From patchwork Fri Mar 27 06:48:15 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11461771 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1402F13A4 for ; Fri, 27 Mar 2020 06:49:08 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id 7148A20716 for ; Fri, 27 Mar 2020 06:49:07 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="OCjXlmIo" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 7148A20716 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-18251-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 26330 invoked by uid 550); 27 Mar 2020 06:48:40 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 26224 invoked from network); 27 Mar 2020 06:48:38 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=aCXQQNfM2EQYbGhE+c3i+WsEzSS1B+0KzErDD9Q3cJQ=; b=OCjXlmIoxfrnMcD6Fm7EqmFltbx9NqQHpjse+YKgPYhkHv6iZLLG1nlt7oUVP9C15G lQ19ipXBCR2dhvNCDNSaYaRpGtODDqGFdCxyjvW+VnHhSDXeSovFoVqIX6sa8HSy/zUS Tzoj2lH+NFiAotmdBSTAOMN6FsQCteguppeiQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to 
:references:mime-version:content-transfer-encoding; bh=aCXQQNfM2EQYbGhE+c3i+WsEzSS1B+0KzErDD9Q3cJQ=; b=cD6jzPptXqNAIh5GuD9dw2AW2TXg88DqXn/7s0Ngk9u1iqcABuSJj39bpXR3AVfp9A a2sjqV+w3oZJhABN34fcI4Aabupoj5FMp4rj0vSki6nPr0cRy3kKB73BYI/SkQpJ++nn Uhw+LatM26R0ZOT0UoRaAl0zk5i8voEDgxB7rbQAsSuET2skJ+XZdRhcd13hZVJlsQSk FtQuqMBptK4IWnG6YVZtsQ2/UXaLgVYNHaPmd0DJLRRPqd1D/De9VnkXcGbNqVYjIQN+ ysL2q8hH2lCNolbH+FzBOyjrxSvZbsrQ2F/ZasTrAVAWSRpUiN69KReIT2Vs6KYa9ndV bOMQ== X-Gm-Message-State: ANhLgQ1BKw0STyY82upsqXfhGCMJuFzGf9+dv/GCjVywRQJpC+NSey1p 4upHWP+9cUVA7wwDKXOaaK+xbg== X-Google-Smtp-Source: ADFU+vuRG/7CwdAL7Hz1xKA5Bt+/nzzdYx30lzuff91wl0WePMdT+P2vk/HnJix1tQIiabhGWyh6wg== X-Received: by 2002:a17:90a:eb03:: with SMTP id j3mr4340967pjz.72.1585291706769; Thu, 26 Mar 2020 23:48:26 -0700 (PDT) From: Kees Cook To: Borislav Petkov Cc: Kees Cook , Jason Gunthorpe , Hector Marco-Gisbert , Jason Gunthorpe , Catalin Marinas , Russell King , Will Deacon , Jann Horn , x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org Subject: [PATCH v5 1/6] x86/elf: Add table to document READ_IMPLIES_EXEC Date: Thu, 26 Mar 2020 23:48:15 -0700 Message-Id: <20200327064820.12602-2-keescook@chromium.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200327064820.12602-1-keescook@chromium.org> References: <20200327064820.12602-1-keescook@chromium.org> MIME-Version: 1.0 Add a table to document the current behavior of READ_IMPLIES_EXEC in preparation for changing the behavior. Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe --- arch/x86/include/asm/elf.h | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index 69c0f892e310..ee459d4c3b45 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h 
@@ -281,6 +281,25 @@ extern u32 elf_hwcap2; /* * An executable for which elf_read_implies_exec() returns TRUE will * have the READ_IMPLIES_EXEC personality flag set automatically. + * + * The decision process for determining the results are: + * + *              CPU: | lacks NX*  | has NX, ia32     | has NX, x86_64 | + * ELF:              |            |                  |                | + * ---------------------|------------|------------------|----------------| + * missing PT_GNU_STACK | exec-all   | exec-all         | exec-all       | + * PT_GNU_STACK == RWX  | exec-all   | exec-all         | exec-all       | + * PT_GNU_STACK == RW   | exec-none  | exec-none        | exec-none      | + * + * exec-all : all PROT_READ user mappings are executable, except when + * backed by files on a noexec-filesystem. + * exec-none : only PROT_EXEC user mappings are executable. + * + * *this column has no architectural effect: NX markings are ignored by + * hardware, but may have behavioral effects when "wants X" collides with + * "cannot be X" constraints in memory permission flags, as in + * https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com + * */ #define elf_read_implies_exec(ex, executable_stack) \ (executable_stack != EXSTACK_DISABLE_X) From patchwork Fri Mar 27 06:48:16 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11461773 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8F1F41668 for ; Fri, 27 Mar 2020 06:49:16 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id EBD2A20578 for ; Fri, 27 Mar 2020 06:49:15 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="EN7/Lyg4" DMARC-Filter: OpenDMARC Filter 
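Review bot: the comment added to arch/x86/include/asm/elf.h has a number-agreement slip, "The decision process for determining the results are:", which should read "The decision process is:". The header row is also not padded to the separator row ("CPU: |" is narrower than "---------------------|"), so "ELF:" reads like a column heading instead of the row-axis label; widening the header cells to the separator width keeps the table legible in a fixed-width editor. Since elf_read_implies_exec() at this point is just "(executable_stack != EXSTACK_DISABLE_X)", ignoring both its ex argument and NX support, a one-line remark that this is why all three CPU columns are currently identical would tell the reader what the later patches are going to change.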
From: Kees Cook To: Borislav Petkov Cc: Kees Cook , Hector Marco-Gisbert , Jason Gunthorpe , Jason Gunthorpe , Catalin Marinas , Russell King , Will Deacon , Jann Horn , x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org Subject: [PATCH v5 2/6] x86/elf: Split READ_IMPLIES_EXEC from executable PT_GNU_STACK Date: Thu, 26 Mar 2020 23:48:16 -0700 Message-Id: <20200327064820.12602-3-keescook@chromium.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200327064820.12602-1-keescook@chromium.org> References: <20200327064820.12602-1-keescook@chromium.org> MIME-Version: 1.0 The READ_IMPLIES_EXEC work-around was designed for old toolchains that lacked the ELF PT_GNU_STACK marking under the assumption that toolchains that couldn't specify executable permission flags for the stack may not know how to do it correctly for any memory region. This logic is sensible for having ancient binaries coexist in a system with possibly NX memory, but was implemented in a way that equated having a PT_GNU_STACK marked executable as being as "broken" as lacking the PT_GNU_STACK marking entirely. Things like unmarked assembly and stack trampolines may cause PT_GNU_STACK to need an executable bit, but they do not imply all mappings must be executable. This confusion has led to situations where modern programs with explicitly marked executable stack are forced into the READ_IMPLIES_EXEC state when no such thing is needed. (And leads to unexpected failures when mmap()ing regions of device driver memory that wish to disallow VM_EXEC[1].) In looking for other reasons for the READ_IMPLIES_EXEC behavior, Jann Horn noted that glibc thread stacks have always been marked RWX (until 2003 when they started tracking the PT_GNU_STACK flag instead[2]). And musl doesn't support executable stacks at all[3]. As such, no breakage for multithreaded applications is expected from this change. 
[1] https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com [2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=54ee14b3882 [3] https://lkml.kernel.org/r/20190423192534.GN23599@brightrain.aerifal.cx Suggested-by: Hector Marco-Gisbert Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe --- arch/x86/include/asm/elf.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index ee459d4c3b45..397a1c74433e 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h @@ -288,12 +288,13 @@ extern u32 elf_hwcap2; * ELF:              |            |                  |                | * ---------------------|------------|------------------|----------------| * missing PT_GNU_STACK | exec-all   | exec-all         | exec-all       | - * PT_GNU_STACK == RWX  | exec-all   | exec-all         | exec-all       | + * PT_GNU_STACK == RWX  | exec-stack | exec-stack       | exec-stack     | * PT_GNU_STACK == RW   | exec-none  | exec-none        | exec-none      | * * exec-all : all PROT_READ user mappings are executable, except when * backed by files on a noexec-filesystem. * exec-none : only PROT_EXEC user mappings are executable. + * exec-stack: only the stack and PROT_EXEC user mappings are executable. * * *this column has no architectural effect: NX markings are ignored by * hardware, but may have behavioral effects when "wants X" collides with 
@@ -302,7 +303,7 @@ extern u32 elf_hwcap2; * */ #define elf_read_implies_exec(ex, executable_stack) \ - (executable_stack != EXSTACK_DISABLE_X) + (executable_stack == EXSTACK_DEFAULT) struct task_struct; From patchwork Fri Mar 27 06:48:17 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11461761 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 573FF13A4 for ; Fri, 27 Mar 2020 06:48:46 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id 6ABFA20716 for ; Fri, 27 Mar 2020 06:48:45 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="QNhpPzdq" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6ABFA20716 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-18248-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 26189 invoked by uid 550); 27 Mar 2020 06:48:38 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 26155 invoked from network); 27 Mar 2020 06:48:37 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=RpYBuJfY08WhjaxaukJkaddMj0LXmdHxotG0jM4ptqg=; b=QNhpPzdqJpCei279jTF+h/ObhmvlR6FTP7G9SeLHFQQYYYl/hOo7K7A4ahYZW9rBTi CxTyqKu7s/VDnh0YhGgfs7LNY7Bn+lOco0Y3SE1ZH7MyzXiWqcevIJXEgNfXB9RcIubp 
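Review bot: the second hunk, which turns the predicate from "(executable_stack != EXSTACK_DISABLE_X)" into "(executable_stack == EXSTACK_DEFAULT)", withdraws READ_IMPLIES_EXEC from every binary whose PT_GNU_STACK is RWX, and the commit message should say how someone who still has such a binary that depends on the old behaviour gets it back. The comment describes READ_IMPLIES_EXEC as a personality flag that was only ever set "automatically", so a sentence noting that the flag can still be set explicitly by the caller, and that binaries with no PT_GNU_STACK at all are unaffected, would make the compatibility story checkable from the log alone.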
From: Kees Cook To: Borislav Petkov Cc: Kees Cook , Hector Marco-Gisbert , Jason Gunthorpe , Jason Gunthorpe , Catalin Marinas , Russell King , Will Deacon , Jann Horn , x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org Subject: [PATCH v5 3/6] x86/elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces Date: Thu, 26 Mar 2020 23:48:17 -0700 Message-Id: <20200327064820.12602-4-keescook@chromium.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200327064820.12602-1-keescook@chromium.org> References: <20200327064820.12602-1-keescook@chromium.org> MIME-Version: 1.0 With modern x86 64-bit environments, there should never be a need for automatic READ_IMPLIES_EXEC, as the architecture is intended to always be execute-bit aware (as in, the default memory protection should be NX unless a region explicitly requests to be executable). There were very old x86_64 systems that lacked the NX bit, but for those, the NX bit is, obviously, unenforceable, so these changes should have no impact on them. Suggested-by: Hector Marco-Gisbert Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe --- arch/x86/include/asm/elf.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index 397a1c74433e..452beed7892b 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h @@ -287,7 +287,7 @@ extern u32 elf_hwcap2; *              CPU: | lacks NX*  | has NX, ia32     | has NX, x86_64 | * ELF:              |            |                  |                | * ---------------------|------------|------------------|----------------| - * missing PT_GNU_STACK | exec-all   | exec-all         | exec-all       | + * missing PT_GNU_STACK | exec-all   | exec-all         | exec-none      | * PT_GNU_STACK == RWX  | exec-stack | exec-stack       | exec-stack     | * PT_GNU_STACK == RW   | exec-none  | exec-none        | exec-none      | * 
@@ -303,7 +303,7 @@ extern u32 elf_hwcap2; * */ #define elf_read_implies_exec(ex, executable_stack) \ - (executable_stack == EXSTACK_DEFAULT) + (mmap_is_ia32() && executable_stack == EXSTACK_DEFAULT) struct task_struct; From patchwork Fri Mar 27 06:48:18 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11461765 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B768D1668 for ; Fri, 27 Mar 2020 06:48:52 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id 2054820717 for ; Fri, 27 Mar 2020 06:48:51 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="Tm4FMyfy" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 2054820717 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-18249-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 26256 invoked by uid 550); 27 Mar 2020 06:48:39 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 26156 invoked from network); 27 Mar 2020 06:48:37 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=mgxC9d4qXy1U6S4xZZ93iQn9OATjbx+7aDsjHxYmoto=; b=Tm4FMyfyM+cogSruDE6HvsM+6ZwmCpC70VZfPJPeA0p+kq4CJe5z5I2DHZ9LX+tWXU +NQzb1bYQeo9YhPAv4Z4oabDJ4d38VX5KW8GF7YKk2UeP4oHUqCJe3joDSiC6v18w10H 
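Review bot: the "lacks NX*" column in the first hunk becomes ambiguous for the "missing PT_GNU_STACK" row once the macro keys on mmap_is_ia32(): the cell still says exec-all, yet a 64-bit task on an NX-less CPU no longer satisfies "(mmap_is_ia32() && executable_stack == EXSTACK_DEFAULT)", so the kernel's request for that case is exec-none, exactly as in the "has NX, x86_64" column. Either relabel the column "lacks NX, ia32" or extend the asterisk footnote to say that the column describes 32-bit tasks only.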
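Review bot: the second hunk makes elf_read_implies_exec() expand to a call of mmap_is_ia32(), giving arch/x86/include/asm/elf.h an implicit dependency on whichever header declares it; please confirm that every includer of asm/elf.h that expands this macro already sees that declaration, or add the include here rather than relying on include order. It would also help to state in the commit message that mmap_is_ia32() already reflects the new image (not the exec'ing parent) at the point elf_read_implies_exec() is evaluated in the ELF loader, since a 32-bit binary started from a 64-bit process is exactly the case this change is meant to keep on the exec-all path.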
Kq7G4OI4gxFxFK+ZrGvyhlubqD/l0vQZ9EUtM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=mgxC9d4qXy1U6S4xZZ93iQn9OATjbx+7aDsjHxYmoto=; b=hlsPkurHeTAYblshAGUfNV/7rVSdfDn5Qadlya98NapHOqgTIL8F+VVloFL2bR4l+O TovNNaPdM/XR8KwhSYG/sbhRhPBWjkgUUh2oval+4m7gFbf2V5r3RrnGTZs+OG3etQxz UmuqdqzZCXl66913zHZzIImbC++EELFWnwdDf1E8gfzoGwF0To18glGFYNMqdziV7OAm 6xu1BZ+vwhhpnmJDoYar+yooOOti8PlLpKbrVdSIR1/0xIevctDhlaEBYuNRCV/eHzob G2F+eTnuvw8nyt8fG8SaDY9LRaIf/21oCq8a1VDicg6BKWosDyT5ltxWSNdBus3qnXSl WApg== X-Gm-Message-State: ANhLgQ09LRXD9K1BGQpeP+wzORqvYXTXXi63TE3kf9/inmg3iYq9qisy 4q/4dFVRWmALPXYKofIGTr6+nA== X-Google-Smtp-Source: ADFU+vvUCTEaE7rTCmfqpNAlHIP1Nzssf0r27kJDIMaQrHcgZSr12IA4FWWsjvLo1vxI4YLA34ar7w== X-Received: by 2002:a17:90a:33c1:: with SMTP id n59mr4125261pjb.4.1585291705258; Thu, 26 Mar 2020 23:48:25 -0700 (PDT) From: Kees Cook To: Borislav Petkov Cc: Kees Cook , Jason Gunthorpe , Catalin Marinas , Hector Marco-Gisbert , Jason Gunthorpe , Russell King , Will Deacon , Jann Horn , x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org Subject: [PATCH v5 4/6] arm32/64, elf: Add tables to document READ_IMPLIES_EXEC Date: Thu, 26 Mar 2020 23:48:18 -0700 Message-Id: <20200327064820.12602-5-keescook@chromium.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200327064820.12602-1-keescook@chromium.org> References: <20200327064820.12602-1-keescook@chromium.org> MIME-Version: 1.0 Add tables to document the current behavior of READ_IMPLIES_EXEC in preparation for changing the behavior for both arm64 and arm. Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe Reviewed-by: Catalin Marinas --- arch/arm/kernel/elf.c | 24 +++++++++++++++++++++--- arch/arm64/include/asm/elf.h | 20 ++++++++++++++++++++ 2 files changed, 41 insertions(+), 3 deletions(-) 
diff --git a/arch/arm/kernel/elf.c b/arch/arm/kernel/elf.c index 182422981386..5ccd4aced6cc 100644 --- a/arch/arm/kernel/elf.c +++ b/arch/arm/kernel/elf.c @@ -78,9 +78,27 @@ void elf_set_personality(const struct elf32_hdr *x) EXPORT_SYMBOL(elf_set_personality); /* - * Set READ_IMPLIES_EXEC if: - * - the binary requires an executable stack - * - we're running on a CPU which doesn't support NX. + * An executable for which elf_read_implies_exec() returns TRUE will + * have the READ_IMPLIES_EXEC personality flag set automatically. + * + * The decision process for determining the results are: + * + *              CPU: | lacks NX*  | has NX | + * ELF:              |            |           | + * ---------------------|------------|------------| + * missing PT_GNU_STACK | exec-all   | exec-all  | + * PT_GNU_STACK == RWX  | exec-all   | exec-all  | + * PT_GNU_STACK == RW   | exec-all  | exec-none | + * + * exec-all : all PROT_READ user mappings are executable, except when + * backed by files on a noexec-filesystem. + * exec-none : only PROT_EXEC user mappings are executable. + * + * *this column has no architectural effect: NX markings are ignored by + * hardware, but may have behavioral effects when "wants X" collides with + * "cannot be X" constraints in memory permission flags, as in + * https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com + * */ int arm_elf_read_implies_exec(int executable_stack) { diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index b618017205a3..986ecf41fc0f 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h 
@@ -96,6 +96,26 @@ */ #define elf_check_arch(x) ((x)->e_machine == EM_AARCH64) +/* + * An executable for which elf_read_implies_exec() returns TRUE will + * have the READ_IMPLIES_EXEC personality flag set automatically. + * + * The decision process for determining the results are: + * + *              CPU*: | arm32    | arm64 | + * ELF:              |            |            | + * ---------------------|------------|------------| + * missing PT_GNU_STACK | exec-all   | exec-all   | + * PT_GNU_STACK == RWX  | exec-all   | exec-all   | + * PT_GNU_STACK == RW   | exec-none | exec-none | + * + * exec-all : all PROT_READ user mappings are executable, except when + * backed by files on a noexec-filesystem. + * exec-none : only PROT_EXEC user mappings are executable. + * + * *all arm64 CPUs support NX, so there is no "lacks NX" column. + * + */ #define elf_read_implies_exec(ex,stk) (stk != EXSTACK_DISABLE_X) #define CORE_DUMP_USE_REGSET From patchwork Fri Mar 27 06:48:19 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11461779 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 15E421668 for ; Fri, 27 Mar 2020 06:49:35 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id 4720E20578 for ; Fri, 27 Mar 2020 06:49:34 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="JROchnuo" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4720E20578 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-18254-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 27681 
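Review bot: in the arch/arm/kernel/elf.c hunk the table cells are not padded to one width (the "has NX" header is narrower than its separator, and "exec-all  |" in the PT_GNU_STACK == RW row has one space fewer than the rows above it), and "The decision process for determining the results are:" needs "is"; aligning the cells to the separator row keeps the table legible. The three-line comment being removed stated the rule in words ("the binary requires an executable stack" or "a CPU which doesn't support NX"); keeping a one-line version of it beside the table would preserve the why, since the table only shows the outcome.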
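Review bot: the arch/arm64 hunk puts the asterisk on the "CPU*:" header while the x86 and arm32 tables attach it to the "lacks NX*" cell, and its footnote explains the absence of a column rather than a property of one; please spell out that the "arm32" column covers compat (32-bit) tasks running on an arm64 kernel. A reader of arch/arm64/include/asm/elf.h could otherwise take it for the native arm32 kernel's behaviour, which is documented separately in arch/arm/kernel/elf.c and differs on pre-NX CPUs (exec-all in every row there).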
From: Kees Cook To: Borislav Petkov Cc: Kees Cook , Hector Marco-Gisbert , Jason Gunthorpe , Catalin Marinas , Jason Gunthorpe , Russell King , Will Deacon , Jann Horn , x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org Subject: [PATCH v5 5/6] arm32/64, elf: Split READ_IMPLIES_EXEC from executable PT_GNU_STACK Date: Thu, 26 Mar 2020 23:48:19 -0700 Message-Id: <20200327064820.12602-6-keescook@chromium.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200327064820.12602-1-keescook@chromium.org> References: <20200327064820.12602-1-keescook@chromium.org> MIME-Version: 1.0 The READ_IMPLIES_EXEC work-around was designed for old toolchains that lacked the ELF PT_GNU_STACK marking under the assumption that toolchains that couldn't specify executable permission flags for the stack may not know how to do it correctly for any memory region. This logic is sensible for having ancient binaries coexist in a system with possibly NX memory, but was implemented in a way that equated having a PT_GNU_STACK marked executable as being as "broken" as lacking the PT_GNU_STACK marking entirely. Things like unmarked assembly and stack trampolines may cause PT_GNU_STACK to need an executable bit, but they do not imply all mappings must be executable. This confusion has led to situations where modern programs with explicitly marked executable stack are forced into the READ_IMPLIES_EXEC state when no such thing is needed. (And leads to unexpected failures when mmap()ing regions of device driver memory that wish to disallow VM_EXEC[1].) In looking for other reasons for the READ_IMPLIES_EXEC behavior, Jann Horn noted that glibc thread stacks have always been marked RWX (until 2003 when they started tracking the PT_GNU_STACK flag instead[2]). And musl doesn't support executable stacks at all[3]. As such, no breakage for multithreaded applications is expected from this change. 
This changes arm32 and arm64 compat together, to keep behavior the same. [1] https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com [2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=54ee14b3882 [3] https://lkml.kernel.org/r/20190423192534.GN23599@brightrain.aerifal.cx Suggested-by: Hector Marco-Gisbert Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe Reviewed-by: Catalin Marinas --- arch/arm/kernel/elf.c | 5 +++-- arch/arm64/include/asm/elf.h | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/arch/arm/kernel/elf.c b/arch/arm/kernel/elf.c index 5ccd4aced6cc..254ab7138c85 100644 --- a/arch/arm/kernel/elf.c +++ b/arch/arm/kernel/elf.c @@ -87,12 +87,13 @@ EXPORT_SYMBOL(elf_set_personality); * ELF:              |            |           | * ---------------------|------------|------------| * missing PT_GNU_STACK | exec-all   | exec-all  | - * PT_GNU_STACK == RWX  | exec-all   | exec-all  | + * PT_GNU_STACK == RWX  | exec-all   | exec-stack | * PT_GNU_STACK == RW   | exec-all  | exec-none | * * exec-all : all PROT_READ user mappings are executable, except when * backed by files on a noexec-filesystem. * exec-none : only PROT_EXEC user mappings are executable. + * exec-stack: only the stack and PROT_EXEC user mappings are executable. * * *this column has no architectural effect: NX markings are ignored by * hardware, but may have behavioral effects when "wants X" collides with @@ -102,7 +103,7 @@ EXPORT_SYMBOL(elf_set_personality); */ int arm_elf_read_implies_exec(int executable_stack) { - if (executable_stack != EXSTACK_DISABLE_X) + if (executable_stack == EXSTACK_DEFAULT) return 1; if (cpu_architecture() < CPU_ARCH_ARMv6) return 1; diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index 986ecf41fc0f..0074e9fd6431 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h 
@@ -106,17 +106,18 @@ * ELF:              |            |            | * ---------------------|------------|------------| * missing PT_GNU_STACK | exec-all   | exec-all   | - * PT_GNU_STACK == RWX  | exec-all   | exec-all   | + * PT_GNU_STACK == RWX  | exec-stack | exec-stack | * PT_GNU_STACK == RW   | exec-none | exec-none | * * exec-all : all PROT_READ user mappings are executable, except when * backed by files on a noexec-filesystem. * exec-none : only PROT_EXEC user mappings are executable. + * exec-stack: only the stack and PROT_EXEC user mappings are executable. * * *all arm64 CPUs support NX, so there is no "lacks NX" column. * */ -#define elf_read_implies_exec(ex,stk) (stk != EXSTACK_DISABLE_X) +#define elf_read_implies_exec(ex, stk) (stk == EXSTACK_DEFAULT) #define CORE_DUMP_USE_REGSET #define ELF_EXEC_PAGESIZE PAGE_SIZE From patchwork Fri Mar 27 06:48:20 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 11461777 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4604313A4 for ; Fri, 27 Mar 2020 06:49:25 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id A1DAD20714 for ; Fri, 27 Mar 2020 06:49:24 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="i/kVRB9h" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org A1DAD20714 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-18253-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 26456 invoked by uid 550); 27 Mar 2020 06:48:43 -0000 Mailing-List: contact 
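Review bot: in the arm_elf_read_implies_exec() hunk the function now returns 1 for EXSTACK_DEFAULT and, independently, for "cpu_architecture() < CPU_ARCH_ARMv6", so on a pre-ARMv6 CPU a PT_GNU_STACK == RWX binary still gets READ_IMPLIES_EXEC; the table row in the same hunk records this correctly as exec-all in the "lacks NX" column, but the commit message's "keep behavior the same" between arm32 and arm64 compat only holds on CPUs with NX. A sentence saying that pre-ARMv6 keeps exec-all in every row would avoid that confusion. Minor: the new "exec-stack |" cell is one character wider than its column.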
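Review bot: the arch/arm64 hunk bundles a whitespace fix in the macro parameter list ("(ex,stk)" to "(ex, stk)") with the behavioural change; that is fine, but calling it out in the commit message would stop a reader who diffs only the macro line from wondering whether the parameter list itself matters.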
From: Kees Cook To: Borislav Petkov Cc: Kees Cook , Hector Marco-Gisbert , Jason Gunthorpe , Catalin Marinas , Jason Gunthorpe , Russell King , Will Deacon , Jann Horn , x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org Subject: [PATCH v5 6/6] arm64, elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces Date: Thu, 26 Mar 2020 23:48:20 -0700 Message-Id: <20200327064820.12602-7-keescook@chromium.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200327064820.12602-1-keescook@chromium.org> References: <20200327064820.12602-1-keescook@chromium.org> MIME-Version: 1.0 With arm64 64-bit environments, there should never be a need for automatic READ_IMPLIES_EXEC, as the architecture has always been execute-bit aware (as in, the default memory protection should be NX unless a region explicitly requests to be executable). Suggested-by: Hector Marco-Gisbert Signed-off-by: Kees Cook Reviewed-by: Jason Gunthorpe Reviewed-by: Catalin Marinas --- arch/arm64/include/asm/elf.h | 4 ++-- fs/compat_binfmt_elf.c | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index 0074e9fd6431..0e7df6f1eb7a 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h @@ -105,7 +105,7 @@ *              CPU*: | arm32    | arm64 | * ELF:              |            |            | * ---------------------|------------|------------| - * missing PT_GNU_STACK | exec-all   | exec-all   | + * missing PT_GNU_STACK | exec-all   | exec-none  | * PT_GNU_STACK == RWX  | exec-stack | exec-stack | * PT_GNU_STACK == RW   | exec-none | exec-none | * @@ -117,7 +117,7 @@ * *all arm64 CPUs support NX, so there is no "lacks NX" column. * */ -#define elf_read_implies_exec(ex, stk) (stk == EXSTACK_DEFAULT) +#define compat_elf_read_implies_exec(ex, stk) (stk == EXSTACK_DEFAULT) #define CORE_DUMP_USE_REGSET #define ELF_EXEC_PAGESIZE PAGE_SIZE 
diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c index aaad4ca1217e..3068d57436b3 100644 --- a/fs/compat_binfmt_elf.c +++ b/fs/compat_binfmt_elf.c @@ -113,6 +113,11 @@ #define arch_setup_additional_pages compat_arch_setup_additional_pages #endif +#ifdef compat_elf_read_implies_exec +#undef elf_read_implies_exec +#define elf_read_implies_exec compat_elf_read_implies_exec +#endif + /* * Rename a few of the symbols that binfmt_elf.c will define. * These are all local so the names don't really matter, but it
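Review bot: the rename in the second arch/arm64 hunk (elf_read_implies_exec to compat_elf_read_implies_exec) leaves arch/arm64 with no elf_read_implies_exec definition for native binaries, so the exec-none shown in the "arm64" column now comes from whatever default the generic ELF loader supplies when an arch does not define the macro; please say so in the commit message and confirm that default evaluates to 0, as the table cell implies. Since the table now documents two different macros, heading the columns "compat (arm32)" and "native (arm64)" would make that visible.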
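Review bot: the new "#ifdef compat_elf_read_implies_exec" block in fs/compat_binfmt_elf.c needs a one-line comment saying it lets an architecture give its compat loader a different answer than the native one, and why it is keyed on the arch defining compat_elf_read_implies_exec rather than on CONFIG_COMPAT; the block also lands between the arch_setup_additional_pages override and the "Rename a few of the symbols" comment, so either position should be chosen deliberately and the comment placed with the others. The unconditional "#undef elf_read_implies_exec" inside the guard is harmless when the arch never defined it (as arm64 no longer does after this series), but that is worth stating since it is the only #undef here without a matching native definition.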