From patchwork Wed Aug 16 22:28:35 2017
X-Patchwork-Submitter: Mark Salyzyn
X-Patchwork-Id: 9904689
From: Mark Salyzyn
To: linux-kernel@vger.kernel.org
Subject: [PATCH v2 3/3] arm64: compat: Add CONFIG_KUSER_HELPERS
Date: Wed, 16 Aug 2017 15:28:35 -0700
Message-Id: <20170816222857.119247-1-salyzyn@android.com>
Cc: Mark Rutland, Jisheng Zhang, Kees Cook, Ard Biesheuvel, Catalin Marinas, Kevin Brodsky, Will Deacon, Mark Salyzyn, Scott Wood, AKASHI Takahiro, Michal Marek, John Stultz, Laura Abbott, linux-arm-kernel@lists.infradead.org

From: Kevin Brodsky

Make it possible to disable the kuser helpers by adding a KUSER_HELPERS
config option (enabled by default). When disabled, all kuser
helpers-related code is removed from the kernel and no mapping is done
at the fixed high address (0xffff0000); any attempt to use a kuser
helper from a 32-bit process will result in a segfault.

Signed-off-by: Kevin Brodsky
Signed-off-by: Mark Salyzyn

v2:
- split off assembler changes to a new previous patch in series to reduce churn
- modify slightly the feature documentation to reduce its reach
- modify slightly the feature documentation to rationalize the yes default.
- There are more ifdefs as a result of the rebase.
---
 arch/arm64/Kconfig         | 30 ++++++++++++++++++++++++++++++
 arch/arm64/kernel/Makefile |  2 +-
 arch/arm64/kernel/vdso.c   | 10 ++++++++++
 3 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index dfd908630631..407f74e7a64a 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1100,6 +1100,36 @@ config COMPAT If you want to execute 32-bit userspace applications, say Y. +config KUSER_HELPERS + bool "Enable the kuser helpers page in 32-bit processes" + depends on COMPAT + default y + help + Warning: disabling this option may break 32-bit applications. + + Provide kuser helpers in a special purpose fixed-address page. The + kernel provides helper code to userspace in read-only form at a fixed + location to allow userspace to be independent of the CPU type fitted + to the system. This permits 32-bit binaries to be run on ARMv6 through + to ARMv8 without modification. + + See Documentation/arm/kernel_user_helpers.txt for details. + + However, the fixed-address nature of these helpers can be used by ROP + (return-orientated programming) authors when creating exploits. + + If all of the 32-bit binaries and libraries that run on your platform + are built specifically for your platform, and make no use of these + helpers, then you can turn this option off to hinder such exploits. + However, in that case, if a binary or library relying on those helpers + is run, it will receive a SIGSEGV signal, which will terminate the + program. Typically, binaries compiled for ARMv7 or later do not use + the kuser helpers. + + Say N here only if you are absolutely certain that you do not need + these helpers; otherwise, the safe option is to say Y (the default + for now) + config SYSVIPC_COMPAT def_bool y depends on COMPAT && SYSVIPC diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile index 59e1b2b002e5..12f9d1e3a027 100644 --- a/arch/arm64/kernel/Makefile +++ b/arch/arm64/kernel/Makefile 
@@ -30,7 +30,7 @@ $(obj)/%.stub.o: $(obj)/%.o FORCE arm64-obj-$(CONFIG_COMPAT) += sys32.o signal32.o \ sys_compat.o entry32.o arm64-obj-$(CONFIG_COMPAT) += sigreturn32.o -arm64-obj-$(CONFIG_COMPAT) += kuser32.o +arm64-obj-$(CONFIG_KUSER_HELPERS) += kuser32.o arm64-obj-$(CONFIG_FUNCTION_TRACER) += ftrace.o entry-ftrace.o arm64-obj-$(CONFIG_MODULES) += arm64ksyms.o module.o arm64-obj-$(CONFIG_ARM64_MODULE_PLTS) += module-plts.o diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c index 3777f232c18e..c2a483afd7bc 100644 --- a/arch/arm64/kernel/vdso.c +++ b/arch/arm64/kernel/vdso.c @@ -62,18 +62,22 @@ static const struct vm_special_mapping compat_vdso_spec[] = { .name = "[sigpage]", .pages = &vectors_page[0], }, +#ifdef CONFIG_KUSER_HELPERS { .name = "[kuserhelpers]", .pages = &vectors_page[1], }, +#endif }; static struct page *vectors_page[ARRAY_SIZE(compat_vdso_spec)] __ro_after_init; static int __init alloc_vectors_page(void) { +#ifdef CONFIG_KUSER_HELPERS extern char __kuser_helper_start[], __kuser_helper_end[]; size_t kuser_sz = __kuser_helper_end - __kuser_helper_start; unsigned long kuser_vpage; +#endif extern char __aarch32_sigret_code_start[], __aarch32_sigret_code_end[]; size_t sigret_sz = @@ -84,22 +88,26 @@ static int __init alloc_vectors_page(void) if (!sigret_vpage) return -ENOMEM; +#ifdef CONFIG_KUSER_HELPERS kuser_vpage = get_zeroed_page(GFP_ATOMIC); if (!kuser_vpage) { free_page(sigret_vpage); return -ENOMEM; } +#endif /* sigreturn code */ memcpy((void *)sigret_vpage, __aarch32_sigret_code_start, sigret_sz); flush_icache_range(sigret_vpage, sigret_vpage + PAGE_SIZE); vectors_page[0] = virt_to_page(sigret_vpage); +#ifdef CONFIG_KUSER_HELPERS /* kuser helpers */ memcpy((void *)kuser_vpage + 0x1000 - kuser_sz, __kuser_helper_start, kuser_sz); flush_icache_range(kuser_vpage, kuser_vpage + PAGE_SIZE); vectors_page[1] = virt_to_page(kuser_vpage); +#endif return 0; } 
@@ -128,11 +136,13 @@ int aarch32_setup_vectors_page(struct linux_binprm *bprm, int uses_interp) current->mm->context.vdso = (void *)addr; +#ifdef CONFIG_KUSER_HELPERS /* Map the kuser helpers at the ABI-defined high address. */ ret = _install_special_mapping(mm, AARCH32_KUSER_HELPERS_BASE, PAGE_SIZE, VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYEXEC, &compat_vdso_spec[1]); +#endif out: up_write(&mm->mmap_sem);
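
Review bot: The KUSER_HELPERS help text in arch/arm64/Kconfig never says which mapping disappears when the option is off. The commit message names the fixed high address (0xffff0000); repeating it in the paragraph that begins "Provide kuser helpers in a special purpose fixed-address page" would let someone auditing a hardened config see exactly what N removes. Two nits in the same help block: "return-orientated" is normally written "return-oriented", and the final sentence ends at "(the default for now)" without a closing period.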
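
Review bot: alloc_vectors_page() in arch/arm64/kernel/vdso.c now carries three separate #ifdef CONFIG_KUSER_HELPERS blocks (declarations, allocation, copy), on top of the one inside compat_vdso_spec[]. Moving the kuser allocation and memcpy into one helper with an empty stub for the disabled case would leave a single conditional and keep the error path, where free_page(sigret_vpage) runs after a failed kuser allocation, in one place. The hard-coded indices in "&vectors_page[1]" and "&compat_vdso_spec[1]" are only valid when the option is on, so named index constants would make that coupling visible.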
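
Review bot: In the aarch32_setup_vectors_page() hunk the only assignment to ret visible here is now inside #ifdef CONFIG_KUSER_HELPERS, so with the option off the value that reaches the out: label comes entirely from code above the hunk. Please confirm that ret already holds a success value at that point, or set it explicitly in an #else branch so the disabled build does not depend on the earlier statement.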
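
The commit message says that with the option off nothing is mapped at 0xffff0000. The following check for that is an added example, not part of the patch or of the kernel tree: it scans text in /proc/<pid>/maps format for a mapping that covers that address or carries the "[kuserhelpers]" name from compat_vdso_spec[]. The function name and the sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values taken from the patch: fixed address and special-mapping name. */
#define KUSER_BASE 0xffff0000ULL
#define KUSER_NAME "[kuserhelpers]"

/* Constructed sample lines in /proc/<pid>/maps format (not real output). */
static const char sample_with[] =
    "00400000-00401000 r-xp 00000000 b3:02 1234   /system/bin/app32\n"
    "f7a00000-f7a01000 r-xp 00000000 00:00 0      [sigpage]\n"
    "ffff0000-ffff1000 r-xp 00000000 00:00 0      [kuserhelpers]\n";
static const char sample_without[] =
    "00400000-00401000 r-xp 00000000 b3:02 1234   /system/bin/app32\n"
    "f7a00000-f7a01000 r-xp 00000000 00:00 0      [sigpage]\n";

/* Return 1 if any line covers KUSER_BASE or is named KUSER_NAME, else 0. */
int maps_has_kuser_page(const char *maps)
{
    while (*maps) {
        size_t len = strcspn(maps, "\n");
        size_t n = len < 511 ? len : 511;   /* truncate overlong lines */
        char line[512], *end, *name;
        unsigned long long start, stop;

        memcpy(line, maps, n);
        line[n] = '\0';

        /* First field is "start-end" in hex; end is exclusive. */
        start = strtoull(line, &end, 16);
        if (end != line && *end == '-') {
            stop = strtoull(end + 1, NULL, 16);
            if (start <= KUSER_BASE && KUSER_BASE < stop)
                return 1;
        }
        /* Last space-separated field is the mapping name, if any. */
        name = strrchr(line, ' ');
        if (name && strcmp(name + 1, KUSER_NAME) == 0)
            return 1;

        maps += len;
        if (*maps == '\n')
            maps++;
    }
    return 0;
}

int main(void)
{
    printf("with helpers:    %d\n", maps_has_kuser_page(sample_with));
    printf("without helpers: %d\n", maps_has_kuser_page(sample_without));
    return 0;
}
```
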