Re: [PATCH v3 0/7] binfmt_elf: Update READ_IMPLIES_EXEC logic for modern CPUs

From: Jason Gunthorpe
Date: Tue Feb 11 2020 - 12:17:44 EST


On Mon, Feb 10, 2020 at 11:30:42AM -0800, Kees Cook wrote:
> Hi,
>
> This is a refresh of my earlier attempt to fix READ_IMPLIES_EXEC. I think
> it incorporates the feedback from v2, and I've now added a selftest. This
> series is for x86, arm, and arm64; I'd like it to go via -tip, though,
> just to keep this change together with the selftest. To that end, I'd like
> to collect Acks from the respective architecture maintainers. (Note that
> most other architectures don't suffer from this problem. e.g. powerpc's
> behavior appears to already be correct. MIPS may need adjusting but the
> history of CPU features and toolchain behavior is very unclear to me.)
>
> Repeating the commit log from later in the series:
>
>
> The READ_IMPLIES_EXEC work-around was designed for old toolchains that
> lacked the ELF PT_GNU_STACK marking under the assumption that toolchains
> that couldn't specify executable permission flags for the stack may not
> know how to do it correctly for any memory region.
>
> This logic is sensible for having ancient binaries coexist in a system
> with possibly NX memory, but was implemented in a way that equated having
> a PT_GNU_STACK marked executable as being as "broken" as lacking the
> PT_GNU_STACK marking entirely. Things like unmarked assembly and stack
> trampolines may cause PT_GNU_STACK to need an executable bit, but they
> do not imply all mappings must be executable.
>
> This confusion has led to situations where modern programs with explicitly
> marked executable stack are forced into the READ_IMPLIES_EXEC state when
> no such thing is needed. (And leads to unexpected failures when mmap()ing
> regions of device driver memory that wish to disallow VM_EXEC[1].)
>
> In looking for other reasons for the READ_IMPLIES_EXEC behavior, Jann
> Horn noted that glibc thread stacks have always been marked RWX (until
> 2003 when they started tracking the PT_GNU_STACK flag instead[2]). And
> musl doesn't support executable stacks at all[3]. As such, no breakage
> for multithreaded applications is expected from this change.
>
> [1] https://lkml.kernel.org/r/20190418055759.GA3155@xxxxxxxxxxxx
> [2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=54ee14b3882
> [3] https://lkml.kernel.org/r/20190423192534.GN23599@xxxxxxxxxxxxxxxxxxxxx

I'm happy to see this, I think it will help the situation.

While I'm not well versed in all the historical details, the general
approach makes sense to me and I've looked through the patches.

I would like to follow this up with a patch to again block VM_EXEC
from the RDMA related mmap of BAR paths..

Reviewed-by: Jason Gunthorpe <jgg@xxxxxxxxxxxx>

Jason