Date: Thu, 16 Jul 2020 13:59:51 +0200
From: Thomas Bogendoerfer
To: Tiezhu Yang
Cc: linux-mips@vger.kernel.org, linux-kernel@vger.kernel.org, Kees Cook, Xuefeng Li, Juxin Gao
Subject: Re: [PATCH] MIPS: Prevent READ_IMPLIES_EXEC propagation
Message-ID: <20200716115951.GA11361@alpha.franken.de>
References: <1594114741-26852-1-git-send-email-yangtiezhu@loongson.cn>
In-Reply-To: <1594114741-26852-1-git-send-email-yangtiezhu@loongson.cn>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 07, 2020 at 05:39:01PM +0800, Tiezhu Yang wrote:
> In the MIPS architecture, we should clear the security-relevant
> flag READ_IMPLIES_EXEC in the function SET_PERSONALITY2() of the
> file arch/mips/include/asm/elf.h.
>
> Otherwise, with this flag set, PROT_READ implies PROT_EXEC for
> mmap to make memory executable that is not safe, because this
> condition allows an attacker to simply jump to and execute bytes
> that are considered to be just data [1].
>
> In mm/mmap.c:
> unsigned long do_mmap(struct file *file, unsigned long addr,
>                       unsigned long len, unsigned long prot,
>                       unsigned long flags, vm_flags_t vm_flags,
>                       unsigned long pgoff, unsigned long *populate,
>                       struct list_head *uf)
> {
>     [...]
>     if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
>         if (!(file && path_noexec(&file->f_path)))
>             prot |= PROT_EXEC;
>     [...]
> }
>
> By the way, x86 and ARM64 have done a similar thing.
>
> After commit 250c22777fe1 ("x86_64: move kernel"), in the file
> arch/x86/kernel/process_64.c:
> void set_personality_64bit(void)
> {
>     [...]
>     current->personality &= ~READ_IMPLIES_EXEC;
> }
>
> After commit 48f99c8ec0b2 ("arm64: Preventing READ_IMPLIES_EXEC
> propagation"), in the file arch/arm64/include/asm/elf.h:
> #define SET_PERSONALITY(ex)                           \
> ({                                                    \
>     clear_thread_flag(TIF_32BIT);                     \
>     current->personality &= ~READ_IMPLIES_EXEC;       \
> })
>
> [1] https://insights.sei.cmu.edu/cert/2014/02/feeling-insecure-blame-your-parent.html
>
> Reported-by: Juxin Gao
> Co-developed-by: Juxin Gao
> Signed-off-by: Juxin Gao
> Signed-off-by: Tiezhu Yang
> ---
>  arch/mips/include/asm/elf.h | 1 +
>  1 file changed, 1 insertion(+)

applied to mips-next.

Thomas.

-- 
Crap can work. Given enough thrust pigs will fly, but it's not necessarily a good idea.                                                [ RFC1925, 2.3 ]
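A user-space check for the behaviour the patch description quotes from do_mmap(), added here as an example and not part of this email or of the kernel patch: it reads the process personality for READ_IMPLIES_EXEC, then maps one anonymous PROT_READ page and inspects /proc/self/maps to see whether the kernel upgraded it to executable. The helper names are this example's own, and it assumes Linux with /proc mounted.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <sys/personality.h>
#include <unistd.h>

/* 1 if this process inherited READ_IMPLIES_EXEC, 0 if not, -1 on error.
 * The MIPS patch clears this flag in SET_PERSONALITY2() at exec time.
 * (Hypothetical helper for this example, not kernel or libc API.) */
int read_implies_exec_set(void)
{
    int pers = personality(0xffffffff); /* 0xffffffff = query only */
    return pers == -1 ? -1 : ((pers & READ_IMPLIES_EXEC) ? 1 : 0);
}

/* Find the mapping containing addr in /proc/self/maps: 1 if its permission
 * string carries 'x', 0 if not, -1 if not found or /proc is unreadable. */
static int mapping_is_executable(unsigned long addr)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512], perms[8];
    unsigned long lo, hi;
    int result = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) != 3)
            continue;
        if (addr >= lo && addr < hi) {
            result = (perms[2] == 'x') ? 1 : 0;
            break;
        }
    }
    fclose(f);
    return result;
}

/* Map one anonymous page with PROT_READ only and report whether the kernel
 * upgraded it to executable through the do_mmap() branch quoted above. */
int probe_read_mapping_executable(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int rc = (p == MAP_FAILED) ? -1 : mapping_is_executable((unsigned long)p);

    if (p != MAP_FAILED)
        munmap(p, pg);
    return rc;
}
```

Run it from a main() that prints both results, as a child of a process whose personality carries the flag: a 0 from both after exec shows the flag was not propagated, while a 1 from the probe shows read-only data is being mapped executable.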