renegade-project/linux-next
2
0
Fork 0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-26 14:14:01 +08:00
Code
acf4602001
linux-next/arch
History
Dmitry Safonov acf4602001 x86/mm: Drop TS_COMPAT on 64-bit exec() syscall 
The x86 mmap() code selects the mmap base for an allocation depending on
the bitness of the syscall. For 64bit sycalls it select mm->mmap_base and
for 32bit mm->mmap_compat_base.

exec() calls mmap() which in turn uses in_compat_syscall() to check whether
the mapping is for a 32bit or a 64bit task. The decision is made on the
following criteria:

  ia32    child->thread.status & TS_COMPAT
   x32    child->pt_regs.orig_ax & __X32_SYSCALL_BIT
  ia64    !ia32 && !x32

__set_personality_x32() was dropping TS_COMPAT flag, but
set_personality_64bit() has kept compat syscall flag making
in_compat_syscall() return true during the first exec() syscall.

Which in result has user-visible effects, mentioned by Alexey:
1) It breaks ASAN
$ gcc -fsanitize=address wrap.c -o wrap-asan
$ ./wrap32 ./wrap-asan true
==1217==Shadow memory range interleaves with an existing memory mapping. ASan cannot proceed correctly. ABORTING.
==1217==ASan shadow was supposed to be located in the [0x00007fff7000-0x10007fff7fff] range.
==1217==Process memory map follows:
        0x000000400000-0x000000401000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
        0x000000600000-0x000000601000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
        0x000000601000-0x000000602000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
        0x0000f7dbd000-0x0000f7de2000   /lib64/ld-2.27.so
        0x0000f7fe2000-0x0000f7fe3000   /lib64/ld-2.27.so
        0x0000f7fe3000-0x0000f7fe4000   /lib64/ld-2.27.so
        0x0000f7fe4000-0x0000f7fe5000
        0x7fed9abff000-0x7fed9af54000
        0x7fed9af54000-0x7fed9af6b000   /lib64/libgcc_s.so.1
[snip]

2) It doesn't seem to be great for security if an attacker always knows
that ld.so is going to be mapped into the first 4GB in this case
(the same thing happens for PIEs as well).

The testcase:
$ cat wrap.c

int main(int argc, char *argv[]) {
  execvp(argv[1], &argv[1]);
  return 127;
}

$ gcc wrap.c -o wrap
$ LD_SHOW_AUXV=1 ./wrap ./wrap true |& grep AT_BASE
AT_BASE:         0x7f63b8309000
AT_BASE:         0x7faec143c000
AT_BASE:         0x7fbdb25fa000

$ gcc -m32 wrap.c -o wrap32
$ LD_SHOW_AUXV=1 ./wrap32 ./wrap true |& grep AT_BASE
AT_BASE:         0xf7eff000
AT_BASE:         0xf7cee000
AT_BASE:         0x7f8b9774e000

Fixes: 1b028f784e ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
Fixes: ada26481df ("x86/mm: Make in_compat_syscall() work during exec")
Reported-by: Alexey Izbyshev <izbyshev@ispras.ru>
Bisected-by: Alexander Monakov <amonakov@ispras.ru>
Investigated-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Alexander Monakov <amonakov@ispras.ru>
Cc: Dmitry Safonov <0x7f454c46@gmail.com>
Cc: stable@vger.kernel.org
Cc: linux-mm@kvack.org
Cc: Andy Lutomirski <luto@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Link: https://lkml.kernel.org/r/20180517233510.24996-1-dima@arista.com
2018-05-19 12:31:05 +02:00
..
alpha mm: introduce MAP_FIXED_NOREPLACE 2018-04-11 10:28:38 -07:00
arc kbuild: mark $(targets) as .SECONDARY and remove .PRECIOUS markers 2018-04-07 19:04:02 +09:00
arm arm: dts: imx[35]*: declare flexcan devices to be compatible to imx25's flexcan 2018-05-08 10:41:38 +02:00
arm64 arm64 fixes: 2018-05-11 13:09:04 -07:00
c6x c6x: pass endianness info to sparse 2018-04-10 09:58:58 -04:00
h8300 h8300: remove extraneous __BIG_ENDIAN definition 2018-03-22 17:07:01 -07:00
hexagon hexagon: export csum_partial_copy_nocheck 2018-05-01 15:49:50 -05:00
ia64 pci-v4.17-changes 2018-04-06 18:31:06 -07:00
m68k Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu 2018-04-09 09:15:46 -07:00
microblaze Microblaze patches for 4.17-rc1 2018-04-12 10:18:02 -07:00
mips MIPS fixes for 4.17-rc2 2018-04-20 08:25:31 -07:00
nds32 page cache: use xa_lock 2018-04-11 10:28:39 -07:00
nios2 nios2 update for v4.17-rc1 2018-04-11 16:02:18 -07:00
openrisc OpenRISC updates for v4.17 2018-04-15 12:27:58 -07:00
parisc parisc: Fix section mismatches 2018-05-02 21:47:35 +02:00
powerpc powerpc/pseries: Fix CONFIG_NUMA=n build 2018-05-08 14:59:56 +10:00
riscv RISC-V: build vdso-dummy.o with -no-pie 2018-04-24 10:54:46 -07:00
s390 s390: correct module section names for expoline code revert 2018-04-23 07:57:17 +02:00
sh sh: switch to NO_BOOTMEM 2018-05-11 13:35:46 -04:00
sparc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc 2018-04-30 13:27:16 -07:00
um Merge git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml 2018-04-11 16:36:47 -07:00
unicore32 unicore32: turn flush_dcache_mmap_lock into a no-op 2018-04-11 10:28:39 -07:00
x86 x86/mm: Drop TS_COMPAT on 64-bit exec() syscall 2018-05-19 12:31:05 +02:00
xtensa mm: introduce MAP_FIXED_NOREPLACE 2018-04-11 10:28:38 -07:00
.gitignore
Kconfig KASAN: prohibit KASAN+STRUCTLEAK combination 2018-05-11 17:28:45 -07:00