Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp637773yba; Thu, 18 Apr 2019 07:14:02 -0700 (PDT) X-Google-Smtp-Source: APXvYqwkbzdHGtE2mvrp7LyAnEFU2Ctp7CvoOIqCXFVXW3BYls5sHRNWPIwrBUV4i6t1xE41F1tX X-Received: by 2002:a65:500d:: with SMTP id f13mr89911696pgo.250.1555596842271; Thu, 18 Apr 2019 07:14:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555596842; cv=none; d=google.com; s=arc-20160816; b=K/nFkabn0ulfU+xkL+eH5hGen1jCha6eIxizxXnwc8Zt3vNvVGj6OH7QPGHLZ1voHV sJlNzXAOL8YxB7bT+60qrgtxbUX/WYBszpP95LWqmWB6CpqyQzMZJDhc73DPaD+BEiY0 kFlJbTGCFv+ryEugAbENSZr+MgtGK3xBUw09dpnbw0CJOaEGQp6CorMrrQXaYb4Q/YL0 cE/8CvF2ICyEjREiF5TWrUT93HD8jtMFKUWuoUwMxYRTNtcnKdFLai/pJbJhP7UluHH7 NBJ5hIyRyhpsKtwaPAxgB69JU46CtU3kw/dBjwcpYf3CtGi8xjV92VsaTTbZVMQDv538 5wbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=YmPgqTO/Ej1YV//EeHsX93xlvTquoKBPoI/41sJ9W2s=; b=AH38QcC5aGmkYpyez5Fjzg4uP7LEe5PTt/wAsaYoPpgEFAVjswLJAa+cgGISAXUYeh j49T7lvotbXH+HAxpGxWA3p5kYH+3w1LC6Sr+5Zp8E6Hu7x2en+WskaaSMUf2bv+Huj0 As0kR/wQ7+VCMeEekk72RC2jdVQidMfgRI+Z2uYNQr9ErSsN6lJq/4iyQnFmDS75jMmP 8dS8dlIWumtTFUpjbDTC7sCZHlkRQ44xGFWj9Z+8Uawq6cA61xkjNw1CWhYoHSRnO5TO RrXrwMtm3+PD+VScoEBNEX+OYyVNhTcKclnifDpvwTnPPvl2HxXqllUFjymLD293J0l2 fEaw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=mG0tYTmW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d2si1939317pgq.129.2019.04.18.07.13.46; Thu, 18 Apr 2019 07:14:02 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=mG0tYTmW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389247AbfDROLc (ORCPT + 99 others); Thu, 18 Apr 2019 10:11:32 -0400 Received: from mail-ua1-f66.google.com ([209.85.222.66]:34046 "EHLO mail-ua1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388495AbfDROLc (ORCPT ); Thu, 18 Apr 2019 10:11:32 -0400 Received: by mail-ua1-f66.google.com with SMTP id c6so810498uan.1 for ; Thu, 18 Apr 2019 07:11:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YmPgqTO/Ej1YV//EeHsX93xlvTquoKBPoI/41sJ9W2s=; b=mG0tYTmWwlCehrvbHFJO44406SoJzEWxnY7l/5J8jhSuzBDjJEiJVa4sNaA7OndfSj qJZ/Q6KJVcV8kfX9Sh2glwX5FGzLAGZ4fq3EeFIUdBwML2+hNyP2KiEU/r9DkimTl/F5 ZEynTUoXtfL/BT69F+A2K2gDWMdWNZ7pmprJI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YmPgqTO/Ej1YV//EeHsX93xlvTquoKBPoI/41sJ9W2s=; b=ss7+pEPBQmVSfA1Jklv2tnU04EgaarKdOOqecP2iDkkFU9tjfRITw5WHQqQ3HFAgVU lZjhsm38NXXgTPV3+sZOSZUuNyy9r+ik1EFxq7qtnla5L98SxSstessGCIpRwuPOztVr g33tj3/gq5JXKbSLvLUD1306Df5i/yV/7WW4H/tySY+3srzTdBj4oSPAOZ9FpsrQghrp hd5v3J4nrWAaQLvGl/GCdDGG/hgvjsDbYwxXveIcq00cZFdewCXlLAOOIeE3imDyDw41 zJgqH4zN5YgyT73QAe3QaV6gWKNlMfZuwFlZjLXGr+WpHPjPaatlWPakRtSPP60h6mJM XbeA== X-Gm-Message-State: APjAAAWTOTyfM43UtGSwWHIsIUn2nUmUjy2TlaG9aOt0KWMfcjbG2OWV zO87L+XaMh2hc4zQ4NIcajcc/NwN998= X-Received: by 2002:ab0:2653:: with SMTP id q19mr7054738uao.76.1555596690166; Thu, 18 Apr 2019 07:11:30 -0700 (PDT) Received: from mail-ua1-f49.google.com (mail-ua1-f49.google.com. [209.85.222.49]) by smtp.gmail.com with ESMTPSA id e198sm483990vsc.3.2019.04.18.07.11.27 for (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Thu, 18 Apr 2019 07:11:28 -0700 (PDT) Received: by mail-ua1-f49.google.com with SMTP id d5so797757uan.6 for ; Thu, 18 Apr 2019 07:11:27 -0700 (PDT) X-Received: by 2002:a9f:3fce:: with SMTP id m14mr50781446uaj.96.1555596686834; Thu, 18 Apr 2019 07:11:26 -0700 (PDT) MIME-Version: 1.0 References: <1462963502-11636-1-git-send-email-hecmargi@upv.es> In-Reply-To: From: Kees Cook Date: Thu, 18 Apr 2019 09:11:15 -0500 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] x86_64: Disabling read-implies-exec when the stack is executable To: Thomas Gleixner Cc: Hector Marco-Gisbert , LKML , Ingo Molnar , "H. Peter Anvin" , X86 ML , Brian Gerst , Andy Lutomirski , Borislav Petkov , Huaitong Han , Ismael Ripoll Ripoll , Kernel Hardening , Jason Gunthorpe , Andi Kleen , Mark Rutland Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Apr 18, 2019 at 3:17 AM Thomas Gleixner wrote: > > On Thu, 18 Apr 2019, Kees Cook wrote: > > On Wed, May 11, 2016 at 5:45 AM Hector Marco-Gisbert wrote: > > *thread necromancy* > > > > I'd still like to see this get landed. READ_IMPLIES_EXEC is way too > > powerful (it impacts, for example, mmap() regions of device driver > > memory, forcing drivers to not be able to disallow VM_EXEC[1]). > > > > The only case it could break is on an AMD K8 (Athlon only, I assume?), > > which seems unlikely to have a modern kernel run on it. If there is > > still concern, then we could just test against the NX CPU feature: > > > > diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h > > index 69c0f892e310..367cd36259a4 100644 > > --- a/arch/x86/include/asm/elf.h > > +++ b/arch/x86/include/asm/elf.h > > @@ -280,10 +280,12 @@ extern u32 elf_hwcap2; > > > > /* > > * An executable for which elf_read_implies_exec() returns TRUE will > > - * have the READ_IMPLIES_EXEC personality flag set automatically. > > + * have the READ_IMPLIES_EXEC personality flag set automatically when > > + * a CPU did not support NX or is using a 32-bit memory layout. > > */ > > -#define elf_read_implies_exec(ex, executable_stack) \ > > - (executable_stack != EXSTACK_DISABLE_X) > > +#define elf_read_implies_exec(ex, executable_stack) \ > > + (mmap_is_ia32() || !(__supported_pte_mask & _PAGE_NX) ? \ > > What's special about ia32? All what matters is whether PAGE_NX is supported > or not. That has nothing to do with 32/64bit unless I'm missing something > (as usual). I think the reasoning was that older toolchains from ia32 wouldn't provide any permissions marking at all, and this was a signal that it might need executable heaps as well as stack. So, since ia32 gained NX along the way, lacking the gnu-stack marking was a reasonable indicator that the ELF needed this crazy setting to effectively disable NX for the ELF. But yes, just looking at the NX feature should cover this. One thing I'd also like to adjust is the logic about the gnu-stack existing and requesting an executable stack should apply only to the stack, and not trigger READ_IMPLIES_EXEC. i.e. if the ELF has gnu-stack marking of any kind, it should never flag READ_IMPLIES_EXEC. It would, of course, continue to control the stack perms. And if this is wrong ... well, we'll find out how and we can more correctly document this. So how about: #define elf_read_implies_exec(ex, executable_stack) \ (!(__supported_pte_mask & _PAGE_NX) && \ (executable_stack == EXSTACK_DEFAULT)) -- Kees Cook