From: Jann Horn <jannh@google.com>
To: yu-cheng.yu@intel.com
Cc: the arch/x86 maintainers <x86@kernel.org>,
"H . Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
kernel list <linux-kernel@vger.kernel.org>,
linux-doc@vger.kernel.org, Linux-MM <linux-mm@kvack.org>,
linux-arch <linux-arch@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
Andy Lutomirski <luto@amacapital.net>,
bsingharora@gmail.com, Cyrill Gorcunov <gorcunov@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Florian Weimer <fweimer@redhat.com>,
hjl.tools@gmail.com, Jonathan Corbet <corbet@lwn.net>,
keescook@chromiun.org, Mike Kravetz <mike.kravetz@oracle.com>,
Nadav Amit <nadav.amit@gmail.com>,
Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>,
Peter Zijlstra <peterz@infradead.org>,
ravi.v.shankar@intel.com, vedvyas.shanbhogue@intel.com
Subject: Re: [RFC PATCH v2 20/27] x86/cet/shstk: ELF header parsing of CET
Date: Wed, 11 Jul 2018 12:37:00 -0700 [thread overview]
Message-ID: <CAG48ez3DYQtgk_WfOwbFFeuWJmzwZhH-DkDT1UKYVZaYi6V_Pg@mail.gmail.com> (raw)
In-Reply-To: <20180710222639.8241-21-yu-cheng.yu@intel.com>
On Tue, Jul 10, 2018 at 3:31 PM Yu-cheng Yu <yu-cheng.yu@intel.com> wrote:
>
> Look in .note.gnu.property of an ELF file and check if shadow stack needs
> to be enabled for the task.
>
> Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
[...]
> diff --git a/arch/x86/kernel/elf.c b/arch/x86/kernel/elf.c
> new file mode 100644
> index 000000000000..233f6dad9c1f
> --- /dev/null
> +++ b/arch/x86/kernel/elf.c
[...]
> +#define NOTE_SIZE_BAD(n, align, max) \
> + ((n->n_descsz < 8) || ((n->n_descsz % align) != 0) || \
> + (((u8 *)(n + 1) + 4 + n->n_descsz) > (max)))
Please do not compute out-of-bounds pointers and then compare them
against an expected maximum pointer. Computing an out-of-bounds
pointer is undefined behavior according to the C99 specification,
section "6.5.6 Additive operators", paragraph 8; and in this case,
n->n_descsz is 32 bits wide, which means that even if the compiler
isn't doing anything funny, if you're operating on addresses in the
last 4GiB of virtual memory and the pointer wraps around, this could
break.
In particular, if anyone ever uses this code in a 32-bit kernel, this
is going to blow up.
Please use size comparisons instead of pointer comparisons.
> +
> +/*
> + * Go through the property array and look for the one
> + * with pr_type of GNU_PROPERTY_X86_FEATURE_1_AND.
> + */
> +static u32 find_x86_feature_1(u8 *buf, u32 size, u32 align)
> +{
> + u8 *end = buf + size;
> + u8 *ptr = buf;
> +
> + while (1) {
> + u32 pr_type, pr_datasz;
> +
> + if ((ptr + 4) >= end)
> + break;
Theoretical UB.
> + pr_type = *(u32 *)ptr;
> + pr_datasz = *(u32 *)(ptr + 4);
> + ptr += 8;
> +
> + if ((ptr + pr_datasz) >= end)
> + break;
UB, like in NOTE_SIZE_BAD().
> + if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND &&
> + pr_datasz == 4)
> + return *(u32 *)ptr;
> +
> + ptr += pr_datasz;
> + }
> + return 0;
> +}
[...]
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index 0ac456b52bdd..3395f6a631d5 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -1081,6 +1081,22 @@ static int load_elf_binary(struct linux_binprm *bprm)
> goto out_free_dentry;
> }
>
> +#ifdef CONFIG_ARCH_HAS_PROGRAM_PROPERTIES
> +
> + if (interpreter) {
> + retval = arch_setup_features(&loc->interp_elf_ex,
> + interp_elf_phdata,
> + interpreter, true);
> + } else {
> + retval = arch_setup_features(&loc->elf_ex,
> + elf_phdata,
> + bprm->file, false);
> + }
So for non-static binaries, the ELF headers of ld.so determine whether
CET will be on or off for the entire system, right? Is the intent here
that ld.so should start with CET enabled, and then either use the
compatibility bitmap or turn CET off at runtime if the executable or
one of the libraries doesn't actually work with CET?
next prev parent reply other threads:[~2018-07-11 19:37 UTC|newest]
Thread overview: 123+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-10 22:26 [RFC PATCH v2 00/27] Control Flow Enforcement (CET) Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 01/27] x86/cpufeatures: Add CPUIDs for Control-flow Enforcement Technology (CET) Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 02/27] x86/fpu/xstate: Change some names to separate XSAVES system and user states Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 03/27] x86/fpu/xstate: Enable XSAVES system states Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 04/27] x86/fpu/xstate: Add XSAVES system states for shadow stack Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 05/27] Documentation/x86: Add CET description Yu-cheng Yu
2018-07-11 8:27 ` Pavel Machek
2018-07-11 15:25 ` Yu-cheng Yu
2018-07-11 9:57 ` Florian Weimer
2018-07-11 13:47 ` H.J. Lu
2018-07-11 14:53 ` Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 06/27] x86/cet: Control protection exception handler Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 07/27] x86/cet/shstk: Add Kconfig option for user-mode shadow stack Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 08/27] mm: Introduce VM_SHSTK for shadow stack memory Yu-cheng Yu
2018-07-11 8:34 ` Peter Zijlstra
2018-07-11 16:15 ` Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 09/27] x86/mm: Change _PAGE_DIRTY to _PAGE_DIRTY_HW Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 10/27] x86/mm: Introduce _PAGE_DIRTY_SW Yu-cheng Yu
2018-07-11 8:45 ` Peter Zijlstra
2018-07-11 9:21 ` Peter Zijlstra
2018-07-10 22:26 ` [RFC PATCH v2 11/27] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW Yu-cheng Yu
2018-07-10 22:44 ` Dave Hansen
2018-07-10 23:23 ` Nadav Amit
2018-07-10 23:52 ` Dave Hansen
2018-07-11 8:48 ` Peter Zijlstra
2018-07-10 22:26 ` [RFC PATCH v2 12/27] x86/mm: Shadow stack page fault error checking Yu-cheng Yu
2018-07-10 22:52 ` Dave Hansen
2018-07-11 17:28 ` Yu-cheng Yu
2018-07-10 23:24 ` Dave Hansen
2018-07-10 22:26 ` [RFC PATCH v2 13/27] mm: Handle shadow stack page fault Yu-cheng Yu
2018-07-10 23:06 ` Dave Hansen
2018-07-11 9:06 ` Peter Zijlstra
2018-08-14 21:28 ` Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 14/27] mm: Handle THP/HugeTLB " Yu-cheng Yu
2018-07-10 23:08 ` Dave Hansen
2018-07-11 9:10 ` Peter Zijlstra
2018-07-11 16:11 ` Yu-cheng Yu
2018-07-20 14:20 ` Dave Hansen
2018-07-20 14:58 ` Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 15/27] mm/mprotect: Prevent mprotect from changing shadow stack Yu-cheng Yu
2018-07-10 23:10 ` Dave Hansen
2018-07-11 9:12 ` Peter Zijlstra
2018-07-11 16:07 ` Yu-cheng Yu
2018-07-11 16:22 ` Dave Hansen
2018-07-10 22:26 ` [RFC PATCH v2 16/27] mm: Modify can_follow_write_pte/pmd for " Yu-cheng Yu
2018-07-10 23:37 ` Dave Hansen
2018-07-11 17:05 ` Yu-cheng Yu
2018-07-13 18:26 ` Dave Hansen
2018-07-17 23:03 ` Yu-cheng Yu
2018-07-17 23:11 ` Dave Hansen
2018-07-17 23:15 ` Dave Hansen
2018-07-18 20:14 ` Yu-cheng Yu
2018-07-18 21:45 ` Dave Hansen
2018-07-18 23:10 ` Yu-cheng Yu
2018-07-19 0:06 ` Dave Hansen
2018-07-19 17:06 ` Yu-cheng Yu
2018-07-19 19:31 ` Dave Hansen
2018-07-11 9:29 ` Peter Zijlstra
2018-07-17 23:00 ` Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 17/27] x86/cet/shstk: User-mode shadow stack support Yu-cheng Yu
2018-07-10 23:40 ` Dave Hansen
2018-07-11 9:34 ` Peter Zijlstra
2018-07-11 15:45 ` Yu-cheng Yu
2018-07-11 9:36 ` Peter Zijlstra
2018-07-11 21:10 ` Jann Horn
2018-07-11 21:34 ` Andy Lutomirski
2018-07-11 21:51 ` Jann Horn
2018-07-11 22:21 ` Andy Lutomirski
2018-07-13 18:03 ` Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 18/27] x86/cet/shstk: Introduce WRUSS instruction Yu-cheng Yu
2018-07-10 23:48 ` Dave Hansen
2018-07-12 22:59 ` Yu-cheng Yu
2018-07-12 23:49 ` Dave Hansen
2018-07-13 1:50 ` Dave Hansen
2018-07-13 2:21 ` Andy Lutomirski
2018-07-13 4:16 ` Dave Hansen
2018-07-13 4:18 ` Dave Hansen
2018-07-13 17:39 ` Yu-cheng Yu
2018-07-13 5:55 ` Andy Lutomirski
2018-07-11 9:44 ` Peter Zijlstra
2018-07-11 15:06 ` Yu-cheng Yu
2018-07-11 15:30 ` Peter Zijlstra
2018-07-11 9:45 ` Peter Zijlstra
2018-07-11 14:58 ` Yu-cheng Yu
2018-07-11 15:27 ` Peter Zijlstra
2018-07-11 15:41 ` Yu-cheng Yu
2018-07-13 12:12 ` Dave Hansen
2018-07-13 17:37 ` Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 19/27] x86/cet/shstk: Signal handling for shadow stack Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 20/27] x86/cet/shstk: ELF header parsing of CET Yu-cheng Yu
2018-07-11 11:12 ` Florian Weimer
2018-07-11 19:37 ` Jann Horn [this message]
2018-07-11 20:53 ` Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 21/27] x86/cet/ibt: Add Kconfig option for user-mode Indirect Branch Tracking Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 22/27] x86/cet/ibt: User-mode indirect branch tracking support Yu-cheng Yu
2018-07-11 0:11 ` Dave Hansen
2018-07-11 22:10 ` Yu-cheng Yu
2018-07-11 22:40 ` Dave Hansen
2018-07-11 23:00 ` Yu-cheng Yu
2018-07-11 23:16 ` Dave Hansen
2018-07-13 17:56 ` Yu-cheng Yu
2018-07-13 18:05 ` Dave Hansen
2018-07-11 21:07 ` Jann Horn
2018-07-10 22:26 ` [RFC PATCH v2 23/27] mm/mmap: Add IBT bitmap size to address space limit check Yu-cheng Yu
2018-07-10 23:57 ` Dave Hansen
2018-07-11 16:56 ` Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 24/27] x86: Insert endbr32/endbr64 to vDSO Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 25/27] x86/cet: Add PTRACE interface for CET Yu-cheng Yu
2018-07-11 10:20 ` Ingo Molnar
2018-07-11 15:40 ` Yu-cheng Yu
2018-07-12 14:03 ` Ingo Molnar
2018-07-12 22:37 ` Yu-cheng Yu
2018-07-12 23:08 ` Thomas Gleixner
2018-07-13 16:07 ` Yu-cheng Yu
2018-07-13 6:28 ` Pavel Machek
2018-07-13 13:33 ` Ingo Molnar
2018-07-14 6:27 ` Pavel Machek
2018-07-10 22:26 ` [RFC PATCH v2 26/27] x86/cet/shstk: Handle thread shadow stack Yu-cheng Yu
2018-07-10 22:26 ` [RFC PATCH v2 27/27] x86/cet: Add arch_prctl functions for CET Yu-cheng Yu
2018-07-11 12:19 ` Florian Weimer
2018-07-11 21:02 ` Yu-cheng Yu
2018-07-11 19:45 ` Jann Horn
2018-07-11 20:55 ` Yu-cheng Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAG48ez3DYQtgk_WfOwbFFeuWJmzwZhH-DkDT1UKYVZaYi6V_Pg@mail.gmail.com \
--to=jannh@google.com \
--cc=arnd@arndb.de \
--cc=bsingharora@gmail.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=fweimer@redhat.com \
--cc=gorcunov@gmail.com \
--cc=hjl.tools@gmail.com \
--cc=hpa@zytor.com \
--cc=keescook@chromiun.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@amacapital.net \
--cc=mike.kravetz@oracle.com \
--cc=mingo@redhat.com \
--cc=nadav.amit@gmail.com \
--cc=oleg@redhat.com \
--cc=pavel@ucw.cz \
--cc=peterz@infradead.org \
--cc=ravi.v.shankar@intel.com \
--cc=tglx@linutronix.de \
--cc=vedvyas.shanbhogue@intel.com \
--cc=x86@kernel.org \
--cc=yu-cheng.yu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox