From: Cyrill Gorcunov <gorcunov@gmail.com>
To: Dmitry Safonov <dima@arista.com>
Cc: linux-kernel@vger.kernel.org,
Alexey Izbyshev <izbyshev@ispras.ru>,
Alexander Monakov <amonakov@ispras.ru>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>,
Dmitry Safonov <0x7f454c46@gmail.com>,
"H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
linux-mm@kvack.org, x86@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] x86/mm: Drop TS_COMPAT on 64-bit exec() syscall
Date: Fri, 18 May 2018 10:20:26 +0300 [thread overview]
Message-ID: <20180518072026.GY31735@uranus> (raw)
In-Reply-To: <20180517233510.24996-1-dima@arista.com>
On Fri, May 18, 2018 at 12:35:10AM +0100, Dmitry Safonov wrote:
> The x86 mmap() code selects the mmap base for an allocation depending on
> the bitness of the syscall. For 64bit sycalls it select mm->mmap_base and
> for 32bit mm->mmap_compat_base.
>
> exec() calls mmap() which in turn uses in_compat_syscall() to check whether
> the mapping is for a 32bit or a 64bit task. The decision is made on the
> following criteria:
>
> ia32 child->thread.status & TS_COMPAT
> x32 child->pt_regs.orig_ax & __X32_SYSCALL_BIT
> ia64 !ia32 && !x32
>
> __set_personality_x32() was dropping TS_COMPAT flag, but
> set_personality_64bit() has kept compat syscall flag making
> in_compat_syscall() return true during the first exec() syscall.
>
> Which in result has user-visible effects, mentioned by Alexey:
> 1) It breaks ASAN
> $ gcc -fsanitize=address wrap.c -o wrap-asan
> $ ./wrap32 ./wrap-asan true
> ==1217==Shadow memory range interleaves with an existing memory mapping. ASan cannot proceed correctly. ABORTING.
> ==1217==ASan shadow was supposed to be located in the [0x00007fff7000-0x10007fff7fff] range.
> ==1217==Process memory map follows:
> 0x000000400000-0x000000401000 /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
> 0x000000600000-0x000000601000 /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
> 0x000000601000-0x000000602000 /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
> 0x0000f7dbd000-0x0000f7de2000 /lib64/ld-2.27.so
> 0x0000f7fe2000-0x0000f7fe3000 /lib64/ld-2.27.so
> 0x0000f7fe3000-0x0000f7fe4000 /lib64/ld-2.27.so
> 0x0000f7fe4000-0x0000f7fe5000
> 0x7fed9abff000-0x7fed9af54000
> 0x7fed9af54000-0x7fed9af6b000 /lib64/libgcc_s.so.1
> [snip]
>
> 2) It doesn't seem to be great for security if an attacker always knows
> that ld.so is going to be mapped into the first 4GB in this case
> (the same thing happens for PIEs as well).
>
> The testcase:
> $ cat wrap.c
>
> int main(int argc, char *argv[]) {
> execvp(argv[1], &argv[1]);
> return 127;
> }
>
> $ gcc wrap.c -o wrap
> $ LD_SHOW_AUXV=1 ./wrap ./wrap true |& grep AT_BASE
> AT_BASE: 0x7f63b8309000
> AT_BASE: 0x7faec143c000
> AT_BASE: 0x7fbdb25fa000
>
> $ gcc -m32 wrap.c -o wrap32
> $ LD_SHOW_AUXV=1 ./wrap32 ./wrap true |& grep AT_BASE
> AT_BASE: 0xf7eff000
> AT_BASE: 0xf7cee000
> AT_BASE: 0x7f8b9774e000
>
> Fixes:
> commit 1b028f784e8c ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
> commit ada26481dfe6 ("x86/mm: Make in_compat_syscall() work during exec")
>
> Cc: Borislav Petkov <bp@suse.de>
> Cc: Cyrill Gorcunov <gorcunov@openvz.org>
> Cc: Dmitry Safonov <0x7f454c46@gmail.com>
> Cc: "H. Peter Anvin" <hpa@zytor.com>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: <linux-mm@kvack.org>
> Cc: <x86@kernel.org>
> Cc: <stable@vger.kernel.org> # v4.12+
> Reported-by: Alexey Izbyshev <izbyshev@ispras.ru>
> Bisected-by: Alexander Monakov <amonakov@ispras.ru>
> Investigated-by: Andy Lutomirski <luto@kernel.org>
> Signed-off-by: Dmitry Safonov <dima@arista.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Thanks a lot! (At first I had to scratch my head for a second
to realize that the key moment is executing 64 bit application
from inside of a compat process :-)
next prev parent reply other threads:[~2018-05-18 7:20 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-17 23:35 [PATCH] x86/mm: Drop TS_COMPAT on 64-bit exec() syscall Dmitry Safonov
2018-05-17 23:40 ` Dmitry Safonov
2018-05-18 22:03 ` Andy Lutomirski
2018-05-18 23:10 ` Dmitry Safonov
2018-05-18 23:16 ` Dmitry Safonov
2018-05-18 23:25 ` Dmitry Safonov
2018-05-19 2:05 ` Andy Lutomirski
2018-05-19 2:22 ` Dmitry Safonov
2018-05-19 2:22 ` Dmitry Safonov
2018-05-19 2:25 ` Dmitry Safonov
2018-05-19 2:33 ` Dmitry Safonov
2018-05-18 7:20 ` Cyrill Gorcunov [this message]
2018-05-19 10:24 ` [tip:x86/urgent] " tip-bot for Dmitry Safonov
2018-05-19 10:34 ` tip-bot for Dmitry Safonov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180518072026.GY31735@uranus \
--to=gorcunov@gmail.com \
--cc=0x7f454c46@gmail.com \
--cc=amonakov@ispras.ru \
--cc=bp@suse.de \
--cc=dima@arista.com \
--cc=hpa@zytor.com \
--cc=izbyshev@ispras.ru \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.