lkrg-org/lkrg

add-exports.sh broken as static export check is enforced in newer kernels.

Closed this issue · 11 comments

torvalds/linux@6d62b1c
torvalds/linux@31cb50b

The scripts/add-exports.sh script is causing compilation failures on newer kernels because they check for and fail on exported static symbols. I observed such failures starting from 6.8.10 and 6.9. I haven't tested other versions, but this should have a wide impact.

I wrote a patch to see if I can fix it by removing this single check (it's dirty, but the whole add-exports.sh thing is dirty already).

In the future we might need a more sophisticated patch directly on the kernel.

Example of such build failure:
[screenshot]

Still trying to make it pass the build at least; it looks like more than 2 checks need to be disabled.

However, that "57712 writable function pointers" warning is still very scary. I'm not really sure about the implications of simply disabling the checks that error on scripts/add-exports.sh.

Disabling the checks that cause errors results in this:

[screenshot]

I'll keep looking into it

Thank you for reporting this, @SorenEricMent! If you don't use the add exports script, does LKRG loading fail on your system? Somehow for typical distro kernels it just works anyway. What compiler/options are you building the kernel with?

> Disabling the checks that cause errors results in this

The actual errors must be somewhere earlier, you need to scroll up to see it.

Also, instead of screenshots, please post copy-pasted text from the terminal, wrapped in triple backticks.

I think we should modify our add exports script so that it removes the static keywords from those symbols. It doesn't actually need to export them, just removing static should be sufficient for LKRG. Adding exports felt less invasive (adding lines rather than finding and changing existing lines), but it looks like we need to reconsider.

If the script would no longer be adding exports, I guess we might also want to rename it.
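Added example, not part of the thread and not LKRG's script: a sketch of the "remove `static` instead of adding an export" approach proposed above, run on a constructed C fragment. The function name `strip_static`, its stdin interface and the sample source are assumptions; it also rewrites a forward declaration, because a `static` prototype left in place would keep the symbol's internal linkage.

```sh
# Added example (not LKRG's script). "strip_static SYMBOL < file.c" prints the
# source with file-scope "static" removed from SYMBOL's prototype and definition.
strip_static() {
    sym=$1
    case $sym in                       # only plain C identifiers are accepted
        ''|*[!A-Za-z0-9_]*) echo "bad symbol name: $sym" >&2; return 2 ;;
    esac
    awk -v sym="$sym" '
    BEGIN {
        # "static <type> sym(" on one line; sym must precede any other "("
        one = "^static[ \t]+([^(;=]*[^A-Za-z0-9_(;=])?" sym "[ \t]*\\("
        # "sym(" at column 0, following a line holding only "static <type>"
        two = "^" sym "[ \t]*\\("
    }
    {
        if (have) {                    # previous line was a lone "static <type>"
            if ($0 ~ two) { sub(/^static[ \t]+/, "", held); n++ }
            print held; have = 0
        }
        if ($0 ~ /^static[ \t]+[^(;=]*$/) { held = $0; have = 1; next }
        if ($0 ~ one) { sub(/^static[ \t]+/, ""); n++ }
        print
    }
    END { if (have) print held; exit (n ? 0 : 1) }   # 1 = symbol not found
    '
}

# Constructed sample input, not real kernel source.
sample_source() {
    cat <<'EOF'
static void __put_seccomp_filter(struct seccomp_filter *f);

static void helper(struct seccomp_filter *f)
{
	__put_seccomp_filter(f);
}

static void
__put_seccomp_filter(struct seccomp_filter *f)
{
	static int calls;
	calls++;
}
EOF
}

sample_source | strip_static __put_seccomp_filter
```

The non-zero exit status when nothing matched lets a build wrapper notice that a symbol was renamed or moved instead of silently producing an unchanged tree.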

> does LKRG loading fail on your system

Yes, LKRG fails on both linux-zen and linux-cachyos-hardened on both versions 6.8.x and 6.9.x. The Zen kernel is Arch Linux official; the CachyOS kernel is from the AUR. The error message of insmod would be "no kernel buffer available", which leads me to an earlier issue mentioning scripts/add-exports.sh, which worked earlier. For the cachyos one, I've tried disabling O3.

> The error message of insmod would be "no kernel buffer available"

Right. What is seen in dmesg? That should tell us the specific symbols LKRG could not find.

> For the cachyos one, I've tried disabling O3

Did this help?

This is the error generated by linux-zen 6.9.2:

```
sudo dmesg | grep LKRG
[ 23.004944] LKRG: ALIVE: Loading LKRG
[ 23.018013] LKRG: FATAL: Can't find '__put_seccomp_filter'
[ 23.019123] LKRG: FATAL: Can't initialize exploit detection features
[ 23.020406] LKRG: DYING: Not loading LKRG (initialization failed)
[ 23.381953] LKRG: ALIVE: Loading LKRG
[ 23.497194] LKRG: FATAL: Can't find '__put_seccomp_filter'
[ 23.497970] LKRG: FATAL: Can't initialize exploit detection features
[ 23.498715] LKRG: DYING: Not loading LKRG (initialization failed)
[ 23.873933] LKRG: ALIVE: Loading LKRG
[ 24.089909] LKRG: FATAL: Can't find '__put_seccomp_filter'
[ 24.090643] LKRG: FATAL: Can't initialize exploit detection features
[ 24.091301] LKRG: DYING: Not loading LKRG (initialization failed)
```

I can't test on cachyos yet because a dkms module is triggering a kernel BUG. I'll post it when I fix it.

> Did this help?

no

> I think we should modify our add exports script so that it removes the static keywords from those symbols.

@SorenEricMent Would you like to implement, test, and contribute this change?

> [ 24.089909] LKRG: FATAL: Can't find '__put_seccomp_filter'

@Adam-pi3 We could make seccomp protection optional, disabled (with an ISSUE logged) when symbol lookup fails.

> Would you like to implement, test, and contribute this change?

I'll give it a shot!

> [ 24.089909] LKRG: FATAL: Can't find '__put_seccomp_filter'

We no longer use __put_seccomp_filter, so I've just removed its export from the script. If it was the only missing symbol for you @SorenEricMent you'll probably be able to use LKRG without the export script now.

However, we need to fix the export script to match upstream's new requirements anyhow, for systems where it's needed.

> > Would you like to implement, test, and contribute this change?
>
> I'll give it a shot!

Turns out this was already part of #291, thanks to @alexander-pick. I've just extracted the required subset of changes from there and pushed them. @SorenEricMent Can you please test our latest and confirm it works for you? Thank you!