|
Message-ID: <20200211171733.GN4271@mellanox.com> Date: Tue, 11 Feb 2020 13:17:33 -0400 From: Jason Gunthorpe <jgg@...lanox.com> To: Kees Cook <keescook@...omium.org> Cc: Ingo Molnar <mingo@...nel.org>, Hector Marco-Gisbert <hecmargi@....es>, Catalin Marinas <catalin.marinas@....com>, Will Deacon <will.deacon@....com>, Jann Horn <jannh@...gle.com>, Russell King <linux@...linux.org.uk>, x86@...nel.org, kernel-hardening@...ts.openwall.com, linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org Subject: Re: [PATCH v3 0/7] binfmt_elf: Update READ_IMPLIES_EXEC logic for modern CPUs On Mon, Feb 10, 2020 at 11:30:42AM -0800, Kees Cook wrote: > Hi, > > This is a refresh of my earlier attempt to fix READ_IMPLIES_EXEC. I think > it incorporates the feedback from v2, and I've now added a selftest. This > series is for x86, arm, and arm64; I'd like it to go via -tip, though, > just to keep this change together with the selftest. To that end, I'd like > to collect Acks from the respective architecture maintainers. (Note that > most other architectures don't suffer from this problem. e.g. powerpc's > behavior appears to already be correct. MIPS may need adjusting but the > history of CPU features and toolchain behavior is very unclear to me.) > > Repeating the commit log from later in the series: > > > The READ_IMPLIES_EXEC work-around was designed for old toolchains that > lacked the ELF PT_GNU_STACK marking under the assumption that toolchains > that couldn't specify executable permission flags for the stack may not > know how to do it correctly for any memory region. > > This logic is sensible for having ancient binaries coexist in a system > with possibly NX memory, but was implemented in a way that equated having > a PT_GNU_STACK marked executable as being as "broken" as lacking the > PT_GNU_STACK marking entirely. Things like unmarked assembly and stack > trampolines may cause PT_GNU_STACK to need an executable bit, but they > do not imply all mappings must be executable. > > This confusion has led to situations where modern programs with explicitly > marked executable stack are forced into the READ_IMPLIES_EXEC state when > no such thing is needed. (And leads to unexpected failures when mmap()ing > regions of device driver memory that wish to disallow VM_EXEC[1].) > > In looking for other reasons for the READ_IMPLIES_EXEC behavior, Jann > Horn noted that glibc thread stacks have always been marked RWX (until > 2003 when they started tracking the PT_GNU_STACK flag instead[2]). And > musl doesn't support executable stacks at all[3]. As such, no breakage > for multithreaded applications is expected from this change. > > [1] https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com > [2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=54ee14b3882 > [3] https://lkml.kernel.org/r/20190423192534.GN23599@brightrain.aerifal.cx I'm happy to see this, I think it will help the situation. While I'm not well versed in all the historical details, the general approach makes sense to me and I've looked through the patches. I would like to follow this up with a patch to again block VM_EXEC from the RDMA related mmap of BAR paths.. Reviewed-by: Jason Gunthorpe <jgg@...lanox.com> Jason
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.