mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-08-05 16:54:27 +00:00
fbb1d4b381
I'm doing some thread necromancy of https://lore.kernel.org/lkml/202007081624.82FA0CC1EA@keescook/ x86, arm64, and arm32 adjusted their READ_IMPLIES_EXEC logic to better align with the safer defaults and the interactions with other mappings, which I illustrated with this comment on x86: /* * An executable for which elf_read_implies_exec() returns TRUE will * have the READ_IMPLIES_EXEC personality flag set automatically. * * The decision process for determining the results are: * * CPU: | lacks NX* | has NX, ia32 | has NX, x86_64 | * ELF: | | | | * ---------------------|------------|------------------|----------------| * missing PT_GNU_STACK | exec-all | exec-all | exec-none | * PT_GNU_STACK == RWX | exec-stack | exec-stack | exec-stack | * PT_GNU_STACK == RW | exec-none | exec-none | exec-none | * * exec-all : all PROT_READ user mappings are executable, except when * backed by files on a noexec-filesystem. * exec-none : only PROT_EXEC user mappings are executable. * exec-stack: only the stack and PROT_EXEC user mappings are * executable. * * *this column has no architectural effect: NX markings are ignored by * hardware, but may have behavioral effects when "wants X" collides with * "cannot be X" constraints in memory permission flags, as in * https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com * */ For MIPS, the "lacks NX" above is the "!cpu_has_rixi" check. On x86, we decided that the READ_IMPLIES_EXEC flag needed to reflect the expectations, not the architectural behavior due to bad interactions as noted above, as always returning "1" on non-NX hardware breaks some mappings. The other part of the issue is "what does the MIPS toolchain do for PT_GNU_STACK?" The answer seems to be "by default, include PT_GNU_STACK, but mark it executable" (likely due to concerns over non-NX hardware): $ mipsel-linux-gnu-gcc -o hello_world hello_world.c $ llvm-readelf -lW hellow_world | grep GNU_STACK GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10 Given that older hardware doesn't support non-executable memory, it seems safe to make the "PT_GNU_STACK is absent" logic mean "assume non-executable", but this might break very old software running on modern MIPS. This situation matches the ia32-on-x86_64 logic x86 uses (which assumes needing READ_IMPLIES_EXEC in that situation). But modern toolchains on modern MIPS hardware should follow a safer default (assume NX stack). A follow-up to this change would be to switch the MIPS toolchain to emit a non-executable PT_GNU_STACK, as this seems to be unneeded. Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de> Cc: Tiezhu Yang <yangtiezhu@loongson.cn> Cc: Xuefeng Li <lixuefeng@loongson.cn> Cc: Juxin Gao <gaojuxin@loongson.cn> Cc: linux-mips@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de> |
||
|---|---|---|
| .. | ||
| syscalls | ||
| .gitignore | ||
| access-helper.h | ||
| asm-offsets.c | ||
| bmips_5xxx_init.S | ||
| bmips_vec.S | ||
| branch.c | ||
| cacheinfo.c | ||
| cevt-bcm1480.c | ||
| cevt-ds1287.c | ||
| cevt-gt641xx.c | ||
| cevt-r4k.c | ||
| cevt-sb1250.c | ||
| cevt-txx9.c | ||
| cmpxchg.c | ||
| cps-vec-ns16550.S | ||
| cps-vec.S | ||
| cpu-probe.c | ||
| cpu-r3k-probe.c | ||
| crash.c | ||
| crash_dump.c | ||
| csrc-bcm1480.c | ||
| csrc-ioasic.c | ||
| csrc-r4k.c | ||
| csrc-sb1250.c | ||
| early_printk.c | ||
| early_printk_8250.c | ||
| elf.c | ||
| entry.S | ||
| fpu-probe.c | ||
| fpu-probe.h | ||
| ftrace.c | ||
| genex.S | ||
| gpio_txx9.c | ||
| head.S | ||
| i8253.c | ||
| idle.c | ||
| irq-gt641xx.c | ||
| irq-msc01.c | ||
| irq.c | ||
| irq_txx9.c | ||
| jump_label.c | ||
| kgdb.c | ||
| kprobes.c | ||
| linux32.c | ||
| machine_kexec.c | ||
| Makefile | ||
| mcount.S | ||
| mips-cm.c | ||
| mips-cpc.c | ||
| mips-mt-fpaff.c | ||
| mips-mt.c | ||
| mips-r2-to-r6-emul.c | ||
| module.c | ||
| octeon_switch.S | ||
| perf_event.c | ||
| perf_event_mipsxx.c | ||
| perf_regs.c | ||
| pm-cps.c | ||
| pm.c | ||
| probes-common.h | ||
| proc.c | ||
| process.c | ||
| prom.c | ||
| ptrace.c | ||
| ptrace32.c | ||
| r4k-bugs64.c | ||
| r4k_fpu.S | ||
| r4k_switch.S | ||
| r2300_fpu.S | ||
| r2300_switch.S | ||
| relocate.c | ||
| relocate_kernel.S | ||
| reset.c | ||
| rtlx-cmp.c | ||
| rtlx-mt.c | ||
| rtlx.c | ||
| scall32-o32.S | ||
| scall64-n32.S | ||
| scall64-n64.S | ||
| scall64-o32.S | ||
| segment.c | ||
| setup.c | ||
| signal-common.h | ||
| signal.c | ||
| signal32.c | ||
| signal_n32.c | ||
| signal_o32.c | ||
| smp-bmips.c | ||
| smp-cmp.c | ||
| smp-cps.c | ||
| smp-mt.c | ||
| smp-up.c | ||
| smp.c | ||
| spinlock_test.c | ||
| spram.c | ||
| stacktrace.c | ||
| sync-r4k.c | ||
| syscall.c | ||
| sysrq.c | ||
| time.c | ||
| topology.c | ||
| traps.c | ||
| unaligned.c | ||
| uprobes.c | ||
| vdso.c | ||
| vmlinux.lds.S | ||
| vpe-cmp.c | ||
| vpe-mt.c | ||
| vpe.c | ||
| watch.c | ||