From: Yu-cheng Yu <yu-cheng.yu@intel.com>
To: Kees Cook <keescook@chromium.org>, Andy Lutomirski <luto@amacapital.net>
Cc: X86 ML <x86@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
LKML <linux-kernel@vger.kernel.org>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
linux-arch <linux-arch@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
Balbir Singh <bsingharora@gmail.com>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Florian Weimer <fweimer@redhat.com>,
"H.J. Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>,
Jonathan Corbet <corbet@lwn.net>,
Mike Kravetz <mike.kravetz@oracle.com>,
Nadav Amit <nadav.amit@gmail.com>,
Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>
Subject: Re: [RFC PATCH v4 21/27] x86/cet/shstk: ELF header parsing of Shadow Stack
Date: Tue, 16 Oct 2018 10:23:43 -0700 [thread overview]
Message-ID: <124c1c2805286c70a9b2cc8e4b0abad7ef997ed4.camel@intel.com> (raw)
In-Reply-To: <CAGXu5jKO5Ot5VAJBMHudgx40g4N2tqhLKHeCdS7rkFj1bPaHig@mail.gmail.com>
On Mon, 2018-10-15 at 16:40 -0700, Kees Cook wrote:
> On Fri, Sep 21, 2018 at 8:03 AM, Yu-cheng Yu <yu-cheng.yu@intel.com> wrote:
> > Look in .note.gnu.property of an ELF file and check if Shadow Stack needs
> > to be enabled for the task.
[...]
> > +/*
> > + * The .note.gnu.property layout:
> > + *
> > + * struct elf_note {
> > + * u32 n_namesz; --> sizeof(n_name[]); always (4)
> > + * u32 n_ndescsz;--> sizeof(property[])
> > + * u32 n_type; --> always NT_GNU_PROPERTY_TYPE_0
> > + * };
> > + * char n_name[4]; --> always 'GNU\0'
> > + *
> > + * struct {
> > + * struct property_x86 {
> > + * u32 pr_type;
> > + * u32 pr_datasz;
> > + * };
> > + * u8 pr_data[pr_datasz];
> > + * }[];
> > + */
>
> Does NT_GNU_PROPERTY_TYPE_0 only ever contain property_x86 bytes? (I
> assume not, since there is a pr_type?)
There are other property types, but we only look for NT_GNU_PROPERTY_TYPE_0.
> > +
> > +#define BUF_SIZE (PAGE_SIZE / 4)
> > +
> > +struct property_x86 {
> > + u32 pr_type;
> > + u32 pr_datasz;
> > +};
> > +
> > +typedef bool (test_fn)(void *buf, u32 *arg);
> > +typedef void *(next_fn)(void *buf, u32 *arg);
> > +
> > +static inline bool test_note_type_0(void *buf, u32 *arg)
> > +{
> > + struct elf_note *n = buf;
> > +
> > + return ((n->n_namesz == 4) && (memcmp(n + 1, "GNU", 4) == 0) &&
> > + (n->n_type == NT_GNU_PROPERTY_TYPE_0));
>
> Cheaper to test n_type first...
Yes, Thanks!
>
> > +}
> > +
> > +static inline void *next_note(void *buf, u32 *arg)
> > +{
> > + struct elf_note *n = buf;
> > + u32 align = *arg;
> > + int size;
> > +
> > + size = round_up(sizeof(*n) + n->n_namesz, align);
>
> I think this could overflow: n_namesz can be u64 for elf64_note.
>
> > + size = round_up(size + n->n_descsz, align);
>
> Same here. You may want to use check_add_overflow(), etc, an u64 types.
Note->n_namesz is always four-byte. I should have used u32.
>
> > +
> > + if (buf + size < buf)
> > + return NULL;
>
> I don't understand this. You want to check size not exceeding the
> allocation, which isn't passed into this function. Checking for a full
> unsigned address wrap around is not sufficient to detect overflow.
Here we only detect the warp around. After this returns we then check other
types of overflow in scan().
>
> > + else
> > + return (buf + size);
> > +}
> > +
> > +static inline bool test_property_x86(void *buf, u32 *arg)
> > +{
> > + struct property_x86 *pr = buf;
> > + u32 max_type = *arg;
> > +
> > + if (pr->pr_type > max_type)
> > + *arg = pr->pr_type;
>
> Why is *arg being updated? I don't see last_pr used outside of here --
> are properties required to be pr_type-ordered?
Yes, they need to be in ascending order.
>
> > +
> > + return (pr->pr_type == GNU_PROPERTY_X86_FEATURE_1_AND);
> > +}
> > +
> > +static inline void *next_property(void *buf, u32 *arg)
> > +{
> > + struct property_x86 *pr = buf;
> > + u32 max_type = *arg;
> > +
> > + if ((buf + sizeof(*pr) + pr->pr_datasz < buf) ||
>
> Again, this "< buf" test doesn't look at all correct to me.
>
> > + (pr->pr_type > GNU_PROPERTY_X86_FEATURE_1_AND) ||
> > + (pr->pr_type > max_type))
> > + return NULL;
> > + else
> > + return (buf + sizeof(*pr) + pr->pr_datasz);
> > +}
> > +
> > +/*
> > + * Scan 'buf' for a pattern; return true if found.
> > + * *pos is the distance from the beginning of buf to where
> > + * the searched item or the next item is located.
> > + */
> > +static int scan(u8 *buf, u32 buf_size, int item_size,
> > + test_fn test, next_fn next, u32 *arg, u32 *pos)
>
> I'm not a fan of the short "scan", "test" and "next" names, and I
> really don't like an arg named "arg". Something slightly more
> descriptive for all of these would be nice, please.
I need to work on that :-) What would you suggest?
>
> > +{
> > + int found = 0;
> > + u8 *p, *max;
> > +
> > + max = buf + buf_size;
> > + if (max < buf)
> > + return 0;
> > +
> > + p = buf;
> > +
> > + while ((p + item_size < max) && (p + item_size > buf)) {
>
> These comparisons are safe due to the BUF_SIZE limit of buf_size and
> the only used size of item_size, but if this becomes more generic, it
> should be more defensive on the size calculations (e.g. make sure than
> "item_size < max" and then here "p < max - item_size", etc).
>
> I'd kind of rather this code walked the base type and check each for
> the matching feature. What is the general specification for what
> NT_GNU_PROPERTY_TYPE_0 contains?
There are other property types, but the kernel does not look at most of them.
If the kernel needs to look at others, we need to rewrite this.
[...]
> > +
> > +/*
> > + * Search a PT_NOTE segment for the first NT_GNU_PROPERTY_TYPE_0.
> > + */
> > +static int find_note_type_0(struct file *file, unsigned long note_size,
> > + loff_t file_offset, u32 align, u32 *feature)
> > +{
> > + u8 *buf;
> > + u32 buf_pos;
> > + unsigned long read_size;
> > + unsigned long done;
> > + int found = 0;
> > + int ret = 0;
> > +
> > + buf = kmalloc(BUF_SIZE, GFP_KERNEL);
> > + if (!buf)
> > + return -ENOMEM;
>
> Why kmalloc over stack variable? (Or, does BUF_SIZE here really need
> to be 1024?)
BUF_SIZE can be smaller, for example 64. If it is too small, we need to do
kernel_read() too often.
>
> > +
> > + *feature = 0;
> > + buf_pos = 0;
> > +
> > + for (done = 0; done < note_size; done += buf_pos) {
> > + read_size = note_size - done;
> > + if (read_size > BUF_SIZE)
> > + read_size = BUF_SIZE;
> > +
> > + ret = kernel_read(file, buf, read_size, &file_offset);
> > +
> > + if (ret != read_size) {
> > + ret = (ret < 0) ? ret : -EIO;
> > + kfree(buf);
> > + return ret;
> > + }
> > +
> > + /*
> > + * item_size = sizeof(struct elf_note) + elf_note.n_namesz.
> > + * n_namesz is 4 for the note type we look for.
> > + */
> > + ret = 0;
> > + found += scan(buf, read_size, sizeof(struct elf_note) + 4,
> > + test_note_type_0, next_note,
> > + &align, &buf_pos);
> > +
> > + file_offset += buf_pos - read_size;
> > +
> > + if (found == 1) {
> > + struct elf_note *n =
> > + (struct elf_note *)(buf + buf_pos);
> > + u32 start = round_up(sizeof(*n) + n->n_namesz,
> > align);
> > + u32 total = round_up(start + n->n_descsz, align);
>
> Same overflow notes from earlier...
>
> > +
> > + ret = find_feature_x86(file, n->n_descsz,
> > + file_offset + start,
> > + buf, feature);
> > + file_offset += total;
> > + buf_pos += total;
> > + } else if (!buf_pos) {
> > + *feature = 0;
> > + break;
> > + }
> > + }
> > +
> > + kfree(buf);
> > + return ret;
> > +}
> > +
> > +#ifdef CONFIG_COMPAT
> > +static int check_notes_32(struct file *file, struct elf32_phdr *phdr,
> > + int phnum, u32 *feature)
> > +{
> > + int i;
> > + int err = 0;
> > +
> > + for (i = 0; i < phnum; i++, phdr++) {
> > + if ((phdr->p_type != PT_NOTE) || (phdr->p_align != 4))
> > + continue;
> > +
> > + err = find_note_type_0(file, phdr->p_filesz, phdr->p_offset,
> > + phdr->p_align, feature);
> > + if (err)
> > + return err;
> > + }
> > +
> > + return 0;
> > +}
> > +#endif
> > +
> > +#ifdef CONFIG_X86_64
> > +static int check_notes_64(struct file *file, struct elf64_phdr *phdr,
> > + int phnum, u32 *feature)
> > +{
> > + int i;
> > + int err = 0;
> > +
> > + for (i = 0; i < phnum; i++, phdr++) {
> > + if ((phdr->p_type != PT_NOTE) || (phdr->p_align != 8))
> > + continue;
>
> Instead of a separate parser here, wouldn't it be a bit nicer to
> attach this to the existing binfmt_elf program header parsing loop:
We need to wait until SET_PERSONALITY2() is done.
[...]
> > +int arch_setup_features(void *ehdr_p, void *phdr_p,
> > + struct file *file, bool interp)
> > +{
> > + int err = 0;
> > + u32 feature = 0;
> > +
> > + struct elf64_hdr *ehdr64 = ehdr_p;
> > +
> > + if (!cpu_feature_enabled(X86_FEATURE_SHSTK))
> > + return 0;
> > +
> > + if (ehdr64->e_ident[EI_CLASS] == ELFCLASS64) {
> > + struct elf64_phdr *phdr64 = phdr_p;
> > +
> > + err = check_notes_64(file, phdr64, ehdr64->e_phnum,
> > + &feature);
> > + if (err < 0)
> > + goto out;
> > + } else {
> > +#ifdef CONFIG_COMPAT
> > + struct elf32_hdr *ehdr32 = ehdr_p;
> > +
> > + if (ehdr32->e_ident[EI_CLASS] == ELFCLASS32) {
> > + struct elf32_phdr *phdr32 = phdr_p;
> > +
> > + err = check_notes_32(file, phdr32, ehdr32->e_phnum,
> > + &feature);
> > + if (err < 0)
> > + goto out;
> > + }
> > +#endif
>
> Should there be an #else error here?
Yes, thanks.
> I'd like to be using this code for a few other cases too (not just
> x86-specific). For example, for marking KASan binaries as needing a
> "legacy" memory layouts[1]. Others might be setting things like
> no_new_privs at exec time, etc.
If the item is a bit of GNU_PROPERTY_X86_FEATURE_1_AND, then this code would
work. Has it been finalized?
Yu-cheng
next prev parent reply other threads:[~2018-10-16 17:23 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-21 15:03 [RFC PATCH v4 00/27] Control Flow Enforcement: Shadow Stack Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 01/27] x86/cpufeatures: Add CPUIDs for Control-flow Enforcement Technology (CET) Yu-cheng Yu
2018-09-25 16:27 ` Peter Zijlstra
2018-09-25 16:29 ` Yu-cheng Yu
2018-09-28 16:51 ` Borislav Petkov
2018-09-28 16:56 ` Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 02/27] x86/fpu/xstate: Change some names to separate XSAVES system and user states Yu-cheng Yu
2018-09-25 16:37 ` Peter Zijlstra
2018-10-02 15:29 ` Borislav Petkov
2018-10-02 16:21 ` Yu-cheng Yu
2018-10-02 16:30 ` Dave Hansen
2018-10-02 16:37 ` Borislav Petkov
2018-10-02 16:39 ` Dave Hansen
2018-10-02 16:43 ` Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 03/27] x86/fpu/xstate: Enable XSAVES system states Yu-cheng Yu
2018-09-25 17:03 ` Peter Zijlstra
2018-09-25 17:23 ` Yu-cheng Yu
2018-10-02 17:15 ` Borislav Petkov
2018-10-04 15:47 ` Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 04/27] x86/fpu/xstate: Add XSAVES system states for shadow stack Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 05/27] Documentation/x86: Add CET description Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 06/27] x86/cet: Control protection exception handler Yu-cheng Yu
2018-10-03 10:39 ` Eugene Syromiatnikov
2018-10-03 16:11 ` Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 07/27] x86/cet/shstk: Add Kconfig option for user-mode shadow stack Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 08/27] mm: Introduce VM_SHSTK for shadow stack memory Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 09/27] x86/mm: Change _PAGE_DIRTY to _PAGE_DIRTY_HW Yu-cheng Yu
2018-10-03 13:38 ` Matthew Wilcox
2018-10-03 14:05 ` Dave Hansen
2018-10-03 16:07 ` Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 10/27] drm/i915/gvt: Update _PAGE_DIRTY to _PAGE_DIRTY_BITS Yu-cheng Yu
2018-10-03 13:19 ` Eugene Syromiatnikov
2018-09-21 15:03 ` [RFC PATCH v4 11/27] x86/mm: Introduce _PAGE_DIRTY_SW Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 12/27] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 13/27] x86/mm: Shadow stack page fault error checking Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 14/27] mm: Handle shadow stack page fault Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 15/27] mm: Handle THP/HugeTLB " Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 16/27] mm: Update can_follow_write_pte/pmd for shadow stack Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 17/27] mm: Introduce do_mmap_locked() Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 18/27] x86/cet/shstk: User-mode shadow stack support Yu-cheng Yu
2018-10-03 15:08 ` Eugene Syromiatnikov
2018-10-03 15:12 ` Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 19/27] x86/cet/shstk: Introduce WRUSS instruction Yu-cheng Yu
2018-10-03 4:15 ` Eugene Syromiatnikov
2018-09-21 15:03 ` [RFC PATCH v4 20/27] x86/cet/shstk: Signal handling for shadow stack Yu-cheng Yu
2018-10-03 14:36 ` Eugene Syromiatnikov
2018-10-03 16:46 ` Jann Horn
2018-09-21 15:03 ` [RFC PATCH v4 21/27] x86/cet/shstk: ELF header parsing of Shadow Stack Yu-cheng Yu
2018-10-03 23:27 ` Eugene Syromiatnikov
2018-10-09 21:15 ` Yu-cheng Yu
2018-10-15 23:40 ` Kees Cook
2018-10-16 17:23 ` Yu-cheng Yu [this message]
2018-09-21 15:03 ` [RFC PATCH v4 22/27] x86/cet/shstk: Handle thread shadow stack Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 23/27] mm/map: Add Shadow stack pages to memory accounting Yu-cheng Yu
2018-09-21 16:55 ` Randy Dunlap
2018-09-21 17:21 ` Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 24/27] mm/mmap: Create a guard area between VMAs Yu-cheng Yu
2018-10-03 4:56 ` Eugene Syromiatnikov
2018-10-03 5:36 ` Andy Lutomirski
2018-10-03 16:00 ` Yu-cheng Yu
2018-10-03 16:18 ` Andy Lutomirski
2018-10-03 16:32 ` Eugene Syromiatnikov
2018-10-03 16:40 ` Yu-cheng Yu
2018-10-03 16:52 ` Jann Horn
2018-10-03 21:21 ` Eugene Syromiatnikov
2018-09-21 15:03 ` [RFC PATCH v4 25/27] mm/mmap: Prevent Shadow Stack VMA merges Yu-cheng Yu
2018-09-21 15:03 ` [RFC PATCH v4 26/27] x86/cet/shstk: Add arch_prctl functions for Shadow Stack Yu-cheng Yu
2018-10-03 17:57 ` Eugene Syromiatnikov
2018-09-21 15:03 ` [RFC PATCH v4 27/27] x86/cet/shstk: Add Shadow Stack instructions to opcode map Yu-cheng Yu
2018-09-21 22:53 ` [RFC PATCH v4 00/27] Control Flow Enforcement: Shadow Stack Dave Hansen
2018-09-24 15:25 ` Yu-cheng Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=124c1c2805286c70a9b2cc8e4b0abad7ef997ed4.camel@intel.com \
--to=yu-cheng.yu@intel.com \
--cc=arnd@arndb.de \
--cc=bsingharora@gmail.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=fweimer@redhat.com \
--cc=gorcunov@gmail.com \
--cc=hjl.tools@gmail.com \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@amacapital.net \
--cc=mike.kravetz@oracle.com \
--cc=mingo@redhat.com \
--cc=nadav.amit@gmail.com \
--cc=oleg@redhat.com \
--cc=pavel@ucw.cz \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).