Re: [PATCH v4] powerpc: Do not make the entire heap executable

From: Denys Vlasenko
Date: Fri Aug 19 2016 - 08:33:15 EST

Next message: Peter Zijlstra: "Re: Context switch latency in tickless isolated CPU"
Previous message: Matt Fleming: "Re: [PATCH] efi: fix handling error value in fdt_find_uefi_params"
Next in thread: Aneesh Kumar K.V: "Re: [PATCH v4] powerpc: Do not make the entire heap executable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 08/10/2016 03:00 PM, Denys Vlasenko wrote:

On 32-bit powerpc the ELF PLT sections of binaries (built with --bss-plt,
or with a toolchain which defaults to it) look like this:

[17] .sbss NOBITS 0002aff8 01aff8 000014 00 WA 0 0 4
[18] .plt NOBITS 0002b00c 01aff8 000084 00 WAX 0 0 4
[19] .bss NOBITS 0002b090 01aff8 0000a4 00 WA 0 0 4

Which results in an ELF load header:

Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x019c70 0x00029c70 0x00029c70 0x01388 0x014c4 RWE 0x10000

This is all correct, the load region containing the PLT is marked as
executable. Note that the PLT starts at 0002b00c but the file mapping ends at
0002aff8, so the PLT falls in the 0 fill section described by the load header,
and after a page boundary.

Unfortunately the generic ELF loader ignores the X bit in the load headers
when it creates the 0 filled non-file backed mappings. It assumes all of these
mappings are RW BSS sections, which is not the case for PPC.

gcc/ld has an option (--secure-plt) to not do this, this is said to incur
a small performance penalty.

Currently, to support 32-bit binaries with PLT in BSS kernel maps *entire
brk area* with executable rights for all binaries, even --secure-plt ones.

Stop doing that.

Teach the ELF loader to check the X bit in the relevant load header
and create 0 filled anonymous mappings that are executable
if the load header requests that.

The patch was originally posted in 2012 by Jason Gunthorpe
and apparently ignored:

https://lkml.org/lkml/2012/9/30/138

Lightly run-tested.

Ping powerpc/mm people.
How does this patch look? Are you taking it?

-static int do_brk(unsigned long addr, unsigned long request)
+static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long flags)
{
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma, *prev;
- unsigned long flags, len;
+ unsigned long len;
struct rb_node **rb_link, *rb_parent;
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;
@@ -2668,7 +2668,7 @@ static int do_brk(unsigned long addr, unsigned long request)
if (!len)
return 0;

- flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
+ flags |= VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;

error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);

Regarding "maybe VM_LOCKED needs to be masked out of flags?"
in the fragment above.

I agree. In a sense that "Yes, maybe. I don't really know
whether mm people feel it is worth the cost."
I'd be happy to send a new version if someone will express
a definite request to add that.

Next message: Peter Zijlstra: "Re: Context switch latency in tickless isolated CPU"
Previous message: Matt Fleming: "Re: [PATCH] efi: fix handling error value in fdt_find_uefi_params"
Next in thread: Aneesh Kumar K.V: "Re: [PATCH v4] powerpc: Do not make the entire heap executable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]