From patchwork Tue Feb 25 05:13:02 2020
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 11402525
From: Kees Cook
To: Borislav Petkov
Subject: [PATCH v4 1/6] x86/elf: Add table to document READ_IMPLIES_EXEC
Date: Mon, 24 Feb 2020 21:13:02 -0800
Message-Id: <20200225051307.6401-2-keescook@chromium.org>
In-Reply-To: <20200225051307.6401-1-keescook@chromium.org>
References: <20200225051307.6401-1-keescook@chromium.org>
Cc: Kees Cook, Jann Horn, Catalin Marinas, x86@kernel.org, Hector Marco-Gisbert, Russell King, linux-kernel@vger.kernel.org, Jason Gunthorpe, kernel-hardening@lists.openwall.com, Will Deacon, linux-arm-kernel@lists.infradead.org

Add a table to document the current behavior of
READ_IMPLIES_EXEC in preparation for changing the behavior. Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe --- arch/x86/include/asm/elf.h | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index 69c0f892e310..733f69c2b053 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h 
@@ -281,6 +281,25 @@ extern u32 elf_hwcap2; /* * An executable for which elf_read_implies_exec() returns TRUE will * have the READ_IMPLIES_EXEC personality flag set automatically. + * + * The decision process for determining the results are: + * + *              CPU: | lacks NX*  | has NX, ia32     | has NX, x86_64 | + * ELF:              |            |                  |                | + * -------------------------------|------------------|----------------| + * missing GNU_STACK | exec-all   | exec-all         | exec-all       | + * GNU_STACK == RWX  | exec-all   | exec-all         | exec-all       | + * GNU_STACK == RW   | exec-none  | exec-none        | exec-none      | + * + * exec-all : all PROT_READ user mappings are executable, except when + * backed by files on a noexec-filesystem. + * exec-none : only PROT_EXEC user mappings are executable. + * + * *this column has no architectural effect: NX markings are ignored by + * hardware, but may have behavioral effects when "wants X" collides with + * "cannot be X" constraints in memory permission flags, as in + * https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com + * */ #define elf_read_implies_exec(ex, executable_stack) \ (executable_stack != EXSTACK_DISABLE_X) From patchwork Tue Feb 25 05:13:03 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11402515 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0FFCB14BC for ; Tue, 25 Feb 2020 05:13:51 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id C039E24682 for ; Tue, 25 Feb 2020 05:13:50 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass 
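Review bot: the rows of the new table above elf_read_implies_exec() are keyed on the PT_GNU_STACK state, but the macro tests executable_stack against EXSTACK_DISABLE_X and nothing in the comment connects the two. Naming the EXSTACK_* value beside each row label would let a reader check the table against the macro. All three CPU columns are identical here because the macro never looks at the CPU; one sentence saying that this is the current state, ahead of the later patches, would avoid the impression that a check is missing. "The decision process for determining the results are:" should also read "is".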
From: Kees Cook
To: Borislav Petkov
Subject: [PATCH v4 2/6] x86/elf: Split READ_IMPLIES_EXEC from executable GNU_STACK
Date: Mon, 24 Feb 2020 21:13:03 -0800
Message-Id: <20200225051307.6401-3-keescook@chromium.org>
In-Reply-To: <20200225051307.6401-1-keescook@chromium.org>
References: <20200225051307.6401-1-keescook@chromium.org>
Cc: Kees Cook, Jann Horn, Catalin Marinas, x86@kernel.org, Hector Marco-Gisbert, Russell King, linux-kernel@vger.kernel.org, Jason Gunthorpe, kernel-hardening@lists.openwall.com, Will Deacon, linux-arm-kernel@lists.infradead.org

The READ_IMPLIES_EXEC work-around was designed for
old toolchains that lacked the ELF PT_GNU_STACK marking under the assumption that toolchains that couldn't specify executable permission flags for the stack may not know how to do it correctly for any memory region. This logic is sensible for having ancient binaries coexist in a system with possibly NX memory, but was implemented in a way that equated having a PT_GNU_STACK marked executable as being as "broken" as lacking the PT_GNU_STACK marking entirely. Things like unmarked assembly and stack trampolines may cause PT_GNU_STACK to need an executable bit, but they do not imply all mappings must be executable. This confusion has led to situations where modern programs with explicitly marked executable stack are forced into the READ_IMPLIES_EXEC state when no such thing is needed. (And leads to unexpected failures when mmap()ing regions of device driver memory that wish to disallow VM_EXEC[1].) In looking for other reasons for the READ_IMPLIES_EXEC behavior, Jann Horn noted that glibc thread stacks have always been marked RWX (until 2003 when they started tracking the PT_GNU_STACK flag instead[2]). And musl doesn't support executable stacks at all[3]. As such, no breakage for multithreaded applications is expected from this change. [1] https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com [2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=54ee14b3882 [3] https://lkml.kernel.org/r/20190423192534.GN23599@brightrain.aerifal.cx Suggested-by: Hector Marco-Gisbert Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe --- arch/x86/include/asm/elf.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index 733f69c2b053..a7035065377c 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h 
@@ -288,12 +288,13 @@ extern u32 elf_hwcap2; * ELF:              |            |                  |                | * -------------------------------|------------------|----------------| * missing GNU_STACK | exec-all   | exec-all         | exec-all       | - * GNU_STACK == RWX  | exec-all   | exec-all         | exec-all       | + * GNU_STACK == RWX  | exec-stack | exec-stack       | exec-stack     | * GNU_STACK == RW   | exec-none  | exec-none        | exec-none      | * * exec-all : all PROT_READ user mappings are executable, except when * backed by files on a noexec-filesystem. * exec-none : only PROT_EXEC user mappings are executable. + * exec-stack: only the stack and PROT_EXEC user mappings are executable. * * *this column has no architectural effect: NX markings are ignored by * hardware, but may have behavioral effects when "wants X" collides with 
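Review bot: the new legend line "exec-stack: only the stack and PROT_EXEC user mappings are executable" does not say which stack it means. The commit message treats thread stacks as a separate concern handled by the C library, so the comment should state whether "the stack" is the initial process stack only. The "lacks NX*" cell of the RWX row is changed to exec-stack as well, although the footnote says NX markings are ignored by hardware in that column; a word in the footnote that the cell describes the personality flag rather than what the hardware enforces would keep the two consistent.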
@@ -302,7 +303,7 @@ extern u32 elf_hwcap2; * */ #define elf_read_implies_exec(ex, executable_stack) \ - (executable_stack != EXSTACK_DISABLE_X) + (executable_stack == EXSTACK_DEFAULT) struct task_struct; From patchwork Tue Feb 25 05:13:04 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11402505 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DF95414E3 for ; Tue, 25 Feb 2020 05:13:18 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id AFC322468D for ; Tue, 25 Feb 2020 05:13:18 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="C6sv+8mU"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="gdPEq+Jj" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org AFC322468D Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=iUQ15I7ispokS1ot/j1nX8jkIZGaWY4d6jC8meirghA=; b=C6sv+8mUJTygWS 
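Review bot: in the elf_read_implies_exec() change the test flips from excluding one value (!= EXSTACK_DISABLE_X) to matching one value (== EXSTACK_DEFAULT), so the macro now depends on EXSTACK_DEFAULT being exactly the "missing GNU_STACK" row, and the comment does not say so. A one-line note tying EXSTACK_DEFAULT to that row would make the dependency explicit for anyone who later adds another EXSTACK_* value. While the line is being touched, the argument could be parenthesized, ((executable_stack) == EXSTACK_DEFAULT), and the unused ex parameter mentioned in the comment.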
From: Kees Cook
To: Borislav Petkov
Subject: [PATCH v4 3/6] x86/elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces
Date: Mon, 24 Feb 2020 21:13:04 -0800
Message-Id: <20200225051307.6401-4-keescook@chromium.org>
In-Reply-To: <20200225051307.6401-1-keescook@chromium.org>
References: <20200225051307.6401-1-keescook@chromium.org>
Cc: Kees Cook, Jann Horn, Catalin Marinas, x86@kernel.org, Hector Marco-Gisbert, Russell King, linux-kernel@vger.kernel.org, Jason Gunthorpe, kernel-hardening@lists.openwall.com, Will Deacon, linux-arm-kernel@lists.infradead.org

With modern x86 64-bit environments,
there should never be a need for automatic READ_IMPLIES_EXEC, as the architecture is intended to always be execute-bit aware (as in, the default memory protection should be NX unless a region explicitly requests to be executable). There were very old x86_64 systems that lacked the NX bit, but for those, the NX bit is, obviously, unenforceable, so these changes should have no impact on them. Suggested-by: Hector Marco-Gisbert Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe --- arch/x86/include/asm/elf.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index a7035065377c..c9b7be0bcad3 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h @@ -287,7 +287,7 @@ extern u32 elf_hwcap2; *              CPU: | lacks NX*  | has NX, ia32     | has NX, x86_64 | * ELF:              |            |                  |                | * -------------------------------|------------------|----------------| - * missing GNU_STACK | exec-all   | exec-all         | exec-all       | + * missing GNU_STACK | exec-all   | exec-all         | exec-none      | * GNU_STACK == RWX  | exec-stack | exec-stack       | exec-stack     | * GNU_STACK == RW   | exec-none  | exec-none        | exec-none      | * 
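Review bot: the table change puts exec-none under "has NX, x86_64", but the columns sit under the heading "CPU:" while the commit subject speaks of 64-bit address spaces. A 32-bit process running on a 64-bit CPU belongs in the ia32 column, which the current headings do not convey. Labelling the columns by process type rather than by CPU (for example "ia32 process" and "x86_64 process", keeping "lacks NX*" as the only CPU property) would match what the series actually keys on.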
@@ -303,7 +303,7 @@ extern u32 elf_hwcap2; * */ #define elf_read_implies_exec(ex, executable_stack) \ - (executable_stack == EXSTACK_DEFAULT) + (mmap_is_ia32() && executable_stack == EXSTACK_DEFAULT) struct task_struct; From patchwork Tue Feb 25 05:13:05 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11402529 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 01BCA14BC for ; Tue, 25 Feb 2020 05:14:37 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id D41892467C for ; Tue, 25 Feb 2020 05:14:36 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="gEB86GVh"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="DcHSUo+5" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D41892467C Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=V6V4hGdkXO39cpZgM3Usb0bpvTRWhmJtC32I0YgAwlo=; b=gEB86GVhvudgcQ 
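Review bot: the new condition mmap_is_ia32() && executable_stack == EXSTACK_DEFAULT does not look at NX support, so for a 64-bit process with no GNU_STACK header it is false on every CPU, while the table still shows exec-all in the "lacks NX*" column for that row. The commit message argues the flag is moot on such CPUs; the table cell or its footnote should say so, since the comment documents what the macro returns. mmap_is_ia32() also takes no argument, so the result now depends on state outside the macro's parameters (ex is still unused); the comment should name that state and say it is already set when the macro is evaluated.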
From: Kees Cook
To: Borislav Petkov
Subject: [PATCH v4 4/6] arm32/64, elf: Add tables to document READ_IMPLIES_EXEC
Date: Mon, 24 Feb 2020 21:13:05 -0800
Message-Id: <20200225051307.6401-5-keescook@chromium.org>
In-Reply-To: <20200225051307.6401-1-keescook@chromium.org>
References: <20200225051307.6401-1-keescook@chromium.org>
Cc: Kees Cook, Jann Horn, Catalin Marinas, x86@kernel.org, Hector Marco-Gisbert, Russell King, linux-kernel@vger.kernel.org, Jason Gunthorpe, kernel-hardening@lists.openwall.com, Will Deacon, linux-arm-kernel@lists.infradead.org

Add tables to document the current behavior of
READ_IMPLIES_EXEC in preparation for changing the behavior for both arm64 and arm. Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe Reviewed-by: Catalin Marinas --- arch/arm/kernel/elf.c | 24 +++++++++++++++++++++--- arch/arm64/include/asm/elf.h | 20 ++++++++++++++++++++ 2 files changed, 41 insertions(+), 3 deletions(-) diff --git a/arch/arm/kernel/elf.c b/arch/arm/kernel/elf.c index 182422981386..2f69cf978fe3 100644 --- a/arch/arm/kernel/elf.c +++ b/arch/arm/kernel/elf.c @@ -78,9 +78,27 @@ void elf_set_personality(const struct elf32_hdr *x) EXPORT_SYMBOL(elf_set_personality); /* - * Set READ_IMPLIES_EXEC if: - * - the binary requires an executable stack - * - we're running on a CPU which doesn't support NX. + * An executable for which elf_read_implies_exec() returns TRUE will + * have the READ_IMPLIES_EXEC personality flag set automatically. + * + * The decision process for determining the results are: + * + *              CPU: | lacks NX*  | has NX | + * ELF:              |            |           | + * -------------------------------|------------| + * missing GNU_STACK | exec-all   | exec-all  | + * GNU_STACK == RWX  | exec-all   | exec-all  | + * GNU_STACK == RW   | exec-all  | exec-none | + * + * exec-all : all PROT_READ user mappings are executable, except when + * backed by files on a noexec-filesystem. + * exec-none : only PROT_EXEC user mappings are executable. + * + * *this column has no architectural effect: NX markings are ignored by + * hardware, but may have behavioral effects when "wants X" collides with + * "cannot be X" constraints in memory permission flags, as in + * https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com + * */ int arm_elf_read_implies_exec(int executable_stack) { diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index b618017205a3..7fc779e3f1ec 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h 
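Review bot: in the arch/arm/kernel/elf.c table the footnote on "lacks NX*" says the column "has no architectural effect", yet the "GNU_STACK == RW" row differs between the two columns (exec-all against exec-none), so on arm the column does change whether the flag is set. The footnote reads as carried over from the x86 comment, where the columns were identical; reword it for arm to state that the flag is set on CPUs without NX, which the removed text said directly ("we're running on a CPU which doesn't support NX"). The body of arm_elf_read_implies_exec() is not part of the hunk, so the table cannot be checked against the code from the patch alone; quoting the condition in the comment would help.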
@@ -96,6 +96,26 @@ */ #define elf_check_arch(x) ((x)->e_machine == EM_AARCH64) +/* + * An executable for which elf_read_implies_exec() returns TRUE will + * have the READ_IMPLIES_EXEC personality flag set automatically. + * + * The decision process for determining the results are: + * + *             CPU*: | arm32    | arm64 | + * ELF:              |            |            | + * -------------------------------|------------| + * missing GNU_STACK | exec-all   | exec-all   | + * GNU_STACK == RWX  | exec-all   | exec-all   | + * GNU_STACK == RW   | exec-none | exec-none | + * + * exec-all : all PROT_READ user mappings are executable, except when + * backed by files on a noexec-filesystem. + * exec-none : only PROT_EXEC user mappings are executable. + * + * *all arm64 CPUs support NX, so there is no "lacks NX" column. + * + */ #define elf_read_implies_exec(ex,stk) (stk != EXSTACK_DISABLE_X) #define CORE_DUMP_USE_REGSET
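Review bot: In the arch/arm/kernel/elf.c hunk, the new comment describes elf_read_implies_exec() but sits directly above arm_elf_read_implies_exec(), and nothing visible here says how the two names relate; name arm_elf_read_implies_exec() in the first sentence, or note that the generic macro resolves to it, so a reader can match the table to the function below it. The sentence "The decision process for determining the results are:" should read "is", and the rule row "-------------------------------|------------|" carries two column separators where every other table row has three.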
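Review bot: In the arch/arm64/include/asm/elf.h hunk, the column headings "arm32" and "arm64" are never defined in the comment, and the footnote only explains why there is no "lacks NX" column; say what the arm32 column means inside an arm64 header (presumably compat tasks, but the comment should state it). Both columns are identical at this point and the single macro "elf_read_implies_exec(ex,stk)" below the comment cannot tell them apart, so a short remark that the split anticipates later patches in the series would stop the table from reading as if the code already distinguished the two.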
From: Kees Cook
To: Borislav Petkov
Subject: [PATCH v4 5/6] arm32/64, elf: Split READ_IMPLIES_EXEC from executable GNU_STACK
Date: Mon, 24 Feb 2020 21:13:06 -0800
Message-Id: <20200225051307.6401-6-keescook@chromium.org>
In-Reply-To: <20200225051307.6401-1-keescook@chromium.org>
References: <20200225051307.6401-1-keescook@chromium.org>
Cc: Kees Cook, Jann Horn, Catalin Marinas, x86@kernel.org, Hector Marco-Gisbert, Russell King, linux-kernel@vger.kernel.org, Jason Gunthorpe, Jason Gunthorpe, kernel-hardening@lists.openwall.com, Will Deacon, linux-arm-kernel@lists.infradead.org

The READ_IMPLIES_EXEC work-around was
designed for old toolchains that lacked the ELF PT_GNU_STACK marking under the assumption that toolchains that couldn't specify executable permission flags for the stack may not know how to do it correctly for any memory region.

This logic is sensible for having ancient binaries coexist in a system with possibly NX memory, but was implemented in a way that equated having a PT_GNU_STACK marked executable as being as "broken" as lacking the PT_GNU_STACK marking entirely. Things like unmarked assembly and stack trampolines may cause PT_GNU_STACK to need an executable bit, but they do not imply all mappings must be executable.

This confusion has led to situations where modern programs with explicitly marked executable stack are forced into the READ_IMPLIES_EXEC state when no such thing is needed. (And leads to unexpected failures when mmap()ing regions of device driver memory that wish to disallow VM_EXEC[1].)

In looking for other reasons for the READ_IMPLIES_EXEC behavior, Jann Horn noted that glibc thread stacks have always been marked RWX (until 2003 when they started tracking the PT_GNU_STACK flag instead[2]). And musl doesn't support executable stacks at all[3]. As such, no breakage for multithreaded applications is expected from this change.

This changes arm32 and arm64 compat together, to keep behavior the same.

[1] https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com
[2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=54ee14b3882
[3] https://lkml.kernel.org/r/20190423192534.GN23599@brightrain.aerifal.cx

Suggested-by: Hector Marco-Gisbert
Signed-off-by: Kees Cook
Reviewed-by: Jason Gunthorpe
Reviewed-by: Catalin Marinas
--- arch/arm/kernel/elf.c | 5 +++-- arch/arm64/include/asm/elf.h | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/arch/arm/kernel/elf.c b/arch/arm/kernel/elf.c index 2f69cf978fe3..6965a673a141 100644 --- a/arch/arm/kernel/elf.c +++ b/arch/arm/kernel/elf.c
@@ -87,12 +87,13 @@ EXPORT_SYMBOL(elf_set_personality); * ELF:              |            |           | * -------------------------------|------------| * missing GNU_STACK | exec-all   | exec-all  | - * GNU_STACK == RWX  | exec-all   | exec-all  | + * GNU_STACK == RWX  | exec-all   | exec-stack | * GNU_STACK == RW   | exec-all  | exec-none | * * exec-all : all PROT_READ user mappings are executable, except when * backed by files on a noexec-filesystem. * exec-none : only PROT_EXEC user mappings are executable. + * exec-stack: only the stack and PROT_EXEC user mappings are executable. * * *this column has no architectural effect: NX markings are ignored by * hardware, but may have behavioral effects when "wants X" collides with @@ -102,7 +103,7 @@ EXPORT_SYMBOL(elf_set_personality); */ int arm_elf_read_implies_exec(int executable_stack) { - if (executable_stack != EXSTACK_DISABLE_X) + if (executable_stack == EXSTACK_DEFAULT) return 1; if (cpu_architecture() < CPU_ARCH_ARMv6) return 1; diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index 7fc779e3f1ec..03ada29984a7 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h 
@@ -106,17 +106,18 @@ * ELF:              |            |            | * -------------------------------|------------| * missing GNU_STACK | exec-all   | exec-all   | - * GNU_STACK == RWX  | exec-all   | exec-all   | + * GNU_STACK == RWX  | exec-stack | exec-stack | * GNU_STACK == RW   | exec-none | exec-none | * * exec-all : all PROT_READ user mappings are executable, except when * backed by files on a noexec-filesystem. * exec-none : only PROT_EXEC user mappings are executable. + * exec-stack: only the stack and PROT_EXEC user mappings are executable. * * *all arm64 CPUs support NX, so there is no "lacks NX" column. * */ -#define elf_read_implies_exec(ex,stk) (stk != EXSTACK_DISABLE_X) +#define elf_read_implies_exec(ex,stk) (stk == EXSTACK_DEFAULT) #define CORE_DUMP_USE_REGSET #define ELF_EXEC_PAGESIZE PAGE_SIZE
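Review bot: In the arch/arm/kernel/elf.c hunk, the new test "if (executable_stack == EXSTACK_DEFAULT)" is what implements the "missing GNU_STACK" row, yet nothing at the condition says that EXSTACK_DEFAULT is the no-PT_GNU_STACK case; a one-line comment there would save readers from inferring it from the table. It is also worth noting in the comment that the "lacks NX" column stays exec-all for GNU_STACK == RWX only because of the "cpu_architecture() < CPU_ARCH_ARMv6" check that follows, since that row now differs between the two columns.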
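Review bot: In the arch/arm64/include/asm/elf.h hunk, the rewritten macro body "(stk == EXSTACK_DEFAULT)" still expands its argument unparenthesised; since the line is being touched anyway, write it as ((stk) == EXSTACK_DEFAULT). The added legend line for exec-stack says "only the stack" without saying which stack, while the commit message treats thread stacks as a separate question, so the comment should state whether it means just the initial process stack.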
From: Kees Cook
To: Borislav Petkov
Subject: [PATCH v4 6/6] arm64, elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces
Date: Mon, 24 Feb 2020 21:13:07 -0800
Message-Id: <20200225051307.6401-7-keescook@chromium.org>
In-Reply-To: <20200225051307.6401-1-keescook@chromium.org>
References: <20200225051307.6401-1-keescook@chromium.org>
Cc: Kees Cook, Jann Horn, Catalin Marinas, x86@kernel.org, Hector Marco-Gisbert, Russell King, linux-kernel@vger.kernel.org, Jason Gunthorpe, Jason Gunthorpe, kernel-hardening@lists.openwall.com, Will Deacon, linux-arm-kernel@lists.infradead.org

With arm64 64-bit environments,
there should never be a need for automatic READ_IMPLIES_EXEC, as the architecture has always been execute-bit aware (as in, the default memory protection should be NX unless a region explicitly requests to be executable). Suggested-by: Hector Marco-Gisbert Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe Reviewed-by: Catalin Marinas --- arch/arm64/include/asm/elf.h | 4 ++-- fs/compat_binfmt_elf.c | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index 03ada29984a7..ea9221ed68a1 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h @@ -105,7 +105,7 @@ *             CPU*: | arm32    | arm64 | * ELF:              |            |            | * -------------------------------|------------| - * missing GNU_STACK | exec-all   | exec-all   | + * missing GNU_STACK | exec-all   | exec-none  | * GNU_STACK == RWX  | exec-stack | exec-stack | * GNU_STACK == RW   | exec-none | exec-none | * @@ -117,7 +117,7 @@ * *all arm64 CPUs support NX, so there is no "lacks NX" column. * */ -#define elf_read_implies_exec(ex,stk) (stk == EXSTACK_DEFAULT) +#define compat_elf_read_implies_exec(ex, stk) (stk == EXSTACK_DEFAULT) #define CORE_DUMP_USE_REGSET #define ELF_EXEC_PAGESIZE PAGE_SIZE diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c index aaad4ca1217e..3068d57436b3 100644 --- a/fs/compat_binfmt_elf.c +++ b/fs/compat_binfmt_elf.c @@ -113,6 +113,11 @@ #define arch_setup_additional_pages compat_arch_setup_additional_pages #endif +#ifdef compat_elf_read_implies_exec +#undef elf_read_implies_exec +#define elf_read_implies_exec compat_elf_read_implies_exec +#endif + /* * Rename a few of the symbols that binfmt_elf.c will define. * These are all local so the names don't really matter, but it
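Review bot: In the arch/arm64/include/asm/elf.h hunk, renaming the macro to compat_elf_read_implies_exec() leaves this header with no elf_read_implies_exec() definition, so the new "exec-none" entry in the arm64 column depends on a default that is not part of this diff; the comment above the macro should say that native tasks use that default and that only the arm32 column goes through compat_elf_read_implies_exec(). The renamed macro also keeps the unparenthesised "stk" in "(stk == EXSTACK_DEFAULT)".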
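Review bot: In the fs/compat_binfmt_elf.c hunk, the new "#ifdef compat_elf_read_implies_exec" block adds a hook to generic code that any architecture can now define, but the subject line says "arm64, elf:" and neither the commit message nor the hunk documents it; add a short comment above the block, and a sentence in the changelog, stating that an architecture may define compat_elf_read_implies_exec to give compat tasks a different READ_IMPLIES_EXEC decision from native ones.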