Message-Id: <20251028-uml-remove-32bit-pseudo-vdso-v1-4-e930063eff5f@weissschuh.net>
Date: Tue, 28 Oct 2025 10:15:39 +0100
From: Thomas Weißschuh <linux@...ssschuh.net>
To: Richard Weinberger <richard@....at>, 
 Anton Ivanov <anton.ivanov@...bridgegreys.com>, 
 Johannes Berg <johannes@...solutions.net>, 
 Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, 
 Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, 
 x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>, 
 Kees Cook <kees@...nel.org>
Cc: linux-um@...ts.infradead.org, linux-kernel@...r.kernel.org, 
 linux-mm@...ck.org, 
 Thomas Weißschuh <linux@...ssschuh.net>
Subject: [PATCH 04/10] x86/um: Do not inherit vDSO from host

Inheriting the vDSO from the host is problematic. The values read
from the time functions will not be correct for the UML kernel.
Furthermore the start and end of the vDSO are not stable or
detectable by userspace. Specifically the vDSO datapages start
before AT_SYSINFO_EHDR and the vDSO itself is larger than a single page.

This codepath is only used on 32bit x86 UML. In my testing with both
32bit and 64bit hosts the passthrough functionality has always been
disabled anyways due to the checks against envp in scan_elf_aux().

Signed-off-by: Thomas Weißschuh <linux@...ssschuh.net>
---
 arch/um/os-Linux/elf_aux.c   | 27 ---------------
 arch/um/os-Linux/user_syms.c |  6 ----
 arch/x86/um/Kconfig          |  1 -
 arch/x86/um/Makefile         |  1 -
 arch/x86/um/asm/elf.h        | 29 ++--------------
 arch/x86/um/elfcore.c        | 78 --------------------------------------------
 6 files changed, 3 insertions(+), 139 deletions(-)

diff --git a/arch/um/os-Linux/elf_aux.c b/arch/um/os-Linux/elf_aux.c
index 9ee0e3199790..f8927a5959d8 100644
--- a/arch/um/os-Linux/elf_aux.c
+++ b/arch/um/os-Linux/elf_aux.c
@@ -20,31 +20,15 @@ typedef Elf32_auxv_t elf_auxv_t;
 /* These are initialized very early in boot and never changed */
 char * elf_aux_platform;
 extern long elf_aux_hwcap;
-unsigned long vsyscall_ehdr;
-unsigned long vsyscall_end;
-unsigned long __kernel_vsyscall;
 
 __init void scan_elf_aux( char **envp)
 {
-	long page_size = 0;
 	elf_auxv_t * auxv;
 
 	while ( *envp++ != NULL) ;
 
 	for ( auxv = (elf_auxv_t *)envp; auxv->a_type != AT_NULL; auxv++) {
 		switch ( auxv->a_type ) {
-			case AT_SYSINFO:
-				__kernel_vsyscall = auxv->a_un.a_val;
-				/* See if the page is under TASK_SIZE */
-				if (__kernel_vsyscall < (unsigned long) envp)
-					__kernel_vsyscall = 0;
-				break;
-			case AT_SYSINFO_EHDR:
-				vsyscall_ehdr = auxv->a_un.a_val;
-				/* See if the page is under TASK_SIZE */
-				if (vsyscall_ehdr < (unsigned long) envp)
-					vsyscall_ehdr = 0;
-				break;
 			case AT_HWCAP:
 				elf_aux_hwcap = auxv->a_un.a_val;
 				break;
@@ -56,17 +40,6 @@ __init void scan_elf_aux( char **envp)
 				elf_aux_platform =
 					(char *) (long) auxv->a_un.a_val;
 				break;
-			case AT_PAGESZ:
-				page_size = auxv->a_un.a_val;
-				break;
 		}
 	}
-	if ( ! __kernel_vsyscall || ! vsyscall_ehdr ||
-	     ! page_size || (vsyscall_ehdr % page_size) ) {
-		__kernel_vsyscall = 0;
-		vsyscall_ehdr = 0;
-	}
-	else {
-		vsyscall_end = vsyscall_ehdr + page_size;
-	}
 }
diff --git a/arch/um/os-Linux/user_syms.c b/arch/um/os-Linux/user_syms.c
index a310ae27b479..67f6112318b6 100644
--- a/arch/um/os-Linux/user_syms.c
+++ b/arch/um/os-Linux/user_syms.c
@@ -31,12 +31,6 @@ extern void *memset(void *, int, size_t);
 EXPORT_SYMBOL(memset);
 #endif
 
-#ifdef CONFIG_ARCH_REUSE_HOST_VSYSCALL_AREA
-/* needed for __access_ok() */
-EXPORT_SYMBOL(vsyscall_ehdr);
-EXPORT_SYMBOL(vsyscall_end);
-#endif
-
 #ifdef _FORTIFY_SOURCE
 extern int __sprintf_chk(char *str, int flag, size_t len, const char *format);
 EXPORT_SYMBOL(__sprintf_chk);
diff --git a/arch/x86/um/Kconfig b/arch/x86/um/Kconfig
index c52fb5cb8d21..798c6cc53e82 100644
--- a/arch/x86/um/Kconfig
+++ b/arch/x86/um/Kconfig
@@ -8,7 +8,6 @@ endmenu
 
 config UML_X86
 	def_bool y
-	select ARCH_BINFMT_ELF_EXTRA_PHDRS if X86_32
 	select ARCH_USE_QUEUED_RWLOCKS
 	select ARCH_USE_QUEUED_SPINLOCKS
 	select DCACHE_WORD_ACCESS
diff --git a/arch/x86/um/Makefile b/arch/x86/um/Makefile
index b42c31cd2390..1767e6061b4d 100644
--- a/arch/x86/um/Makefile
+++ b/arch/x86/um/Makefile
@@ -18,7 +18,6 @@ obj-y = bugs_$(BITS).o delay.o fault.o \
 ifeq ($(CONFIG_X86_32),y)
 
 obj-y += syscalls_32.o
-obj-$(CONFIG_ELF_CORE) += elfcore.o
 
 subarch-y = ../lib/string_32.o ../lib/atomic64_32.o ../lib/atomic64_cx8_32.o
 subarch-y += ../lib/cmpxchg8b_emu.o ../lib/atomic64_386_32.o
diff --git a/arch/x86/um/asm/elf.h b/arch/x86/um/asm/elf.h
index e7a045e01471..8d7df4684c38 100644
--- a/arch/x86/um/asm/elf.h
+++ b/arch/x86/um/asm/elf.h
@@ -72,32 +72,9 @@ extern char * elf_aux_platform;
 #define ELF_PLATFORM_FALLBACK "i586"
 #define ELF_PLATFORM (elf_aux_platform ?: ELF_PLATFORM_FALLBACK)
 
-extern unsigned long vsyscall_ehdr;
-extern unsigned long vsyscall_end;
-extern unsigned long __kernel_vsyscall;
-
-/*
- * This is the range that is readable by user mode, and things
- * acting like user mode such as get_user_pages.
- */
-#define FIXADDR_USER_START      vsyscall_ehdr
-#define FIXADDR_USER_END        vsyscall_end
-
-
-/*
- * Architecture-neutral AT_ values in 0-17, leave some room
- * for more of them, start the x86-specific ones at 32.
- */
-#define AT_SYSINFO		32
-#define AT_SYSINFO_EHDR		33
-
-#define ARCH_DLINFO						\
-do {								\
-	if ( vsyscall_ehdr ) {					\
-		NEW_AUX_ENT(AT_SYSINFO,	__kernel_vsyscall);	\
-		NEW_AUX_ENT(AT_SYSINFO_EHDR, vsyscall_ehdr);	\
-	}							\
-} while (0)
+/* No user-accessible fixmap addresses, i.e. vsyscall */
+#define FIXADDR_USER_START      0
+#define FIXADDR_USER_END        0
 
 #else
 
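Review bot: The new 32-bit `FIXADDR_USER_START`/`FIXADDR_USER_END` definitions are both 0, and the comment above them does not say that this makes the user-readable fixmap range deliberately empty. Any access check that tests an address against this range will now never match; the `/* needed for __access_ok() */` comment removed from user_syms.c suggests `__access_ok()` is one such check. I would state that in the comment, e.g. `/* Empty range: the host vDSO is no longer passed through, so no fixmap address is user-accessible */`. The enclosing preprocessor conditional starts and ends outside this hunk. If the `#else` branch already carries the same two defines (not visible here), they could move below the `#endif` so the 32-bit and 64-bit values cannot drift apart.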
diff --git a/arch/x86/um/elfcore.c b/arch/x86/um/elfcore.c
deleted file mode 100644
index ef50662fc40d..000000000000
--- a/arch/x86/um/elfcore.c
+++ /dev/null
@@ -1,78 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-#include <linux/elf.h>
-#include <linux/elfcore.h>
-#include <linux/coredump.h>
-#include <linux/fs.h>
-#include <linux/mm.h>
-
-#include <asm/elf.h>
-
-
-Elf32_Half elf_core_extra_phdrs(struct coredump_params *cprm)
-{
-	return vsyscall_ehdr ? (((struct elfhdr *)vsyscall_ehdr)->e_phnum) : 0;
-}
-
-int elf_core_write_extra_phdrs(struct coredump_params *cprm, loff_t offset)
-{
-	if ( vsyscall_ehdr ) {
-		const struct elfhdr *const ehdrp =
-			(struct elfhdr *) vsyscall_ehdr;
-		const struct elf_phdr *const phdrp =
-			(const struct elf_phdr *) (vsyscall_ehdr + ehdrp->e_phoff);
-		int i;
-		Elf32_Off ofs = 0;
-
-		for (i = 0; i < ehdrp->e_phnum; ++i) {
-			struct elf_phdr phdr = phdrp[i];
-
-			if (phdr.p_type == PT_LOAD) {
-				ofs = phdr.p_offset = offset;
-				offset += phdr.p_filesz;
-			} else {
-				phdr.p_offset += ofs;
-			}
-			phdr.p_paddr = 0; /* match other core phdrs */
-			if (!dump_emit(cprm, &phdr, sizeof(phdr)))
-				return 0;
-		}
-	}
-	return 1;
-}
-
-int elf_core_write_extra_data(struct coredump_params *cprm)
-{
-	if ( vsyscall_ehdr ) {
-		const struct elfhdr *const ehdrp =
-			(struct elfhdr *) vsyscall_ehdr;
-		const struct elf_phdr *const phdrp =
-			(const struct elf_phdr *) (vsyscall_ehdr + ehdrp->e_phoff);
-		int i;
-
-		for (i = 0; i < ehdrp->e_phnum; ++i) {
-			if (phdrp[i].p_type == PT_LOAD) {
-				void *addr = (void *) phdrp[i].p_vaddr;
-				size_t filesz = phdrp[i].p_filesz;
-				if (!dump_emit(cprm, addr, filesz))
-					return 0;
-			}
-		}
-	}
-	return 1;
-}
-
-size_t elf_core_extra_data_size(struct coredump_params *cprm)
-{
-	if ( vsyscall_ehdr ) {
-		const struct elfhdr *const ehdrp =
-			(struct elfhdr *)vsyscall_ehdr;
-		const struct elf_phdr *const phdrp =
-			(const struct elf_phdr *) (vsyscall_ehdr + ehdrp->e_phoff);
-		int i;
-
-		for (i = 0; i < ehdrp->e_phnum; ++i)
-			if (phdrp[i].p_type == PT_LOAD)
-				return (size_t) phdrp[i].p_filesz;
-	}
-	return 0;
-}

-- 
2.51.1.dirty

