Re: [PATCH 1/7] livepatch: Apply vmlinux-specific KLP relocations early
From: Miroslav Benes
Date: Wed Apr 15 2020 - 10:30:27 EST
On Tue, 14 Apr 2020, Josh Poimboeuf wrote:
> On Tue, Apr 14, 2020 at 01:01:09PM -0500, Josh Poimboeuf wrote:
> > On Tue, Apr 14, 2020 at 07:44:06PM +0200, Peter Zijlstra wrote:
> > > On Tue, Apr 14, 2020 at 11:28:37AM -0500, Josh Poimboeuf wrote:
> > > > KLP relocations are livepatch-specific relocations which are applied to
> > > > 1) vmlinux-specific KLP relocation sections
> > > >
> > > > .klp.rela.vmlinux.{sec}
> > > >
> > > > These are relocations (applied to the KLP module) which reference
> > > > unexported vmlinux symbols.
> > > >
> > > > 2) module-specific KLP relocation sections
> > > >
> > > > .klp.rela.{module}.{sec}:
> > > >
> > > > These are relocations (applied to the KLP module) which reference
> > > > unexported or exported module symbols.
> > >
> > > Is there something that disallows a module from being called 'vmlinux' ?
> > > If not, we might want to enforce this somewhere.
> >
> > I'm pretty sure we don't have a check for that anywhere, though the KLP
> > module would almost certainly fail during the module load when it
> > couldn't find the vmlinux.ko symbols it needed.
> >
> > It wouldn't hurt to add a check somewhere though. Maybe in
> > klp_module_coming() since the restriction only applies to
> > CONFIG_LIVEPATCH...
>
> From: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
> Subject: [PATCH] livepatch: Disallow vmlinux.ko
>
> This is purely a theoretical issue, but if there were a module named
OT: "if there were"... subjunctive?
> vmlinux.ko, the livepatch relocation code wouldn't be able to
> distinguish between vmlinux-specific and vmlinux.o-specific KLP
> relocations.
>
> If CONFIG_LIVEPATCH is enabled, don't allow a module named vmlinux.ko.
Yup, there is no such check nowadays. I always struggle to find the right
balance between being overprotective and letting the user shoot themselves
in their foot if they want to. But it does not hurt, so ack to that.
Miroslav