On Mon, Feb 10, 2020 at 11:30:42AM -0800, Kees Cook wrote:
Hi,
This is a refresh of my earlier attempt to fix READ_IMPLIES_EXEC. I think it incorporates the feedback from v2, and I've now added a selftest. This series is for x86, arm, and arm64; I'd like it to go via -tip, though, just to keep this change together with the selftest. To that end, I'd like to collect Acks from the respective architecture maintainers. (Note that most other architectures don't suffer from this problem. e.g. powerpc's behavior appears to already be correct. MIPS may need adjusting but the history of CPU features and toolchain behavior is very unclear to me.)
Repeating the commit log from later in the series:
The READ_IMPLIES_EXEC work-around was designed for old toolchains that lacked the ELF PT_GNU_STACK marking under the assumption that toolchains that couldn't specify executable permission flags for the stack may not know how to do it correctly for any memory region.
This logic is sensible for having ancient binaries coexist in a system with possibly NX memory, but was implemented in a way that equated having a PT_GNU_STACK marked executable as being as "broken" as lacking the PT_GNU_STACK marking entirely. Things like unmarked assembly and stack trampolines may cause PT_GNU_STACK to need an executable bit, but they do not imply all mappings must be executable.
This confusion has led to situations where modern programs with explicitly marked executable stack are forced into the READ_IMPLIES_EXEC state when no such thing is needed. (And leads to unexpected failures when mmap()ing regions of device driver memory that wish to disallow VM_EXEC[1].)
In looking for other reasons for the READ_IMPLIES_EXEC behavior, Jann Horn noted that glibc thread stacks have always been marked RWX (until 2003 when they started tracking the PT_GNU_STACK flag instead[2]). And musl doesn't support executable stacks at all[3]. As such, no breakage for multithreaded applications is expected from this change.
[1] https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com [2] https://sourceware.org/git/?p=glibc.git%3Ba=commitdiff%3Bh=54ee14b3882 [3] https://lkml.kernel.org/r/20190423192534.GN23599@brightrain.aerifal.cx
I'm happy to see this, I think it will help the situation.
While I'm not well versed in all the historical details, the general approach makes sense to me and I've looked through the patches.
I would like to follow this up with a patch to again block VM_EXEC from the RDMA related mmap of BAR paths..
Reviewed-by: Jason Gunthorpe jgg@mellanox.com
Jason