| Message ID | 20200210193049.64362-1-keescook@chromium.org (mailing list archive) |
|---|---|
| Headers | show |
| Series | binfmt_elf: Update READ_IMPLIES_EXEC logic for modern CPUs | expand |
On Mon, Feb 10, 2020 at 11:30:42AM -0800, Kees Cook wrote: > Hi, > > This is a refresh of my earlier attempt to fix READ_IMPLIES_EXEC. I think > it incorporates the feedback from v2, and I've now added a selftest. This > series is for x86, arm, and arm64; I'd like it to go via -tip, though, > just to keep this change together with the selftest. To that end, I'd like > to collect Acks from the respective architecture maintainers. (Note that > most other architectures don't suffer from this problem. e.g. powerpc's > behavior appears to already be correct. MIPS may need adjusting but the > history of CPU features and toolchain behavior is very unclear to me.) > > Repeating the commit log from later in the series: > > > The READ_IMPLIES_EXEC work-around was designed for old toolchains that > lacked the ELF PT_GNU_STACK marking under the assumption that toolchains > that couldn't specify executable permission flags for the stack may not > know how to do it correctly for any memory region. > > This logic is sensible for having ancient binaries coexist in a system > with possibly NX memory, but was implemented in a way that equated having > a PT_GNU_STACK marked executable as being as "broken" as lacking the > PT_GNU_STACK marking entirely. Things like unmarked assembly and stack > trampolines may cause PT_GNU_STACK to need an executable bit, but they > do not imply all mappings must be executable. > > This confusion has led to situations where modern programs with explicitly > marked executable stack are forced into the READ_IMPLIES_EXEC state when > no such thing is needed. (And leads to unexpected failures when mmap()ing > regions of device driver memory that wish to disallow VM_EXEC[1].) > > In looking for other reasons for the READ_IMPLIES_EXEC behavior, Jann > Horn noted that glibc thread stacks have always been marked RWX (until > 2003 when they started tracking the PT_GNU_STACK flag instead[2]). And > musl doesn't support executable stacks at all[3]. As such, no breakage > for multithreaded applications is expected from this change. > > [1] https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com > [2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=54ee14b3882 > [3] https://lkml.kernel.org/r/20190423192534.GN23599@brightrain.aerifal.cx I'm happy to see this, I think it will help the situation. While I'm not well versed in all the historical details, the general approach makes sense to me and I've looked through the patches. I would like to follow this up with a patch to again block VM_EXEC from the RDMA related mmap of BAR paths.. Reviewed-by: Jason Gunthorpe <jgg@mellanox.com> Jason
Hi, This is a refresh of my earlier attempt to fix READ_IMPLIES_EXEC. I think it incorporates the feedback from v2, and I've now added a selftest. This series is for x86, arm, and arm64; I'd like it to go via -tip, though, just to keep this change together with the selftest. To that end, I'd like to collect Acks from the respective architecture maintainers. (Note that most other architectures don't suffer from this problem. e.g. powerpc's behavior appears to already be correct. MIPS may need adjusting but the history of CPU features and toolchain behavior is very unclear to me.) Repeating the commit log from later in the series: The READ_IMPLIES_EXEC work-around was designed for old toolchains that lacked the ELF PT_GNU_STACK marking under the assumption that toolchains that couldn't specify executable permission flags for the stack may not know how to do it correctly for any memory region. This logic is sensible for having ancient binaries coexist in a system with possibly NX memory, but was implemented in a way that equated having a PT_GNU_STACK marked executable as being as "broken" as lacking the PT_GNU_STACK marking entirely. Things like unmarked assembly and stack trampolines may cause PT_GNU_STACK to need an executable bit, but they do not imply all mappings must be executable. This confusion has led to situations where modern programs with explicitly marked executable stack are forced into the READ_IMPLIES_EXEC state when no such thing is needed. (And leads to unexpected failures when mmap()ing regions of device driver memory that wish to disallow VM_EXEC[1].) In looking for other reasons for the READ_IMPLIES_EXEC behavior, Jann Horn noted that glibc thread stacks have always been marked RWX (until 2003 when they started tracking the PT_GNU_STACK flag instead[2]). And musl doesn't support executable stacks at all[3]. As such, no breakage for multithreaded applications is expected from this change. [1] https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com [2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=54ee14b3882 [3] https://lkml.kernel.org/r/20190423192534.GN23599@brightrain.aerifal.cx -Kees v3: - split steps in to distinct patches - include arm32 and arm64/compat - add selftests to validate behavior v2: https://lore.kernel.org/lkml/20190424203408.GA11386@beast/ v1: https://lore.kernel.org/lkml/20190423181210.GA2443@beast/ Kees Cook (7): x86/elf: Add table to document READ_IMPLIES_EXEC x86/elf: Split READ_IMPLIES_EXEC from executable GNU_STACK x86/elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces arm32/64, elf: Add tables to document READ_IMPLIES_EXEC arm32/64, elf: Split READ_IMPLIES_EXEC from executable GNU_STACK arm64, elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces selftests/exec: Add READ_IMPLIES_EXEC tests arch/arm/kernel/elf.c | 27 +++- arch/arm64/include/asm/elf.h | 23 +++- arch/x86/include/asm/elf.h | 22 +++- fs/compat_binfmt_elf.c | 5 + tools/testing/selftests/exec/Makefile | 42 +++++- .../selftests/exec/read_implies_exec.c | 121 ++++++++++++++++++ .../selftests/exec/strip-gnu-stack-bits.c | 34 +++++ .../testing/selftests/exec/strip-gnu-stack.c | 69 ++++++++++ 8 files changed, 336 insertions(+), 7 deletions(-) create mode 100644 tools/testing/selftests/exec/read_implies_exec.c create mode 100644 tools/testing/selftests/exec/strip-gnu-stack-bits.c create mode 100644 tools/testing/selftests/exec/strip-gnu-stack.c