|
Message-Id: <20200225051307.6401-1-keescook@chromium.org> Date: Mon, 24 Feb 2020 21:13:01 -0800 From: Kees Cook <keescook@...omium.org> To: Borislav Petkov <bp@...en8.de> Cc: Kees Cook <keescook@...omium.org>, Hector Marco-Gisbert <hecmargi@....es>, Jason Gunthorpe <jgg@...pe.ca>, Catalin Marinas <catalin.marinas@....com>, Russell King <linux@...linux.org.uk>, Will Deacon <will@...nel.org>, Jann Horn <jannh@...gle.com>, x86@...nel.org, linux-arm-kernel@...ts.infradead.org, kernel-hardening@...ts.openwall.com, linux-kernel@...r.kernel.org Subject: [PATCH v4 0/6] binfmt_elf: Update READ_IMPLIES_EXEC logic for modern CPUs Hi, This is a refresh of my earlier attempt to fix READ_IMPLIES_EXEC. I think it incorporates the feedback from v2 (there are no code changes between v3 and v4; I've just added Reviews/Acks and directed at Boris, as it seems Ingo is busy). The selftest from v3 has been remove from v4, as I will land it separately via Shuah's selftest tree. This series is for x86, arm, and arm64; I'd like it to go via -tip, though, just to keep this change together with the selftest. To that end, I'd like to collect Acks from the respective architecture maintainers. (Note that most other architectures don't suffer from this problem. e.g. powerpc's behavior appears to already be correct. MIPS may need adjusting but the history of CPU features and toolchain behavior is very unclear to me.) Repeating the commit log from later in the series: The READ_IMPLIES_EXEC work-around was designed for old toolchains that lacked the ELF PT_GNU_STACK marking under the assumption that toolchains that couldn't specify executable permission flags for the stack may not know how to do it correctly for any memory region. This logic is sensible for having ancient binaries coexist in a system with possibly NX memory, but was implemented in a way that equated having a PT_GNU_STACK marked executable as being as "broken" as lacking the PT_GNU_STACK marking entirely. Things like unmarked assembly and stack trampolines may cause PT_GNU_STACK to need an executable bit, but they do not imply all mappings must be executable. This confusion has led to situations where modern programs with explicitly marked executable stack are forced into the READ_IMPLIES_EXEC state when no such thing is needed. (And leads to unexpected failures when mmap()ing regions of device driver memory that wish to disallow VM_EXEC[1].) In looking for other reasons for the READ_IMPLIES_EXEC behavior, Jann Horn noted that glibc thread stacks have always been marked RWX (until 2003 when they started tracking the PT_GNU_STACK flag instead[2]). And musl doesn't support executable stacks at all[3]. As such, no breakage for multithreaded applications is expected from this change. [1] https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com [2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=54ee14b3882 [3] https://lkml.kernel.org/r/20190423192534.GN23599@brightrain.aerifal.cx -Kees v4: - split selftest into separate series to go via Shuah's tree - add Reviews/Acks v3: https://lore.kernel.org/lkml/20200210193049.64362-1-keescook@chromium.org v2: https://lore.kernel.org/lkml/20190424203408.GA11386@beast/ v1: https://lore.kernel.org/lkml/20190423181210.GA2443@beast/ Kees Cook (6): x86/elf: Add table to document READ_IMPLIES_EXEC x86/elf: Split READ_IMPLIES_EXEC from executable GNU_STACK x86/elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces arm32/64, elf: Add tables to document READ_IMPLIES_EXEC arm32/64, elf: Split READ_IMPLIES_EXEC from executable GNU_STACK arm64, elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces arch/arm/kernel/elf.c | 27 +++++++++++++++++++++++---- arch/arm64/include/asm/elf.h | 23 ++++++++++++++++++++++- arch/x86/include/asm/elf.h | 22 +++++++++++++++++++++- fs/compat_binfmt_elf.c | 5 +++++ 4 files changed, 71 insertions(+), 6 deletions(-) -- 2.20.1
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.