anthraxx / linux-hardened

Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening

5.8.6 patch - undefined reference to `deny_new_usb' #48

Closed karesmakro closed 3 years ago

karesmakro commented 3 years ago

I have a compile error on the new 5.8.6 patch set.

ld: kernel/sysctl.o:(.data+0x20e8): undefined reference to `deny_new_usb'
make[3]: *** [Makefile:1139: vmlinux] Fehler 1
make[2]: *** [debian/rules:6: build] Fehler 2
dpkg-buildpackage: Fehler: Unterprozess debian/rules build lieferte Exitstatus 2
make[1]: *** [scripts/Makefile.package:77: deb-pkg] Fehler 2
make: *** [Makefile:1495: deb-pkg] Fehler 2

Izorkin commented 3 years ago

Same error:

  LD [M]  drivers/iio/pressure/st_pressure.o
  GEN     .version
  CHK     include/generated/compile.h
  LD      vmlinux.o
  MODPOST vmlinux.symvers
WARNING: modpost: modpost: Found 4257 writable function pointers.
To see full details build your kernel with:
'make CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE=y'
  MODINFO modules.builtin.modinfo
  GEN     modules.builtin
  LD      .tmp_vmlinux.kallsyms1
/nix/store/zp4vhfn31ky68xy0s6mssxh4c90z9v9a-binutils-2.31.1/bin/ld: kernel/sysctl.o:(.data+0x2610): undefined reference to `deny_new_usb'
make[1]: *** [/build/linux-5.8.6/Makefile:1139: vmlinux] Error 1
make: *** [../Makefile:185: __sub-make] Error 2
builder for '/nix/store/2wzi40np5hs528k7kvm8daj5rf4lckm3-linux-5.8.6.drv' failed with exit code 2

anthraxx commented 3 years ago

Can you show me the Kconfig? Looks like it needs to export the symbols again, assumed the subsystem is always present built in.

Izorkin commented 3 years ago

This configuration file? KConfig_5_8_6.txt

anthraxx commented 3 years ago

You could for now apply this patch to use the definition as pre 5.8. I may temporarily switch it back in the tree to the applied patch. The correct way would be to register in a hook to additional sysctl via register_sysctl_table, but that should go through more testing, so for now use the old way:

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 8053fb2bc212..afb909f071f1 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5040,9 +5040,6 @@ static int descriptors_changed(struct usb_device *udev,
    return changed;
 }

-/* sysctl */
-int deny_new_usb __read_mostly = 0;
-
 static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
        u16 portchange)
 {
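
Review bot: With the definition of `deny_new_usb` removed from hub.c, nothing in this hunk shows the file still getting a declaration for it, so any remaining use here depends on an `extern int deny_new_usb;` in a header that both hub.c and kernel/sysctl.c include. Please confirm that declaration exists and is guarded the same way as the new definition, otherwise the type can drift between the two files without the compiler noticing.
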
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 355e4b0f1570..8c5326c6f0e8 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -115,6 +115,11 @@

 #if defined(CONFIG_SYSCTL)

+#if IS_ENABLED(CONFIG_USB)
+int deny_new_usb __read_mostly = 0;
+EXPORT_SYMBOL(deny_new_usb);
+#endif
+
 /* Constants used for minimum and  maximum */
 #ifdef CONFIG_LOCKUP_DETECTOR
 static int sixty __read_only = 60;
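
Review bot: The new definition sits inside `#if defined(CONFIG_SYSCTL)`, so a configuration with CONFIG_USB enabled and CONFIG_SYSCTL disabled ends up with no definition of `deny_new_usb` at all, and any USB code that references it would fail to link in the same way as the error reported in this issue. Move the `#if IS_ENABLED(CONFIG_USB)` block above the CONFIG_SYSCTL guard, or make the USB-side reference conditional on CONFIG_SYSCTL as well. The reference from kernel/sysctl.o's data that the linker error points at should carry the same `IS_ENABLED(CONFIG_USB)` guard, and the `= 0` initializer can be dropped since a global is zero-initialized anyway.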

Izorkin commented 3 years ago

Thanks, with this patch working.

anthraxx commented 3 years ago

Thanks for the additional confirmation. Released in 5.8.7.a. The USB sysctl load/unload mechanics for modules will be incorporated later after careful testing, therefore closing this issue.