From: Jann Horn
Date: Thu, 25 Mar 2021 20:23:52 +0100
Subject: ARM FDPIC_FUNCPTRS personality flag handling looks broken
To: Nicolas Pitre, Russell King - ARM Linux admin, Linux ARM, kernel list
Cc: Tavis Ormandy
X-Mailing-List: linux-kernel@vger.kernel.org

Hi!

Tavis noticed that on ARM kernels with CONFIG_BINFMT_ELF_FDPIC, it looks like the FDPIC_FUNCPTRS personality flag is not reset on execve(). This would mean that if a process first executes an ELF FDPIC binary (which forces the personality to PER_LINUX_FDPIC), and then executes a non-FDPIC binary, the signal handling code (setup_return()) will have bogus behavior (interpreting a normal function pointer as an FDPIC function handle).

I think FDPIC_FUNCPTRS should probably either be reset on every execve() or not be a personality flag at all (since AFAIU pretty much the whole point of personality flags is that they control behavior even across execve()).

(I don't have an FDPIC toolchain, so I'm writing this solely based on having read the code, without having actually tested it.)
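Added illustration (mine, not part of Jann's mail and not code from the kernel tree): a userspace C model of the three kernel steps the report chains together. The personality constants are copied from include/uapi/linux/personality.h; the exec and signal logic is my simplified reading of fs/binfmt_elf_fdpic.c, arch/arm/kernel/elf.c and arch/arm/kernel/signal.c from around the time of the report, reduced to the bits that decide whether FDPIC_FUNCPTRS survives an execve() and what setup_return() then does with sa_handler. That reading, the KP_ prefix and every function name are assumptions of this example. On Linux, main() additionally sets the same bit with personality(2) and execs cat on /proc/self/personality so you can watch the flag survive execve() into a non-FDPIC binary.

```c
/*
 * Added example, not code from the mail or the kernel. Models: an FDPIC
 * exec forcing PER_LINUX_FDPIC, a later execve() of an ordinary ELF keeping
 * the flag, and ARM's setup_return() trusting it. Constants are copied from
 * include/uapi/linux/personality.h; the exec/signal logic is my simplified
 * reading of the kernel sources (an assumption), names are mine.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <errno.h>
#include <sys/personality.h>
#include <unistd.h>
#endif

/* Values from include/uapi/linux/personality.h; the KP_ prefix avoids
 * clashing with the glibc enumerators of the same names. */
#define KP_PER_MASK           0x00ffUL
#define KP_PER_LINUX          0x0000UL
#define KP_ADDR_NO_RANDOMIZE  0x0040000UL
#define KP_FDPIC_FUNCPTRS     0x0080000UL
#define KP_MMAP_PAGE_ZERO     0x0100000UL
#define KP_ADDR_COMPAT_LAYOUT 0x0200000UL
#define KP_READ_IMPLIES_EXEC  0x0400000UL
#define KP_PER_LINUX_FDPIC    (KP_PER_LINUX | KP_FDPIC_FUNCPTRS)
/* The only bits the generic exec path clears, and only on a setuid/setgid
 * exec (PER_CLEAR_ON_SETID). FDPIC_FUNCPTRS is not among them. */
#define KP_PER_CLEAR_ON_SETID (KP_READ_IMPLIES_EXEC | KP_ADDR_NO_RANDOMIZE | \
                               KP_ADDR_COMPAT_LAYOUT | KP_MMAP_PAGE_ZERO)

/* Step 1: binfmt_elf_fdpic loading an FDPIC executable. */
unsigned long exec_fdpic_binary(unsigned long old_personality)
{
    (void)old_personality;          /* overwritten wholesale */
    return KP_PER_LINUX_FDPIC;
}

/* Step 2: execve() of an ordinary ELF. The generic path drops
 * PER_CLEAR_ON_SETID on a setid exec; ARM's elf_set_personality() then
 * keeps everything outside PER_MASK and only re-asserts PER_LINUX. */
unsigned long exec_plain_elf_binary(unsigned long old_personality, int setid)
{
    unsigned long p = old_personality;
    if (setid)
        p &= ~KP_PER_CLEAR_ON_SETID;
    return (p & ~KP_PER_MASK) | KP_PER_LINUX;
}

/* Step 3: what setup_return() does with sa_handler. With FDPIC_FUNCPTRS set
 * it reads the handler address as a two-word descriptor {text, GOT} and
 * jumps to the first word; without it, it jumps to the handler itself.
 * Returns the address the kernel would resume at. */
unsigned long resolve_signal_handler(unsigned long personality,
                                     void (*handler_fn)(int),
                                     unsigned long *got_out)
{
    unsigned long handler = (unsigned long)(uintptr_t)handler_fn;
    *got_out = 0;
    if (personality & KP_FDPIC_FUNCPTRS) {
        unsigned long desc[2];
        /* For a non-FDPIC binary these two words are the handler's first
         * instruction bytes, not a descriptor: the "entry point" is junk. */
        memcpy(desc, (const void *)(uintptr_t)handler, sizeof desc);
        *got_out = desc[1];
        return desc[0];
    }
    return handler;
}

void demo_handler(int sig) { (void)sig; }

/* Run the chain; with reset_fdpic_on_exec the model applies the fix the
 * mail proposes (clear the flag on every execve()). Returns 1 if the
 * resolved entry point is still the real handler. */
int handler_is_intact_after_chain(int setid, int reset_fdpic_on_exec)
{
    unsigned long got;
    unsigned long p = exec_plain_elf_binary(exec_fdpic_binary(KP_PER_LINUX), setid);
    if (reset_fdpic_on_exec)
        p &= ~KP_FDPIC_FUNCPTRS;
    return resolve_signal_handler(p, demo_handler, &got) ==
           (unsigned long)(uintptr_t)demo_handler;
}

int main(void)
{
    unsigned long p = exec_plain_elf_binary(exec_fdpic_binary(KP_PER_LINUX), 0);
    unsigned long got, entry = resolve_signal_handler(p, demo_handler, &got);
    printf("personality after FDPIC exec, then plain exec: %#lx\n", p);
    printf("real handler %#lx, kernel would jump to %#lx (GOT %#lx)\n",
           (unsigned long)(uintptr_t)demo_handler, entry, got);
#ifdef __linux__
    /* Live check: set the same bit from userspace, then execve() a non-FDPIC
     * binary; /proc/self/personality in the new image still shows 00080000.
     * seccomp policies that filter personality(2) (Docker's default profile
     * does) make the call fail with EPERM. On an affected ARM kernel the
     * child would be the broken case, so keep it a handler-free one. */
    if (personality(KP_PER_LINUX_FDPIC) == -1) {
        printf("personality(PER_LINUX_FDPIC): %s\n", strerror(errno));
        return 0;
    }
    execl("/bin/cat", "cat", "/proc/self/personality", (char *)NULL);
    perror("execl");
#endif
    return 0;
}
```

The pure functions show the mechanism the mail describes: neither the setid clear set nor ARM's per-exec personality rewrite touches bit 0x80000, so the resolved entry point after the chain is whatever bytes start the handler, not the handler; only the modelled reset on execve() brings it back. The live check at the end is the cheapest way to confirm the persistence half of the claim on real hardware without an FDPIC toolchain.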