From patchwork Fri Aug 4 18:31:40 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mark Salyzyn
X-Patchwork-Id: 9881935
From: Mark Salyzyn
To: linux-kernel@vger.kernel.org
Subject: [PATCH 2/2] arm64: compat: Add CONFIG_KUSER_HELPERS
Date: Fri, 4 Aug 2017 11:31:40 -0700
Message-Id: <20170804183151.78804-1-salyzyn@android.com>
Cc: Mark Rutland, Jisheng Zhang, Kees Cook, Ard Biesheuvel,
 Catalin Marinas, AKASHI Takahiro, Kevin Brodsky, Will Deacon,
 Mark Salyzyn, riggle@google.com, Michal Marek, James Morse,
 John Stultz, Laura Abbott, linux-arm-kernel@lists.infradead.org

From: Kevin Brodsky

Make it possible to disable the kuser helpers by adding a KUSER_HELPERS
config option (enabled by default). When disabled, all kuser
helpers-related code is removed from the kernel and no mapping is done
at the fixed high address (0xffff0000); any attempt to use a kuser
helper from a 32-bit process will result in a segfault.

Signed-off-by: Kevin Brodsky
Signed-off-by: Mark Salyzyn
---
 arch/arm64/Kconfig              | 29 ++++++++++++++++++
 arch/arm64/kernel/Makefile      |  3 +-
 arch/arm64/kernel/kuser32.S     | 48 ++---------------------------
 arch/arm64/kernel/sigreturn32.S | 67 +++++++++++++++++++++++++++++++++++++++++
 arch/arm64/kernel/vdso.c        |  6 ++++
 5 files changed, 107 insertions(+), 46 deletions(-)
 create mode 100644 arch/arm64/kernel/sigreturn32.S

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index dfd908630631..902ad4b5b3d3 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -1100,6 +1100,35 @@ config COMPAT If you want to execute 32-bit userspace applications, say Y. +config KUSER_HELPERS + bool "Enable the kuser helpers page in 32-bit processes" + depends on COMPAT + default y + help + Warning: disabling this option may break 32-bit applications. + + Provide kuser helpers in a special purpose fixed-address page. The + kernel provides helper code to userspace in read-only form at a fixed + location to allow userspace to be independent of the CPU type fitted + to the system. This permits 32-bit binaries to be run on ARMv4 through + to ARMv8 without modification. + + See Documentation/arm/kernel_user_helpers.txt for details. + + However, the fixed-address nature of these helpers can be used by ROP + (return-orientated programming) authors when creating exploits. + + If all of the 32-bit binaries and libraries that run on your platform + are built specifically for your platform, and make no use of these + helpers, then you can turn this option off to hinder such exploits. + However, in that case, if a binary or library relying on those helpers + is run, it will receive a SIGSEGV signal, which will terminate the + program. Typically, binaries compiled for ARMv7 or later do not use + the kuser helpers. + + Say N here only if you are absolutely certain that you do not need + these helpers; otherwise, the safe option is to say Y. + config SYSVIPC_COMPAT def_bool y depends on COMPAT && SYSVIPC diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile index f2b4e816b6de..314b9abda0a0 100644 --- a/arch/arm64/kernel/Makefile +++ b/arch/arm64/kernel/Makefile 
@@ -27,8 +27,9 @@ OBJCOPYFLAGS := --prefix-symbols=__efistub_ $(obj)/%.stub.o: $(obj)/%.o FORCE $(call if_changed,objcopy) -arm64-obj-$(CONFIG_COMPAT) += sys32.o kuser32.o signal32.o \ +arm64-obj-$(CONFIG_COMPAT) += sys32.o sigreturn32.o signal32.o \ sys_compat.o entry32.o +arm64-obj-$(CONFIG_KUSER_HELPERS) += kuser32.o arm64-obj-$(CONFIG_FUNCTION_TRACER) += ftrace.o entry-ftrace.o arm64-obj-$(CONFIG_MODULES) += arm64ksyms.o module.o arm64-obj-$(CONFIG_ARM64_MODULE_PLTS) += module-plts.o diff --git a/arch/arm64/kernel/kuser32.S b/arch/arm64/kernel/kuser32.S index 997e6b27ff6a..d15b5c2935b3 100644 --- a/arch/arm64/kernel/kuser32.S +++ b/arch/arm64/kernel/kuser32.S @@ -20,16 +20,13 @@ * * AArch32 user helpers. * - * Each segment is 32-byte aligned and will be moved to the top of the high - * vector page. New segments (if ever needed) must be added in front of - * existing ones. This mechanism should be used only for things that are - * really small and justified, and not be abused freely. + * These helpers are provided for compatibility with AArch32 binaries that + * still need them. They are installed at a fixed address by + * aarch32_setup_additional_pages(). * * See Documentation/arm/kernel_user_helpers.txt for formal definitions. */ -#include - .align 5 .globl __kuser_helper_start __kuser_helper_start: 
@@ -77,42 +74,3 @@ __kuser_helper_version: // 0xffff0ffc .word ((__kuser_helper_end - __kuser_helper_start) >> 5) .globl __kuser_helper_end __kuser_helper_end: - -/* - * AArch32 sigreturn code - * - * For ARM syscalls, the syscall number has to be loaded into r7. - * We do not support an OABI userspace. - * - * For Thumb syscalls, we also pass the syscall number via r7. We therefore - * need two 16-bit instructions. - */ - .globl __aarch32_sigret_code_start -__aarch32_sigret_code_start: - - /* - * ARM Code - */ - .byte __NR_compat_sigreturn, 0x70, 0xa0, 0xe3 // mov r7, #__NR_compat_sigreturn - .byte __NR_compat_sigreturn, 0x00, 0x00, 0xef // svc #__NR_compat_sigreturn - - /* - * Thumb code - */ - .byte __NR_compat_sigreturn, 0x27 // svc #__NR_compat_sigreturn - .byte __NR_compat_sigreturn, 0xdf // mov r7, #__NR_compat_sigreturn - - /* - * ARM code - */ - .byte __NR_compat_rt_sigreturn, 0x70, 0xa0, 0xe3 // mov r7, #__NR_compat_rt_sigreturn - .byte __NR_compat_rt_sigreturn, 0x00, 0x00, 0xef // svc #__NR_compat_rt_sigreturn - - /* - * Thumb code - */ - .byte __NR_compat_rt_sigreturn, 0x27 // svc #__NR_compat_rt_sigreturn - .byte __NR_compat_rt_sigreturn, 0xdf // mov r7, #__NR_compat_rt_sigreturn - - .globl __aarch32_sigret_code_end -__aarch32_sigret_code_end: diff --git a/arch/arm64/kernel/sigreturn32.S b/arch/arm64/kernel/sigreturn32.S new file mode 100644 index 000000000000..6ecda4d84cd5 --- /dev/null +++ b/arch/arm64/kernel/sigreturn32.S 
@@ -0,0 +1,67 @@ +/* + * sigreturn trampolines for AArch32. + * + * Copyright (C) 2005-2011 Nicolas Pitre + * Copyright (C) 2012 ARM Ltd. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * + * AArch32 sigreturn code + * + * For ARM syscalls, the syscall number has to be loaded into r7. + * We do not support an OABI userspace. + * + * For Thumb syscalls, we also pass the syscall number via r7. We therefore + * need two 16-bit instructions. + */ + +#include + + .globl __aarch32_sigret_code_start +__aarch32_sigret_code_start: + + /* + * ARM Code + */ + // mov r7, #__NR_compat_sigreturn + .byte __NR_compat_sigreturn, 0x70, 0xa0, 0xe3 + // svc #__NR_compat_sigreturn + .byte __NR_compat_sigreturn, 0x00, 0x00, 0xef + + /* + * Thumb code + */ + // svc #__NR_compat_sigreturn + .byte __NR_compat_sigreturn, 0x27 + // mov r7, #__NR_compat_sigreturn + .byte __NR_compat_sigreturn, 0xdf + + /* + * ARM code + */ + // mov r7, #__NR_compat_rt_sigreturn + .byte __NR_compat_rt_sigreturn, 0x70, 0xa0, 0xe3 + // svc #__NR_compat_rt_sigreturn + .byte __NR_compat_rt_sigreturn, 0x00, 0x00, 0xef + + /* + * Thumb code + */ + // svc #__NR_compat_rt_sigreturn + .byte __NR_compat_rt_sigreturn, 0x27 + // mov r7, #__NR_compat_rt_sigreturn + .byte __NR_compat_rt_sigreturn, 0xdf + + .globl __aarch32_sigret_code_end +__aarch32_sigret_code_end: diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c index 456420b1f3f1..416183f9ae70 100644 --- a/arch/arm64/kernel/vdso.c 
+++ b/arch/arm64/kernel/vdso.c @@ -108,6 +108,8 @@ static int sigreturn_setup(struct mm_struct *mm) return PTR_ERR_OR_ZERO(ret); } +#ifdef CONFIG_KUSER_HELPERS + /* kuser helpers page */ static struct page *kuser_helpers_page __ro_after_init; static const struct vm_special_mapping kuser_helpers_spec = { @@ -151,6 +153,8 @@ static int kuser_helpers_setup(struct mm_struct *mm) return PTR_ERR_OR_ZERO(ret); } +#endif /* CONFIG_KUSER_HELPERS */ + int aarch32_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) { struct mm_struct *mm = current->mm; @@ -163,7 +167,9 @@ int aarch32_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) if (ret) goto out; +#ifdef CONFIG_KUSER_HELPERS ret = kuser_helpers_setup(mm); +#endif out: up_write(&mm->mmap_sem);
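
Review bot: In the arch/arm64/Kconfig hunk, the KUSER_HELPERS help text spells the technique "return-orientated programming"; the usual term is "return-oriented programming". The help also never says which address the page is fixed at, although the commit message does (0xffff0000); naming it in the help text would let someone auditing a config see exactly which mapping disappears when the option is set to N.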
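
Review bot: In the first arch/arm64/kernel/kuser32.S hunk (@@ -20,16 +20,13), the rewritten header comment drops the layout rules "Each segment is 32-byte aligned" and "New segments (if ever needed) must be added in front of existing ones", yet the file still depends on them: the context of the following hunk shows __kuser_helper_version annotated with 0xffff0ffc and the helper count computed as (__kuser_helper_end - __kuser_helper_start) >> 5. Suggest keeping those two sentences next to the new compatibility wording so a future helper is not appended at the wrong end or with the wrong alignment.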
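
Review bot: The second arch/arm64/kernel/kuser32.S hunk (@@ -77,42 +74,3) moves the sigreturn trampolines out of the file, but the commit message only describes the new config option and says nothing about this move or about the new sigreturn32.S. Suggest either a sentence in the commit message explaining that the trampolines are split out so that kuser32.o can be built conditionally, or doing the move as a separate preparatory patch with no functional change, which is easier to verify on its own.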
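
Review bot: In the new arch/arm64/kernel/sigreturn32.S, the comments in both "Thumb code" blocks are swapped relative to the bytes they describe: the line ending in 0x27 is labelled "svc" and the line ending in 0xdf is labelled "mov r7", but in Thumb 0x27 is the MOV r7, #imm8 opcode byte and 0xdf is SVC. The bytes themselves are in the right order (mov then svc, matching the ARM blocks); the mislabelling is carried over from the lines removed from kuser32.S. Since the comments are being reflowed onto their own lines anyway, this is a good place to correct them.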
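
Review bot: In the last arch/arm64/kernel/vdso.c hunk (@@ -163,7 +167,9), the call in aarch32_setup_additional_pages() is wrapped in #ifdef CONFIG_KUSER_HELPERS inside the function body, which kernel coding style asks to avoid. Suggest giving the #ifdef block opened in the first vdso.c hunk an #else branch with a stub kuser_helpers_setup() that returns 0, so the call site stays unconditional. The behaviour with the option off is otherwise correct as written: ret is already 0 when control reaches that point because of the preceding "if (ret) goto out;".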