Unexporting kallsyms_lookup_name()

One of the basic rules of kernel-module development is that modules can only access symbols (functions and data structures) that have been explicitly exported. Even then, many symbols are restricted so that only modules with a GPL-compatible license can access them. It turns out, though, that there is a readily available workaround that makes it easy for a module to access any symbol it wants. That workaround seems likely to be removed soon despite some possible inconvenience for some out-of-tree users; the reason why that is happening turns out to be relatively interesting.

The backdoor in question is kallsyms_lookup_name(), which will return the address associated with any symbol in the kernel's symbol table. Modular code that wants to access a symbol ordinarily denied to it can use kallsyms_lookup_name() to get the address of its target, then dereference it in the usual ways. This function itself is exported with the GPL-only restriction, which theoretically limits its use to free software. But if a proprietary module somewhere were to falsely claim a free license to get at GPL-only symbols, it would not be the first time.

Will Deacon has posted a patch series that removes the export for kallsyms_lookup_name() (and kallsyms_on_each_symbol(), which is also open to abuse). There were some immediate positive responses; few developers are favorably inclined toward module authors trying to get around the export system, after all. There were, however, a couple of concerns expressed.

One of those is that there is, it seems, a class of out-of-tree users of kallsyms_lookup_name() that is generally considered to be legitimate: live-patching systems for the kernel. Irritatingly, kernel bugs often stubbornly refuse to restrict themselves to exported functions, so a live patch must be able to locate (and patch out) any function in the kernel; kallsyms_lookup_name() is a convenient way to do that. After some discussion Joe Lawrence let it be known that the kpatch system has all of its needed infrastructure in the mainline kernel, and so has no further need for kallsyms_lookup_name(). The Ksplice system, though, evidently still uses it. As Miroslav Benes observed, though: "no one cares about ksplice in upstream now". So it would appear that live patching will not be an obstacle to the merging of this patch.

A different sort of concern was raised by Masami Hiramatsu, who noted that there are a number of other ways to find the address associated with a kernel symbol. User space could place some kprobes to extract that information, or a kernel module could, if time and CPU use is not a concern, use snprintf() with the "%pF" format (which prints the function associated with a given address) to search for the address of interest. He worried that the change would make life harder for casual developers while not really getting in the way of anybody who is determined to abuse the module mechanism.

In response, Deacon posted an interesting message about what is driving this particular change. Kernel developers are happy to make changes just to make life difficult for developers they see as abusing the system, but that is not quite what is happening here. Instead, it is addressing a support issue at Google.

Back in 2018, LWN reported on work being done to bring the Android kernel closer to the mainline. One of the steps in that direction is moving the kernel itself into the Android generic system image (GSI), an Android build that must boot and run on a device for that device to be considered compliant with the Android requirements. Putting the kernel into the GSI means that hardware vendors can no longer modify it; they will be limited to what they can do by adding kernel modules to the GSI.

Restricting vendors to supplying kernel modules greatly limits the kind of changes they can make; there will be no more Android devices that replace the CPU scheduler with some vendor's special version, for example. But that only holds if modules are restricted to the exported-symbol interface; if they start to reach into arbitrary parts of the kernel, all bets are off. Deacon doesn't say so, but it seems clear that some vendors are, at a minimum, thinking about doing exactly that. The business-friendly explanation for removing this capability is: "Monitoring and managing the ABI surface is not feasible if it effectively includes all data and functions via kallsyms_lookup_name()".

After seeing this explanation, Hiramatsu agreed that the patch makes sense and offered a Reviewed-by tag. So this concern, too, seems unlikely to prevent this patch set from being merged.

It's worth repeating that discouraging module developers from bypassing the export mechanism is generally seen as more than sufficient motivation to merge a change like this. But it is also interesting to see a large company supporting that kind of change as well. By more closely tying the Android kernel to the mainline, Google would appear to be better aligning its own interests with the long-term interests of the development community — on this point, at least. That, hopefully, will lead to better kernels on our devices that also happen to be a lot closer to mainline kernels.

Index entries for this article
Kernel	Modules/Exported symbols

---

to post comments

Unexporting kallsyms_lookup_name()

Posted Feb 29, 2020 20:21 UTC (Sat) by ncm (guest, #165) [Link] (9 responses)

I see this as part of Google's upcoming effort to move vendors off Linux to their proprietary Fuchsia kernel.

(A certain alternative pronunciation of its name perhaps telegraphs its purpose.)

We may be heartened by the previously demonstrated inability of large organizations to create a viable new kernel from scratch--OS/360 excepted.

Unexporting kallsyms_lookup_name()

Posted Feb 29, 2020 21:12 UTC (Sat) by mfuzzey (subscriber, #57966) [Link]

I don't see how preventing symbol access restriction bypasses would help them do that.

Maybe Google does want to move Android to Fuchsia but they don't need to change anything in Linux to do that.

Unexporting kallsyms_lookup_name()

Posted Feb 29, 2020 22:00 UTC (Sat) by Lionel_Debroux (subscriber, #30014) [Link]

Even though it is often rendered moot by the fact most people use distro kernels, making it (slightly) harder to find the addresses of non-exported symbols is probably (slightly) raising the cost of producing, and testing, exploits reliable across a range of kernel versions, configs and patches from vendors. This is unlikely to be a bad thing, especially with most kernels lacking powerful anti-exploitation features.

Unexporting kallsyms_lookup_name()

Posted Mar 1, 2020 17:58 UTC (Sun) by NYKevin (subscriber, #129325) [Link] (5 responses)

Fuchsia is open source.

Unexporting kallsyms_lookup_name()

Posted Mar 1, 2020 18:17 UTC (Sun) by rahulsundaram (subscriber, #21946) [Link]

> Fuchsia is open source.

Upstream is at the moment. Given that it is permissive licensed and mobile vendors like to slap on a ton of patches for differentiation, how it will be distributed in practice is murky and the outlook isn't great given the track record even with current Android

fuchsia license looks like BSD 3-clause

Posted Mar 1, 2020 20:39 UTC (Sun) by stephen.pollei (subscriber, #125364) [Link] (2 responses)

The fuchsia license looks a lot like the 3-Clause BSD License. For some reason, reminds me of BSD - The Dark Horse of Open Source.

fuchsia license looks like BSD 3-clause

Posted Mar 3, 2020 12:16 UTC (Tue) by dunlapg (guest, #57764) [Link] (1 responses)

I miss Groklaw. *sniff*

fuchsia license looks like BSD 3-clause

Posted Mar 5, 2020 23:22 UTC (Thu) by Wol (subscriber, #4433) [Link]

I think a lot of us do ... :-(

Sadly,
Wol

Unexporting kallsyms_lookup_name()

Posted Jun 22, 2021 17:45 UTC (Tue) by scientes (guest, #83068) [Link]

I have worked with packaging chromium for Debian before, and I also know that every time the v8 developers at Google do a refactor they do a Fuscia on IBM's work to port to POWER. If you are anti-social a "Do What The Fuck You Want License" is certainly not a promise not to fuck their users, especially when the users are NOT using an open source build.

Unexporting kallsyms_lookup_name()

Posted Mar 9, 2020 14:57 UTC (Mon) by scientes (guest, #83068) [Link]

> effort to move vendors off Linux to their proprietary Fuck You kernel.

FTFY

Unexporting kallsyms_lookup_name()

Posted Mar 2, 2020 11:26 UTC (Mon) by Sesse (subscriber, #53779) [Link] (1 responses)

What is the current status of kpatch, really? I see there's all sorts of patches coming in for years now, but do we have all of the pieces of the puzzle? Can I install a reasonably mainstream distro (or even upstream kernels…?), run a command and get it live-patched up to date? (I remember being able to do that with ksplice before they got sold to Oracle, and it was pretty amazing.)

Unexporting kallsyms_lookup_name()

Posted Mar 3, 2020 2:52 UTC (Tue) by pabs (subscriber, #43278) [Link]

I have not used it myself, but Oracle (for Oracle Linux, RHEL, Ubuntu, Fedora), RedHat, SUSE, Canonical (Ubuntu) and Gentoo all support it AFAICT. For the first four companies it is a paid service but Oracle has a gratis trial period. AFAICT the first four don't publish their tooling surrounding kpatch itself, but Gentoo does. I expect you could repurpose Gentoo's tooling to do patches for mainline kernels.

https://wiki.gentoo.org/wiki/Elivepatch

There is also another one (KernelCare I think) that IIRC has its own non-mainline patching mechanism.

Unexporting kallsyms_lookup_name()

Posted Dec 2, 2020 18:44 UTC (Wed) by zizzu (guest, #143434) [Link]

I faced this problem and used the kprobe solution like this https://github.com/zizzu0/LinuxKernelModules/blob/main/Fi...

Unexporting kallsyms_lookup_name()

Posted Sep 2, 2021 18:33 UTC (Thu) by VojtaK (guest, #154079) [Link]

Well, this is nice, however it cost me two days of not sleeping when installing opencl with AMD Vega 10 card to the new Bullseye instalation of Debian.

First I downloaded a fresh new package amdgpu-pro-21.10-1247438-ubuntu-20.04 from AMD. Well its not for Debian, but Debian is brand new so I was thinking I could run it there. Not really easy!

First they decided to support ubuntu-20.04 with kernel 5.8 and Debian 11 is shipped with 5.10. When my attempts to build their amdgpu module failed multiple times, I decided to downgrade and compile 5.9x, 5.8x kernels on my own.

I also would like to mention that 5.7x kernel was the last one, where "mmap_sem" was not called "mmap_lock" in mm_types.h https://lore.kernel.org/linux-mm/20200422001422.232330-11...

So I had to change inside amdgpu-dkms_5.9.20.104-1247438_all.deb find . -type f | xargs sed -i "s/mmap_sem/mmap_lock/g"

And to be able to retain the distribution kernel I also needed to add BUILD_EXCLUSIVE_KERNEL="^(5\.[0-9]\.)" to usr/src/amdgpu-5.9.20.104-1247438/dkms.conf

Well everything installed, module compiled, but it was not working. In my dmesg there was cryptic message
kernel BUG at /var/lib/dkms/amdgpu/5.9.20.104-1247438/build/amd/amdkcl/kcl_common.c:44!

Let's have a look to that source
void amdkcl_symbol_init(void)
{
#ifndef HAVE_KALLSYMS_LOOKUP_NAME
struct kprobe kp;
int r;

memset(&kp, 0, sizeof(kp));
kp.symbol_name = "kallsyms_lookup_name";
r = register_kprobe(&kp);
if (!r) {
_kcl_kallsyms_lookup_name = (void *)kp.addr;
unregister_kprobe(&kp);
} else {
pr_err("fail to get kallsyms_lookup_name, abort...\n");
BUG();
}
#else
_kcl_kallsyms_lookup_name = kallsyms_lookup_name;
#endif
}

This is a code from AMD! Exploiting another way to get to that function. Maybe you shall remove it altogether because the only thing you achieved that a big player who bundles his closed source firmware into the kernel use this exploit and I spent a 48 hours of my work figuring out that it does not work in my use case producing that BUG!

So finally I am forced either to downgrade to <3.7 kernel or to add EXPORT_SYMBOL_GPL(kallsyms_lookup_name); to kallsyms.c and hope that they parse well that macro to define HAVE_KALLSYMS_LOOKUP_NAME to have it running in 3.9 kernel. Because in 3.10 its broken also from another reason.