Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1142742imm; Wed, 11 Jul 2018 18:28:07 -0700 (PDT) X-Google-Smtp-Source: AAOMgpfcHjgkqJMKKJjnYopHnvOi2HktRrVtO91LYi3mdMTiS4tqqSkSHckiyTVAYc3no+ZKqHK2 X-Received: by 2002:a17:902:4c88:: with SMTP id b8-v6mr176357ple.285.1531358887613; Wed, 11 Jul 2018 18:28:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531358887; cv=none; d=google.com; s=arc-20160816; b=TRWELs6VqXlI0cVSFSlehXci8S6uwE1qNmbst0X30JPGBAaGzz3Q4lMJJ4lY7+jIG3 Oam5HPsgyqPSK6EtsOe79RDArxrnMHXHRMfBbE85bdhLYb7PMo/6eR+guuo1OmTyeY3q FEBWET4LTRV0XIsRLRfIqZIP8+i5Q6/XZRbO98F06ZRZNRV07dKy/envjdk94/JwGMI/ jwrMy6SThB40kuEaONEyugvb/WIhPBX6aIuBcDa/l26uy0ddzsYumq0jBLQxREkO6iTM mIz7eMUr69aqBkKJ79IgdEltKCIc2oTu+Xe0tZd4MwCM61PPbO3fb2SM5AjTwqZ6VjYk 6rLw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=a3LXUR9nQD0pc+O2mZgeYpMpc/NwJ3OV10XN889Lpzk=; b=AR9BF9DG/dK0SvE/WuxR39C3KxofuEg/AyqmVf1lzImEm6LDor3CqMEdRuSve5hUIi 7UivZf7O4B2EPXq9gRf+7XicnS3rnblXRWQD5+3m99hIhMFuRPsyxNd6JN6SmtppUN3m mARkBvo7MuBHSTJSyCLJ6JMbnVSQz0v1G1N56i111NrC78mgn5NBoTyWiDV1G6gZoYTr MvkXWky12O9uaZJIlK4e9Ofbwg21QBUkTW3PMArcj2utdwdFxVBGjSY5j5/ljxA9CFDK 0D9tuVopJEHtxKy9AsvDzms/ml3swntq2GZiGrLHe3x1WnBeZsKSUTRS0IzrVTIxH5vf mDEw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Su6v94ta; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m37-v6si20889689pla.148.2018.07.11.18.27.52; Wed, 11 Jul 2018 18:28:07 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Su6v94ta; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389583AbeGKTnQ (ORCPT + 99 others); Wed, 11 Jul 2018 15:43:16 -0400 Received: from mail-oi0-f68.google.com ([209.85.218.68]:39804 "EHLO mail-oi0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389486AbeGKTnP (ORCPT ); Wed, 11 Jul 2018 15:43:15 -0400 Received: by mail-oi0-f68.google.com with SMTP id d189-v6so51378967oib.6 for ; Wed, 11 Jul 2018 12:37:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=a3LXUR9nQD0pc+O2mZgeYpMpc/NwJ3OV10XN889Lpzk=; b=Su6v94tanbltsA+6+y8Rq9aI2A/VZ4v1G7rQ2r6JD26Uep44LItZocVVqss6fqkL5P eTs6//9kiW7/L6xn30kRsce3AIvFAdvkTlJyrI34DOm7R8OHBUVoVeNUJKbmM67d6NhQ ZM07JL2i5//NSlJsKRk12TTARh1Hfs7sLZW6+AliKW8LKAGNgPThgntFbrAQdAFpx/8X ZlKuX16LlBFPuCLayvW+cgKFopV4r9eWkB2BJ++LnM8Mpfjdpr3m6/tYQGbw2IkcFHNP LDtn1W+4yeHcEHbYX1yescRr/TRb8xNhaazB1hXREjmzEZl6xUMOykSVqKfsrFHEyQvy 4agg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=a3LXUR9nQD0pc+O2mZgeYpMpc/NwJ3OV10XN889Lpzk=; b=Z7m/yNX9MaFJHpCGgZ80fJnBX7JNtFBRv5AkuupCqi/sPP5AW+thDG1qK2S35aNOMF ukgxQvEhBuSDqERDR6b+BUm/vaDLuZqzpRIaSMolbOpmdd0TX5DSBZvv9pe4I/vCIOFw SQK39DUQQG21nmsWKwI3corKcVHqUfgbd3H/to/EKE5u4sIQgh2r3MDdwoR4r0FK7tf8 igBjEFQvhsj5Km3EGpBOLGxK1gfSlYaO+WViM+ZN/vdtoF6UwZP+52BFFib8z0ZWNYDB r/tilykyPGDKqnIkBVbzq7Fa4N1ZQRzsc2DCWWAt5oKK+0K+10zex39ThOQoziRAXUjV Mu5g== X-Gm-Message-State: AOUpUlGMBZY1qdkHGJySGbvMO8wUehsetUvLm3kqc9QP24zN95FWrF6x IdnDEwgLxLSOqSjqLFw72So3AUElyULkR70E4RGVbg== X-Received: by 2002:aca:5155:: with SMTP id f82-v6mr742047oib.272.1531337846593; Wed, 11 Jul 2018 12:37:26 -0700 (PDT) MIME-Version: 1.0 References: <20180710222639.8241-1-yu-cheng.yu@intel.com> <20180710222639.8241-21-yu-cheng.yu@intel.com> In-Reply-To: <20180710222639.8241-21-yu-cheng.yu@intel.com> From: Jann Horn Date: Wed, 11 Jul 2018 12:37:00 -0700 Message-ID: Subject: Re: [RFC PATCH v2 20/27] x86/cet/shstk: ELF header parsing of CET To: yu-cheng.yu@intel.com Cc: "the arch/x86 maintainers" , "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , kernel list , linux-doc@vger.kernel.org, Linux-MM , linux-arch , Linux API , Arnd Bergmann , Andy Lutomirski , bsingharora@gmail.com, Cyrill Gorcunov , Dave Hansen , Florian Weimer , hjl.tools@gmail.com, Jonathan Corbet , keescook@chromiun.org, Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , ravi.v.shankar@intel.com, vedvyas.shanbhogue@intel.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 10, 2018 at 3:31 PM Yu-cheng Yu wrote: > > Look in .note.gnu.property of an ELF file and check if shadow stack needs > to be enabled for the task. > > Signed-off-by: H.J. Lu > Signed-off-by: Yu-cheng Yu [...] > diff --git a/arch/x86/kernel/elf.c b/arch/x86/kernel/elf.c > new file mode 100644 > index 000000000000..233f6dad9c1f > --- /dev/null > +++ b/arch/x86/kernel/elf.c [...] > +#define NOTE_SIZE_BAD(n, align, max) \ > + ((n->n_descsz < 8) || ((n->n_descsz % align) != 0) || \ > + (((u8 *)(n + 1) + 4 + n->n_descsz) > (max))) Please do not compute out-of-bounds pointers and then compare them against an expected maximum pointer. Computing an out-of-bounds pointer is undefined behavior according to the C99 specification, section "6.5.6 Additive operators", paragraph 8; and in this case, n->n_descsz is 32 bits wide, which means that even if the compiler isn't doing anything funny, if you're operating on addresses in the last 4GiB of virtual memory and the pointer wraps around, this could break. In particular, if anyone ever uses this code in a 32-bit kernel, this is going to blow up. Please use size comparisons instead of pointer comparisons. > + > +/* > + * Go through the property array and look for the one > + * with pr_type of GNU_PROPERTY_X86_FEATURE_1_AND. > + */ > +static u32 find_x86_feature_1(u8 *buf, u32 size, u32 align) > +{ > + u8 *end = buf + size; > + u8 *ptr = buf; > + > + while (1) { > + u32 pr_type, pr_datasz; > + > + if ((ptr + 4) >= end) > + break; Theoretical UB. > + pr_type = *(u32 *)ptr; > + pr_datasz = *(u32 *)(ptr + 4); > + ptr += 8; > + > + if ((ptr + pr_datasz) >= end) > + break; UB, like in NOTE_SIZE_BAD(). > + if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && > + pr_datasz == 4) > + return *(u32 *)ptr; > + > + ptr += pr_datasz; > + } > + return 0; > +} [...] > diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c > index 0ac456b52bdd..3395f6a631d5 100644 > --- a/fs/binfmt_elf.c > +++ b/fs/binfmt_elf.c > @@ -1081,6 +1081,22 @@ static int load_elf_binary(struct linux_binprm *bprm) > goto out_free_dentry; > } > > +#ifdef CONFIG_ARCH_HAS_PROGRAM_PROPERTIES > + > + if (interpreter) { > + retval = arch_setup_features(&loc->interp_elf_ex, > + interp_elf_phdata, > + interpreter, true); > + } else { > + retval = arch_setup_features(&loc->elf_ex, > + elf_phdata, > + bprm->file, false); > + } So for non-static binaries, the ELF headers of ld.so determine whether CET will be on or off for the entire system, right? Is the intent here that ld.so should start with CET enabled, and then either use the compatibility bitmap or turn CET off at runtime if the executable or one of the libraries doesn't actually work with CET?