Re: [PATCH] MIPS: Prevent READ_IMPLIES_EXEC propagation

From: Tiezhu Yang
Date: Wed Jul 08 2020 - 03:51:51 EST


On 07/08/2020 03:45 AM, Maciej W. Rozycki wrote:
> On Tue, 7 Jul 2020, Tiezhu Yang wrote:
>
>> In the MIPS architecture, we should clear the security-relevant
>> flag READ_IMPLIES_EXEC in the function SET_PERSONALITY2() of the
>> file arch/mips/include/asm/elf.h.
>>
>> Otherwise, with this flag set, PROT_READ implies PROT_EXEC for
>> mmap to make memory executable, which is not safe, because this
>> condition allows an attacker to simply jump to and execute bytes
>> that are considered to be just data [1].
>
> Why isn't the arrangement made with `mips_elf_read_implies_exec'
> sufficient?

We inherit the READ_IMPLIES_EXEC personality flag across fork().
If we do not explicitly clear this flag in SET_PERSONALITY2(),
PROT_READ implies PROT_EXEC for mmap to make memory executable
even if used with the GCC option "-z noexecstack" when compiling.

By the way, we can see some other reasons in the following commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=48f99c8ec0b2

>
>   Maciej
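An added example (my own code, not from this thread or the kernel tree), assuming Linux with /proc mounted: it checks whether the running process carries READ_IMPLIES_EXEC, whether a PROT_READ-only anonymous mmap() comes back executable as the reply describes, and whether a fork() child inherits the flag; the function names are assumptions of mine.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <sys/personality.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if this process currently carries READ_IMPLIES_EXEC, else 0. */
int has_read_implies_exec(void)
{
    int persona = personality(0xffffffff);  /* 0xffffffff = query only */
    return (persona != -1 && (persona & READ_IMPLIES_EXEC)) ? 1 : 0;
}
/* Set (on=1) or clear (on=0) the flag: 0 on success, -1 if refused (seccomp etc.). */
int set_read_implies_exec(int on)
{
    int persona = personality(0xffffffff);
    if (persona == -1) return -1;
    persona = on ? persona | READ_IMPLIES_EXEC : persona & ~READ_IMPLIES_EXEC;
    return personality((unsigned long)persona) == -1 ? -1 : 0;
}
/* Map one anonymous page PROT_READ only and read back from /proc/self/maps
 * whether the kernel added PROT_EXEC: 1 executable, 0 not, -1 on error. */
int anon_read_mapping_is_exec(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    int result = -1; unsigned long start, end; char line[512], perms[5];
    FILE *maps = fopen("/proc/self/maps", "r");
    while (maps && fgets(line, sizeof line, maps))
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) == 3 &&
            start <= (unsigned long)p && (unsigned long)p < end) {
            result = (perms[2] == 'x');  /* perms column looks like "r-xp" */
            break;
        }
    if (maps) fclose(maps);
    munmap(p, page);
    return result;
}
/* fork() and report whether the child sees the same flag: 1 yes, 0 no, -1 error. */
int child_sees_same_flag(void)
{
    int parent_flag = has_read_implies_exec(), status; pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) _exit(has_read_implies_exec());
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == parent_flag;
}
```

With the flag set, the PROT_READ-only page shows up as r-xp and the child reports the flag too; if personality() is refused by a sandbox, set_read_implies_exec() returns -1 and only the query paths run.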