Hi Miodrag,
> When kernel is detecting the type of mapping it should apply :
>
> fs/binfmt_elf.c:
> ...
> if (elf_read_implies_exec(loc->elf_ex, executable_stack))
> current->personality |= READ_IMPLIES_EXEC;
> ...
>
> this effectively calls mips_elf_read_implies_exec() which performs a check:
> ...
> if (!cpu_has_rixi) {
> /* The CPU doesn't support non-executable memory */
> return 1;
> }
>
> return 0;
> }
>
> This will in turn make stack & heap executable on processors without
> RIXI, which are practically all processors with MIPS ISA R < 6.
>
> We would like to have an option to override this and force
> non-executable mappings for such systems.
Of course you can't force a non-executable mapping with a system where
all valid pages are executable, as David has already noted. Did you mean
the other condition, that is:
if (exstack != EXSTACK_DISABLE_X) {
/* The binary doesn't request a non-executable stack */
return 1;
}
? In which case you do want to respect the lack of the RIXI feature,
i.e.:
int mips_elf_read_implies_exec(void *elf_ex, int exstack)
{
if (!cpu_has_rixi) {
/* The CPU doesn't support non-executable memory */
return 1;
}
switch (nonxstack) {
case EXSTACK_DISABLE_X:
return 0;
case EXSTACK_ENABLE_X:
return 1;
default:
break;
}
if (exstack != EXSTACK_DISABLE_X) {
/* The binary doesn't request a non-executable stack */
return 1;
}
return 0;
}
(I'd replace `break' with `return exstack != EXSTACK_DISABLE_X' and
discard the code that follows, but that can be a separate optimisation).
What problem are you trying to solve anyway? Is it not something that
can be handled with the `execstack' utility?
NB as someone has observed with programs that do not request a
non-executable stack we actually propagate the execute permission to all
data pages. Is it not something we would want to handle differently?
Maciej
Hi Maciej, Aleksandar,
On Wed, Dec 06, 2017 at 05:50:52PM +0000, Maciej W. Rozycki wrote:
> What problem are you trying to solve anyway? Is it not something that
> can be handled with the `execstack' utility?
The commit message states that for Android "non-exec stack is required".
Is Android checking that then Aleksandar? If so, how? I presume what you
actually want here is for the kernel to lie & indicate to whatever part
of Android that performs this check that the stack is non-executable
even when it is really executable?
Is this aimed at the Android emulator? If so would it be possible to
instead implement RIXI support & make the non-exec stack actually work?
> NB as someone has observed with programs that do not request a
> non-executable stack we actually propagate the execute permission to all
> data pages. Is it not something we would want to handle differently?
It would of course be ideal to mark data/heap memory non-executable -
the question is how should we know that it's safe to do so. The approach
I took in 1a770b85c1f1 ("MIPS: non-exec stack & heap when non-exec
PT_GNU_STACK is present") was to require the PT_GNU_STACK header in
order to mark both stack & heap non-executable, for reasons outlined in
its commit message:
- I was told at the time that no MIPS tools were yet emitting
PT_GNU_STACK, so we wouldn't be changing the behaviour of any
existing binaries & thus wouldn't break any.
- It matches the behaviour of both ARM & x86.
Marking the heap non-executable by default would have advantages in that
we wouldn't need to worry about icache coherency for it in
set_pte_at()/__update_cache(), so one idea I had was that we could
possibly initially mark pages non-executable in the TLB & later enable
execution only if we take a TLBXI exception, with the assumption being
that in most cases we'll never try executing from the heap. That's not
an idea I've yet found the time to implement or measure the impact of
though.
Thanks,
Paul
Hi Paul, David, Maciej,
thanks for taking interest in this topic and your valuable comments.
Aleksandar is currently on sick leave but I think I can address
all previous questions and concerns by answering to this Pauls last post:
> On Wed, Dec 06, 2017 at 05:50:52PM +0000, Maciej W. Rozycki wrote:
> > What problem are you trying to solve anyway? Is it not something that
> > can be handled with the `execstack' utility?
>
> The commit message states that for Android "non-exec stack is required".
> Is Android checking that then Aleksandar? If so, how?
Android is using SELinux configured to disallow NX mappings by handling
the following sepolicy rules :
* Executable stack (execstack)
* Executable heap (execheap)
* File-based executable code which has been modified (execmod)
* All other executable memory (execmem)
Nice explanation can be found here:
https://android-review.googlesource.com/#/c/platform/bionic/+/145004/
> I presume what you
> actually want here is for the kernel to lie & indicate to whatever part
> of Android that performs this check that the stack is non-executable
> even when it is really executable?
Basically yes, because we do not have other options at this point.
And this kernel parameter should definitely not be used in a production
environments. Hopefully, any future MIPS Android device would have
CPU with RIXI.
> Is this aimed at the Android emulator? If so would it be possible to
> instead implement RIXI support & make the non-exec stack actually work?
This issue was indeed detected using Android emulator while testing the "Ranchu"
platform kernel we are trying to integrate in another series.
We could probably change the emulator and enable RIXI, but the whole point of using it
is to emulate real HW as close as possible (And detect issues which could be
found on real HW as well), so I would tend to keep it unmodified.
But if we do not come to a consensus regarding this patch, we would need to modify it.
For emulating android on different MIPS arch variants we are using the
following CPU emulations:
- For mips32[r1|r2][dsp] - we are using 74Kf - No RIXI
- For mips32r5[msa] - we are using P5600 - has RIXI
- For mips[32|64]r6[msa] - I6400 - has RIXI
The CI20 development board (lacks XI) would also be affected by this issue and it has been running
Android for quite some time now. The kernel for CI20 which we are currently using
is 3.18 and it does NOT yet contain 1a770b85c1f1 ("MIPS: non-exec stack & heap when non-exec
PT_GNU_STACK is present").
The effect of not having some workaround like this in the kernel, would
be to run Android only in SELinux permissive mode.
> > NB as someone has observed with programs that do not request a
> > non-executable stack we actually propagate the execute permission to all
> > data pages. Is it not something we would want to handle differently?
>
> It would of course be ideal to mark data/heap memory non-executable -
> the question is how should we know that it's safe to do so. The approach
> I took in 1a770b85c1f1 ("MIPS: non-exec stack & heap when non-exec
> PT_GNU_STACK is present") was to require the PT_GNU_STACK header in
> order to mark both stack & heap non-executable, for reasons outlined in
> its commit message:
>
> - I was told at the time that no MIPS tools were yet emitting
> PT_GNU_STACK, so we wouldn't be changing the behaviour of any
> existing binaries & thus wouldn't break any.
>
> - It matches the behaviour of both ARM & x86.
>
For Android, Google placed PT_GNU_STACK header in crtend* and this effectively
makes all executables and libraries request NX stack:
https://android-review.googlesource.com/#/c/platform/bionic/+/40773/
The toolchain for Android was updated as well:
https://android-review.googlesource.com/#/c/platform/ndk/+/37140/
------------------
@David:
> All Cavium processors since OCTEON Plus (more than ten years ago)
> support RIXI.
Sure, I missed to mention Cavium. Than I suppose, Cavium would have no issues running Android.
> Also, this does nothing for multi-threaded programs where libc sets the
> permissions on the thread stacks.
I don't think Android bionic is doing anything similar, at least we
haven't seen any issues so far related to this.
> If you really need something, at a minimum, use the same parameter name
> that x86 uses.
Sure, I agree, this was my dilemma as well, we will update the parameter name
to be "noexec".
Kind regards,
Miodrag
________________________________________
From: Paul Burton [[email protected]]
Sent: Wednesday, December 6, 2017 7:24 PM
To: Maciej Rozycki; Aleksandar Markovic; Aleksandar Markovic
Cc: Miodrag Dinic; James Hogan; David Daney; [email protected]; Andrew Morton; DengCheng Zhu; Ding Tianhong; Douglas Leung; Frederic Weisbecker; Goran Ferenc; Ingo Molnar; James Cowgill; Jonathan Corbet; [email protected]; [email protected]; Marc Zyngier; Matt Redfearn; Mimi Zohar; Paul E. McKenney; Petar Jovanovic; Raghu Gandham; Ralf Baechle; Thomas Gleixner; Tom Saeger
Subject: Re: [PATCH v2] MIPS: Add nonxstack=on|off kernel parameter
Hi Maciej, Aleksandar,
On Wed, Dec 06, 2017 at 05:50:52PM +0000, Maciej W. Rozycki wrote:
> What problem are you trying to solve anyway? Is it not something that
> can be handled with the `execstack' utility?
The commit message states that for Android "non-exec stack is required".
Is Android checking that then Aleksandar? If so, how? I presume what you
actually want here is for the kernel to lie & indicate to whatever part
of Android that performs this check that the stack is non-executable
even when it is really executable?
Is this aimed at the Android emulator? If so would it be possible to
instead implement RIXI support & make the non-exec stack actually work?
> NB as someone has observed with programs that do not request a
> non-executable stack we actually propagate the execute permission to all
> data pages. Is it not something we would want to handle differently?
It would of course be ideal to mark data/heap memory non-executable -
the question is how should we know that it's safe to do so. The approach
I took in 1a770b85c1f1 ("MIPS: non-exec stack & heap when non-exec
PT_GNU_STACK is present") was to require the PT_GNU_STACK header in
order to mark both stack & heap non-executable, for reasons outlined in
its commit message:
- I was told at the time that no MIPS tools were yet emitting
PT_GNU_STACK, so we wouldn't be changing the behaviour of any
existing binaries & thus wouldn't break any.
- It matches the behaviour of both ARM & x86.
Marking the heap non-executable by default would have advantages in that
we wouldn't need to worry about icache coherency for it in
set_pte_at()/__update_cache(), so one idea I had was that we could
possibly initially mark pages non-executable in the TLB & later enable
execution only if we take a TLBXI exception, with the assumption being
that in most cases we'll never try executing from the heap. That's not
an idea I've yet found the time to implement or measure the impact of
though.
Thanks,
Paul
Hi Miodrag,
> > I presume what you
> > actually want here is for the kernel to lie & indicate to whatever part
> > of Android that performs this check that the stack is non-executable
> > even when it is really executable?
>
> Basically yes, because we do not have other options at this point.
Please make the purpose of this option unambiguous in documentation then,
along with suitable precautionary notes about any adverse consequences of
its use.
Maciej
Hi,
On Thu, Dec 07, 2017 at 11:33:47AM +0000, Miodrag Dinic wrote:
> > On Wed, Dec 06, 2017 at 05:50:52PM +0000, Maciej W. Rozycki wrote:
> > > What problem are you trying to solve anyway? Is it not something that
> > > can be handled with the `execstack' utility?
> >
> > The commit message states that for Android "non-exec stack is required".
> > Is Android checking that then Aleksandar? If so, how?
>
> Android is using SELinux configured to disallow NX mappings by handling
> the following sepolicy rules :
> * Executable stack (execstack)
> * Executable heap (execheap)
> * File-based executable code which has been modified (execmod)
> * All other executable memory (execmem)
...
> The effect of not having some workaround like this in the kernel, would
> be to run Android only in SELinux permissive mode.
So you want to override the lack of RIXI so that SELinux sees an
RX->RW->RX transition as execmod instead of execmem (since without RIXI
its effectively RX->RWX->RX which is execmem)?
Looking at file_map_prot_check(), it does the execmem check on this
condition:
if (default_noexec &&
(prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
(!shared && (prot & PROT_WRITE)))) {
/*
* We are making executable an anonymous mapping or a
* private file mapping that will also be writable.
* This has an additional check.
*/
default_noexec is set if VM_DATA_DEFAULT_FLAGS doesn't have the exec
flag set, and that flag depends on current->personality &
READ_IMPLIES_EXEC, which depends on elf_read_implies_exec(), i.e.
mips_elf_read_implies_exec(), and that should already return 1 if RIXI
is unavailable.
I.e.
mips_elf_read_implies_exec() == 1
elf_read_implies_exec() == 1
READ_IMPLIES_EXEC will be set in current->personality
VM_DATA_DEFAULT_FLAGS will have VM_EXEC set
default_noexec will be set to 0 in selinux_init()
none of the execmem, execheap, execstack, execmod permission
checks should take place.
So whats the problem exactly? Perhaps I misinterpreted something.
Cheers
James
>
> ________________________________________
> From: James Hogan [[email protected]]
> Sent: Thursday, February 8, 2018 12:55 PM
>
> Hi,
>
> On Thu, Dec 07, 2017 at 11:33:47AM +0000, Miodrag Dinic wrote:
> > > On Wed, Dec 06, 2017 at 05:50:52PM +0000, Maciej W. Rozycki wrote:
> > > > What problem are you trying to solve anyway? Is it not something that
> > > > can be handled with the `execstack' utility?
> > >
> > > The commit message states that for Android "non-exec stack is required".
> > > Is Android checking that then Aleksandar? If so, how?
> >
> > Android is using SELinux configured to disallow NX mappings by handling
> > the following sepolicy rules :
> > * Executable stack (execstack)
> > * Executable heap (execheap)
> > * File-based executable code which has been modified (execmod)
> > * All other executable memory (execmem)
>
> ...
>
> > The effect of not having some workaround like this in the kernel, would
> > be to run Android only in SELinux permissive mode.
>
> So you want to override the lack of RIXI so that SELinux sees an
> RX->RW->RX transition as execmod instead of execmem (since without RIXI
> its effectively RX->RWX->RX which is execmem)?
>
That is correct.
>
> Looking at file_map_prot_check(), it does the execmem check on this
> condition:
>
> if (default_noexec &&
> (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
> (!shared && (prot & PROT_WRITE)))) {
> /*
> * We are making executable an anonymous mapping or a
> * private file mapping that will also be writable.
> * This has an additional check.
> */
>
> default_noexec is set if VM_DATA_DEFAULT_FLAGS doesn't have the exec
> flag set, and that flag depends on current->personality &
> READ_IMPLIES_EXEC, which depends on elf_read_implies_exec(), i.e.
> mips_elf_read_implies_exec(), and that should already return 1 if RIXI
> is unavailable.
>
> I.e.
>
> mips_elf_read_implies_exec() == 1
>
> elf_read_implies_exec() == 1
>
> READ_IMPLIES_EXEC will be set in current->personality
>
> VM_DATA_DEFAULT_FLAGS will have VM_EXEC set
>
> default_noexec will be set to 0 in selinux_init()
>
> none of the execmem, execheap, execstack, execmod permission
> checks should take place.
>
> So whats the problem exactly? Perhaps I misinterpreted something.
Thanks, James, for the analysis of this scenario! Hope the additional
info below will be useful for clarifying this matter.
-------------------
Let me rephrase the scenario (for configurations where cpu_has_rixi
equals to 0) that you described: (line numbers may be approximate)
1. mips_elf_read_implies_exec() will return 1
(arch/mips/kernel/elf.c:336)
2. elf_read_implies_exec() will return 1
(arch/mips/include/asm/elf.h:513)
3. READ_IMPLIES_EXEC will be set in current->personality
(fs/binfmt_elf_fdpic.c:357)
4. VM_DATA_DEFAULT_FLAGS will have VM_EXEC set
(while execiting selinux_init() in security/selinux/hooks.c:6644)
5. default_noexec will be set to 0 in selinux_init()
(security/selinux/hooks.c:6644)
6. none of the execmem, execstack permission checks should take place.
-------------------
However, in reality, these steps are not executed in this order, but in the following one:
4a. VM_DATA_DEFAULT_FLAGS will *NOT* have VM_EXEC set
(while execiting selinux_init() in security/selinux/hooks.c:6644)
5a. default_noexec will be set to *1* in selinux_init()
(security/selinux/hooks.c:6644)
1. mips_elf_read_implies_exec() will return 1
(arch/mips/kernel/elf.c:336)
2. elf_read_implies_exec() will return 1
(arch/mips/include/asm/elf.h:513)
3. READ_IMPLIES_EXEC will be set in current->personality
(fs/binfmt_elf_fdpic.c:357)
6a. both the execmem, execstack permission checks *do* take place.
------------------
The proposed change does affect the kernel in the sense that it indeed
hides the executable vulnerability of the system without RIXI support.
But we have made it unambiguous in the comments what are the
consequences of using this option.
------------------
Regards,
Aleksandar
>
> Cheers
> James