Instead of creating dynrela sections, have create-diff-object create
intermediate sections .kpatch.relocations and .kpatch.symbols which can
then be used to build (depending on kernel version) either dynrela sections
or klp rela/klp arch sections + klp symbols in a later phase of kpatch-build.
Have lookup_open() also parse Module.symvers and add the resulting symbols
and their objnames to the lookup table. This code was essentially
cherry-picked from Josh Poimboeuf's lookup code found here:
8cdca59c88
That patch was modified to fix a bug in obj_read() (calling elf_end()
without strdup'ing the symbol name strings, which was causing null
dereferences) and to fix up the module name after reading it from
Module.symvers (replacing '-' with '_' and stripping the path prefixes).
Also, add lookup_exported_symbol_objname(), which looks up the objname of
an exported symbol by making use of the objname information obtained from
Module.symvers.
If there exist multiple sections with the same name (which can happen when
using the --unique option with ld, which will be used to keep multiple
(per-object) .parainstructions and .altinstructions sections separate),
find_section_by_name() will only return the first section name match, which
leads to incorrect base section assignments for rela sections. Fix this by
using the sh_info field of the rela section to find its base section
instead, which contains the index of the section to which the relocation
applies.
Make sure sym->sec is not NULL before checking for its rela section
(sym->sec->rela). This fixes a case where an object may have STT_FUNC
symbols whose the sections (sym->sec) were not selected for inclusion (or
are located in another object) and hence these symbols do not have sym->sec
set. This corner case only recently popped up after reusing kpatch_elf_open()
on objects that have been outputted by create-diff-object (and these
objects only contain the necessary sections needed for the patch module).
This will also automatically exclude livepatch symbols from the check,
because they do not have sections associated with them (i.e., sym->sec is
NULL). We do not have to check for fentry calls for klp (SHN_LIVEPATCH)
symbols, because [1] they do not have sections associated with them, [2]
they are not the target functions to be patched, and [3] they are
technically just placeholder symbols for symbol resolution in livepatch.
Move functions kpatch_reindex_elements() and kpatch_rebuild_rela_section_data()
from create-diff-object.c to kpatch-elf.c. These functions will be used
to rebuild kpatch elf data in create-klp-module and create-kpatch-module,
i.e. during the second "phase" of kpatch-build.
If kpatch-test processes a single .patch file, it will skip creating a
COMBINED.patch.
Do the same on the testing side (instead of complaining that it "can't
find kpatch-COMBINED.ko, skipping.")
If kpatch-test looks for *.patch or *.test globs in a directory that
contains no such files, it will try to handle a single file named
"*.patch" or "*.test".
Set the global nullglob option to avoid this problem. At the same time,
stop and whine to the user if no .patch files were found.
commit eb55adc52d ("use livepatch 4.5 features in Ubuntu Xenial
kernel") will trigger following build failure, while building stock
kernel on Ubuntu:
make[2]: Entering directory '/root/.kpatch/obj'
CC [M] /root/.kpatch/tmp/patch/patch-hook.o
In file included from
/root/.kpatch/tmp/patch/livepatch-patch-hook.c:28:0,
from /root/.kpatch/tmp/patch/patch-hook.c:21:
/root/.kpatch/tmp/patch/livepatch-patch-hook.c: In functionpatch_ini:
/root/linux-4.8.15/include/generated/utsrelease.h:2:32: error: too many
decimal points in number
#define UTS_UBUNTU_RELEASE_ABI 4.8.15
^
/root/.kpatch/tmp/patch/livepatch-patch-hook.c:252:7: note: in expansion
of macro UTS_UBUNTU_RELEASE_ABI
UTS_UBUNTU_RELEASE_ABI >= 7 ) \
^
Stock kernel version string might differ from the ubuntu kernel
versioning format. This patch sets UBUNTU_KERNEL flag, when kpatch
module is being build for ubuntu distro kernel and check for this
flag before echoing UTS_UBUNTU_RELEASE_ABI tag.
Signed-off-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
Cc: Chris J Arges <christopherarges@gmail.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Upstream commit 2992ef29ae01 ("livepatch/module: make TAINT_LIVEPATCH
module-specific") v4.9+ modified the kernel to add the TAINT_LIVEPATCH
flag on module load. To support this feature, add the "livepatch"
module info in the {k,live}patch modules and drop the add_taint() in the
core module.
Fixes sparse complaints:
create-diff-object.c:2302:24: warning: Using plain integer as NULL pointer
create-diff-object.c:2303:11: warning: Using plain integer as NULL pointer
create-diff-object.c:2334:59: warning: Using plain integer as NULL pointer
create-diff-object.c:2347:43: warning: Using plain integer as NULL pointer
Livepatch modules can be supported with minimal changes to the kpatch
script. Adjust for appropriate sysfs paths, core-patching code (in
kernel for livepatch, kpatch.ko for kpatch), and checksum verification
(only verify the checksum if it exists).
Fixes#479.
When passing '-d' to kpatch-build, it prints out some useful information
and keeps the related files around in ~/.kpatch/tmp. However, it also
passes '-d' to create-diff-object, which spits out way too much
information, drowning out all the other useful messages printed by
kpatch-build.
In my experience, the create-diff-object debug info is overkill for
debugging most issues, so disable it. The flag can still be used when
running create-diff-object manually.
GCC with KASAN instrumentation creates section ".rodata" with some static strings (i.e. some of them go to ".rodata.str1.1" for release build).
This change makes possible to build patch and check if it fixes issue found with KASAN, such as CVE-2016-9555.
Instead of building *.patch, allow the user to specify patch files on
the command line. For example:
kpatch-test --quick centos-7/cmdline-string.patch centos-7/data-new.patch
Update the top-level Makefile as well, so it can be similarly invoked:
PATCHES="centos-7/cmdline-string.patch centos-7/data-new.patch" make quick
If no patches are specified on the kpatch-test command line, then fall
back to the previous behavior of *.patch.
NOTE: If patches *are* specified, then only the .test files
corresponding to those patches will be executed. Provided patch paths
will also override any --directory value.
Move the integration tests Makefile up a directory level so that it can
be shared. Update the kpatch-test script to accept a patch-directory
argument and the multiple.test cases to handle this new arrangement.
Prepare for updating the integration tests and move into a standard path
(this should be easier for future automation).
The patch directory name(s) should be in the form ${ID}-${VERSION_ID}/
as defined by the target's /etc/os-release.
Fixes smatch warning:
kmod/core/core.c:64:1: warning: symbol 'kpmod_list' was not declared. Should it be static?
Fixes sparse warnings:
kmod/core/core.c:680 kpatch_write_relocations() warn: inconsistent indenting
kmod/core/core.c:750 kpatch_write_relocations() warn: inconsistent indenting
The error paths in kpatch_shadow_alloc do not free an allocated
kpatch_shadow structure (and it's not added to the kpatch_shadow_hash).
Handle the kfree in the various error return paths.
Fixes the smatch warning:
kmod/core/shadow.c:97 kpatch_shadow_alloc() warn: possible memory leak of 'shadow'
If a kpatch load fails due to an activeness safety check, try again, up
to 5 times.
Unfortunately, insmod doesn't return the error code reported by the
kernel. So we have to parse its error output instead.
The kpatch script's functions don't use local variables, which makes it
bug prone and hard to understand. It would be nice to convert the whole
file, but I'll just start with converting load_module() for now.
This also removes the unused 2nd argument to insmod, which is leftover
from commit 8e8de4718d ("kpatch: deprecate the replace command").
Some features were backported into the 4.4 kernel which change the fields
of the livepatch structures. Ensure we can work with either v4.5 or greater,
or Ubuntu 4.4.0-7 or greater.
The UTS_UBUNTU_RELEASE_ABI symbol is in utsrelease.h as installed by
linux-headers-`uname -r`. However when building a module with kpatch-build
utsrelease.h gets regenerated and doesn't include the ABI variable. This
patch just adds the additional define based on the input ARCHVERSION.
