tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

module: add in-kernel support for decompressing

Current scheme of having userspace decompress kernel modules before
loading them into the kernel runs afoul of LoadPin security policy, as
it loses link between the source of kernel module on the disk and binary
blob that is being loaded into the kernel. To solve this issue let's
implement decompression in kernel, so that we can pass a file descriptor
of compressed module file into finit_module() which will keep LoadPin
happy.

To let userspace know what compression/decompression scheme kernel
supports it will create /sys/module/compression attribute. kmod can read
this attribute and decide if it can pass compressed file to
finit_module(). New MODULE_INIT_COMPRESSED_DATA flag indicates that the
kernel should attempt to decompress the data read from file descriptor
prior to trying load the module.

To simplify things kernel will only implement single decompression
method matching compression method selected when generating modules.
This patch implements gzip and xz; more can be added later,

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>

authored by

Dmitry Torokhov and committed by
Luis Chamberlain b1ae6dc4 ef307fc2

+329 -11
+1
include/uapi/linux/module.h
··· 5 5 /* Flags for sys_finit_module: */ 6 6 #define MODULE_INIT_IGNORE_MODVERSIONS 1 7 7 #define MODULE_INIT_IGNORE_VERMAGIC 2 8 + #define MODULE_INIT_COMPRESSED_FILE 4 8 9 9 10 #endif /* _UAPI_LINUX_MODULE_H */
+13
init/Kconfig
··· 2274 2274 2275 2275 endchoice 2276 2276 2277 + config MODULE_DECOMPRESS 2278 + bool "Support in-kernel module decompression" 2279 + depends on MODULE_COMPRESS_GZIP || MODULE_COMPRESS_XZ 2280 + select ZLIB_INFLATE if MODULE_COMPRESS_GZIP 2281 + select XZ_DEC if MODULE_COMPRESS_XZ 2282 + help 2283 + 2284 + Support for decompressing kernel modules by the kernel itself 2285 + instead of relying on userspace to perform this task. Useful when 2286 + load pinning security policy is enabled. 2287 + 2288 + If unsure, say N. 2289 + 2277 2290 config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS 2278 2291 bool "Allow loading of modules with missing namespace imports" 2279 2292 help
+1
kernel/Makefile
··· 67 67 endif 68 68 obj-$(CONFIG_UID16) += uid16.o 69 69 obj-$(CONFIG_MODULES) += module.o 70 + obj-$(CONFIG_MODULE_DECOMPRESS) += module_decompress.o 70 71 obj-$(CONFIG_MODULE_SIG) += module_signing.o 71 72 obj-$(CONFIG_MODULE_SIG_FORMAT) += module_signature.o 72 73 obj-$(CONFIG_KALLSYMS) += kallsyms.o
+19
kernel/module-internal.h
··· 23 23 #ifdef CONFIG_KALLSYMS 24 24 unsigned long mod_kallsyms_init_off; 25 25 #endif 26 + #ifdef CONFIG_MODULE_DECOMPRESS 27 + struct page **pages; 28 + unsigned int max_pages; 29 + unsigned int used_pages; 30 + #endif 26 31 struct { 27 32 unsigned int sym, str, mod, vers, info, pcpu; 28 33 } index; 29 34 }; 30 35 31 36 extern int mod_verify_sig(const void *mod, struct load_info *info); 37 + 38 + #ifdef CONFIG_MODULE_DECOMPRESS 39 + int module_decompress(struct load_info *info, const void *buf, size_t size); 40 + void module_decompress_cleanup(struct load_info *info); 41 + #else 42 + static inline int module_decompress(struct load_info *info, 43 + const void *buf, size_t size) 44 + { 45 + return -EOPNOTSUPP; 46 + } 47 + static inline void module_decompress_cleanup(struct load_info *info) 48 + { 49 + } 50 + #endif
+24 -11
kernel/module.c
··· 3173 3173 return err; 3174 3174 } 3175 3175 3176 - static void free_copy(struct load_info *info) 3176 + static void free_copy(struct load_info *info, int flags) 3177 3177 { 3178 - vfree(info->hdr); 3178 + if (flags & MODULE_INIT_COMPRESSED_FILE) 3179 + module_decompress_cleanup(info); 3180 + else 3181 + vfree(info->hdr); 3179 3182 } 3180 3183 3181 3184 static int rewrite_section_headers(struct load_info *info, int flags) ··· 4127 4124 } 4128 4125 4129 4126 /* Get rid of temporary copy. */ 4130 - free_copy(info); 4127 + free_copy(info, flags); 4131 4128 4132 4129 /* Done! */ 4133 4130 trace_module_load(mod); ··· 4176 4173 4177 4174 module_deallocate(mod, info); 4178 4175 free_copy: 4179 - free_copy(info); 4176 + free_copy(info, flags); 4180 4177 return err; 4181 4178 } 4182 4179 ··· 4203 4200 SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) 4204 4201 { 4205 4202 struct load_info info = { }; 4206 - void *hdr = NULL; 4203 + void *buf = NULL; 4204 + int len; 4207 4205 int err; 4208 4206 4209 4207 err = may_init_module(); ··· 4214 4210 pr_debug("finit_module: fd=%d, uargs=%p, flags=%i\n", fd, uargs, flags); 4215 4211 4216 4212 if (flags & ~(MODULE_INIT_IGNORE_MODVERSIONS 4217 - |MODULE_INIT_IGNORE_VERMAGIC)) 4213 + |MODULE_INIT_IGNORE_VERMAGIC 4214 + |MODULE_INIT_COMPRESSED_FILE)) 4218 4215 return -EINVAL; 4219 4216 4220 - err = kernel_read_file_from_fd(fd, 0, &hdr, INT_MAX, NULL, 4217 + len = kernel_read_file_from_fd(fd, 0, &buf, INT_MAX, NULL, 4221 4218 READING_MODULE); 4222 - if (err < 0) 4223 - return err; 4224 - info.hdr = hdr; 4225 - info.len = err; 4219 + if (len < 0) 4220 + return len; 4221 + 4222 + if (flags & MODULE_INIT_COMPRESSED_FILE) { 4223 + err = module_decompress(&info, buf, len); 4224 + vfree(buf); /* compressed data is no longer needed */ 4225 + if (err) 4226 + return err; 4227 + } else { 4228 + info.hdr = buf; 4229 + info.len = len; 4230 + } 4226 4231 4227 4232 return load_module(&info, uargs, flags); 4228 4233 }
+271
kernel/module_decompress.c
··· 1 + // SPDX-License-Identifier: GPL-2.0-or-later 2 + /* 3 + * Copyright 2021 Google LLC. 4 + */ 5 + 6 + #include <linux/init.h> 7 + #include <linux/highmem.h> 8 + #include <linux/kobject.h> 9 + #include <linux/mm.h> 10 + #include <linux/module.h> 11 + #include <linux/slab.h> 12 + #include <linux/sysfs.h> 13 + #include <linux/vmalloc.h> 14 + 15 + #include "module-internal.h" 16 + 17 + static int module_extend_max_pages(struct load_info *info, unsigned int extent) 18 + { 19 + struct page **new_pages; 20 + 21 + new_pages = kvmalloc_array(info->max_pages + extent, 22 + sizeof(info->pages), GFP_KERNEL); 23 + if (!new_pages) 24 + return -ENOMEM; 25 + 26 + memcpy(new_pages, info->pages, info->max_pages * sizeof(info->pages)); 27 + kvfree(info->pages); 28 + info->pages = new_pages; 29 + info->max_pages += extent; 30 + 31 + return 0; 32 + } 33 + 34 + static struct page *module_get_next_page(struct load_info *info) 35 + { 36 + struct page *page; 37 + int error; 38 + 39 + if (info->max_pages == info->used_pages) { 40 + error = module_extend_max_pages(info, info->used_pages); 41 + if (error) 42 + return ERR_PTR(error); 43 + } 44 + 45 + page = alloc_page(GFP_KERNEL | __GFP_HIGHMEM); 46 + if (!page) 47 + return ERR_PTR(-ENOMEM); 48 + 49 + info->pages[info->used_pages++] = page; 50 + return page; 51 + } 52 + 53 + #ifdef CONFIG_MODULE_COMPRESS_GZIP 54 + #include <linux/zlib.h> 55 + #define MODULE_COMPRESSION gzip 56 + #define MODULE_DECOMPRESS_FN module_gzip_decompress 57 + 58 + /* 59 + * Calculate length of the header which consists of signature, header 60 + * flags, time stamp and operating system ID (10 bytes total), plus 61 + * an optional filename. 62 + */ 63 + static size_t module_gzip_header_len(const u8 *buf, size_t size) 64 + { 65 + const u8 signature[] = { 0x1f, 0x8b, 0x08 }; 66 + size_t len = 10; 67 + 68 + if (size < len || memcmp(buf, signature, sizeof(signature))) 69 + return 0; 70 + 71 + if (buf[3] & 0x08) { 72 + do { 73 + /* 74 + * If we can't find the end of the file name we must 75 + * be dealing with a corrupted file. 76 + */ 77 + if (len == size) 78 + return 0; 79 + } while (buf[len++] != '\0'); 80 + } 81 + 82 + return len; 83 + } 84 + 85 + static ssize_t module_gzip_decompress(struct load_info *info, 86 + const void *buf, size_t size) 87 + { 88 + struct z_stream_s s = { 0 }; 89 + size_t new_size = 0; 90 + size_t gzip_hdr_len; 91 + ssize_t retval; 92 + int rc; 93 + 94 + gzip_hdr_len = module_gzip_header_len(buf, size); 95 + if (!gzip_hdr_len) { 96 + pr_err("not a gzip compressed module\n"); 97 + return -EINVAL; 98 + } 99 + 100 + s.next_in = buf + gzip_hdr_len; 101 + s.avail_in = size - gzip_hdr_len; 102 + 103 + s.workspace = kmalloc(zlib_inflate_workspacesize(), GFP_KERNEL); 104 + if (!s.workspace) 105 + return -ENOMEM; 106 + 107 + rc = zlib_inflateInit2(&s, -MAX_WBITS); 108 + if (rc != Z_OK) { 109 + pr_err("failed to initialize decompresser: %d\n", rc); 110 + retval = -EINVAL; 111 + goto out; 112 + } 113 + 114 + do { 115 + struct page *page = module_get_next_page(info); 116 + if (!page) { 117 + retval = -ENOMEM; 118 + goto out_inflate_end; 119 + } 120 + 121 + s.next_out = kmap(page); 122 + s.avail_out = PAGE_SIZE; 123 + rc = zlib_inflate(&s, 0); 124 + kunmap(page); 125 + 126 + new_size += PAGE_SIZE - s.avail_out; 127 + } while (rc == Z_OK); 128 + 129 + if (rc != Z_STREAM_END) { 130 + pr_err("decompression failed with status %d\n", rc); 131 + retval = -EINVAL; 132 + goto out_inflate_end; 133 + } 134 + 135 + retval = new_size; 136 + 137 + out_inflate_end: 138 + zlib_inflateEnd(&s); 139 + out: 140 + kfree(s.workspace); 141 + return retval; 142 + } 143 + #elif CONFIG_MODULE_COMPRESS_XZ 144 + #include <linux/xz.h> 145 + #define MODULE_COMPRESSION xz 146 + #define MODULE_DECOMPRESS_FN module_xz_decompress 147 + 148 + static ssize_t module_xz_decompress(struct load_info *info, 149 + const void *buf, size_t size) 150 + { 151 + static const u8 signature[] = { 0xfd, '7', 'z', 'X', 'Z', 0 }; 152 + struct xz_dec *xz_dec; 153 + struct xz_buf xz_buf; 154 + enum xz_ret xz_ret; 155 + size_t new_size = 0; 156 + ssize_t retval; 157 + 158 + if (size < sizeof(signature) || 159 + memcmp(buf, signature, sizeof(signature))) { 160 + pr_err("not an xz compressed module\n"); 161 + return -EINVAL; 162 + } 163 + 164 + xz_dec = xz_dec_init(XZ_DYNALLOC, (u32)-1); 165 + if (!xz_dec) 166 + return -ENOMEM; 167 + 168 + xz_buf.in_size = size; 169 + xz_buf.in = buf; 170 + xz_buf.in_pos = 0; 171 + 172 + do { 173 + struct page *page = module_get_next_page(info); 174 + if (!page) { 175 + retval = -ENOMEM; 176 + goto out; 177 + } 178 + 179 + xz_buf.out = kmap(page); 180 + xz_buf.out_pos = 0; 181 + xz_buf.out_size = PAGE_SIZE; 182 + xz_ret = xz_dec_run(xz_dec, &xz_buf); 183 + kunmap(page); 184 + 185 + new_size += xz_buf.out_pos; 186 + } while (xz_buf.out_pos == PAGE_SIZE && xz_ret == XZ_OK); 187 + 188 + if (xz_ret != XZ_STREAM_END) { 189 + pr_err("decompression failed with status %d\n", xz_ret); 190 + retval = -EINVAL; 191 + goto out; 192 + } 193 + 194 + retval = new_size; 195 + 196 + out: 197 + xz_dec_end(xz_dec); 198 + return retval; 199 + } 200 + #else 201 + #error "Unexpected configuration for CONFIG_MODULE_DECOMPRESS" 202 + #endif 203 + 204 + int module_decompress(struct load_info *info, const void *buf, size_t size) 205 + { 206 + unsigned int n_pages; 207 + ssize_t data_size; 208 + int error; 209 + 210 + /* 211 + * Start with number of pages twice as big as needed for 212 + * compressed data. 213 + */ 214 + n_pages = DIV_ROUND_UP(size, PAGE_SIZE) * 2; 215 + error = module_extend_max_pages(info, n_pages); 216 + 217 + data_size = MODULE_DECOMPRESS_FN(info, buf, size); 218 + if (data_size < 0) { 219 + error = data_size; 220 + goto err; 221 + } 222 + 223 + info->hdr = vmap(info->pages, info->used_pages, VM_MAP, PAGE_KERNEL); 224 + if (!info->hdr) { 225 + error = -ENOMEM; 226 + goto err; 227 + } 228 + 229 + info->len = data_size; 230 + return 0; 231 + 232 + err: 233 + module_decompress_cleanup(info); 234 + return error; 235 + } 236 + 237 + void module_decompress_cleanup(struct load_info *info) 238 + { 239 + int i; 240 + 241 + if (info->hdr) 242 + vunmap(info->hdr); 243 + 244 + for (i = 0; i < info->used_pages; i++) 245 + __free_page(info->pages[i]); 246 + 247 + kvfree(info->pages); 248 + 249 + info->pages = NULL; 250 + info->max_pages = info->used_pages = 0; 251 + } 252 + 253 + static ssize_t compression_show(struct kobject *kobj, 254 + struct kobj_attribute *attr, char *buf) 255 + { 256 + return sysfs_emit(buf, "%s\n", __stringify(MODULE_COMPRESSION)); 257 + } 258 + static struct kobj_attribute module_compression_attr = __ATTR_RO(compression); 259 + 260 + static int __init module_decompress_sysfs_init(void) 261 + { 262 + int error; 263 + 264 + error = sysfs_create_file(&module_kset->kobj, 265 + &module_compression_attr.attr); 266 + if (error) 267 + pr_warn("Failed to create 'compression' attribute"); 268 + 269 + return 0; 270 + } 271 + late_initcall(module_decompress_sysfs_init);