From patchwork Tue Feb 25 05:13:02 2020
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 11402517
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Delivered-To: mailing list kernel-hardening@lists.openwall.com
From: Kees Cook
To: Borislav Petkov
Cc: Kees Cook, Jason Gunthorpe, Hector Marco-Gisbert, Jason Gunthorpe, Catalin Marinas, Russell King, Will Deacon, Jann Horn, x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org
Subject: [PATCH v4 1/6] x86/elf: Add table to document READ_IMPLIES_EXEC
Date: Mon, 24 Feb 2020 21:13:02 -0800
Message-Id: <20200225051307.6401-2-keescook@chromium.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20200225051307.6401-1-keescook@chromium.org>
References: <20200225051307.6401-1-keescook@chromium.org>

Add a table to document the current behavior of READ_IMPLIES_EXEC in
preparation for changing the behavior.

Signed-off-by: Kees Cook
Reviewed-by: Jason Gunthorpe
---
 arch/x86/include/asm/elf.h | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
index 69c0f892e310..733f69c2b053 100644
--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
@@ -281,6 +281,25 @@ extern u32 elf_hwcap2; /* * An executable for which elf_read_implies_exec() returns TRUE will * have the READ_IMPLIES_EXEC personality flag set automatically. + * + * The decision process for determining the results are: + * + *              CPU: | lacks NX*  | has NX, ia32     | has NX, x86_64 | + * ELF:              |            |                  |                | + * -------------------------------|------------------|----------------| + * missing GNU_STACK | exec-all   | exec-all         | exec-all       | + * GNU_STACK == RWX  | exec-all   | exec-all         | exec-all       | + * GNU_STACK == RW   | exec-none  | exec-none        | exec-none      | + * + * exec-all : all PROT_READ user mappings are executable, except when + * backed by files on a noexec-filesystem. + * exec-none : only PROT_EXEC user mappings are executable. + * + * *this column has no architectural effect: NX markings are ignored by + * hardware, but may have behavioral effects when "wants X" collides with + * "cannot be X" constraints in memory permission flags, as in + * https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com + * */ #define elf_read_implies_exec(ex, executable_stack) \ (executable_stack != EXSTACK_DISABLE_X) From patchwork Tue Feb 25 05:13:03 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11402511 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6189614BC for ; Tue, 25 Feb 2020 05:13:41 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id BD82124683 for ; Tue, 25 Feb 2020 05:13:40 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="cYoKF8t4" DMARC-Filter: OpenDMARC Filter v1.3.2 
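Review bot: the "lacks NX*" column is misleading as documented, because on x86 the macro right under the table, `(executable_stack != EXSTACK_DISABLE_X)`, never consults NX at all; that column is by construction identical to "has NX, ia32" and only records what the READ_IMPLIES_EXEC personality flag does on a CPU that cannot enforce NX anyway. Say that in the footnote (something like "the kernel does not test NX here; this column shows the effect of the personality flag alone, as in the linked mellanox report") so that the ia32/x86_64 split introduced later in the series is not read as a cue to also split on NX.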
From: Kees Cook
To: Borislav Petkov
Cc: Kees Cook, Hector Marco-Gisbert, Jason Gunthorpe, Jason Gunthorpe, Catalin Marinas, Russell King, Will Deacon, Jann Horn, x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org
Subject: [PATCH v4 2/6] x86/elf: Split READ_IMPLIES_EXEC from executable GNU_STACK
Date: Mon, 24 Feb 2020 21:13:03 -0800
Message-Id: <20200225051307.6401-3-keescook@chromium.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20200225051307.6401-1-keescook@chromium.org>
References: <20200225051307.6401-1-keescook@chromium.org>

The READ_IMPLIES_EXEC work-around was designed for old toolchains that
lacked the ELF PT_GNU_STACK marking under the assumption that toolchains
that couldn't specify executable permission flags for the stack may not
know how to do it correctly for any memory region. This logic is sensible
for having ancient binaries coexist in a system with possibly NX memory,
but was implemented in a way that equated having a PT_GNU_STACK marked
executable as being as "broken" as lacking the PT_GNU_STACK marking
entirely. Things like unmarked assembly and stack trampolines may cause
PT_GNU_STACK to need an executable bit, but they do not imply all mappings
must be executable.

This confusion has led to situations where modern programs with explicitly
marked executable stack are forced into the READ_IMPLIES_EXEC state when
no such thing is needed. (And leads to unexpected failures when mmap()ing
regions of device driver memory that wish to disallow VM_EXEC[1].)

In looking for other reasons for the READ_IMPLIES_EXEC behavior, Jann Horn
noted that glibc thread stacks have always been marked RWX (until 2003
when they started tracking the PT_GNU_STACK flag instead[2]). And musl
doesn't support executable stacks at all[3]. As such, no breakage for
multithreaded applications is expected from this change.
[1] https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com [2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=54ee14b3882 [3] https://lkml.kernel.org/r/20190423192534.GN23599@brightrain.aerifal.cx Suggested-by: Hector Marco-Gisbert Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe --- arch/x86/include/asm/elf.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index 733f69c2b053..a7035065377c 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h @@ -288,12 +288,13 @@ extern u32 elf_hwcap2; * ELF:              |            |                  |                | * -------------------------------|------------------|----------------| * missing GNU_STACK | exec-all   | exec-all         | exec-all       | - * GNU_STACK == RWX  | exec-all   | exec-all         | exec-all       | + * GNU_STACK == RWX  | exec-stack | exec-stack       | exec-stack     | * GNU_STACK == RW   | exec-none  | exec-none        | exec-none      | * * exec-all : all PROT_READ user mappings are executable, except when * backed by files on a noexec-filesystem. * exec-none : only PROT_EXEC user mappings are executable. + * exec-stack: only the stack and PROT_EXEC user mappings are executable. * * *this column has no architectural effect: NX markings are ignored by * hardware, but may have behavioral effects when "wants X" collides with 
@@ -302,7 +303,7 @@ extern u32 elf_hwcap2; * */ #define elf_read_implies_exec(ex, executable_stack) \ - (executable_stack != EXSTACK_DISABLE_X) + (executable_stack == EXSTACK_DEFAULT) struct task_struct; From patchwork Tue Feb 25 05:13:04 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11402509 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8DDE414BC for ; Tue, 25 Feb 2020 05:13:34 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id A9B5724683 for ; Tue, 25 Feb 2020 05:13:33 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="gdPEq+Jj" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org A9B5724683 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-17898-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 7393 invoked by uid 550); 25 Feb 2020 05:13:26 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 7358 invoked from network); 25 Feb 2020 05:13:25 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=ZNLE8qanU9tB+qprhCqb5JhCmvZIHAS4t1qFulujc3c=; b=gdPEq+JjTnrTNZqPxDtXj3Xt27Obpw016njmHmr0gwgR2L0EhflW7LupjRtFxw9Gzn d6sOQ9k8yYEGUOhzaE7ZBqcsy7EJW5gT+CjF9zvaZkZkitVMHy3UQiBPck0XAuOlr352 
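Review bot: `(executable_stack == EXSTACK_DEFAULT)` is a user-visible behavior change for every binary whose PT_GNU_STACK is marked executable: under the old `!= EXSTACK_DISABLE_X` test such a binary got exec-all, and after this hunk any code it runs from a PROT_READ-only anonymous or file mapping faults on NX hardware. The commit message argues thread stacks (glibc, musl) are unaffected but does not mention this case; add a sentence saying that such binaries now have to set the READ_IMPLIES_EXEC personality flag explicitly, and extend the new "exec-stack" line in the table to say that the stack is the only mapping that gains execute permission implicitly.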
From: Kees Cook To: Borislav Petkov Cc: Kees Cook , Hector Marco-Gisbert , Jason Gunthorpe , Jason Gunthorpe , Catalin Marinas , Russell King , Will Deacon , Jann Horn , x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org Subject: [PATCH v4 3/6] x86/elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces Date: Mon, 24 Feb 2020 21:13:04 -0800 Message-Id: <20200225051307.6401-4-keescook@chromium.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200225051307.6401-1-keescook@chromium.org> References: <20200225051307.6401-1-keescook@chromium.org> MIME-Version: 1.0 With modern x86 64-bit environments, there should never be a need for automatic READ_IMPLIES_EXEC, as the architecture is intended to always be execute-bit aware (as in, the default memory protection should be NX unless a region explicitly requests to be executable). There were very old x86_64 systems that lacked the NX bit, but for those, the NX bit is, obviously, unenforceable, so these changes should have no impact on them. Suggested-by: Hector Marco-Gisbert Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe --- arch/x86/include/asm/elf.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index a7035065377c..c9b7be0bcad3 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h @@ -287,7 +287,7 @@ extern u32 elf_hwcap2; *              CPU: | lacks NX*  | has NX, ia32     | has NX, x86_64 | * ELF:              |            |                  |                | * -------------------------------|------------------|----------------| - * missing GNU_STACK | exec-all   | exec-all         | exec-all       | + * missing GNU_STACK | exec-all   | exec-all         | exec-none      | * GNU_STACK == RWX  | exec-stack | exec-stack       | exec-stack     | * GNU_STACK == RW   | exec-none  | exec-none        | exec-none      | * 
@@ -303,7 +303,7 @@ extern u32 elf_hwcap2; * */ #define elf_read_implies_exec(ex, executable_stack) \ - (executable_stack == EXSTACK_DEFAULT) + (mmap_is_ia32() && executable_stack == EXSTACK_DEFAULT) struct task_struct; From patchwork Tue Feb 25 05:13:05 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11402519 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 40AE514BC for ; Tue, 25 Feb 2020 05:14:03 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id 9B9612467C for ; Tue, 25 Feb 2020 05:14:02 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="DcHSUo+5" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9B9612467C Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-17902-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 7582 invoked by uid 550); 25 Feb 2020 05:13:29 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 7493 invoked from network); 25 Feb 2020 05:13:27 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=QU6tarMcleK7JZEKv6NGFcAaaMn8J85o/O86pl2boI8=; b=DcHSUo+5uhomdqc7fCqlU3p2aWJnrlaigJaUEKSmf+9FQuRxJNZKzo7AgMVRkj+enj PYAibvmj1Z4N2moDH7SYmegC9w9CQ+j3GWVpJV9v6+s1bSScng2s38DzUzJ80Wqsf+5R 
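Review bot: after the "has NX, x86_64" cell for "missing GNU_STACK" becomes exec-none, the "lacks NX*" column is accurate only for 32-bit tasks: a 64-bit task on an NX-less CPU also stops getting the personality flag, because the macro tests the address space, not NX. Either footnote that the "lacks NX" column describes ia32 tasks, or add that for an x86_64 task the row is exec-none regardless (consistent with the commit message's point that NX is unenforceable on those old systems either way).

Review bot: `mmap_is_ia32()` is a property of the current task rather than of the `ex` header the macro receives, so the result depends on SET_PERSONALITY having already switched the task to the new image's ABI by the time binfmt_elf calls elf_read_implies_exec(); note that ordering in the comment, or test the ELF class of `ex` directly so the macro cannot depend on call order. The table header row also says "ia32"/"x86_64" as if that were a CPU property; the subject line's "64-bit address spaces" is the accurate wording and belongs in the header.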
From: Kees Cook
To: Borislav Petkov
Cc: Kees Cook, Jason Gunthorpe, Catalin Marinas, Hector Marco-Gisbert, Jason Gunthorpe, Russell King, Will Deacon, Jann Horn, x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org
Subject: [PATCH v4 4/6] arm32/64, elf: Add tables to document READ_IMPLIES_EXEC
Date: Mon, 24 Feb 2020 21:13:05 -0800
Message-Id: <20200225051307.6401-5-keescook@chromium.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20200225051307.6401-1-keescook@chromium.org>
References: <20200225051307.6401-1-keescook@chromium.org>

Add tables to document the current behavior of READ_IMPLIES_EXEC in
preparation for changing the behavior for both arm64 and arm.

Signed-off-by: Kees Cook
Reviewed-by: Jason Gunthorpe
Reviewed-by: Catalin Marinas
---
 arch/arm/kernel/elf.c        | 24 +++++++++++++++++++++---
 arch/arm64/include/asm/elf.h | 20 ++++++++++++++++++++
 2 files changed, 41 insertions(+), 3 deletions(-)
diff --git a/arch/arm/kernel/elf.c b/arch/arm/kernel/elf.c index 182422981386..2f69cf978fe3 100644 --- a/arch/arm/kernel/elf.c +++ b/arch/arm/kernel/elf.c @@ -78,9 +78,27 @@ void elf_set_personality(const struct elf32_hdr *x) EXPORT_SYMBOL(elf_set_personality); /* - * Set READ_IMPLIES_EXEC if: - * - the binary requires an executable stack - * - we're running on a CPU which doesn't support NX. + * An executable for which elf_read_implies_exec() returns TRUE will + * have the READ_IMPLIES_EXEC personality flag set automatically. + * + * The decision process for determining the results are: + * + *              CPU: | lacks NX*  | has NX | + * ELF:              |            |           | + * -------------------------------|------------| + * missing GNU_STACK | exec-all   | exec-all  | + * GNU_STACK == RWX  | exec-all   | exec-all  | + * GNU_STACK == RW   | exec-all  | exec-none | + * + * exec-all : all PROT_READ user mappings are executable, except when + * backed by files on a noexec-filesystem. + * exec-none : only PROT_EXEC user mappings are executable. + * + * *this column has no architectural effect: NX markings are ignored by + * hardware, but may have behavioral effects when "wants X" collides with + * "cannot be X" constraints in memory permission flags, as in + * https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com + * */ int arm_elf_read_implies_exec(int executable_stack) { diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index b618017205a3..7fc779e3f1ec 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h 
@@ -96,6 +96,26 @@ */ #define elf_check_arch(x) ((x)->e_machine == EM_AARCH64) +/* + * An executable for which elf_read_implies_exec() returns TRUE will + * have the READ_IMPLIES_EXEC personality flag set automatically. + * + * The decision process for determining the results are: + * + *             CPU*: | arm32    | arm64 | + * ELF:              |            |            | + * -------------------------------|------------| + * missing GNU_STACK | exec-all   | exec-all   | + * GNU_STACK == RWX  | exec-all   | exec-all   | + * GNU_STACK == RW   | exec-none | exec-none | + * + * exec-all : all PROT_READ user mappings are executable, except when + * backed by files on a noexec-filesystem. + * exec-none : only PROT_EXEC user mappings are executable. + * + * *all arm64 CPUs support NX, so there is no "lacks NX" column. + * + */ #define elf_read_implies_exec(ex,stk) (stk != EXSTACK_DISABLE_X) #define CORE_DUMP_USE_REGSET From patchwork Tue Feb 25 05:13:06 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11402527 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9949914E3 for ; Tue, 25 Feb 2020 05:14:23 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id CBEB22467C for ; Tue, 25 Feb 2020 05:14:22 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="DPDiTUn9" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org CBEB22467C Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-17904-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 7727 invoked by uid 
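Review bot: the arm table's "lacks NX*" footnote is copied from x86 ("this column has no architectural effect"), but on arm that column is a real decision input: the "GNU_STACK == RW" row is exec-all under "lacks NX" and exec-none under "has NX" because arm_elf_read_implies_exec() returns 1 on pre-ARMv6 CPUs (the `cpu_architecture() < CPU_ARCH_ARMv6` test visible in the next patch's context). Reword the footnote to say the flag is deliberately set there since the hardware cannot enforce NX. Also align the cells of the "GNU_STACK == RW" row (`| exec-all  | exec-none |`) with the rows above; the misalignment is carried unchanged into patch 5.

Review bot: the arm64 table's header reads "CPU*:" with columns "arm32 | arm64", but those columns are the task's ABI (compat arm32 versus native arm64), not CPU types, and the footnote ("all arm64 CPUs support NX") explains why a column is missing rather than what the header means. Label the columns by ABI (e.g. "compat arm32 | native arm64") and widen them so the rows line up; "| exec-none | exec-none |" is narrower than the header row.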
From: Kees Cook
To: Borislav Petkov
Cc: Kees Cook, Hector Marco-Gisbert, Jason Gunthorpe, Catalin Marinas, Jason Gunthorpe, Russell King, Will Deacon, Jann Horn, x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org
Subject: [PATCH v4 5/6] arm32/64, elf: Split READ_IMPLIES_EXEC from executable GNU_STACK
Date: Mon, 24 Feb 2020 21:13:06 -0800
Message-Id: <20200225051307.6401-6-keescook@chromium.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20200225051307.6401-1-keescook@chromium.org>
References: <20200225051307.6401-1-keescook@chromium.org>

The READ_IMPLIES_EXEC work-around was designed for old toolchains that
lacked the ELF PT_GNU_STACK marking under the assumption that toolchains
that couldn't specify executable permission flags for the stack may not
know how to do it correctly for any memory region. This logic is sensible
for having ancient binaries coexist in a system with possibly NX memory,
but was implemented in a way that equated having a PT_GNU_STACK marked
executable as being as "broken" as lacking the PT_GNU_STACK marking
entirely. Things like unmarked assembly and stack trampolines may cause
PT_GNU_STACK to need an executable bit, but they do not imply all mappings
must be executable.

This confusion has led to situations where modern programs with explicitly
marked executable stack are forced into the READ_IMPLIES_EXEC state when
no such thing is needed. (And leads to unexpected failures when mmap()ing
regions of device driver memory that wish to disallow VM_EXEC[1].)

In looking for other reasons for the READ_IMPLIES_EXEC behavior, Jann Horn
noted that glibc thread stacks have always been marked RWX (until 2003
when they started tracking the PT_GNU_STACK flag instead[2]). And musl
doesn't support executable stacks at all[3]. As such, no breakage for
multithreaded applications is expected from this change.
This changes arm32 and arm64 compat together, to keep behavior the same. [1] https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com [2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=54ee14b3882 [3] https://lkml.kernel.org/r/20190423192534.GN23599@brightrain.aerifal.cx Suggested-by: Hector Marco-Gisbert Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe Reviewed-by: Catalin Marinas --- arch/arm/kernel/elf.c | 5 +++-- arch/arm64/include/asm/elf.h | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/arch/arm/kernel/elf.c b/arch/arm/kernel/elf.c index 2f69cf978fe3..6965a673a141 100644 --- a/arch/arm/kernel/elf.c +++ b/arch/arm/kernel/elf.c @@ -87,12 +87,13 @@ EXPORT_SYMBOL(elf_set_personality); * ELF:              |            |           | * -------------------------------|------------| * missing GNU_STACK | exec-all   | exec-all  | - * GNU_STACK == RWX  | exec-all   | exec-all  | + * GNU_STACK == RWX  | exec-all   | exec-stack | * GNU_STACK == RW   | exec-all  | exec-none | * * exec-all : all PROT_READ user mappings are executable, except when * backed by files on a noexec-filesystem. * exec-none : only PROT_EXEC user mappings are executable. + * exec-stack: only the stack and PROT_EXEC user mappings are executable. * * *this column has no architectural effect: NX markings are ignored by * hardware, but may have behavioral effects when "wants X" collides with @@ -102,7 +103,7 @@ EXPORT_SYMBOL(elf_set_personality); */ int arm_elf_read_implies_exec(int executable_stack) { - if (executable_stack != EXSTACK_DISABLE_X) + if (executable_stack == EXSTACK_DEFAULT) return 1; if (cpu_architecture() < CPU_ARCH_ARMv6) return 1; diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index 7fc779e3f1ec..03ada29984a7 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h 
@@ -106,17 +106,18 @@ * ELF:              |            |            | * -------------------------------|------------| * missing GNU_STACK | exec-all   | exec-all   | - * GNU_STACK == RWX  | exec-all   | exec-all   | + * GNU_STACK == RWX  | exec-stack | exec-stack | * GNU_STACK == RW   | exec-none | exec-none | * * exec-all : all PROT_READ user mappings are executable, except when * backed by files on a noexec-filesystem. * exec-none : only PROT_EXEC user mappings are executable. + * exec-stack: only the stack and PROT_EXEC user mappings are executable. * * *all arm64 CPUs support NX, so there is no "lacks NX" column. * */ -#define elf_read_implies_exec(ex,stk) (stk != EXSTACK_DISABLE_X) +#define elf_read_implies_exec(ex,stk) (stk == EXSTACK_DEFAULT) #define CORE_DUMP_USE_REGSET #define ELF_EXEC_PAGESIZE PAGE_SIZE From patchwork Tue Feb 25 05:13:07 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11402523 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id F068514E3 for ; Tue, 25 Feb 2020 05:14:12 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id 5781D2467C for ; Tue, 25 Feb 2020 05:14:12 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="FNMuINYq" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5781D2467C Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-17903-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 7644 invoked by uid 550); 25 Feb 2020 05:13:30 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by 
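Review bot: in arm_elf_read_implies_exec() the `cpu_architecture() < CPU_ARCH_ARMv6` test still follows the new `executable_stack == EXSTACK_DEFAULT` test, so on a pre-v6 CPU every row returns 1 and the "lacks NX" column stays exec-all, which matches the table; but the "lacks NX" RWX cell (exec-all) and the "has NX" RWX cell (exec-stack) now differ only in whether the personality flag is set, and the footnote should say that explicitly rather than "no architectural effect".

Review bot: changing `elf_read_implies_exec` in arch/arm64 at this point affects native arm64 binaries as well as compat ones (both table columns move to exec-stack), while the commit message says only "This changes arm32 and arm64 compat together". State that native arm64 also changes here and that patch 6 then removes the native case entirely, so a bisect landing on this commit is explained by its own message.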
From: Kees Cook To: Borislav Petkov Cc: Kees Cook , Hector Marco-Gisbert , Jason Gunthorpe , Catalin Marinas , Jason Gunthorpe , Russell King , Will Deacon , Jann Horn , x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org Subject: [PATCH v4 6/6] arm64, elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces Date: Mon, 24 Feb 2020 21:13:07 -0800 Message-Id: <20200225051307.6401-7-keescook@chromium.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200225051307.6401-1-keescook@chromium.org> References: <20200225051307.6401-1-keescook@chromium.org> MIME-Version: 1.0 With arm64 64-bit environments, there should never be a need for automatic READ_IMPLIES_EXEC, as the architecture has always been execute-bit aware (as in, the default memory protection should be NX unless a region explicitly requests to be executable). Suggested-by: Hector Marco-Gisbert Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe Reviewed-by: Catalin Marinas --- arch/arm64/include/asm/elf.h | 4 ++-- fs/compat_binfmt_elf.c | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index 03ada29984a7..ea9221ed68a1 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h @@ -105,7 +105,7 @@ *             CPU*: | arm32    | arm64 | * ELF:              |            |            | * -------------------------------|------------| - * missing GNU_STACK | exec-all   | exec-all   | + * missing GNU_STACK | exec-all   | exec-none  | * GNU_STACK == RWX  | exec-stack | exec-stack | * GNU_STACK == RW   | exec-none | exec-none | * @@ -117,7 +117,7 @@ * *all arm64 CPUs support NX, so there is no "lacks NX" column. * */ -#define elf_read_implies_exec(ex,stk) (stk == EXSTACK_DEFAULT) +#define compat_elf_read_implies_exec(ex, stk) (stk == EXSTACK_DEFAULT) #define CORE_DUMP_USE_REGSET #define ELF_EXEC_PAGESIZE PAGE_SIZE 
diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c index aaad4ca1217e..3068d57436b3 100644 --- a/fs/compat_binfmt_elf.c +++ b/fs/compat_binfmt_elf.c @@ -113,6 +113,11 @@ #define arch_setup_additional_pages compat_arch_setup_additional_pages #endif +#ifdef compat_elf_read_implies_exec +#undef elf_read_implies_exec +#define elf_read_implies_exec compat_elf_read_implies_exec +#endif + /* * Rename a few of the symbols that binfmt_elf.c will define. * These are all local so the names don't really matter, but it
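Review bot: removing `elf_read_implies_exec` from arch/arm64 leaves native arm64 binaries on whatever the generic definition provides, and the hunk does not show it; the commit message should say explicitly that fs/binfmt_elf.c defines elf_read_implies_exec() as 0 when the arch header does not, since that fallback is what makes the "arm64" column read exec-none in every row. The "*" footnote also still says "all arm64 CPUs support NX" under a header that now means ABI rather than CPU; fold into it that compat_elf_read_implies_exec applies to arm32 tasks only.

Review bot: the `#ifdef compat_elf_read_implies_exec` block mirrors the `arch_setup_additional_pages` override just above it, which is the right pattern, but add a one-line comment explaining the `#undef` (the native arch header may still define elf_read_implies_exec). Since fs/compat_binfmt_elf.c is shared, x86 could express its ia32 split with the same hook instead of `mmap_is_ia32()` in patch 3; consider converting x86 too so both architectures make the compat decision in one place.

As an added example (not code from this series or from the kernel), the following C program implements the decision tables above in user space: it classifies a binary's PT_GNU_STACK program header the way load_elf_binary() does (missing, RW, or RWX) and evaluates the old and new elf_read_implies_exec() rules for x86 (patches 1 to 3), arm32 and arm64 (patches 4 to 6). Everything not on the page is an assumption: EXSTACK_ENABLE_X == 2 from include/linux/elf.h, the standard PT_GNU_STACK and PF_* constants, the `*_rie_*` function names, and that native arm64 after patch 6 falls back to the generic elf_read_implies_exec() of 0 (which is what the table's arm64 column shows). The ELF images are constructed in memory rather than read from disk.

```c
/*
 * Added example, not from Kees Cook's series: classify a binary's PT_GNU_STACK
 * the way load_elf_binary() does and apply the READ_IMPLIES_EXEC rules of the
 * tables above, before and after the series, for x86, arm32 and arm64.
 * Assumptions not shown on the page: EXSTACK_ENABLE_X == 2 (include/linux/elf.h),
 * PT_GNU_STACK/PF_* are the standard ELF values, and native arm64 after patch 6
 * uses the generic elf_read_implies_exec() of 0. Images are constructed here.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_GNU_STACK 0x6474e551u
#define PF_X 0x1u
#define PF_W 0x2u
#define PF_R 0x4u
#define EXSTACK_DEFAULT   0 /* no PT_GNU_STACK: "missing GNU_STACK" row */
#define EXSTACK_DISABLE_X 1 /* PT_GNU_STACK without PF_X: "RW" row */
#define EXSTACK_ENABLE_X  2 /* PT_GNU_STACK with PF_X: "RWX" row */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk the program headers of a little-endian ELF32/ELF64 image and return
 * its EXSTACK_* state, or -1 if the image is malformed. */
int gnu_stack_state(const uint8_t *img, size_t len)
{
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0)
        return -1;
    int is64 = img[4] == 2;
    if (is64 && len < 64) return -1;
    uint64_t phoff = is64 ? rd64(img + 32) : rd32(img + 28);
    uint16_t phentsize = rd16(img + (is64 ? 54 : 42));
    uint16_t phnum = rd16(img + (is64 ? 56 : 44));
    size_t flags_off = is64 ? 4 : 24; /* p_flags offset differs by ELF class */
    int state = EXSTACK_DEFAULT;
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (phentsize < flags_off + 4 || off + phentsize > len)
            return -1;
        const uint8_t *ph = img + off;
        if (rd32(ph) != PT_GNU_STACK) continue;
        /* Same rule as load_elf_binary(): only PF_X matters. */
        state = (rd32(ph + flags_off) & PF_X) ? EXSTACK_ENABLE_X : EXSTACK_DISABLE_X;
    }
    return state;
}

/* x86: patch 1 documents the old macro, patches 2 and 3 change it. */
int x86_rie_old(int stk)                  { return stk != EXSTACK_DISABLE_X; }
int x86_rie_new(int is_ia32, int stk)     { return is_ia32 && stk == EXSTACK_DEFAULT; }
/* arm32: the pre-ARMv6 check keeps exec-all on CPUs that lack NX. */
int arm_rie_old(int stk, int pre_v6)      { return stk != EXSTACK_DISABLE_X || pre_v6; }
int arm_rie_new(int stk, int pre_v6)      { return stk == EXSTACK_DEFAULT || pre_v6; }
/* arm64: after patch 6 only compat (arm32) tasks can get the flag. */
int arm64_rie_old(int stk)                { return stk != EXSTACK_DISABLE_X; }
int arm64_rie_new(int is_compat, int stk) { return is_compat && stk == EXSTACK_DEFAULT; }

/* Build a minimal ELF image with one PT_GNU_STACK entry carrying `flags`,
 * or none when gnu_stack == 0. Returns the image length, 0 if buf is too small. */
size_t build_elf(uint8_t *buf, size_t cap, int is64, int gnu_stack, uint32_t flags)
{
    size_t ehsize = is64 ? 64 : 52, phentsize = is64 ? 56 : 32;
    size_t len = ehsize + (gnu_stack ? phentsize : 0);
    if (cap < len) return 0;
    memset(buf, 0, len);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = is64 ? 2 : 1;                      /* EI_CLASS */
    buf[5] = 1;                                 /* EI_DATA: little-endian */
    buf[is64 ? 32 : 28] = (uint8_t)ehsize;      /* e_phoff: right after the header */
    buf[is64 ? 54 : 42] = (uint8_t)phentsize;   /* e_phentsize */
    buf[is64 ? 56 : 44] = gnu_stack ? 1 : 0;    /* e_phnum */
    if (gnu_stack) {
        wr32(buf + ehsize, PT_GNU_STACK);
        wr32(buf + ehsize + (is64 ? 4 : 24), flags);
    }
    return len;
}

/* Construct a sample image and classify it in one step. */
int classify_sample(int is64, int gnu_stack, uint32_t flags)
{
    uint8_t buf[128];
    size_t n = build_elf(buf, sizeof buf, is64, gnu_stack, flags);
    return n ? gnu_stack_state(buf, n) : -1;
}

int main(void)
{
    static const char *row[] = { "missing GNU_STACK", "GNU_STACK == RW", "GNU_STACK == RWX" };
    static const int stk[] = { EXSTACK_DEFAULT, EXSTACK_DISABLE_X, EXSTACK_ENABLE_X };
    printf("%-18s x86_64 old/new  ia32 old/new  arm64 old/new\n", "ELF");
    for (int i = 0; i < 3; i++)
        printf("%-18s %d/%d             %d/%d           %d/%d\n", row[i],
               x86_rie_old(stk[i]), x86_rie_new(0, stk[i]), x86_rie_old(stk[i]),
               x86_rie_new(1, stk[i]), arm64_rie_old(stk[i]), arm64_rie_new(0, stk[i]));
    return 0;
}
```

To check a real binary, read the file into memory and pass it to gnu_stack_state(); `readelf -l` shows the same PT_GNU_STACK flags. The result that matters for this series is EXSTACK_ENABLE_X: before the series it meant exec-all on every architecture shown, afterwards only the stack is executable and a program that relied on executable heap or anonymous mappings has to set the personality flag itself.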