From patchwork Mon May 21 06:41:52 2018
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 10414025
Subject: Patch "x86/mm: Drop TS_COMPAT on 64-bit exec() syscall" has been added to the 4.16-stable tree
To: 0x7f454c46@gmail.com,
    20180517233510.24996-1-dima@arista.com, amonakov@ispras.ru, bp@suse.de, dima@arista.com, gorcunov@openvz.org, gregkh@linuxfoundation.org, hpa@zytor.com, izbyshev@ispras.ru, kirill.shutemov@linux.intel.com, linux-mm@kvack.org, luto@kernel.org, tglx@linutronix.de
Cc:
From:
Date: Mon, 21 May 2018 08:41:52 +0200
Message-ID: <15268849126109@kroah.com>
X-stable: commit

This is a note to let you know that I've just added the patch titled

    x86/mm: Drop TS_COMPAT on 64-bit exec() syscall

to the 4.16-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     x86-mm-drop-ts_compat-on-64-bit-exec-syscall.patch
and it can be found in the queue-4.16 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.


From acf46020012ccbca1172e9c7aeab399c950d9212 Mon Sep 17 00:00:00 2001
From: Dmitry Safonov
Date: Fri, 18 May 2018 00:35:10 +0100
Subject: x86/mm: Drop TS_COMPAT on 64-bit exec() syscall
From: Dmitry Safonov

commit acf46020012ccbca1172e9c7aeab399c950d9212 upstream.

The x86 mmap() code selects the mmap base for an allocation depending on
the bitness of the syscall. For 64bit syscalls it selects mm->mmap_base
and for 32bit mm->mmap_compat_base.

exec() calls mmap() which in turn uses in_compat_syscall() to check
whether the mapping is for a 32bit or a 64bit task. The decision is made
on the following criteria:

  ia32    child->thread.status & TS_COMPAT
  x32     child->pt_regs.orig_ax & __X32_SYSCALL_BIT
  ia64    !ia32 && !x32

__set_personality_x32() was dropping TS_COMPAT flag, but
set_personality_64bit() has kept compat syscall flag making
in_compat_syscall() return true during the first exec() syscall.

Which in result has user-visible effects, mentioned by Alexey:

1) It breaks ASAN

  $ gcc -fsanitize=address wrap.c -o wrap-asan
  $ ./wrap32 ./wrap-asan true
  ==1217==Shadow memory range interleaves with an existing memory mapping. ASan cannot proceed correctly. ABORTING.
  ==1217==ASan shadow was supposed to be located in the [0x00007fff7000-0x10007fff7fff] range.
  ==1217==Process memory map follows:
        0x000000400000-0x000000401000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
        0x000000600000-0x000000601000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
        0x000000601000-0x000000602000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
        0x0000f7dbd000-0x0000f7de2000   /lib64/ld-2.27.so
        0x0000f7fe2000-0x0000f7fe3000   /lib64/ld-2.27.so
        0x0000f7fe3000-0x0000f7fe4000   /lib64/ld-2.27.so
        0x0000f7fe4000-0x0000f7fe5000
        0x7fed9abff000-0x7fed9af54000
        0x7fed9af54000-0x7fed9af6b000   /lib64/libgcc_s.so.1
        [snip]

2) It doesn't seem to be great for security if an attacker always knows
that ld.so is going to be mapped into the first 4GB in this case (the
same thing happens for PIEs as well).
The testcase:

  $ cat wrap.c
  #include <unistd.h>

  int main(int argc, char *argv[])
  {
      /* re-exec the remaining arguments as a new program */
      execvp(argv[1], &argv[1]);
      return 127;
  }
  $ gcc wrap.c -o wrap
  $ LD_SHOW_AUXV=1 ./wrap ./wrap true |& grep AT_BASE
  AT_BASE: 0x7f63b8309000
  AT_BASE: 0x7faec143c000
  AT_BASE: 0x7fbdb25fa000
  $ gcc -m32 wrap.c -o wrap32
  $ LD_SHOW_AUXV=1 ./wrap32 ./wrap true |& grep AT_BASE
  AT_BASE: 0xf7eff000
  AT_BASE: 0xf7cee000
  AT_BASE: 0x7f8b9774e000

Fixes: 1b028f784e8c ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
Fixes: ada26481dfe6 ("x86/mm: Make in_compat_syscall() work during exec")
Reported-by: Alexey Izbyshev
Bisected-by: Alexander Monakov
Investigated-by: Andy Lutomirski
Signed-off-by: Dmitry Safonov
Signed-off-by: Thomas Gleixner
Reviewed-by: Cyrill Gorcunov
Cc: Borislav Petkov
Cc: Alexander Monakov
Cc: Dmitry Safonov <0x7f454c46@gmail.com>
Cc: stable@vger.kernel.org
Cc: linux-mm@kvack.org
Cc: Andy Lutomirski
Cc: "H. Peter Anvin"
Cc: Cyrill Gorcunov
Cc: "Kirill A. Shutemov"
Link: https://lkml.kernel.org/r/20180517233510.24996-1-dima@arista.com
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kernel/process_64.c | 1 +
 1 file changed, 1 insertion(+)

Patches currently in stable-queue which might be from dima@arista.com are

queue-4.16/x86-mm-drop-ts_compat-on-64-bit-exec-syscall.patch

--- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c @@ -528,6 +528,7 @@ void set_personality_64bit(void) clear_thread_flag(TIF_X32); /* Pretend that this comes from a 64bit execve */ task_pt_regs(current)->orig_ax = __NR_execve; + current_thread_info()->status &= ~TS_COMPAT; /* Ensure the corresponding mm is not marked. */ if (current->mm)
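Review bot: the added `current_thread_info()->status &= ~TS_COMPAT;` only touches the 64-bit exec path in set_personality_64bit(); per the commit message __set_personality_x32() already drops the flag and set_personality_ia32() (not in this hunk) is expected to keep it, so the ia32/x32/64 criteria for in_compat_syscall() now agree with what each personality setter leaves behind. Two requests: extend the preceding comment `/* Pretend that this comes from a 64bit execve */` so it also states that TS_COMPAT is cleared for the same reason, otherwise the new line reads as unrelated to the orig_ax assignment directly above it; and turn the wrap32/LD_SHOW_AUXV AT_BASE testcase from the commit message into a selftest, since the 32-bit-to-64-bit exec case is exactly the one that the earlier Fixes commits got wrong and nothing in the tree exercises it automatically.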
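As an added userspace regression check (my code, not part of the patch or the commit message): it parses LD_SHOW_AUXV-style `AT_BASE:` lines for an exec() chain whose bitness is known and flags any 64-bit program whose ld.so landed below 4 GB, which is the symptom of the stale TS_COMPAT flag; the sample values are constructed from the `./wrap32 ./wrap true` transcript above, and the live check assumes glibc's getauxval().

```c
/* Added regression check, not part of the patch: flag any 64-bit program in an
 * exec() chain whose ld.so (AT_BASE) landed in the 32-bit compat mmap window. */
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

#define COMPAT_LIMIT (1ULL << 32)   /* mmap_compat_base layouts stay below 4 GB */
struct exec_step { int bits; uint64_t at_base; };   /* ELF bitness and its AT_BASE */

/* Parse one "AT_BASE: 0x..." line as printed by LD_SHOW_AUXV=1; returns 1 on success. */
int parse_at_base(const char *line, uint64_t *base)
{
    const char *p = strstr(line, "AT_BASE:");
    char *end;
    if (!p) return 0;
    *base = strtoull(p + 8, &end, 16);   /* strtoull skips the blank and accepts "0x" */
    return end != p + 8;
}

/* A 64-bit task must never have its interpreter mapped below 4 GB; a 32-bit one may. */
int layout_is_stale(const struct exec_step *s)
{
    return s->bits == 64 && s->at_base != 0 && s->at_base < COMPAT_LIMIT;
}

/* Index of the first offending step in the chain, or -1 if every layout is sane. */
int find_stale_step(const struct exec_step *chain, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (layout_is_stale(&chain[i]))
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed from the commit message's "./wrap32 ./wrap true" run: 32, 64, 64 bit. */
    const char *lines[] = { "AT_BASE: 0xf7eff000", "AT_BASE: 0xf7cee000", "AT_BASE: 0x7f8b9774e000" };
    struct exec_step chain[3] = { { 32, 0 }, { 64, 0 }, { 64, 0 } };
    for (int i = 0; i < 3; i++)
        if (!parse_at_base(lines[i], &chain[i].at_base))
            return 2;
    int bad = find_stale_step(chain, 3);
    if (bad >= 0)
        printf("step %d: 64-bit program with ld.so at %#" PRIx64 " (compat window)\n", bad, chain[bad].at_base);
    /* Live check: build this 64-bit and exec it from a 32-bit wrapper on the kernel under test. */
    struct exec_step self = { 8 * (int)sizeof(void *), getauxval(AT_BASE) };
    printf("this process: AT_BASE %#" PRIx64 " (%s)\n", self.at_base, layout_is_stale(&self) ? "STALE" : "ok");
    return bad >= 0;
}
```

On the transcript above the constructed chain reports step 1 (the 64-bit ./wrap launched from wrap32), while the fixed kernel should report only the live process as ok.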