Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1198023imm; Wed, 11 Jul 2018 19:55:25 -0700 (PDT) X-Google-Smtp-Source: AAOMgpfYrFAgIBGi1IufSlF2rc6jbNXM43jgBedYdfeuSqeHAcLsk1293GSNoXjPFHMbRTJuKwsA X-Received: by 2002:a62:3f99:: with SMTP id z25-v6mr474517pfj.250.1531364125637; Wed, 11 Jul 2018 19:55:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531364125; cv=none; d=google.com; s=arc-20160816; b=szIkVjW639snH2rSYEUDfjHXeODIBkFRyixoDr5OSs5dMJk7Ince4hC85x1mQzFZ+x 1P+TYw77PB9EEKBiccUm68d/gIg64B1AE2su2rV0Gd8PHoAX7A0pFf2kSinx+OpI7ryN X/dUp6/5uEMhcBEkhy43NYmiYx3wqU6vJEXrfB9lgSSbnPzt7JDJR57GoxYJYT159VoO 2BZaEX5QiLHVC0dk+qBYe1s1ZGMgeYMpPL33IKI3dQzLxaBxqA9caTv85fBBKUP8yW0L tBwJ8jeigxBSukkNXGsuFJLGgkdozxsgQWHzq1gjiZEdCszSXkkMuwetlm4RCDi0htr8 kz3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :arc-authentication-results; bh=GGwnt49G5TfVK2HPMx+SnI8Fbpn1pJXiuUefCXpgQ9M=; b=SCZrnjZIZnKKplsI1xDSNq0MEVLV5IKnDSN2q4cS151bCUP9nQHRtsDEdDvwHIz7QI naKMAWX1Z/9nv/A+74t1zpD4ttSK/kPLx6Lhmg3JVVfPAL8fVQdBmrQphC7Wg4hsWXB/ f0yrv4SkMgzD0hd+XsyKoCsoR1c89xZR241tXYSh8joMlDeJj2oUxr+CEVOA46i6mg6+ jPpAX+4UtUUsnNzvE38S3VUhOuQ7OnRYwctrcgoEdPxe3mrNd4ZwEOhWkrw3zqHxONvg jXfeL908oUr7RZoK7tysFHChUOj6uhGQYBYd7W1i4iAe4Zi0gmmWofhCb5m2Z30id3C5 bVeg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d35-v6si20852284pla.116.2018.07.11.19.55.10; Wed, 11 Jul 2018 19:55:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388854AbeGKVDU (ORCPT + 99 others); Wed, 11 Jul 2018 17:03:20 -0400 Received: from mga05.intel.com ([192.55.52.43]:64723 "EHLO mga05.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726611AbeGKVDT (ORCPT ); Wed, 11 Jul 2018 17:03:19 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga003.jf.intel.com ([10.7.209.27]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 11 Jul 2018 13:57:10 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.51,338,1526367600"; d="scan'208";a="66205150" Received: from 2b52.sc.intel.com ([143.183.136.52]) by orsmga003.jf.intel.com with ESMTP; 11 Jul 2018 13:57:02 -0700 Message-ID: <1531342404.15351.35.camel@intel.com> Subject: Re: [RFC PATCH v2 20/27] x86/cet/shstk: ELF header parsing of CET From: Yu-cheng Yu To: Jann Horn Cc: the arch/x86 maintainers , "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , kernel list , linux-doc@vger.kernel.org, Linux-MM , linux-arch , Linux API , Arnd Bergmann , Andy Lutomirski , bsingharora@gmail.com, Cyrill Gorcunov , Dave Hansen , Florian Weimer , hjl.tools@gmail.com, Jonathan Corbet , keescook@chromiun.org, Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , ravi.v.shankar@intel.com, vedvyas.shanbhogue@intel.com Date: Wed, 11 Jul 2018 13:53:24 -0700 In-Reply-To: References: <20180710222639.8241-1-yu-cheng.yu@intel.com> <20180710222639.8241-21-yu-cheng.yu@intel.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.18.5.2-0ubuntu3.2 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2018-07-11 at 12:37 -0700, Jann Horn wrote: > On Tue, Jul 10, 2018 at 3:31 PM Yu-cheng Yu > wrote: > > > > > > Look in .note.gnu.property of an ELF file and check if shadow stack > > needs > > to be enabled for the task. > > > > Signed-off-by: H.J. Lu > > Signed-off-by: Yu-cheng Yu > [...] > > > > diff --git a/arch/x86/kernel/elf.c b/arch/x86/kernel/elf.c > > new file mode 100644 > > index 000000000000..233f6dad9c1f > > --- /dev/null > > +++ b/arch/x86/kernel/elf.c > [...] > > > > +#define NOTE_SIZE_BAD(n, align, max) \ > > +       ((n->n_descsz < 8) || ((n->n_descsz % align) != 0) || \ > > +        (((u8 *)(n + 1) + 4 + n->n_descsz) > (max))) > Please do not compute out-of-bounds pointers and then compare them > against an expected maximum pointer. Computing an out-of-bounds > pointer is undefined behavior according to the C99 specification, > section "6.5.6 Additive operators", paragraph 8; and in this case, > n->n_descsz is 32 bits wide, which means that even if the compiler > isn't doing anything funny, if you're operating on addresses in the > last 4GiB of virtual memory and the pointer wraps around, this could > break. > In particular, if anyone ever uses this code in a 32-bit kernel, this > is going to blow up. > Please use size comparisons instead of pointer comparisons. I will fix it. > [...] > > > > diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c > > index 0ac456b52bdd..3395f6a631d5 100644 > > --- a/fs/binfmt_elf.c > > +++ b/fs/binfmt_elf.c > > @@ -1081,6 +1081,22 @@ static int load_elf_binary(struct > > linux_binprm *bprm) > >                 goto out_free_dentry; > >         } > > > > +#ifdef CONFIG_ARCH_HAS_PROGRAM_PROPERTIES > > + > > +       if (interpreter) { > > +               retval = arch_setup_features(&loc->interp_elf_ex, > > +                                            interp_elf_phdata, > > +                                            interpreter, true); > > +       } else { > > +               retval = arch_setup_features(&loc->elf_ex, > > +                                            elf_phdata, > > +                                            bprm->file, false); > > +       } > So for non-static binaries, the ELF headers of ld.so determine > whether > CET will be on or off for the entire system, right? Is the intent > here > that ld.so should start with CET enabled, and then either use the > compatibility bitmap or turn CET off at runtime if the executable or > one of the libraries doesn't actually work with CET? The kernel command-line options "no_cet_shstk" and "no_cet_ibt" turn off CET features for the whole system.  The GLIBC tunable "glibc.tune.hwcap=-SHSTK,-IBT" turns off CET features for the current shell.  Another GLIBC tunable "glibc.tune.x86_shstk=" determines, in the current shell, how dlopen() deals with SHSTK legacy lib's. So, if ld.so's ELF header has SHSTK/IBT, and CET is enabled in the current shell, it will run with CET enabled.  If the application executable and all its dependent libraries have CET, ld.so runs the application with CET enabled.  Otherwise ld.so turns off SHSTK (and/or sets up legacy bitmap for IBT) before passing to the application. Yu-cheng