Message-ID: <5eb30083-1d8f-02cf-c4bf-2560ad46243d@astralinux.ru>
Date: Tue, 16 Jan 2024 15:37:45 +0300
To: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-mm@kvack.org
Cc: stephen.smalley.work@gmail.com,
aaw@google.com
From: Dmitry Mastykin
Subject: preventing executable stack with file_mprotect hook

Hello all,

I use the file_mprotect hook to prevent executable stack. It's called from the mprotect syscall and prevents linkage with execstack-flagged libraries. But I don't see it called when I execute a simple execstack-flagged binary:

    /* i386 exit(0) shellcode placed in a stack buffer and called directly.
     * Build as a 32-bit binary marked for an executable stack
     * (e.g. -m32 -z execstack) so that the jump into the stack is allowed. */
    int main()
    {
        char shell[100] =
            "\xb0\x01"   // mov al, 1      (exit syscall number)
            "\x31\xdb"   // xor ebx, ebx   (exit status 0)
            "\xcd\x80";  // int 0x80
        ((void (*)())shell)();   /* jump into the stack buffer */
        return 0;
    }

I'm thinking about a patch like the one at the end of this message. I would be glad to have feedback, if someone finds this reasonable.

Thank you!

Kind regards
Dmitry Mastykin

diff --git a/fs/exec.c b/fs/exec.c index cebfe15bbad8..0288f14f11b2 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -50,6 +50,7 @@ #include #include #include +#include #include #include #include @@ -759,6 +760,7 @@ int setup_arg_pages(struct linux_binprm *bprm, struct vm_area_struct *vma = bprm->vma; struct vm_area_struct *prev = NULL; unsigned long vm_flags; + unsigned long prot = 0; unsigned long stack_base; unsigned long stack_size; unsigned long stack_expand; 
@@ -811,16 +813,19 @@ int setup_arg_pages(struct linux_binprm *bprm, * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone * (arch default) otherwise. */ - if (unlikely(executable_stack == EXSTACK_ENABLE_X)) + if (unlikely(executable_stack == EXSTACK_ENABLE_X)) { + prot |= PROT_EXEC; vm_flags |= VM_EXEC; - else if (executable_stack == EXSTACK_DISABLE_X) + } else if (executable_stack == EXSTACK_DISABLE_X) vm_flags &= ~VM_EXEC; vm_flags |= mm->def_flags; vm_flags |= VM_STACK_INCOMPLETE_SETUP; tlb_gather_mmu(&tlb, mm); - ret = mprotect_fixup(&tlb, vma, &prev, vma->vm_start, vma->vm_end, - vm_flags); + ret = security_file_mprotect(vma, prot, prot); + if (!ret) + ret = mprotect_fixup(&tlb, vma, &prev, + vma->vm_start, vma->vm_end, vm_flags); tlb_finish_mmu(&tlb); if (ret)
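Review bot: in the setup_arg_pages() hunk, `prot` only ever carries PROT_EXEC, so the LSM is told the requested and resulting protection is execute-only although `vm_flags` keeps the stack readable and writable, and when executable_stack is anything other than EXSTACK_ENABLE_X the hook is still called on every exec with reqprot == prot == 0. Build `prot` from the final `vm_flags` (the read, write and exec bits) so that reqprot/prot match what mprotect_fixup() is about to apply, and consider calling the hook only when `vm_flags & VM_EXEC` so the common non-executable case does not pay for it; a comment saying that the point is to give LSMs the same view they get for mprotect(PROT_EXEC) on the stack would also help. Two further things worth a comment or a check: the vma handed to security_file_mprotect() still has its pre-fixup flags and is marked VM_STACK_INCOMPLETE_SETUP in the same hunk, so an LSM that recognises the stack by its final layout may not classify this vma as the stack; and moving the call above tlb_gather_mmu() avoids opening and closing the TLB batch for a request that can fail.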
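The binary in the message is "execstack-flagged" because its PT_GNU_STACK program header carries PF_X, which the ELF loader turns into the executable_stack value that setup_arg_pages() receives. The following is an added userspace example, not code from the message or from the kernel, that classifies an in-memory ELF image the same way: it scans the program header table for PT_GNU_STACK and returns an EXSTACK_* value (the names mirror the ones used in the patch; the numeric values are the example's own). It assumes a little-endian ELF32 or ELF64 image held entirely in memory, takes PT_GNU_STACK_TYPE and the field offsets from the ELF specification, and constructs its own sample images so it runs offline.

```c
/*
 * Added example, not code from the message or from the kernel: decide from
 * an ELF image's PT_GNU_STACK header whether it asks for an executable stack,
 * the decision a loader makes before the initial stack is given VM_EXEC.
 * Assumptions: little-endian ELF32/ELF64, whole image in memory. EXSTACK_*
 * names mirror those in the patch; the numeric values are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum exstack {
	EXSTACK_BAD = -1,      /* not a parsable little-endian ELF image */
	EXSTACK_DEFAULT = 0,   /* no PT_GNU_STACK: architecture default applies */
	EXSTACK_DISABLE_X = 1, /* PT_GNU_STACK present, PF_X clear */
	EXSTACK_ENABLE_X = 2   /* PT_GNU_STACK present, PF_X set */
};

#define PT_GNU_STACK_TYPE 0x6474e551u /* PT_LOOS + 0x474e551, from the ELF spec */
#define PF_X_BIT 0x1u

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const unsigned char *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const unsigned char *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> 8 * i) & 0xff; }
static void wr64(unsigned char *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (v >> 8 * i) & 0xff; }

/* Scan the program header table; a later PT_GNU_STACK entry overrides an earlier one. */
int classify_gnu_stack(const unsigned char *img, size_t len)
{
	if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[5] != 1)
		return EXSTACK_BAD;                 /* magic or EI_DATA (LE) wrong */
	int is64 = img[4] == 2;                     /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
	if ((!is64 && img[4] != 1) || (is64 && len < 64))
		return EXSTACK_BAD;
	/* Field offsets differ per class: e_phoff, e_phentsize, e_phnum, p_flags. */
	uint64_t phoff   = is64 ? rd64(img + 32) : rd32(img + 28);
	uint16_t phentsz = is64 ? rd16(img + 54) : rd16(img + 42);
	uint16_t phnum   = is64 ? rd16(img + 56) : rd16(img + 44);
	size_t flagsoff  = is64 ? 4 : 24;
	if (phentsz < (is64 ? 56 : 32))
		return EXSTACK_BAD;

	int result = EXSTACK_DEFAULT;
	for (uint16_t i = 0; i < phnum; i++) {
		uint64_t off = phoff + (uint64_t)i * phentsz;
		if (off > len || len - off < phentsz)
			return EXSTACK_BAD;             /* table runs past the image */
		const unsigned char *ph = img + off;
		if (rd32(ph) != PT_GNU_STACK_TYPE)
			continue;
		result = (rd32(ph + flagsoff) & PF_X_BIT) ? EXSTACK_ENABLE_X
							  : EXSTACK_DISABLE_X;
	}
	return result;
}

/* Constructed sample, not a real binary: header, one PT_LOAD and optionally one
 * PT_GNU_STACK carrying stack_flags. Returns the image size, 0 if cap is too small. */
size_t build_sample_elf(int is64, int with_gnu_stack, uint32_t stack_flags,
			unsigned char *out, size_t cap)
{
	size_t ehsize = is64 ? 64 : 52, phentsz = is64 ? 56 : 32;
	size_t phnum = with_gnu_stack ? 2 : 1, flagsoff = is64 ? 4 : 24;
	size_t total = ehsize + phnum * phentsz;
	if (cap < total)
		return 0;
	memset(out, 0, total);
	memcpy(out, "\x7f" "ELF", 4);
	out[4] = is64 ? 2 : 1; /* EI_CLASS */
	out[5] = 1;            /* EI_DATA: little-endian */
	out[6] = 1;            /* EI_VERSION */
	if (is64) {
		wr64(out + 32, ehsize);
		wr16(out + 54, (uint16_t)phentsz);
		wr16(out + 56, (uint16_t)phnum);
	} else {
		wr32(out + 28, (uint32_t)ehsize);
		wr16(out + 42, (uint16_t)phentsz);
		wr16(out + 44, (uint16_t)phnum);
	}
	unsigned char *ph = out + ehsize;
	wr32(ph, 1);              /* PT_LOAD */
	wr32(ph + flagsoff, 0x5); /* PF_R | PF_X */
	if (with_gnu_stack) {
		ph += phentsz;
		wr32(ph, PT_GNU_STACK_TYPE);
		wr32(ph + flagsoff, stack_flags);
	}
	return total;
}

int main(void)
{
	static const char *name[] = { "default", "disable_x", "enable_x" };
	unsigned char img[256];
	size_t n = build_sample_elf(1, 1, 0x7, img, sizeof img); /* RWE, as in the message */
	printf("PT_GNU_STACK rwe -> %s\n", name[classify_gnu_stack(img, n)]);
	n = build_sample_elf(1, 1, 0x6, img, sizeof img);        /* RW only */
	printf("PT_GNU_STACK rw  -> %s\n", name[classify_gnu_stack(img, n)]);
	return 0;
}
```

For a real binary the same information is visible with `readelf -l a.out | grep GNU_STACK`: a `RWE` flags column is the case the message is about, where the stack is executable from the first instruction without any mprotect() call, which is why a hook that only fires from mprotect() never sees it. The bounds checks matter because the program header table comes from an untrusted file; a truncated table makes the classifier return EXSTACK_BAD rather than read past the image.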