From: Kees Cook <keescook@chromium.org>
To: Borislav Petkov <bp@alien8.de>
Cc: Kees Cook <keescook@chromium.org>,
Hector Marco-Gisbert <hecmargi@upv.es>,
Jason Gunthorpe <jgg@mellanox.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Jason Gunthorpe <jgg@ziepe.ca>,
Russell King <linux@armlinux.org.uk>,
Will Deacon <will@kernel.org>, Jann Horn <jannh@google.com>,
x86@kernel.org, linux-arm-kernel@lists.infradead.org,
kernel-hardening@lists.openwall.com,
linux-kernel@vger.kernel.org
Subject: [PATCH v5 6/6] arm64, elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces
Date: Thu, 26 Mar 2020 23:48:20 -0700
Message-ID: <20200327064820.12602-7-keescook@chromium.org>
In-Reply-To: <20200327064820.12602-1-keescook@chromium.org>
With arm64 64-bit environments, there should never be a need for automatic
READ_IMPLIES_EXEC, as the architecture has always been execute-bit aware
(as in, the default memory protection should be NX unless a region
explicitly requests to be executable).
Suggested-by: Hector Marco-Gisbert <hecmargi@upv.es>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
---
arch/arm64/include/asm/elf.h | 4 ++--
fs/compat_binfmt_elf.c | 5 +++++
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
index 0074e9fd6431..0e7df6f1eb7a 100644
--- a/arch/arm64/include/asm/elf.h
+++ b/arch/arm64/include/asm/elf.h
@@ -105,7 +105,7 @@
* CPU*: | arm32 | arm64 |
* ELF: | | |
* ---------------------|------------|------------|
- * missing PT_GNU_STACK | exec-all | exec-all |
+ * missing PT_GNU_STACK | exec-all | exec-none |
* PT_GNU_STACK == RWX | exec-stack | exec-stack |
* PT_GNU_STACK == RW | exec-none | exec-none |
*
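Review bot: The column header of this table still reads "CPU*: arm32 | arm64", while the row changed here now distinguishes the two columns by ELF class (compat task versus native 64-bit task), which is what the subject line means by "64-bit address spaces". Since this is the arm64 header and the footnote already says all arm64 CPUs support NX, consider relabelling the columns or extending the footnote so that "arm32" is not read as a 32-bit CPU.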
@@ -117,7 +117,7 @@
* *all arm64 CPUs support NX, so there is no "lacks NX" column.
*
*/
-#define elf_read_implies_exec(ex, stk) (stk == EXSTACK_DEFAULT)
+#define compat_elf_read_implies_exec(ex, stk) (stk == EXSTACK_DEFAULT)
#define CORE_DUMP_USE_REGSET
#define ELF_EXEC_PAGESIZE PAGE_SIZE
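Review bot: After the rename on the #define line, this header no longer provides elf_read_implies_exec for native 64-bit tasks, so the exec-none entry in the table depends on a default defined outside the lines shown here. A one-line comment above compat_elf_read_implies_exec saying where that default comes from would make the dependency explicit. As a style point, the macro body compares the bare argument in (stk == EXSTACK_DEFAULT); ((stk) == EXSTACK_DEFAULT) is the safer form.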
diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c
index aaad4ca1217e..3068d57436b3 100644
--- a/fs/compat_binfmt_elf.c
+++ b/fs/compat_binfmt_elf.c
@@ -113,6 +113,11 @@
#define arch_setup_additional_pages compat_arch_setup_additional_pages
#endif
+#ifdef compat_elf_read_implies_exec
+#undef elf_read_implies_exec
+#define elf_read_implies_exec compat_elf_read_implies_exec
+#endif
+
/*
* Rename a few of the symbols that binfmt_elf.c will define.
* These are all local so the names don't really matter, but it
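Review bot: The #ifdef compat_elf_read_implies_exec guard means an architecture that does not define the compat macro silently keeps its native elf_read_implies_exec for compat binaries, and nothing in the added block says so. A short comment above the block, in the style of the "Rename a few of the symbols" comment that follows it, stating that the override is optional and what happens without it, would help the next architecture that wants a separate compat policy.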
--
2.20.1
Thread overview:
2020-03-27 6:48 [PATCH v5 0/6] binfmt_elf: Update READ_IMPLIES_EXEC logic for modern CPUs Kees Cook
2020-03-27 6:48 ` [PATCH v5 1/6] x86/elf: Add table to document READ_IMPLIES_EXEC Kees Cook
2020-03-27 6:48 ` [PATCH v5 2/6] x86/elf: Split READ_IMPLIES_EXEC from executable PT_GNU_STACK Kees Cook
2020-03-27 6:48 ` [PATCH v5 3/6] x86/elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces Kees Cook
2020-03-27 6:48 ` [PATCH v5 4/6] arm32/64, elf: Add tables to document READ_IMPLIES_EXEC Kees Cook
2020-03-27 6:48 ` [PATCH v5 5/6] arm32/64, elf: Split READ_IMPLIES_EXEC from executable PT_GNU_STACK Kees Cook
2020-03-27 6:48 ` Kees Cook [this message]