lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <BD3A5F1946F2E540A31AF2CE969BAEEE298ED6CE@MIPSMAIL01.mipstec.com>
Date:   Tue, 13 Feb 2018 16:06:22 +0000
From:   Aleksandar Markovic <Aleksandar.Markovic@...s.com>
To:     James Hogan <jhogan@...nel.org>,
        Miodrag Dinic <Miodrag.Dinic@...s.com>
CC:     Paul Burton <Paul.Burton@...s.com>,
        Maciej Rozycki <Maciej.Rozycki@...s.com>,
        Aleksandar Markovic <aleksandar.markovic@...rk.com>,
        David Daney <ddaney@...iumnetworks.com>,
        "linux-mips@...ux-mips.org" <linux-mips@...ux-mips.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        DengCheng Zhu <DengCheng.Zhu@...s.com>,
        "Ding Tianhong" <dingtianhong@...wei.com>,
        Douglas Leung <Douglas.Leung@...s.com>,
        Frederic Weisbecker <frederic@...nel.org>,
        Goran Ferenc <Goran.Ferenc@...s.com>,
        Ingo Molnar <mingo@...nel.org>,
        James Cowgill <James.Cowgill@...tec.com>,
        Jonathan Corbet <corbet@....net>,
        "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Marc Zyngier <marc.zyngier@....com>,
        Matt Redfearn <Matt.Redfearn@...s.com>,
        Mimi Zohar <zohar@...ux.vnet.ibm.com>,
        "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
        Petar Jovanovic <Petar.Jovanovic@...s.com>,
        Raghu Gandham <Raghu.Gandham@...s.com>,
        Ralf Baechle <ralf@...ux-mips.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Tom Saeger <tom.saeger@...cle.com>
Subject: RE: [PATCH v2] MIPS: Add nonxstack=on|off kernel parameter

> 
> ________________________________________
> From: James Hogan [jhogan@...nel.org]
> Sent: Thursday, February 8, 2018 12:55 PM
> 
> Hi,
> 
> On Thu, Dec 07, 2017 at 11:33:47AM +0000, Miodrag Dinic wrote:
> > > On Wed, Dec 06, 2017 at 05:50:52PM +0000, Maciej W. Rozycki wrote:
> > > >  What problem are you trying to solve anyway?  Is it not something that
> > > > can be handled with the `execstack' utility?
> > >
> > > The commit message states that for Android "non-exec stack is required".
> > > Is Android checking that then Aleksandar? If so, how?
> >
> > Android is using SELinux configured to disallow NX mappings by handling
> > the following sepolicy rules :
> > * Executable stack (execstack)
> > * Executable heap (execheap)
> > * File-based executable code which has been modified (execmod)
> > * All other executable memory (execmem)
> 
> ...
> 
> > The effect of not having some workaround like this in the kernel, would
> > be to run Android only in SELinux permissive mode.
> 
> So you want to override the lack of RIXI so that SELinux sees an
> RX->RW->RX transition as execmod instead of execmem (since without RIXI
> its effectively RX->RWX->RX which is execmem)?
> 

That is correct.

> 
> Looking at file_map_prot_check(), it does the execmem check on this
> condition:
> 
> if (default_noexec &&
>     (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
>                            (!shared && (prot & PROT_WRITE)))) {
>         /*
>          * We are making executable an anonymous mapping or a
>          * private file mapping that will also be writable.
>          * This has an additional check.
>          */
> 
> default_noexec is set if VM_DATA_DEFAULT_FLAGS doesn't have the exec
> flag set, and that flag depends on current->personality &
> READ_IMPLIES_EXEC, which depends on elf_read_implies_exec(), i.e.
> mips_elf_read_implies_exec(), and that should already return 1 if RIXI
> is unavailable.
> 
> I.e.
> 
> mips_elf_read_implies_exec() == 1
> 
> elf_read_implies_exec() == 1
> 
> READ_IMPLIES_EXEC will be set in current->personality
> 
> VM_DATA_DEFAULT_FLAGS will have VM_EXEC set
> 
> default_noexec will be set to 0 in selinux_init()
> 
> none of the execmem, execheap, execstack, execmod permission
> checks should take place.
> 
> So whats the problem exactly? Perhaps I misinterpreted something.

Thanks, James, for the analysis of this scenario! Hope the additional
info below will be useful for clarifying this matter.

-------------------

Let me rephrase the scenario (for configurations where cpu_has_rixi
equals to 0) that you described: (line numbers may be approximate)


1. mips_elf_read_implies_exec() will return 1
    (arch/mips/kernel/elf.c:336)

2. elf_read_implies_exec() will return 1
    (arch/mips/include/asm/elf.h:513)

3. READ_IMPLIES_EXEC will be set in current->personality
    (fs/binfmt_elf_fdpic.c:357)

4. VM_DATA_DEFAULT_FLAGS will have VM_EXEC set
    (while execiting selinux_init() in security/selinux/hooks.c:6644)

5. default_noexec will be set to 0 in selinux_init()
    (security/selinux/hooks.c:6644)

6. none of the execmem, execstack permission checks should take place.

-------------------

However, in reality, these steps are not executed in this order, but in the following one:


4a. VM_DATA_DEFAULT_FLAGS will *NOT* have VM_EXEC set
    (while execiting selinux_init() in security/selinux/hooks.c:6644)

5a. default_noexec will be set to *1* in selinux_init()
    (security/selinux/hooks.c:6644)

1. mips_elf_read_implies_exec() will return 1
    (arch/mips/kernel/elf.c:336)

2. elf_read_implies_exec() will return 1
    (arch/mips/include/asm/elf.h:513)

3. READ_IMPLIES_EXEC will be set in current->personality
    (fs/binfmt_elf_fdpic.c:357)

6a. both the execmem, execstack permission checks *do* take place.

------------------

The proposed change does affect the kernel in the sense that it indeed
hides the executable vulnerability of the system without RIXI support.
But we have made it unambiguous in the comments what are the
consequences of using this option.

------------------


Regards,

Aleksandar

> 
> Cheers
> James

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ