From: Catalin Marinas <catalin.marinas@arm.com>
To: Szabolcs Nagy <szabolcs.nagy@arm.com>
Cc: "Mark Brown" <broonie@kernel.org>,
	"Will Deacon" <will@kernel.org>,
	"Alexander Viro" <viro@zeniv.linux.org.uk>,
	"Paul Elliott" <paul.elliott@arm.com>,
	"Peter Zijlstra" <peterz@infradead.org>,
	"Yu-cheng Yu" <yu-cheng.yu@intel.com>,
	"Amit Kachhap" <amit.kachhap@arm.com>,
	"Vincenzo Frascino" <vincenzo.frascino@arm.com>,
	"Marc Zyngier" <maz@kernel.org>,
	"Eugene Syromiatnikov" <esyr@redhat.com>,
	"H . J . Lu " <hjl.tools@gmail.com>,
	"Andrew Jones" <drjones@redhat.com>,
	"Kees Cook" <keescook@chromium.org>,
	"Arnd Bergmann" <arnd@arndb.de>, "Jann Horn" <jannh@google.com>,
	"Richard Henderson" <richard.henderson@linaro.org>,
	"Kristina Martšenko" <kristina.martsenko@arm.com>,
	"Thomas Gleixner" <tglx@linutronix.de>,
	"Florian Weimer" <fweimer@redhat.com>,
	"Sudakshina Das" <sudi.das@ar>
Subject: Re: [PATCH v10 00/13] arm64: Branch Target Identification support
Date: Mon, 23 Mar 2020 12:21:44 +0000
Message-ID: <20200323122143.GB4892@mbp>
In-Reply-To: <20200320173945.GC27072@arm.com>

On Fri, Mar 20, 2020 at 05:39:46PM +0000, Szabolcs Nagy wrote:
> The 03/16/2020 16:50, Mark Brown wrote:
> > This patch series implements support for ARMv8.5-A Branch Target
> > Identification (BTI), which is a control flow integrity protection
> > feature introduced as part of the ARMv8.5-A extensions.
> 
> i was playing with this and it seems the kernel does not add
> PROT_BTI to non-static executables (i.e. there is an interpreter).
> 
> i thought any elf that the kernel maps would get PROT_BTI from the
> kernel. (i want to remove the mprotect in glibc when not necessary)

I haven't followed the early discussions but I think this makes sense.

> i tested by linking a hello world exe with -Wl,-z,force-bti (and
> verified that the property note is there) and expected it to crash
> (with SIGILL) when the dynamic linker jumps to _start in the exe,
> but it executed without errors (if i do the mprotect in glibc then
> i get SIGILL as expected).
> 
> is this deliberate? does the kernel map static exe and dynamic
> linked exe differently?

I think the logic is in patch 5:

+int arch_elf_adjust_prot(int prot, const struct arch_elf_state *state,
+                        bool has_interp, bool is_interp)
+{
+       if (is_interp != has_interp)
+               return prot;
+
+       if (!(state->flags & ARM64_ELF_BTI))
+               return prot;
+
+       if (prot & PROT_EXEC)
+               prot |= PROT_BTI;
+
+       return prot;
+}
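
Review bot: the early "return prot" on is_interp != has_interp carries no comment, and it is what leaves a dynamically linked executable's own PT_LOAD segments without PROT_BTI: with an interpreter present only the interpreter mapping (is_interp == true) reaches the ARM64_ELF_BTI check, while a static executable (both false) is marked. If the intent is that the dynamic loader applies PROT_BTI to the main executable itself via mprotect(), a comment above the check should say so; if every BTI-marked ELF the kernel maps is meant to be marked, the check should be dropped so that "state->flags & ARM64_ELF_BTI" decides on its own.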

At a quick look, for dynamic binaries we have has_interp == true and
is_interp == false. I don't know why but, either way, the above code
needs a comment with some justification.

-- 
Catalin
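
Added illustration, not code from the series or from glibc: a parse of the GNU property note that -Wl,-z,force-bti emits, followed by the has_interp/is_interp decision quoted above, showing which of a program's mappings the kernel itself would mark. The note bytes are constructed, and the PROT_BTI value is assumed from the arm64 UAPI rather than taken from this thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NT_GNU_PROPERTY_TYPE_0             5
#define GNU_PROPERTY_AARCH64_FEATURE_1_AND 0xc0000000u
#define GNU_PROPERTY_AARCH64_FEATURE_1_BTI (1u << 0)
#define PROT_EXEC 0x4
#define PROT_BTI  0x10 /* arm64 UAPI value, assumed here, not taken from <asm/mman.h> */
/* Constructed sample of the ELF64 .note.gnu.property that -Wl,-z,force-bti emits. */
struct gnu_prop_note {
    uint32_t n_namesz, n_descsz, n_type;        /* 4, 16, NT_GNU_PROPERTY_TYPE_0 */
    char     name[4];                           /* "GNU\0" */
    uint32_t pr_type, pr_datasz, pr_data, pad;  /* FEATURE_1_AND, 4, bits, ELF64 8-byte pad */
};
static const struct gnu_prop_note bti_note = { 4, 16, NT_GNU_PROPERTY_TYPE_0, "GNU",
    GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, GNU_PROPERTY_AARCH64_FEATURE_1_BTI, 0 };
static uint32_t u32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* 1 if the note carries the AArch64 BTI bit, 0 if not, -1 if the note is malformed. */
static int note_has_bti(const uint8_t *p, size_t len)
{
    size_t off = 16;                            /* 12-byte Elf64_Nhdr + 4-byte "GNU\0" name */
    if (len < off || u32(p) != 4 || u32(p + 8) != NT_GNU_PROPERTY_TYPE_0 ||
        memcmp(p + 12, "GNU", 4) || len < off + u32(p + 4)) return -1;
    for (uint32_t descsz = u32(p + 4); descsz >= 8; ) {  /* pr_type, pr_datasz, padded data */
        uint32_t pr_type = u32(p + off), pr_datasz = u32(p + off + 4);
        uint32_t padded = (pr_datasz + 7) & ~7u;
        off += 8; descsz -= 8;
        if (padded > descsz) return -1;
        if (pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND)
            return pr_datasz == 4 ? !!(u32(p + off) & GNU_PROPERTY_AARCH64_FEATURE_1_BTI) : -1;
        off += padded; descsz -= padded;
    }
    return 0;
}
/* The quoted arch_elf_adjust_prot() decision: with an interpreter, only its mapping is marked. */
static int adjust_prot(int prot, bool bti, bool has_interp, bool is_interp)
{
    if (is_interp != has_interp || !bti) return prot;
    return (prot & PROT_EXEC) ? prot | PROT_BTI : prot;
}
int main(void)
{
    bool bti = note_has_bti((const uint8_t *)&bti_note, sizeof bti_note) == 1;
    printf("marked: static exe %d, dynamic exe itself %d, its interpreter %d\n",
           !!(adjust_prot(PROT_EXEC, bti, false, false) & PROT_BTI),
           !!(adjust_prot(PROT_EXEC, bti, true, false) & PROT_BTI),
           !!(adjust_prot(PROT_EXEC, bti, true, true) & PROT_BTI));
}
```

The middle value is the case reported in the thread: the executable of a dynamically linked program is left unmarked by the kernel, so the SIGILL on _start only appears once the dynamic linker applies PROT_BTI itself.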

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
