From: Kees Cook <keescook@chromium.org> To: Borislav Petkov <bp@alien8.de> Cc: Kees Cook <keescook@chromium.org>, Jason Gunthorpe <jgg@mellanox.com>, Hector Marco-Gisbert <hecmargi@upv.es>, Jason Gunthorpe <jgg@ziepe.ca>, Catalin Marinas <catalin.marinas@arm.com>, Russell King <linux@armlinux.org.uk>, Will Deacon <will@kernel.org>, Jann Horn <jannh@google.com>, x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org Subject: [PATCH v5 1/6] x86/elf: Add table to document READ_IMPLIES_EXEC Date: Thu, 26 Mar 2020 23:48:15 -0700 [thread overview] Message-ID: <20200327064820.12602-2-keescook@chromium.org> (raw) In-Reply-To: <20200327064820.12602-1-keescook@chromium.org> Add a table to document the current behavior of READ_IMPLIES_EXEC in preparation for changing the behavior. Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Jason Gunthorpe <jgg@mellanox.com> --- arch/x86/include/asm/elf.h | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index 69c0f892e310..ee459d4c3b45 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h @@ -281,6 +281,25 @@ extern u32 elf_hwcap2; /* * An executable for which elf_read_implies_exec() returns TRUE will * have the READ_IMPLIES_EXEC personality flag set automatically. + * + * The decision process for determining the results are: + * + * CPU: | lacks NX* | has NX, ia32 | has NX, x86_64 | + * ELF: | | | | + * ---------------------|------------|------------------|----------------| + * missing PT_GNU_STACK | exec-all | exec-all | exec-all | + * PT_GNU_STACK == RWX | exec-all | exec-all | exec-all | + * PT_GNU_STACK == RW | exec-none | exec-none | exec-none | + * + * exec-all : all PROT_READ user mappings are executable, except when + * backed by files on a noexec-filesystem. + * exec-none : only PROT_EXEC user mappings are executable. + * + * *this column has no architectural effect: NX markings are ignored by + * hardware, but may have behavioral effects when "wants X" collides with + * "cannot be X" constraints in memory permission flags, as in + * https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com + * */ #define elf_read_implies_exec(ex, executable_stack) \ (executable_stack != EXSTACK_DISABLE_X) -- 2.20.1
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org> To: Borislav Petkov <bp@alien8.de> Cc: Kees Cook <keescook@chromium.org>, Jann Horn <jannh@google.com>, Catalin Marinas <catalin.marinas@arm.com>, x86@kernel.org, Hector Marco-Gisbert <hecmargi@upv.es>, Russell King <linux@armlinux.org.uk>, linux-kernel@vger.kernel.org, Jason Gunthorpe <jgg@ziepe.ca>, Jason Gunthorpe <jgg@mellanox.com>, kernel-hardening@lists.openwall.com, Will Deacon <will@kernel.org>, linux-arm-kernel@lists.infradead.org Subject: [PATCH v5 1/6] x86/elf: Add table to document READ_IMPLIES_EXEC Date: Thu, 26 Mar 2020 23:48:15 -0700 [thread overview] Message-ID: <20200327064820.12602-2-keescook@chromium.org> (raw) In-Reply-To: <20200327064820.12602-1-keescook@chromium.org> Add a table to document the current behavior of READ_IMPLIES_EXEC in preparation for changing the behavior. Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Jason Gunthorpe <jgg@mellanox.com> --- arch/x86/include/asm/elf.h | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h index 69c0f892e310..ee459d4c3b45 100644 --- a/arch/x86/include/asm/elf.h +++ b/arch/x86/include/asm/elf.h @@ -281,6 +281,25 @@ extern u32 elf_hwcap2; /* * An executable for which elf_read_implies_exec() returns TRUE will * have the READ_IMPLIES_EXEC personality flag set automatically. + * + * The decision process for determining the results are: + * + * CPU: | lacks NX* | has NX, ia32 | has NX, x86_64 | + * ELF: | | | | + * ---------------------|------------|------------------|----------------| + * missing PT_GNU_STACK | exec-all | exec-all | exec-all | + * PT_GNU_STACK == RWX | exec-all | exec-all | exec-all | + * PT_GNU_STACK == RW | exec-none | exec-none | exec-none | + * + * exec-all : all PROT_READ user mappings are executable, except when + * backed by files on a noexec-filesystem. + * exec-none : only PROT_EXEC user mappings are executable. + * + * *this column has no architectural effect: NX markings are ignored by + * hardware, but may have behavioral effects when "wants X" collides with + * "cannot be X" constraints in memory permission flags, as in + * https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com + * */ #define elf_read_implies_exec(ex, executable_stack) \ (executable_stack != EXSTACK_DISABLE_X) -- 2.20.1 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-03-27 6:48 UTC|newest] Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-03-27 6:48 [PATCH v5 0/6] binfmt_elf: Update READ_IMPLIES_EXEC logic for modern CPUs Kees Cook 2020-03-27 6:48 ` Kees Cook 2020-03-27 6:48 ` Kees Cook [this message] 2020-03-27 6:48 ` [PATCH v5 1/6] x86/elf: Add table to document READ_IMPLIES_EXEC Kees Cook 2020-04-20 20:03 ` [tip: core/core] " tip-bot2 for Kees Cook 2020-03-27 6:48 ` [PATCH v5 2/6] x86/elf: Split READ_IMPLIES_EXEC from executable PT_GNU_STACK Kees Cook 2020-03-27 6:48 ` Kees Cook 2020-04-20 20:03 ` [tip: core/core] " tip-bot2 for Kees Cook 2020-03-27 6:48 ` [PATCH v5 3/6] x86/elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces Kees Cook 2020-03-27 6:48 ` Kees Cook 2020-04-20 20:03 ` [tip: core/core] x86/elf: Disable automatic READ_IMPLIES_EXEC on 64-bit tip-bot2 for Kees Cook 2020-03-27 6:48 ` [PATCH v5 4/6] arm32/64, elf: Add tables to document READ_IMPLIES_EXEC Kees Cook 2020-03-27 6:48 ` Kees Cook 2020-04-20 20:03 ` [tip: core/core] arm32/64/elf: " tip-bot2 for Kees Cook 2020-03-27 6:48 ` [PATCH v5 5/6] arm32/64, elf: Split READ_IMPLIES_EXEC from executable PT_GNU_STACK Kees Cook 2020-03-27 6:48 ` Kees Cook 2020-04-20 20:03 ` [tip: core/core] arm32/64/elf: " tip-bot2 for Kees Cook 2020-03-27 6:48 ` [PATCH v5 6/6] arm64, elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces Kees Cook 2020-03-27 6:48 ` Kees Cook 2020-04-20 20:03 ` [tip: core/core] arm64/elf: " tip-bot2 for Kees Cook
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20200327064820.12602-2-keescook@chromium.org \ --to=keescook@chromium.org \ --cc=bp@alien8.de \ --cc=catalin.marinas@arm.com \ --cc=hecmargi@upv.es \ --cc=jannh@google.com \ --cc=jgg@mellanox.com \ --cc=jgg@ziepe.ca \ --cc=kernel-hardening@lists.openwall.com \ --cc=linux-arm-kernel@lists.infradead.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux@armlinux.org.uk \ --cc=will@kernel.org \ --cc=x86@kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.