From patchwork Tue Apr 23 18:12:10 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10913631 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1F1FE922 for ; Tue, 23 Apr 2019 18:12:30 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 10E3D2894B for ; Tue, 23 Apr 2019 18:12:30 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0519028956; Tue, 23 Apr 2019 18:12:30 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id E25BA2894B for ; Tue, 23 Apr 2019 18:12:28 +0000 (UTC) Received: (qmail 25833 invoked by uid 550); 23 Apr 2019 18:12:27 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 25798 invoked from network); 23 Apr 2019 18:12:26 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:mime-version:content-disposition; bh=iQaTskhF6JjLMWEw5W+1Do9KKSLCJ8elWvLEKowTXV4=; b=kRhipY3UZwc9rz5bMuokumNv1HTIF0IlHukWPJp+QBwJxXU2gsz+L/ydaFbl98PReA 7F4ASBIUnn0XdGTgcuaabrBmGGTebpJVIfPSyfz87dDq6SFPHF1M55xyfW9kNwahsg+U BrUQI+TdhetqSQ1HIpGkpMkd1AB/VLShupllA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition; bh=iQaTskhF6JjLMWEw5W+1Do9KKSLCJ8elWvLEKowTXV4=; b=iEAkcTkDkKgEDiV7iYMRH6zGGJew0SHFXXFJ8ScJX++MNmBo4lscjBKwFuVUzgUAHL cy7FwdqoZRiUd+IYd9a7gPuW9t7IN0TOSNS/7++/TENMhlwH62v6pF3EHGc7XAQJmTRU P3QJ88rm+ZdSgP/16KRlEAFvLZtKnPZbQLWm6HUAI2a/GUqV3gRPIZvj3I8ZNyaKIxTt U2+YDwGm314GJq2tMLvE7VtCkZVc9IXImt/oxzl9fha1TzAgUWFxaxklVwLazevHDOl2 shfhDG+78m01oBz8msrWmQexx3cQONXpYpJldzbzBI5oVfW9deW5TiwdQ/stKnb5Wb+Z nvsw== X-Gm-Message-State: APjAAAV4RKS75goMvhqYnbZq87ZPeihI+q32Oh+hYfg4aCgjZjC/S341 LZgeK7C7Undy/1Ozefg8hyjJfw== X-Google-Smtp-Source: APXvYqz+Wl8zgwpGbBimCpQBQ9iX0uqtiSfQGROAG3ZfN/J7JhymD7vEcpy0QuMf3DyuHmdwF6SQ3g== X-Received: by 2002:a63:4b21:: with SMTP id y33mr26698232pga.37.1556043132959; Tue, 23 Apr 2019 11:12:12 -0700 (PDT) Date: Tue, 23 Apr 2019 11:12:10 -0700 From: Kees Cook To: Andrew Morton Cc: Hector Marco-Gisbert , Jason Gunthorpe , linux-kernel@vger.kernel.org, x86@kernel.org, Thomas Gleixner , Andy Lutomirski , Kernel Hardening , Mark Rutland , linux-arm-kernel@lists.infradead.org Subject: [PATCH] binfmt_elf: Update READ_IMPLIES_EXEC logic for modern CPUs Message-ID: <20190423181210.GA2443@beast> MIME-Version: 1.0 Content-Disposition: inline X-Virus-Scanned: ClamAV using ClamSMTP The READ_IMPLIES_EXEC work-around was designed for old CPUs lacking NX (to have the visible permission flags on memory regions reflect reality: they are all executable), and for old toolchains that lacked the ELF PT_GNU_STACK marking (under the assumption than toolchains that couldn't even specify memory protection flags may have it wrong for all memory regions). This logic is sensible, but was implemented in a way that equated having a PT_GNU_STACK marked executable as being as "broken" as lacking the PT_GNU_STACK marking entirely. This is not a reasonable assumption for CPUs that have had NX support from the start (or very close to the start). This confusion has led to situations where modern 64-bit programs with explicitly marked executable stack are forced into the READ_IMPLIES_EXEC state when no such thing is needed. (And leads to unexpected failures when mmap()ing regions of device driver memory that wish to disallow VM_EXEC[1].) To fix this, elf_read_implies_exec() is adjusted on arm64 (where NX has always existed and all toolchains include PT_GNU_STACK), and x86 is adjusted to handle this combination of possible outcomes: CPU: | lacks NX | has NX, ia32 | has NX, x86_64 | ELF: | | | | ------------------------------|------------------|------------------| missing GNU_STACK | needs RIE | needs RIE | no RIE | GNU_STACK == RWX | needs RIE | no RIE: stack X | no RIE: stack X | GNU_STACK == RW | needs RIE | no RIE: stack NX | no RIE: stack NX | This has the effect of making binfmt_elf's EXSTACK_DEFAULT actually take on the correct architecture default of being non-executable on arm64 and x86_64, and being executable on ia32. [1] https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com Suggested-by: Hector Marco-Gisbert Signed-off-by: Kees Cook --- arch/arm64/include/asm/elf.h | 9 ++++++++- arch/x86/include/asm/elf.h | 24 +++++++++++++++++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index 6adc1a90e7e6..7fbd295a76d2 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h @@ -107,7 +107,14 @@ */ #define elf_check_arch(x) ((x)->e_machine == EM_AARCH64) -#define elf_read_implies_exec(ex,stk) (stk != EXSTACK_DISABLE_X) +/* + * 64-bit processes should not automatically gain READ_IMPLIES_EXEC. Only + * 32-bit processes without PT_GNU_STACK should trigger READ_IMPLIES_EXEC + * out of an abundance of caution against ancient toolchains not knowing + * how to mark memory protection flags correctly. + */ +#define elf_read_implies_exec(ex, stk) \ + (is_compat_task() && stk == EXSTACK_DEFAULT) #define CORE_DUMP_USE_REGSET #define ELF_EXEC_PAGESIZE PAGE_SIZE diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index 69c0f892e310..87d9cf7643b4 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h @@ -280,10 +280,28 @@ extern u32 elf_hwcap2; /* * An executable for which elf_read_implies_exec() returns TRUE will - * have the READ_IMPLIES_EXEC personality flag set automatically. + * have the READ_IMPLIES_EXEC personality flag set automatically. This + * is needed either to show the truth about a memory mapping (i.e. CPUs + * that lack NX have all memory implicitly executable, so this makes + * sure that the visible permissions reflect reality), or to deal with + * old toolchains on new CPUs. Old binaries entirely lacking a GNU_STACK + * indicate they were likely built with a toolchain that has no idea about + * memory permissions, and so we must default to the lowest reasonable + * common denominator for the architecture: on ia32 we assume all memory + * to be executable by default, and on x86_64 we assume all memory to be + * non-executable by default. + * + * CPU: | lacks NX | has NX, ia32 | has NX, x86_64 | + * ELF: | | | | + * ------------------------------|------------------|------------------| + * missing GNU_STACK | needs RIE | needs RIE | no RIE | + * GNU_STACK == RWX | needs RIE | no RIE: stack X | no RIE: stack X | + * GNU_STACK == RW | needs RIE | no RIE: stack NX | no RIE: stack NX | + * */ -#define elf_read_implies_exec(ex, executable_stack) \ - (executable_stack != EXSTACK_DISABLE_X) +#define elf_read_implies_exec(ex, stk) \ + (!(__supported_pte_mask & _PAGE_NX) ? 1 : \ + (mmap_is_ia32() && stk == EXSTACK_DEFAULT)) struct task_struct;