* [PATCH] MIPS: Modernize READ_IMPLIES_EXEC
@ 2021-09-01 19:42 Kees Cook
2022-02-22 23:49 ` Kees Cook
2022-02-23 15:03 ` Thomas Bogendoerfer
0 siblings, 2 replies; 3+ messages in thread
From: Kees Cook @ 2021-09-01 19:42 UTC (permalink / raw)
To: Thomas Bogendoerfer
Cc: Kees Cook, Tiezhu Yang, Xuefeng Li, Juxin Gao, linux-mips,
Nathan Chancellor, Nick Desaulniers, linux-kernel,
clang-built-linux, linux-hardening
I'm doing some thread necromancy of
https://lore.kernel.org/lkml/202007081624.82FA0CC1EA@keescook/
x86, arm64, and arm32 adjusted their READ_IMPLIES_EXEC logic to better
align with the safer defaults and the interactions with other mappings,
which I illustrated with this comment on x86:
/*
* An executable for which elf_read_implies_exec() returns TRUE will
* have the READ_IMPLIES_EXEC personality flag set automatically.
*
* The decision process for determining the results are:
*
* CPU: | lacks NX* | has NX, ia32 | has NX, x86_64 |
* ELF: | | | |
* ---------------------|------------|------------------|----------------|
* missing PT_GNU_STACK | exec-all | exec-all | exec-none |
* PT_GNU_STACK == RWX | exec-stack | exec-stack | exec-stack |
* PT_GNU_STACK == RW | exec-none | exec-none | exec-none |
*
* exec-all : all PROT_READ user mappings are executable, except when
* backed by files on a noexec-filesystem.
* exec-none : only PROT_EXEC user mappings are executable.
* exec-stack: only the stack and PROT_EXEC user mappings are
* executable.
*
* *this column has no architectural effect: NX markings are ignored by
* hardware, but may have behavioral effects when "wants X" collides with
* "cannot be X" constraints in memory permission flags, as in
* https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com
*
*/
For MIPS, the "lacks NX" above is the "!cpu_has_rixi" check. On x86,
we decided that the READ_IMPLIES_EXEC flag needed to reflect the
expectations, not the architectural behavior due to bad interactions
as noted above, as always returning "1" on non-NX hardware breaks
some mappings.
The other part of the issue is "what does the MIPS toolchain do for
PT_GNU_STACK?" The answer seems to be "by default, include PT_GNU_STACK,
but mark it executable" (likely due to concerns over non-NX hardware):
$ mipsel-linux-gnu-gcc -o hello_world hello_world.c
$ llvm-readelf -lW hellow_world | grep GNU_STACK
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10
Given that older hardware doesn't support non-executable memory, it
seems safe to make the "PT_GNU_STACK is absent" logic mean "assume
non-executable", but this might break very old software running on
modern MIPS. This situation matches the ia32-on-x86_64 logic x86
uses (which assumes needing READ_IMPLIES_EXEC in that situation). But
modern toolchains on modern MIPS hardware should follow a safer default
(assume NX stack).
A follow-up to this change would be to switch the MIPS toolchain to emit
a non-executable PT_GNU_STACK, as this seems to be unneeded.
Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Cc: Tiezhu Yang <yangtiezhu@loongson.cn>
Cc: Xuefeng Li <lixuefeng@loongson.cn>
Cc: Juxin Gao <gaojuxin@loongson.cn>
Cc: linux-mips@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
arch/mips/kernel/elf.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/arch/mips/kernel/elf.c b/arch/mips/kernel/elf.c
index 7b045d2a0b51..5582a4ca1e9e 100644
--- a/arch/mips/kernel/elf.c
+++ b/arch/mips/kernel/elf.c
@@ -328,16 +328,10 @@ void mips_set_personality_nan(struct arch_elf_state *state)
int mips_elf_read_implies_exec(void *elf_ex, int exstack)
{
- if (exstack != EXSTACK_DISABLE_X) {
- /* The binary doesn't request a non-executable stack */
- return 1;
- }
-
- if (!cpu_has_rixi) {
- /* The CPU doesn't support non-executable memory */
- return 1;
- }
-
- return 0;
+ /*
+ * Set READ_IMPLIES_EXEC only on non-NX systems that
+ * do not request a specific state via PT_GNU_STACK.
+ */
+ return (!cpu_has_rixi && exstack == EXSTACK_DEFAULT);
}
EXPORT_SYMBOL(mips_elf_read_implies_exec);
--
2.30.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] MIPS: Modernize READ_IMPLIES_EXEC
2021-09-01 19:42 [PATCH] MIPS: Modernize READ_IMPLIES_EXEC Kees Cook
@ 2022-02-22 23:49 ` Kees Cook
2022-02-23 15:03 ` Thomas Bogendoerfer
1 sibling, 0 replies; 3+ messages in thread
From: Kees Cook @ 2022-02-22 23:49 UTC (permalink / raw)
To: Thomas Bogendoerfer
Cc: Tiezhu Yang, Xuefeng Li, Juxin Gao, linux-mips,
Nathan Chancellor, Nick Desaulniers, linux-kernel,
clang-built-linux, linux-hardening
Friendly ping. :)
On Wed, Sep 01, 2021 at 12:42:08PM -0700, Kees Cook wrote:
> I'm doing some thread necromancy of
> https://lore.kernel.org/lkml/202007081624.82FA0CC1EA@keescook/
>
> x86, arm64, and arm32 adjusted their READ_IMPLIES_EXEC logic to better
> align with the safer defaults and the interactions with other mappings,
> which I illustrated with this comment on x86:
>
> /*
> * An executable for which elf_read_implies_exec() returns TRUE will
> * have the READ_IMPLIES_EXEC personality flag set automatically.
> *
> * The decision process for determining the results are:
> *
> * CPU: | lacks NX* | has NX, ia32 | has NX, x86_64 |
> * ELF: | | | |
> * ---------------------|------------|------------------|----------------|
> * missing PT_GNU_STACK | exec-all | exec-all | exec-none |
> * PT_GNU_STACK == RWX | exec-stack | exec-stack | exec-stack |
> * PT_GNU_STACK == RW | exec-none | exec-none | exec-none |
> *
> * exec-all : all PROT_READ user mappings are executable, except when
> * backed by files on a noexec-filesystem.
> * exec-none : only PROT_EXEC user mappings are executable.
> * exec-stack: only the stack and PROT_EXEC user mappings are
> * executable.
> *
> * *this column has no architectural effect: NX markings are ignored by
> * hardware, but may have behavioral effects when "wants X" collides with
> * "cannot be X" constraints in memory permission flags, as in
> * https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com
> *
> */
>
> For MIPS, the "lacks NX" above is the "!cpu_has_rixi" check. On x86,
> we decided that the READ_IMPLIES_EXEC flag needed to reflect the
> expectations, not the architectural behavior due to bad interactions
> as noted above, as always returning "1" on non-NX hardware breaks
> some mappings.
>
> The other part of the issue is "what does the MIPS toolchain do for
> PT_GNU_STACK?" The answer seems to be "by default, include PT_GNU_STACK,
> but mark it executable" (likely due to concerns over non-NX hardware):
>
> $ mipsel-linux-gnu-gcc -o hello_world hello_world.c
> $ llvm-readelf -lW hellow_world | grep GNU_STACK
> GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10
>
> Given that older hardware doesn't support non-executable memory, it
> seems safe to make the "PT_GNU_STACK is absent" logic mean "assume
> non-executable", but this might break very old software running on
> modern MIPS. This situation matches the ia32-on-x86_64 logic x86
> uses (which assumes needing READ_IMPLIES_EXEC in that situation). But
> modern toolchains on modern MIPS hardware should follow a safer default
> (assume NX stack).
>
> A follow-up to this change would be to switch the MIPS toolchain to emit
> a non-executable PT_GNU_STACK, as this seems to be unneeded.
>
> Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
> Cc: Tiezhu Yang <yangtiezhu@loongson.cn>
> Cc: Xuefeng Li <lixuefeng@loongson.cn>
> Cc: Juxin Gao <gaojuxin@loongson.cn>
> Cc: linux-mips@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> arch/mips/kernel/elf.c | 16 +++++-----------
> 1 file changed, 5 insertions(+), 11 deletions(-)
>
> diff --git a/arch/mips/kernel/elf.c b/arch/mips/kernel/elf.c
> index 7b045d2a0b51..5582a4ca1e9e 100644
> --- a/arch/mips/kernel/elf.c
> +++ b/arch/mips/kernel/elf.c
> @@ -328,16 +328,10 @@ void mips_set_personality_nan(struct arch_elf_state *state)
>
> int mips_elf_read_implies_exec(void *elf_ex, int exstack)
> {
> - if (exstack != EXSTACK_DISABLE_X) {
> - /* The binary doesn't request a non-executable stack */
> - return 1;
> - }
> -
> - if (!cpu_has_rixi) {
> - /* The CPU doesn't support non-executable memory */
> - return 1;
> - }
> -
> - return 0;
> + /*
> + * Set READ_IMPLIES_EXEC only on non-NX systems that
> + * do not request a specific state via PT_GNU_STACK.
> + */
> + return (!cpu_has_rixi && exstack == EXSTACK_DEFAULT);
> }
> EXPORT_SYMBOL(mips_elf_read_implies_exec);
> --
> 2.30.2
>
--
Kees Cook
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] MIPS: Modernize READ_IMPLIES_EXEC
2021-09-01 19:42 [PATCH] MIPS: Modernize READ_IMPLIES_EXEC Kees Cook
2022-02-22 23:49 ` Kees Cook
@ 2022-02-23 15:03 ` Thomas Bogendoerfer
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Bogendoerfer @ 2022-02-23 15:03 UTC (permalink / raw)
To: Kees Cook
Cc: Tiezhu Yang, Xuefeng Li, Juxin Gao, linux-mips,
Nathan Chancellor, Nick Desaulniers, linux-kernel,
clang-built-linux, linux-hardening
On Wed, Sep 01, 2021 at 12:42:08PM -0700, Kees Cook wrote:
> I'm doing some thread necromancy of
> https://lore.kernel.org/lkml/202007081624.82FA0CC1EA@keescook/
>
> x86, arm64, and arm32 adjusted their READ_IMPLIES_EXEC logic to better
> align with the safer defaults and the interactions with other mappings,
> which I illustrated with this comment on x86:
>
> /*
> * An executable for which elf_read_implies_exec() returns TRUE will
> * have the READ_IMPLIES_EXEC personality flag set automatically.
> *
> * The decision process for determining the results are:
> *
> * CPU: | lacks NX* | has NX, ia32 | has NX, x86_64 |
> * ELF: | | | |
> * ---------------------|------------|------------------|----------------|
> * missing PT_GNU_STACK | exec-all | exec-all | exec-none |
> * PT_GNU_STACK == RWX | exec-stack | exec-stack | exec-stack |
> * PT_GNU_STACK == RW | exec-none | exec-none | exec-none |
> *
> * exec-all : all PROT_READ user mappings are executable, except when
> * backed by files on a noexec-filesystem.
> * exec-none : only PROT_EXEC user mappings are executable.
> * exec-stack: only the stack and PROT_EXEC user mappings are
> * executable.
> *
> * *this column has no architectural effect: NX markings are ignored by
> * hardware, but may have behavioral effects when "wants X" collides with
> * "cannot be X" constraints in memory permission flags, as in
> * https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com
> *
> */
>
> For MIPS, the "lacks NX" above is the "!cpu_has_rixi" check. On x86,
> we decided that the READ_IMPLIES_EXEC flag needed to reflect the
> expectations, not the architectural behavior due to bad interactions
> as noted above, as always returning "1" on non-NX hardware breaks
> some mappings.
>
> The other part of the issue is "what does the MIPS toolchain do for
> PT_GNU_STACK?" The answer seems to be "by default, include PT_GNU_STACK,
> but mark it executable" (likely due to concerns over non-NX hardware):
>
> $ mipsel-linux-gnu-gcc -o hello_world hello_world.c
> $ llvm-readelf -lW hellow_world | grep GNU_STACK
> GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10
>
> Given that older hardware doesn't support non-executable memory, it
> seems safe to make the "PT_GNU_STACK is absent" logic mean "assume
> non-executable", but this might break very old software running on
> modern MIPS. This situation matches the ia32-on-x86_64 logic x86
> uses (which assumes needing READ_IMPLIES_EXEC in that situation). But
> modern toolchains on modern MIPS hardware should follow a safer default
> (assume NX stack).
>
> A follow-up to this change would be to switch the MIPS toolchain to emit
> a non-executable PT_GNU_STACK, as this seems to be unneeded.
>
> Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
> Cc: Tiezhu Yang <yangtiezhu@loongson.cn>
> Cc: Xuefeng Li <lixuefeng@loongson.cn>
> Cc: Juxin Gao <gaojuxin@loongson.cn>
> Cc: linux-mips@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> arch/mips/kernel/elf.c | 16 +++++-----------
> 1 file changed, 5 insertions(+), 11 deletions(-)
>
> diff --git a/arch/mips/kernel/elf.c b/arch/mips/kernel/elf.c
> index 7b045d2a0b51..5582a4ca1e9e 100644
> --- a/arch/mips/kernel/elf.c
> +++ b/arch/mips/kernel/elf.c
> @@ -328,16 +328,10 @@ void mips_set_personality_nan(struct arch_elf_state *state)
>
> int mips_elf_read_implies_exec(void *elf_ex, int exstack)
> {
> - if (exstack != EXSTACK_DISABLE_X) {
> - /* The binary doesn't request a non-executable stack */
> - return 1;
> - }
> -
> - if (!cpu_has_rixi) {
> - /* The CPU doesn't support non-executable memory */
> - return 1;
> - }
> -
> - return 0;
> + /*
> + * Set READ_IMPLIES_EXEC only on non-NX systems that
> + * do not request a specific state via PT_GNU_STACK.
> + */
> + return (!cpu_has_rixi && exstack == EXSTACK_DEFAULT);
> }
> EXPORT_SYMBOL(mips_elf_read_implies_exec);
> --
> 2.30.2
applied to mips-next.
Thomas.
--
Crap can work. Given enough thrust pigs will fly, but it's not necessarily a
good idea. [ RFC1925, 2.3 ]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-02-23 15:57 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-01 19:42 [PATCH] MIPS: Modernize READ_IMPLIES_EXEC Kees Cook
2022-02-22 23:49 ` Kees Cook
2022-02-23 15:03 ` Thomas Bogendoerfer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).