, Jiri Olsa, Ian Rogers, Adrian Hunter, Kan Liang, linux-doc@vger.kernel.org, linux-pm@vger.kernel.org, kvm@vger.kernel.org, xen-devel@lists.xenproject.org, linux-efi@vger.kernel.org, linux-arch@vger.kernel.org, linux-sparse@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-perf-users@vger.kernel.org, rust-for-linux@vger.kernel.org, llvm@lists.linux.dev
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.46.0.792.g87dc391469-goog
From: Ard Biesheuvel

Xen puts virtual and physical addresses into ELF notes that are treated by the linker as relocatable by default. Doing so is not only pointless, given that the ELF notes are only intended for consumption by Xen before the kernel boots. It is also a KASLR leak, given that the kernel's ELF notes are exposed via the world-readable /sys/kernel/notes.

So emit these constants in a way that prevents the linker from marking them as relocatable. This involves place-relative relocations (which subtract their own virtual address from the symbol value) and linker-provided absolute symbols that add the address of the place to the desired value.

Signed-off-by: Ard Biesheuvel
---
 arch/x86/kernel/vmlinux.lds.S | 13 +++++++++++++
 arch/x86/platform/pvh/head.S  |  6 +++---
 arch/x86/tools/relocs.c       |  1 +
 arch/x86/xen/xen-head.S       |  6 ++++--
 4 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S index 00f82db7b3e1..52b8db931d0f 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -111,6 +111,19 @@ PHDRS { SECTIONS { . =3D __START_KERNEL; + +#ifdef CONFIG_XEN_PV +xen_elfnote_entry_offset =3D + ABSOLUTE(xen_elfnote_entry) + ABSOLUTE(startup_xen); +xen_elfnote_hypercall_page_offset =3D + ABSOLUTE(xen_elfnote_hypercall_page) + ABSOLUTE(hypercall_page); +#endif + +#ifdef CONFIG_PVH +xen_elfnote_phys32_entry_offset =3D + ABSOLUTE(xen_elfnote_phys32_entry) + ABSOLUTE(pvh_start_xen - LOAD_OFFSET= ); +#endif + #ifdef CONFIG_X86_32 phys_startup_32 =3D ABSOLUTE(startup_32 - LOAD_OFFSET); #else diff --git a/arch/x86/platform/pvh/head.S b/arch/x86/platform/pvh/head.S index 11245ecdc08d..adbf57e83e4e 100644 --- a/arch/x86/platform/pvh/head.S +++ b/arch/x86/platform/pvh/head.S @@ -50,7 +50,7 @@ #define PVH_CS_SEL (PVH_GDT_ENTRY_CS * 8) #define PVH_DS_SEL (PVH_GDT_ENTRY_DS * 8) =20 -SYM_CODE_START_LOCAL(pvh_start_xen) +SYM_CODE_START(pvh_start_xen) UNWIND_HINT_END_OF_STACK cld =20 
@@ -165,5 +165,5 @@ SYM_DATA_START_LOCAL(early_stack) .fill BOOT_STACK_SIZE, 1, 0 SYM_DATA_END_LABEL(early_stack, SYM_L_LOCAL, early_stack_end) =20 - ELFNOTE(Xen, XEN_ELFNOTE_PHYS32_ENTRY, - _ASM_PTR (pvh_start_xen - __START_KERNEL_map)) + ELFNOTE(Xen, XEN_ELFNOTE_PHYS32_ENTRY, .global xen_elfnote_phys32_entry; + xen_elfnote_phys32_entry: _ASM_PTR xen_elfnote_phys32_entry_offset - .) diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c index 942c029a5067..22c2d3f07a57 100644 --- a/arch/x86/tools/relocs.c +++ b/arch/x86/tools/relocs.c @@ -57,6 +57,7 @@ static const char * const sym_regex_kernel[S_NSYMTYPES] = =3D { [S_ABS] =3D "^(xen_irq_disable_direct_reloc$|" "xen_save_fl_direct_reloc$|" + "xen_elfnote_.+_offset$|" "VDSO|" "__kcfi_typeid_|" "__crc_)", diff --git a/arch/x86/xen/xen-head.S b/arch/x86/xen/xen-head.S index faadac7c29e6..4d246a48a85f 100644 --- a/arch/x86/xen/xen-head.S +++ b/arch/x86/xen/xen-head.S @@ -88,7 +88,8 @@ SYM_CODE_END(xen_cpu_bringup_again) ELFNOTE(Xen, XEN_ELFNOTE_VIRT_BASE, _ASM_PTR __START_KERNEL_map) /* Map the p2m table to a 512GB-aligned user address. */ ELFNOTE(Xen, XEN_ELFNOTE_INIT_P2M, .quad (PUD_SIZE * PTRS_PER_PUD)) - ELFNOTE(Xen, XEN_ELFNOTE_ENTRY, _ASM_PTR startup_xen) + ELFNOTE(Xen, XEN_ELFNOTE_ENTRY, .globl xen_elfnote_entry; + xen_elfnote_entry: _ASM_PTR xen_elfnote_entry_offset - .) ELFNOTE(Xen, XEN_ELFNOTE_FEATURES, .ascii "!writable_page_tables") ELFNOTE(Xen, XEN_ELFNOTE_PAE_MODE, .asciz "yes") ELFNOTE(Xen, XEN_ELFNOTE_L1_MFN_VALID, 
@@ -109,7 +110,8 @@ SYM_CODE_END(xen_cpu_bringup_again) #else # define FEATURES_DOM0 0 #endif - ELFNOTE(Xen, XEN_ELFNOTE_HYPERCALL_PAGE, _ASM_PTR hypercall_page) + ELFNOTE(Xen, XEN_ELFNOTE_HYPERCALL_PAGE, .globl xen_elfnote_hypercall_pag= e; + xen_elfnote_hypercall_page: _ASM_PTR xen_elfnote_hypercall_page_offset -= .) ELFNOTE(Xen, XEN_ELFNOTE_SUPPORTED_FEATURES, .long FEATURES_PV | FEATURES_PVH | FEATURES_DOM0) ELFNOTE(Xen, XEN_ELFNOTE_LOADER, .asciz "generic") --=20 2.46.0.792.g87dc391469-goog
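Review bot: the three xen_elfnote_*_offset definitions in the vmlinux.lds.S hunk need a comment stating the identity they rely on: each is the sum of a note label's address and the wanted target value, and the note itself emits `offset - .`, so the label address cancels and the note payload is the bare target. Read on its own, `ABSOLUTE(xen_elfnote_entry) + ABSOLUTE(startup_xen)` looks like an address added to an address, which is exactly the kind of expression a later reader will be tempted to "fix". A line such as `/* note payload is <symbol>_offset - <note address>; ABSOLUTE() keeps the linker from emitting a relocation */` above the CONFIG_XEN_PV block would do, and it should also say that the PVH entry deliberately subtracts LOAD_OFFSET so that note carries a physical address (matching the `pvh_start_xen - __START_KERNEL_map` it replaces in head.S), whereas the two PV entries keep virtual addresses.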
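Review bot: the SYM_CODE_START_LOCAL to SYM_CODE_START change in arch/x86/platform/pvh/head.S is required because vmlinux.lds.S now references pvh_start_xen, but neither the commit message nor the hunk says so. A single sentence in the commit message ("pvh_start_xen is made global so the linker script can refer to it") would save the next reader from wondering whether the wider symbol visibility is intentional or a leftover.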
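Review bot: the XEN_ELFNOTE_PHYS32_ENTRY hunk spells the directive `.global` while the two xen-head.S hunks use `.globl`; the GNU assembler accepts both, but since the three notes are otherwise written identically, one spelling across the series would make them easier to grep and compare. A short comment beside the note explaining that `xen_elfnote_phys32_entry_offset - .` resolves at link time to a physical address with no runtime relocation would also help, as the `- .` idiom appears nowhere else in this file.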
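Review bot: the new `"xen_elfnote_.+_offset$|"` entry in the relocs.c S_ABS list is what stops the relocs tool from treating references to these linker-script symbols as relocatable, which the whole patch depends on, yet nothing ties it back to the definitions in vmlinux.lds.S. A comment on this line naming that file, or a matching comment there pointing at relocs.c, would keep the two in step: any future symbol that happens to follow the naming pattern is silently classified as absolute, and one that deviates from it is not.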
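Review bot: in the XEN_ELFNOTE_ENTRY hunk the `- .` only cancels the ABSOLUTE(xen_elfnote_entry) term from the linker script because the label and the `_ASM_PTR` are emitted back to back inside the same ELFNOTE argument; anything placed between them later (an alignment directive, another data item) would shift the note payload by that amount without any build-time complaint. A one-line comment above the note stating that the label must immediately precede the pointer would protect that invariant, and the same applies to the XEN_ELFNOTE_HYPERCALL_PAGE note in the following hunk.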