From patchwork Mon May 21 21:11:47 2018
X-Patchwork-Submitter: Greg Kroah-Hartman
X-Patchwork-Id: 10416595
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alexey Izbyshev, Dmitry Safonov, Thomas Gleixner, Cyrill Gorcunov, Borislav Petkov, Alexander Monakov, Dmitry Safonov <0x7f454c46@gmail.com>, linux-mm@kvack.org, Andy Lutomirski, "H. Peter Anvin", "Kirill A. Shutemov"
Subject: [PATCH 4.16 050/110] x86/mm: Drop TS_COMPAT on 64-bit exec() syscall
Date: Mon, 21 May 2018 23:11:47 +0200
Message-Id: <20180521210509.418263210@linuxfoundation.org>
In-Reply-To: <20180521210503.823249477@linuxfoundation.org>
References: <20180521210503.823249477@linuxfoundation.org>

4.16-stable review patch. If anyone has any objections, please let me know.

------------------
From: Dmitry Safonov

commit acf46020012ccbca1172e9c7aeab399c950d9212 upstream.

The x86 mmap() code selects the mmap base for an allocation depending on
the bitness of the syscall. For 64bit syscalls it selects mm->mmap_base
and for 32bit mm->mmap_compat_base.

exec() calls mmap() which in turn uses in_compat_syscall() to check whether
the mapping is for a 32bit or a 64bit task. The decision is made on the
following criteria:

  ia32    child->thread.status & TS_COMPAT
  x32     child->pt_regs.orig_ax & __X32_SYSCALL_BIT
  ia64    !ia32 && !x32

__set_personality_x32() was dropping the TS_COMPAT flag, but
set_personality_64bit() has kept the compat syscall flag, making
in_compat_syscall() return true during the first exec() syscall. This has
user-visible effects, mentioned by Alexey:

1) It breaks ASAN

  $ gcc -fsanitize=address wrap.c -o wrap-asan
  $ ./wrap32 ./wrap-asan true
  ==1217==Shadow memory range interleaves with an existing memory mapping. ASan cannot proceed correctly. ABORTING.
  ==1217==ASan shadow was supposed to be located in the [0x00007fff7000-0x10007fff7fff] range.
  ==1217==Process memory map follows:
        0x000000400000-0x000000401000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
        0x000000600000-0x000000601000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
        0x000000601000-0x000000602000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
        0x0000f7dbd000-0x0000f7de2000   /lib64/ld-2.27.so
        0x0000f7fe2000-0x0000f7fe3000   /lib64/ld-2.27.so
        0x0000f7fe3000-0x0000f7fe4000   /lib64/ld-2.27.so
        0x0000f7fe4000-0x0000f7fe5000
        0x7fed9abff000-0x7fed9af54000
        0x7fed9af54000-0x7fed9af6b000   /lib64/libgcc_s.so.1
  [snip]

2) It doesn't seem to be great for security if an attacker always knows that
ld.so is going to be mapped into the first 4GB in this case (the same thing
happens for PIEs as well).
The testcase:

  $ cat wrap.c
  #include <unistd.h>

  int main(int argc, char *argv[])
  {
  	/* Re-exec argv[1..] from this (32-bit or 64-bit) parent; 127 if exec fails. */
  	execvp(argv[1], &argv[1]);
  	return 127;
  }
  $ gcc wrap.c -o wrap
  $ LD_SHOW_AUXV=1 ./wrap ./wrap true |& grep AT_BASE
  AT_BASE:         0x7f63b8309000
  AT_BASE:         0x7faec143c000
  AT_BASE:         0x7fbdb25fa000
  $ gcc -m32 wrap.c -o wrap32
  $ LD_SHOW_AUXV=1 ./wrap32 ./wrap true |& grep AT_BASE
  AT_BASE:         0xf7eff000
  AT_BASE:         0xf7cee000
  AT_BASE:         0x7f8b9774e000

Fixes: 1b028f784e8c ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
Fixes: ada26481dfe6 ("x86/mm: Make in_compat_syscall() work during exec")
Reported-by: Alexey Izbyshev
Bisected-by: Alexander Monakov
Investigated-by: Andy Lutomirski
Signed-off-by: Dmitry Safonov
Signed-off-by: Thomas Gleixner
Reviewed-by: Cyrill Gorcunov
Cc: Borislav Petkov
Cc: Alexander Monakov
Cc: Dmitry Safonov <0x7f454c46@gmail.com>
Cc: stable@vger.kernel.org
Cc: linux-mm@kvack.org
Cc: Andy Lutomirski
Cc: "H. Peter Anvin"
Cc: Cyrill Gorcunov
Cc: "Kirill A. Shutemov"
Link: https://lkml.kernel.org/r/20180517233510.24996-1-dima@arista.com
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kernel/process_64.c | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c @@ -528,6 +528,7 @@ void set_personality_64bit(void) clear_thread_flag(TIF_X32); /* Pretend that this comes from a 64bit execve */ task_pt_regs(current)->orig_ax = __NR_execve; + current_thread_info()->status &= ~TS_COMPAT; /* Ensure the corresponding mm is not marked. */ if (current->mm)
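Review bot: the comment above the new `current_thread_info()->status &= ~TS_COMPAT;` line still only explains the orig_ax trick, yet the commit message's table shows in_compat_syscall() consults both orig_ax (x32) and TS_COMPAT (ia32), so the two statements only work as a pair; suggest widening the comment to `/* Pretend that this comes from a 64bit execve: reset orig_ax and drop TS_COMPAT */` so a later reader does not move or drop one of them. The hunk as shown here is cut off right after `if (current->mm)`, so the trailing context (the mm marking that the next comment refers to) could not be checked against this change.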
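A defender-side check for the symptom described in the commit message (ld.so of a 64-bit process landing below 4 GiB), added here as an example and not part of the patch or the kernel tree; the sample map lines are constructed from the ASan dump quoted above, and the fixed-kernel line and file names are assumptions.

```python
"""Flag a 64-bit process whose dynamic loader was mapped below 4 GiB, the
symptom of the TS_COMPAT bug described above.  Accepts ASan-style
"start-end path" lines or /proc/<pid>/maps lines."""
import sys

FOUR_GIB = 1 << 32


def parse_mapping(line):
    """Return (start, end, path) for a 'start-end ... [path]' line, else None."""
    parts = line.split()
    if not parts or "-" not in parts[0]:
        return None
    lo, hi = parts[0].split("-", 1)
    try:
        start, end = int(lo, 16), int(hi, 16)   # int() accepts a 0x prefix
    except ValueError:
        return None
    # ASan prints "range path"; /proc/<pid>/maps puts perms/offset/dev/inode first.
    path = parts[-1] if len(parts) > 1 and parts[-1][0] in "/[" else ""
    return start, end, path


def low_mappings(lines, limit=FOUR_GIB):
    """Named mappings that end at or below `limit`.  Non-PIE text at 0x400000 is
    expected here; ld.so or a PIE is not, in a 64-bit process."""
    hits = []
    for line in lines:
        m = parse_mapping(line)
        if m and m[2] and m[1] <= limit:
            hits.append(m)
    return hits


def is_affected(lines):
    """True when ld.so of the (64-bit) process sits under 4 GiB."""
    return any("/ld-" in p or "/ld.so" in p or "/ld-linux" in p
               for _, _, p in low_mappings(lines))


# Constructed samples: the first mirrors the dump in the commit message, the
# second a healthy 64-bit layout (end address assumed).
SAMPLE_BUGGY = """\
0x000000400000-0x000000401000 /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
0x0000f7dbd000-0x0000f7de2000 /lib64/ld-2.27.so
0x0000f7fe4000-0x0000f7fe5000
0x7fed9abff000-0x7fed9af54000
0x7fed9af54000-0x7fed9af6b000 /lib64/libgcc_s.so.1""".splitlines()
SAMPLE_FIXED = ["7f63b8309000-7f63b832e000 r-xp 00000000 08:01 1 /lib64/ld-2.27.so"]

if __name__ == "__main__":
    # Run as the 64-bit child of a 32-bit parent (e.g. via the wrap32 testcase)
    # to probe a live kernel; with a file argument it parses a saved dump.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else open("/proc/self/maps")
    with src:
        print("AFFECTED" if is_affected(src.read().splitlines()) else "ok")
```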