From patchwork Fri Mar 27 06:48:15 2020
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 11461775
From: Kees Cook
To: Borislav Petkov
Subject: [PATCH v5 1/6] x86/elf: Add table to document READ_IMPLIES_EXEC
Date: Thu, 26 Mar 2020 23:48:15 -0700
Message-Id: <20200327064820.12602-2-keescook@chromium.org>
In-Reply-To: <20200327064820.12602-1-keescook@chromium.org>
References: <20200327064820.12602-1-keescook@chromium.org>
Cc: Kees Cook, Jann Horn, Catalin Marinas, x86@kernel.org, Hector Marco-Gisbert, Russell King, linux-kernel@vger.kernel.org, Jason Gunthorpe, kernel-hardening@lists.openwall.com, Will Deacon, linux-arm-kernel@lists.infradead.org

Add a table to document the current behavior of
READ_IMPLIES_EXEC in preparation for changing the behavior.

Signed-off-by: Kees Cook
Reviewed-by: Jason Gunthorpe
--- arch/x86/include/asm/elf.h | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index 69c0f892e310..ee459d4c3b45 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h
@@ -281,6 +281,25 @@ extern u32 elf_hwcap2; /* * An executable for which elf_read_implies_exec() returns TRUE will * have the READ_IMPLIES_EXEC personality flag set automatically. + * + * The decision process for determining the results are: + * + *              CPU: | lacks NX*  | has NX, ia32     | has NX, x86_64 | + * ELF:              |            |                  |                | + * ---------------------|------------|------------------|----------------| + * missing PT_GNU_STACK | exec-all   | exec-all         | exec-all       | + * PT_GNU_STACK == RWX  | exec-all   | exec-all         | exec-all       | + * PT_GNU_STACK == RW   | exec-none  | exec-none        | exec-none      | + * + * exec-all : all PROT_READ user mappings are executable, except when + * backed by files on a noexec-filesystem. + * exec-none : only PROT_EXEC user mappings are executable. + * + * *this column has no architectural effect: NX markings are ignored by + * hardware, but may have behavioral effects when "wants X" collides with + * "cannot be X" constraints in memory permission flags, as in + * https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com + * */ #define elf_read_implies_exec(ex, executable_stack) \ (executable_stack != EXSTACK_DISABLE_X) From patchwork Fri Mar 27 06:48:16 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11461781 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9C6B21668 for ; Fri, 27 Mar 2020 06:49:39 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 7B2A020578 for ; Fri, 27 Mar 2020 06:49:39 +0000 (UTC) Authentication-Results: mail.kernel.org; 
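Review bot: the rows of the added table are keyed on PT_GNU_STACK, but the macro directly below tests executable_stack against EXSTACK_DISABLE_X, and the comment never says which EXSTACK_* value each row corresponds to. Adding that mapping next to the row labels would let a reader check the table against the macro without looking elsewhere. Two wording nits in the same comment: "The decision process for determining the results are:" should read "is", and the empty " *" line before the closing "*/" can be dropped.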
From: Kees Cook
To: Borislav Petkov
Subject: [PATCH v5 2/6] x86/elf: Split READ_IMPLIES_EXEC from executable PT_GNU_STACK
Date: Thu, 26 Mar 2020 23:48:16 -0700
Message-Id: <20200327064820.12602-3-keescook@chromium.org>
In-Reply-To: <20200327064820.12602-1-keescook@chromium.org>
References: <20200327064820.12602-1-keescook@chromium.org>
Cc: Kees Cook, Jann Horn, Catalin Marinas, x86@kernel.org, Hector Marco-Gisbert, Russell King, linux-kernel@vger.kernel.org, Jason Gunthorpe, kernel-hardening@lists.openwall.com, Will Deacon, linux-arm-kernel@lists.infradead.org

The READ_IMPLIES_EXEC work-around was
designed for old toolchains that lacked the ELF PT_GNU_STACK marking under the assumption that toolchains that couldn't specify executable permission flags for the stack may not know how to do it correctly for any memory region.

This logic is sensible for having ancient binaries coexist in a system with possibly NX memory, but was implemented in a way that equated having a PT_GNU_STACK marked executable as being as "broken" as lacking the PT_GNU_STACK marking entirely. Things like unmarked assembly and stack trampolines may cause PT_GNU_STACK to need an executable bit, but they do not imply all mappings must be executable.

This confusion has led to situations where modern programs with explicitly marked executable stack are forced into the READ_IMPLIES_EXEC state when no such thing is needed. (And leads to unexpected failures when mmap()ing regions of device driver memory that wish to disallow VM_EXEC[1].)

In looking for other reasons for the READ_IMPLIES_EXEC behavior, Jann Horn noted that glibc thread stacks have always been marked RWX (until 2003 when they started tracking the PT_GNU_STACK flag instead[2]). And musl doesn't support executable stacks at all[3]. As such, no breakage for multithreaded applications is expected from this change.

[1] https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com
[2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=54ee14b3882
[3] https://lkml.kernel.org/r/20190423192534.GN23599@brightrain.aerifal.cx

Suggested-by: Hector Marco-Gisbert
Signed-off-by: Kees Cook
Reviewed-by: Jason Gunthorpe
--- arch/x86/include/asm/elf.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index ee459d4c3b45..397a1c74433e 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h
@@ -288,12 +288,13 @@ extern u32 elf_hwcap2; * ELF:              |            |                  |                | * ---------------------|------------|------------------|----------------| * missing PT_GNU_STACK | exec-all   | exec-all         | exec-all       | - * PT_GNU_STACK == RWX  | exec-all   | exec-all         | exec-all       | + * PT_GNU_STACK == RWX  | exec-stack | exec-stack       | exec-stack     | * PT_GNU_STACK == RW   | exec-none  | exec-none        | exec-none      | * * exec-all : all PROT_READ user mappings are executable, except when * backed by files on a noexec-filesystem. * exec-none : only PROT_EXEC user mappings are executable. + * exec-stack: only the stack and PROT_EXEC user mappings are executable. * * *this column has no architectural effect: NX markings are ignored by * hardware, but may have behavioral effects when "wants X" collides with 
@@ -302,7 +303,7 @@ extern u32 elf_hwcap2; * */ #define elf_read_implies_exec(ex, executable_stack) \ - (executable_stack != EXSTACK_DISABLE_X) + (executable_stack == EXSTACK_DEFAULT) struct task_struct; From patchwork Fri Mar 27 06:48:17 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11461759 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8607C13A4 for ; Fri, 27 Mar 2020 06:48:33 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 63F2220714 for ; Fri, 27 Mar 2020 06:48:33 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="sway2hZi"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="QNhpPzdq" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 63F2220714 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=nrDLXRQ/e71NRVPdZJY46WYis6nRvLjEsTGB3J9T6P8=; b=sway2hZiZJPyfP 
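Review bot: in the first hunk (@@ -288,12 +288,13 @@), the added legend line "exec-stack: only the stack and PROT_EXEC user mappings are executable" leaves "the stack" undefined. The commit message discusses glibc thread stacks following PT_GNU_STACK, so please say in the legend whether this means the initial process stack only or thread stacks as well.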
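Review bot: in the second hunk (@@ -302,7 +303,7 @@), the new macro body "(executable_stack == EXSTACK_DEFAULT)" uses its argument without parentheses. Since the line is being rewritten anyway, make it "((executable_stack) == EXSTACK_DEFAULT)" so that an expression passed as the argument cannot change how the comparison binds.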
From: Kees Cook
To: Borislav Petkov
Subject: [PATCH v5 3/6] x86/elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces
Date: Thu, 26 Mar 2020 23:48:17 -0700
Message-Id: <20200327064820.12602-4-keescook@chromium.org>
In-Reply-To: <20200327064820.12602-1-keescook@chromium.org>
References: <20200327064820.12602-1-keescook@chromium.org>
Cc: Kees Cook, Jann Horn, Catalin Marinas, x86@kernel.org, Hector Marco-Gisbert, Russell King, linux-kernel@vger.kernel.org, Jason Gunthorpe, kernel-hardening@lists.openwall.com, Will Deacon, linux-arm-kernel@lists.infradead.org

With modern x86 64-bit environments,
there should never be a need for automatic READ_IMPLIES_EXEC, as the architecture is intended to always be execute-bit aware (as in, the default memory protection should be NX unless a region explicitly requests to be executable). There were very old x86_64 systems that lacked the NX bit, but for those, the NX bit is, obviously, unenforceable, so these changes should have no impact on them. Suggested-by: Hector Marco-Gisbert Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe --- arch/x86/include/asm/elf.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index 397a1c74433e..452beed7892b 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h @@ -287,7 +287,7 @@ extern u32 elf_hwcap2; *              CPU: | lacks NX*  | has NX, ia32     | has NX, x86_64 | * ELF:              |            |                  |                | * ---------------------|------------|------------------|----------------| - * missing PT_GNU_STACK | exec-all   | exec-all         | exec-all       | + * missing PT_GNU_STACK | exec-all   | exec-all         | exec-none      | * PT_GNU_STACK == RWX  | exec-stack | exec-stack       | exec-stack     | * PT_GNU_STACK == RW   | exec-none  | exec-none        | exec-none      | * 
@@ -303,7 +303,7 @@ extern u32 elf_hwcap2; * */ #define elf_read_implies_exec(ex, executable_stack) \ - (executable_stack == EXSTACK_DEFAULT) + (mmap_is_ia32() && executable_stack == EXSTACK_DEFAULT) struct task_struct; From patchwork Fri Mar 27 06:48:18 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11461763 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 17A7013A4 for ; Fri, 27 Mar 2020 06:48:47 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id E9AB720716 for ; Fri, 27 Mar 2020 06:48:46 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="m+BDGWrA"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="Tm4FMyfy" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E9AB720716 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=WhE11tuDrEbm8Jb0P9d2i/fLALA/1BJAzrf7NHzCwN8=; b=m+BDGWrAHI58nS 
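Review bot: in the table hunk (@@ -287,7 +287,7 @@), only the "has NX, x86_64" cell of the "missing PT_GNU_STACK" row changes to exec-none, while the "lacks NX*" cell stays exec-all. The new macro condition tests mmap_is_ia32() and not NX support, so a 64-bit process on a CPU without NX also stops getting READ_IMPLIES_EXEC. The footnote already says that column "may have behavioral effects", so it should state that the flag is no longer set there for 64-bit address spaces.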
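Review bot: in the macro hunk (@@ -303,7 +303,7 @@), the new condition "(mmap_is_ia32() && executable_stack == EXSTACK_DEFAULT)" decides 32-bit versus 64-bit from mmap_is_ia32(), which takes no argument, while the ex parameter remains unused. Nothing in the hunk shows that the state mmap_is_ia32() reads has already been set for the image being loaded at the point this macro is evaluated. Please add a sentence to the comment or the commit message stating that ordering requirement, or derive the answer from ex.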
From: Kees Cook
To: Borislav Petkov
Subject: [PATCH v5 4/6] arm32/64, elf: Add tables to document READ_IMPLIES_EXEC
Date: Thu, 26 Mar 2020 23:48:18 -0700
Message-Id: <20200327064820.12602-5-keescook@chromium.org>
In-Reply-To: <20200327064820.12602-1-keescook@chromium.org>
References: <20200327064820.12602-1-keescook@chromium.org>
Cc: Kees Cook, Jann Horn, Catalin Marinas, x86@kernel.org, Hector Marco-Gisbert, Russell King, linux-kernel@vger.kernel.org, Jason Gunthorpe, kernel-hardening@lists.openwall.com, Will Deacon, linux-arm-kernel@lists.infradead.org

Add tables to document the current behavior of
READ_IMPLIES_EXEC in preparation for changing the behavior for both arm64 and arm. Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe Reviewed-by: Catalin Marinas --- arch/arm/kernel/elf.c | 24 +++++++++++++++++++++--- arch/arm64/include/asm/elf.h | 20 ++++++++++++++++++++ 2 files changed, 41 insertions(+), 3 deletions(-) diff --git a/arch/arm/kernel/elf.c b/arch/arm/kernel/elf.c index 182422981386..5ccd4aced6cc 100644 --- a/arch/arm/kernel/elf.c +++ b/arch/arm/kernel/elf.c @@ -78,9 +78,27 @@ void elf_set_personality(const struct elf32_hdr *x) EXPORT_SYMBOL(elf_set_personality); /* - * Set READ_IMPLIES_EXEC if: - * - the binary requires an executable stack - * - we're running on a CPU which doesn't support NX. + * An executable for which elf_read_implies_exec() returns TRUE will + * have the READ_IMPLIES_EXEC personality flag set automatically. + * + * The decision process for determining the results are: + * + *              CPU: | lacks NX*  | has NX | + * ELF:              |            |           | + * ---------------------|------------|------------| + * missing PT_GNU_STACK | exec-all   | exec-all  | + * PT_GNU_STACK == RWX  | exec-all   | exec-all  | + * PT_GNU_STACK == RW   | exec-all  | exec-none | + * + * exec-all : all PROT_READ user mappings are executable, except when + * backed by files on a noexec-filesystem. + * exec-none : only PROT_EXEC user mappings are executable. + * + * *this column has no architectural effect: NX markings are ignored by + * hardware, but may have behavioral effects when "wants X" collides with + * "cannot be X" constraints in memory permission flags, as in + * https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com + * */ int arm_elf_read_implies_exec(int executable_stack) { diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index b618017205a3..986ecf41fc0f 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h 
@@ -96,6 +96,26 @@ */ #define elf_check_arch(x) ((x)->e_machine == EM_AARCH64) +/* + * An executable for which elf_read_implies_exec() returns TRUE will + * have the READ_IMPLIES_EXEC personality flag set automatically. + * + * The decision process for determining the results are: + * + *              CPU*: | arm32    | arm64 | + * ELF:              |            |            | + * ---------------------|------------|------------| + * missing PT_GNU_STACK | exec-all   | exec-all   | + * PT_GNU_STACK == RWX  | exec-all   | exec-all   | + * PT_GNU_STACK == RW   | exec-none | exec-none | + * + * exec-all : all PROT_READ user mappings are executable, except when + * backed by files on a noexec-filesystem. + * exec-none : only PROT_EXEC user mappings are executable. + * + * *all arm64 CPUs support NX, so there is no "lacks NX" column. + * + */ #define elf_read_implies_exec(ex,stk) (stk != EXSTACK_DISABLE_X) #define CORE_DUMP_USE_REGSET
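Review bot: In the arch/arm/kernel/elf.c hunk, the new comment sits directly above arm_elf_read_implies_exec() but describes the result in terms of elf_read_implies_exec(), and nothing in the hunk says how the two relate; name the arm function, or add a line saying which one the macro resolves to. The comment also never states what decides the "lacks NX" versus "has NX" column, so a reader cannot map a column to a check in the function below it. Wording fix while here: "The decision process for determining the results are:" should read "is".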
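Review bot: In the arch/arm64/include/asm/elf.h hunk, the column headers "arm32" and "arm64" are never defined, and the footnote attached to "CPU*" only explains why there is no "lacks NX" column. Since this is the arm64 header, say explicitly whether "arm32" means 32-bit compat tasks on an arm64 kernel. It is also worth one sentence noting that both columns are identical at this point because the single macro "elf_read_implies_exec(ex,stk) (stk != EXSTACK_DISABLE_X)" below the comment cannot tell them apart.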
From: Kees Cook
To: Borislav Petkov
Subject: [PATCH v5 5/6] arm32/64, elf: Split READ_IMPLIES_EXEC from executable PT_GNU_STACK
Date: Thu, 26 Mar 2020 23:48:19 -0700
Message-Id: <20200327064820.12602-6-keescook@chromium.org>
In-Reply-To: <20200327064820.12602-1-keescook@chromium.org>
References: <20200327064820.12602-1-keescook@chromium.org>
Cc: Kees Cook, Jann Horn, Catalin Marinas, x86@kernel.org, Hector Marco-Gisbert, Russell King, linux-kernel@vger.kernel.org, Jason Gunthorpe, Jason Gunthorpe, kernel-hardening@lists.openwall.com, Will Deacon, linux-arm-kernel@lists.infradead.org

The READ_IMPLIES_EXEC work-around was
designed for old toolchains that lacked the ELF PT_GNU_STACK marking under the assumption that toolchains that couldn't specify executable permission flags for the stack may not know how to do it correctly for any memory region.

This logic is sensible for having ancient binaries coexist in a system with possibly NX memory, but was implemented in a way that equated having a PT_GNU_STACK marked executable as being as "broken" as lacking the PT_GNU_STACK marking entirely. Things like unmarked assembly and stack trampolines may cause PT_GNU_STACK to need an executable bit, but they do not imply all mappings must be executable.

This confusion has led to situations where modern programs with explicitly marked executable stack are forced into the READ_IMPLIES_EXEC state when no such thing is needed. (And leads to unexpected failures when mmap()ing regions of device driver memory that wish to disallow VM_EXEC[1].)

In looking for other reasons for the READ_IMPLIES_EXEC behavior, Jann Horn noted that glibc thread stacks have always been marked RWX (until 2003 when they started tracking the PT_GNU_STACK flag instead[2]). And musl doesn't support executable stacks at all[3]. As such, no breakage for multithreaded applications is expected from this change.

This changes arm32 and arm64 compat together, to keep behavior the same.

[1] https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com
[2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=54ee14b3882
[3] https://lkml.kernel.org/r/20190423192534.GN23599@brightrain.aerifal.cx

Suggested-by: Hector Marco-Gisbert
Signed-off-by: Kees Cook
Reviewed-by: Jason Gunthorpe
Reviewed-by: Catalin Marinas
--- arch/arm/kernel/elf.c | 5 +++-- arch/arm64/include/asm/elf.h | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/arch/arm/kernel/elf.c b/arch/arm/kernel/elf.c index 5ccd4aced6cc..254ab7138c85 100644 --- a/arch/arm/kernel/elf.c +++ b/arch/arm/kernel/elf.c
@@ -87,12 +87,13 @@ EXPORT_SYMBOL(elf_set_personality); * ELF:              |            |           | * ---------------------|------------|------------| * missing PT_GNU_STACK | exec-all   | exec-all  | - * PT_GNU_STACK == RWX  | exec-all   | exec-all  | + * PT_GNU_STACK == RWX  | exec-all   | exec-stack | * PT_GNU_STACK == RW   | exec-all  | exec-none | * * exec-all : all PROT_READ user mappings are executable, except when * backed by files on a noexec-filesystem. * exec-none : only PROT_EXEC user mappings are executable. + * exec-stack: only the stack and PROT_EXEC user mappings are executable. * * *this column has no architectural effect: NX markings are ignored by * hardware, but may have behavioral effects when "wants X" collides with @@ -102,7 +103,7 @@ EXPORT_SYMBOL(elf_set_personality); */ int arm_elf_read_implies_exec(int executable_stack) { - if (executable_stack != EXSTACK_DISABLE_X) + if (executable_stack == EXSTACK_DEFAULT) return 1; if (cpu_architecture() < CPU_ARCH_ARMv6) return 1; diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index 986ecf41fc0f..0074e9fd6431 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h 
@@ -106,17 +106,18 @@ * ELF:              |            |            | * ---------------------|------------|------------| * missing PT_GNU_STACK | exec-all   | exec-all   | - * PT_GNU_STACK == RWX  | exec-all   | exec-all   | + * PT_GNU_STACK == RWX  | exec-stack | exec-stack | * PT_GNU_STACK == RW   | exec-none | exec-none | * * exec-all : all PROT_READ user mappings are executable, except when * backed by files on a noexec-filesystem. * exec-none : only PROT_EXEC user mappings are executable. + * exec-stack: only the stack and PROT_EXEC user mappings are executable. * * *all arm64 CPUs support NX, so there is no "lacks NX" column. * */ -#define elf_read_implies_exec(ex,stk) (stk != EXSTACK_DISABLE_X) +#define elf_read_implies_exec(ex, stk) (stk == EXSTACK_DEFAULT) #define CORE_DUMP_USE_REGSET #define ELF_EXEC_PAGESIZE PAGE_SIZE
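Review bot: In the second arch/arm/kernel/elf.c hunk, the body of arm_elf_read_implies_exec() has no comment tying either "return 1" to a row or column of the table above, so after the switch from "executable_stack != EXSTACK_DISABLE_X" to "executable_stack == EXSTACK_DEFAULT" the code and the table can only be checked against each other by reading both closely. Add a one-line comment on each check (missing PT_GNU_STACK, CPU older than ARMv6). The commit message covers thread stacks, but not binaries marked RWX that relied on PROT_READ mappings outside the stack being executable; please say whether that case was considered, since the RWX row moves from exec-all to exec-stack on CPUs with NX.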
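Review bot: In the arch/arm64/include/asm/elf.h hunk, the rewritten macro still expands its argument without parentheses: "(stk == EXSTACK_DEFAULT)" should be "((stk) == EXSTACK_DEFAULT)" so that an expression passed as the argument cannot change the comparison. The line is already being rewritten, so this is the cheapest moment to fix it. The "ex" parameter stays unused; a short note that the signature is dictated by the caller would help.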
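The predicate change in the hunks above, carried from the ELF program headers to the resulting table cell, as an added example that is not part of the patch or of the kernel source. The EXSTACK_* values mirror the kernel's internal constants; rd_le, exstack_state, rie_before, rie_after, policy and make_sample are hypothetical names, and the sample images are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kernel-internal values (include/linux/binfmts.h), redefined for userspace. */
enum { EXSTACK_DEFAULT = 0, EXSTACK_DISABLE_X = 1, EXSTACK_ENABLE_X = 2 };
#define ELF_PT_GNU_STACK 0x6474e551u
#define ELF_PF_X 0x1u

static uint64_t rd_le(const unsigned char *p, int n)
{
    uint64_t v = 0;
    while (n--)
        v = (v << 8) | p[n];
    return v;
}

/* Little-endian ELF64 only: no PT_GNU_STACK gives EXSTACK_DEFAULT, otherwise
 * PF_X (low byte of p_flags) decides. Returns -1 for a malformed image. */
int exstack_state(const unsigned char *img, size_t len)
{
    int state = EXSTACK_DEFAULT;
    if (len < 64 || memcmp(img, "\177ELF\002\001", 6) != 0)
        return -1;
    uint64_t phoff = rd_le(img + 0x20, 8), phnum = rd_le(img + 0x38, 2);
    if (rd_le(img + 0x36, 2) != 56 || phoff > len || phnum * 56 > len - phoff)
        return -1;                  /* program header table out of bounds */
    for (uint64_t i = 0; i < phnum; i++) {
        const unsigned char *ph = img + phoff + i * 56;
        if (rd_le(ph, 4) == ELF_PT_GNU_STACK)
            state = (ph[4] & ELF_PF_X) ? EXSTACK_ENABLE_X : EXSTACK_DISABLE_X;
    }
    return state;
}

int rie_before(int stk) { return stk != EXSTACK_DISABLE_X; } /* before 5/6 */
int rie_after(int stk) { return stk == EXSTACK_DEFAULT; }    /* after 5/6 */

/* Table cell on a CPU with NX, given the predicate's result. */
const char *policy(int stk, int read_implies_exec)
{
    if (read_implies_exec)
        return "exec-all";
    return stk == EXSTACK_ENABLE_X ? "exec-stack" : "exec-none";
}

/* Constructed sample, 120 bytes: ELF64 header plus one program header.
 * stack_flags < 0 emits PT_LOAD instead of PT_GNU_STACK. */
size_t make_sample(unsigned char *buf, int stack_flags)
{
    memset(buf, 0, 120);
    memcpy(buf, "\177ELF\002\001", 6);   /* magic, ELFCLASS64, ELFDATA2LSB */
    buf[0x20] = 64; buf[0x36] = 56; buf[0x38] = 1; /* phoff, phentsize, phnum */
    memcpy(buf + 64, stack_flags < 0 ? "\x01\0\0" : "\x51\xe5\x74\x64", 4);
    buf[68] = stack_flags < 0 ? 5 : (unsigned char)stack_flags; /* p_flags */
    return 120;
}

int main(void)
{
    int flags[] = { -1, 7, 6 };          /* missing, RWX, RW */
    unsigned char buf[120];
    for (int i = 0; i < 3; i++) {
        int stk = exstack_state(buf, make_sample(buf, flags[i]));
        printf("%2d: %s -> %s\n", flags[i], policy(stk, rie_before(stk)),
               policy(stk, rie_after(stk)));
    }
    return 0;
}
```

Only the RWX row differs between the two columns of output, which is the single table cell this patch changes for CPUs with NX.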
From: Kees Cook
To: Borislav Petkov
Subject: [PATCH v5 6/6] arm64, elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces
Date: Thu, 26 Mar 2020 23:48:20 -0700
Message-Id: <20200327064820.12602-7-keescook@chromium.org>
In-Reply-To: <20200327064820.12602-1-keescook@chromium.org>
References: <20200327064820.12602-1-keescook@chromium.org>
Cc: Kees Cook, Jann Horn, Catalin Marinas, x86@kernel.org, Hector Marco-Gisbert, Russell King, linux-kernel@vger.kernel.org, Jason Gunthorpe, Jason Gunthorpe, kernel-hardening@lists.openwall.com, Will Deacon, linux-arm-kernel@lists.infradead.org

With arm64 64-bit environments,
there should never be a need for automatic READ_IMPLIES_EXEC, as the architecture has always been execute-bit aware (as in, the default memory protection should be NX unless a region explicitly requests to be executable). Suggested-by: Hector Marco-Gisbert Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe Reviewed-by: Catalin Marinas --- arch/arm64/include/asm/elf.h | 4 ++-- fs/compat_binfmt_elf.c | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index 0074e9fd6431..0e7df6f1eb7a 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h @@ -105,7 +105,7 @@ *              CPU*: | arm32    | arm64 | * ELF:              |            |            | * ---------------------|------------|------------| - * missing PT_GNU_STACK | exec-all   | exec-all   | + * missing PT_GNU_STACK | exec-all   | exec-none  | * PT_GNU_STACK == RWX  | exec-stack | exec-stack | * PT_GNU_STACK == RW   | exec-none | exec-none | * @@ -117,7 +117,7 @@ * *all arm64 CPUs support NX, so there is no "lacks NX" column. * */ -#define elf_read_implies_exec(ex, stk) (stk == EXSTACK_DEFAULT) +#define compat_elf_read_implies_exec(ex, stk) (stk == EXSTACK_DEFAULT) #define CORE_DUMP_USE_REGSET #define ELF_EXEC_PAGESIZE PAGE_SIZE diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c index aaad4ca1217e..3068d57436b3 100644 --- a/fs/compat_binfmt_elf.c +++ b/fs/compat_binfmt_elf.c @@ -113,6 +113,11 @@ #define arch_setup_additional_pages compat_arch_setup_additional_pages #endif +#ifdef compat_elf_read_implies_exec +#undef elf_read_implies_exec +#define elf_read_implies_exec compat_elf_read_implies_exec +#endif + /* * Rename a few of the symbols that binfmt_elf.c will define. * These are all local so the names don't really matter, but it
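Review bot: In the second arch/arm64/include/asm/elf.h hunk, renaming the macro to compat_elf_read_implies_exec leaves the comment block above it stale: its opening sentence, added in 4/6 and not touched here, still reads "An executable for which elf_read_implies_exec() returns TRUE", while the define it referred to is replaced by this hunk. Update that sentence to name the compat macro, and state in the comment what native 64-bit tasks now resolve to, because the exec-none cell in the arm64 column depends on a default that is not visible in this patch. The unparenthesized "stk" in the macro body is carried over as well.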
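Review bot: In the fs/compat_binfmt_elf.c hunk, the new "#ifdef compat_elf_read_implies_exec" block is generic code, yet the subject line says "arm64, elf:" and the commit message does not mention the override hook at all. Describe the hook in the commit message (an architecture opts in by defining compat_elf_read_implies_exec, otherwise compat tasks keep using elf_read_implies_exec) and consider a one-line comment above the block so the next architecture to use it does not have to rediscover the convention.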