xref: /linux/arch/x86/kernel/module.c (revision ae22a94997b8a03dcb3c922857c203246711f9d4)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*  Kernel module help for x86.
3     Copyright (C) 2001 Rusty Russell.
4 
5 */
6 
7 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
8 
9 #include <linux/moduleloader.h>
10 #include <linux/elf.h>
11 #include <linux/vmalloc.h>
12 #include <linux/fs.h>
13 #include <linux/string.h>
14 #include <linux/kernel.h>
15 #include <linux/kasan.h>
16 #include <linux/bug.h>
17 #include <linux/mm.h>
18 #include <linux/gfp.h>
19 #include <linux/jump_label.h>
20 #include <linux/random.h>
21 #include <linux/memory.h>
22 
23 #include <asm/text-patching.h>
24 #include <asm/page.h>
25 #include <asm/setup.h>
26 #include <asm/unwind.h>
27 
28 #if 0
29 #define DEBUGP(fmt, ...)				\
30 	printk(KERN_DEBUG fmt, ##__VA_ARGS__)
31 #else
32 #define DEBUGP(fmt, ...)				\
33 do {							\
34 	if (0)						\
35 		printk(KERN_DEBUG fmt, ##__VA_ARGS__);	\
36 } while (0)
37 #endif
38 
39 #ifdef CONFIG_RANDOMIZE_BASE
40 static unsigned long module_load_offset;
41 
42 /* Mutex protects the module_load_offset. */
43 static DEFINE_MUTEX(module_kaslr_mutex);
44 
45 static unsigned long int get_module_load_offset(void)
46 {
47 	if (kaslr_enabled()) {
48 		mutex_lock(&module_kaslr_mutex);
49 		/*
50 		 * Calculate the module_load_offset the first time this
51 		 * code is called. Once calculated it stays the same until
52 		 * reboot.
53 		 */
54 		if (module_load_offset == 0)
55 			module_load_offset =
56 				get_random_u32_inclusive(1, 1024) * PAGE_SIZE;
57 		mutex_unlock(&module_kaslr_mutex);
58 	}
59 	return module_load_offset;
60 }
61 #else
62 static unsigned long int get_module_load_offset(void)
63 {
64 	return 0;
65 }
66 #endif
67 
68 void *module_alloc(unsigned long size)
69 {
70 	gfp_t gfp_mask = GFP_KERNEL;
71 	void *p;
72 
73 	if (PAGE_ALIGN(size) > MODULES_LEN)
74 		return NULL;
75 
76 	p = __vmalloc_node_range(size, MODULE_ALIGN,
77 				 MODULES_VADDR + get_module_load_offset(),
78 				 MODULES_END, gfp_mask, PAGE_KERNEL,
79 				 VM_FLUSH_RESET_PERMS | VM_DEFER_KMEMLEAK,
80 				 NUMA_NO_NODE, __builtin_return_address(0));
81 
82 	if (p && (kasan_alloc_module_shadow(p, size, gfp_mask) < 0)) {
83 		vfree(p);
84 		return NULL;
85 	}
86 
87 	return p;
88 }
89 
90 #ifdef CONFIG_X86_32
91 int apply_relocate(Elf32_Shdr *sechdrs,
92 		   const char *strtab,
93 		   unsigned int symindex,
94 		   unsigned int relsec,
95 		   struct module *me)
96 {
97 	unsigned int i;
98 	Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
99 	Elf32_Sym *sym;
100 	uint32_t *location;
101 
102 	DEBUGP("Applying relocate section %u to %u\n",
103 	       relsec, sechdrs[relsec].sh_info);
104 	for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
105 		/* This is where to make the change */
106 		location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
107 			+ rel[i].r_offset;
108 		/* This is the symbol it is referring to.  Note that all
109 		   undefined symbols have been resolved.  */
110 		sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
111 			+ ELF32_R_SYM(rel[i].r_info);
112 
113 		switch (ELF32_R_TYPE(rel[i].r_info)) {
114 		case R_386_32:
115 			/* We add the value into the location given */
116 			*location += sym->st_value;
117 			break;
118 		case R_386_PC32:
119 		case R_386_PLT32:
120 			/* Add the value, subtract its position */
121 			*location += sym->st_value - (uint32_t)location;
122 			break;
123 		default:
124 			pr_err("%s: Unknown relocation: %u\n",
125 			       me->name, ELF32_R_TYPE(rel[i].r_info));
126 			return -ENOEXEC;
127 		}
128 	}
129 	return 0;
130 }
131 #else /*X86_64*/
132 static int __write_relocate_add(Elf64_Shdr *sechdrs,
133 		   const char *strtab,
134 		   unsigned int symindex,
135 		   unsigned int relsec,
136 		   struct module *me,
137 		   void *(*write)(void *dest, const void *src, size_t len),
138 		   bool apply)
139 {
140 	unsigned int i;
141 	Elf64_Rela *rel = (void *)sechdrs[relsec].sh_addr;
142 	Elf64_Sym *sym;
143 	void *loc;
144 	u64 val;
145 	u64 zero = 0ULL;
146 
147 	DEBUGP("%s relocate section %u to %u\n",
148 	       apply ? "Applying" : "Clearing",
149 	       relsec, sechdrs[relsec].sh_info);
150 	for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
151 		size_t size;
152 
153 		/* This is where to make the change */
154 		loc = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
155 			+ rel[i].r_offset;
156 
157 		/* This is the symbol it is referring to.  Note that all
158 		   undefined symbols have been resolved.  */
159 		sym = (Elf64_Sym *)sechdrs[symindex].sh_addr
160 			+ ELF64_R_SYM(rel[i].r_info);
161 
162 		DEBUGP("type %d st_value %Lx r_addend %Lx loc %Lx\n",
163 		       (int)ELF64_R_TYPE(rel[i].r_info),
164 		       sym->st_value, rel[i].r_addend, (u64)loc);
165 
166 		val = sym->st_value + rel[i].r_addend;
167 
168 		switch (ELF64_R_TYPE(rel[i].r_info)) {
169 		case R_X86_64_NONE:
170 			continue;  /* nothing to write */
171 		case R_X86_64_64:
172 			size = 8;
173 			break;
174 		case R_X86_64_32:
175 			if (val != *(u32 *)&val)
176 				goto overflow;
177 			size = 4;
178 			break;
179 		case R_X86_64_32S:
180 			if ((s64)val != *(s32 *)&val)
181 				goto overflow;
182 			size = 4;
183 			break;
184 		case R_X86_64_PC32:
185 		case R_X86_64_PLT32:
186 			val -= (u64)loc;
187 			size = 4;
188 			break;
189 		case R_X86_64_PC64:
190 			val -= (u64)loc;
191 			size = 8;
192 			break;
193 		default:
194 			pr_err("%s: Unknown rela relocation: %llu\n",
195 			       me->name, ELF64_R_TYPE(rel[i].r_info));
196 			return -ENOEXEC;
197 		}
198 
199 		if (apply) {
200 			if (memcmp(loc, &zero, size)) {
201 				pr_err("x86/modules: Invalid relocation target, existing value is nonzero for type %d, loc %p, val %Lx\n",
202 				       (int)ELF64_R_TYPE(rel[i].r_info), loc, val);
203 				return -ENOEXEC;
204 			}
205 			write(loc, &val, size);
206 		} else {
207 			if (memcmp(loc, &val, size)) {
208 				pr_warn("x86/modules: Invalid relocation target, existing value does not match expected value for type %d, loc %p, val %Lx\n",
209 					(int)ELF64_R_TYPE(rel[i].r_info), loc, val);
210 				return -ENOEXEC;
211 			}
212 			write(loc, &zero, size);
213 		}
214 	}
215 	return 0;
216 
217 overflow:
218 	pr_err("overflow in relocation type %d val %Lx\n",
219 	       (int)ELF64_R_TYPE(rel[i].r_info), val);
220 	pr_err("`%s' likely not compiled with -mcmodel=kernel\n",
221 	       me->name);
222 	return -ENOEXEC;
223 }
224 
225 static int write_relocate_add(Elf64_Shdr *sechdrs,
226 			      const char *strtab,
227 			      unsigned int symindex,
228 			      unsigned int relsec,
229 			      struct module *me,
230 			      bool apply)
231 {
232 	int ret;
233 	bool early = me->state == MODULE_STATE_UNFORMED;
234 	void *(*write)(void *, const void *, size_t) = memcpy;
235 
236 	if (!early) {
237 		write = text_poke;
238 		mutex_lock(&text_mutex);
239 	}
240 
241 	ret = __write_relocate_add(sechdrs, strtab, symindex, relsec, me,
242 				   write, apply);
243 
244 	if (!early) {
245 		text_poke_sync();
246 		mutex_unlock(&text_mutex);
247 	}
248 
249 	return ret;
250 }
251 
252 int apply_relocate_add(Elf64_Shdr *sechdrs,
253 		   const char *strtab,
254 		   unsigned int symindex,
255 		   unsigned int relsec,
256 		   struct module *me)
257 {
258 	return write_relocate_add(sechdrs, strtab, symindex, relsec, me, true);
259 }
260 
261 #ifdef CONFIG_LIVEPATCH
262 void clear_relocate_add(Elf64_Shdr *sechdrs,
263 			const char *strtab,
264 			unsigned int symindex,
265 			unsigned int relsec,
266 			struct module *me)
267 {
268 	write_relocate_add(sechdrs, strtab, symindex, relsec, me, false);
269 }
270 #endif
271 
272 #endif
273 
274 int module_finalize(const Elf_Ehdr *hdr,
275 		    const Elf_Shdr *sechdrs,
276 		    struct module *me)
277 {
278 	const Elf_Shdr *s, *alt = NULL, *locks = NULL,
279 		*orc = NULL, *orc_ip = NULL,
280 		*retpolines = NULL, *returns = NULL, *ibt_endbr = NULL,
281 		*calls = NULL, *cfi = NULL;
282 	char *secstrings = (void *)hdr + sechdrs[hdr->e_shstrndx].sh_offset;
283 
284 	for (s = sechdrs; s < sechdrs + hdr->e_shnum; s++) {
285 		if (!strcmp(".altinstructions", secstrings + s->sh_name))
286 			alt = s;
287 		if (!strcmp(".smp_locks", secstrings + s->sh_name))
288 			locks = s;
289 		if (!strcmp(".orc_unwind", secstrings + s->sh_name))
290 			orc = s;
291 		if (!strcmp(".orc_unwind_ip", secstrings + s->sh_name))
292 			orc_ip = s;
293 		if (!strcmp(".retpoline_sites", secstrings + s->sh_name))
294 			retpolines = s;
295 		if (!strcmp(".return_sites", secstrings + s->sh_name))
296 			returns = s;
297 		if (!strcmp(".call_sites", secstrings + s->sh_name))
298 			calls = s;
299 		if (!strcmp(".cfi_sites", secstrings + s->sh_name))
300 			cfi = s;
301 		if (!strcmp(".ibt_endbr_seal", secstrings + s->sh_name))
302 			ibt_endbr = s;
303 	}
304 
305 	if (retpolines || cfi) {
306 		void *rseg = NULL, *cseg = NULL;
307 		unsigned int rsize = 0, csize = 0;
308 
309 		if (retpolines) {
310 			rseg = (void *)retpolines->sh_addr;
311 			rsize = retpolines->sh_size;
312 		}
313 
314 		if (cfi) {
315 			cseg = (void *)cfi->sh_addr;
316 			csize = cfi->sh_size;
317 		}
318 
319 		apply_fineibt(rseg, rseg + rsize, cseg, cseg + csize);
320 	}
321 	if (retpolines) {
322 		void *rseg = (void *)retpolines->sh_addr;
323 		apply_retpolines(rseg, rseg + retpolines->sh_size);
324 	}
325 	if (returns) {
326 		void *rseg = (void *)returns->sh_addr;
327 		apply_returns(rseg, rseg + returns->sh_size);
328 	}
329 	if (alt) {
330 		/* patch .altinstructions */
331 		void *aseg = (void *)alt->sh_addr;
332 		apply_alternatives(aseg, aseg + alt->sh_size);
333 	}
334 	if (calls || alt) {
335 		struct callthunk_sites cs = {};
336 
337 		if (calls) {
338 			cs.call_start = (void *)calls->sh_addr;
339 			cs.call_end = (void *)calls->sh_addr + calls->sh_size;
340 		}
341 
342 		if (alt) {
343 			cs.alt_start = (void *)alt->sh_addr;
344 			cs.alt_end = (void *)alt->sh_addr + alt->sh_size;
345 		}
346 
347 		callthunks_patch_module_calls(&cs, me);
348 	}
349 	if (ibt_endbr) {
350 		void *iseg = (void *)ibt_endbr->sh_addr;
351 		apply_seal_endbr(iseg, iseg + ibt_endbr->sh_size);
352 	}
353 	if (locks) {
354 		void *lseg = (void *)locks->sh_addr;
355 		void *text = me->mem[MOD_TEXT].base;
356 		void *text_end = text + me->mem[MOD_TEXT].size;
357 		alternatives_smp_module_add(me, me->name,
358 					    lseg, lseg + locks->sh_size,
359 					    text, text_end);
360 	}
361 
362 	if (orc && orc_ip)
363 		unwind_module_init(me, (void *)orc_ip->sh_addr, orc_ip->sh_size,
364 				   (void *)orc->sh_addr, orc->sh_size);
365 
366 	return 0;
367 }
368 
369 void module_arch_cleanup(struct module *mod)
370 {
371 	alternatives_smp_module_del(mod);
372 }
373