Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-6.2.y 2021-08-20T10:33:06Z 2021-08-20T10:33:06Z Will Deacon will@kernel.org 2021-07-30T11:24:38Z urn:sha1:08cd8f4112dbd33bbfe1112dd6e9f0a228a8e132 When exec'ing a 32-bit task on a system with mismatched support for 32-bit EL0, try to ensure that it starts life on a CPU that can actually run it. Similarly, when exec'ing a 64-bit task on such a system, try to restore the old affinity mask if it was previously restricted. Signed-off-by: Will Deacon <will@kernel.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Reviewed-by: Daniel Bristot de Oliveira <bristot@redhat.com> Reviewed-by: Quentin Perret <qperret@google.com> Link: https://lore.kernel.org/r/20210730112443.23245-12-will@kernel.org 2020-06-05T20:45:21Z Linus Torvalds torvalds@linux-foundation.org 2020-06-05T20:45:21Z urn:sha1:ac7b34218a0021bafd1d4c11c54217b930f516b0 Pull READ_IMPLIES_EXEC changes from Borislav Petkov: "Split the old READ_IMPLIES_EXEC workaround from executable PT_GNU_STACK now that toolchains long support PT_GNU_STACK marking and there's no need anymore to force modern programs into having all its user mappings executable instead of only the stack and the PROT_EXEC ones. Disable that automatic READ_IMPLIES_EXEC forcing on x86-64 and arm64. Add tables documenting how READ_IMPLIES_EXEC is handled on x86-64, arm and arm64. By Kees Cook" * tag 'core_core_updates_for_5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: arm64/elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces arm32/64/elf: Split READ_IMPLIES_EXEC from executable PT_GNU_STACK arm32/64/elf: Add tables to document READ_IMPLIES_EXEC x86/elf: Disable automatic READ_IMPLIES_EXEC on 64-bit x86/elf: Split READ_IMPLIES_EXEC from executable PT_GNU_STACK x86/elf: Add table to document READ_IMPLIES_EXEC 2020-04-20T17:44:27Z Kees Cook keescook@chromium.org 2020-03-27T06:48:20Z urn:sha1:6e0d6ac5f3d9d90271899f6d340872360fe1caee With arm64 64-bit environments, there should never be a need for automatic READ_IMPLIES_EXEC, as the architecture has always been execute-bit aware (as in, the default memory protection should be NX unless a region explicitly requests to be executable). Suggested-by: Hector Marco-Gisbert <hecmargi@upv.es> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Borislav Petkov <bp@suse.de> Reviewed-by: Jason Gunthorpe <jgg@mellanox.com> Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> Link: https://lkml.kernel.org/r/20200327064820.12602-7-keescook@chromium.org 2020-04-20T17:42:19Z Kees Cook keescook@chromium.org 2020-03-27T06:48:19Z urn:sha1:eaf3f9e61887332d5097dbf0b327b8377546adc5 The READ_IMPLIES_EXEC work-around was designed for old toolchains that lacked the ELF PT_GNU_STACK marking under the assumption that toolchains that couldn't specify executable permission flags for the stack may not know how to do it correctly for any memory region. This logic is sensible for having ancient binaries coexist in a system with possibly NX memory, but was implemented in a way that equated having a PT_GNU_STACK marked executable as being as "broken" as lacking the PT_GNU_STACK marking entirely. Things like unmarked assembly and stack trampolines may cause PT_GNU_STACK to need an executable bit, but they do not imply all mappings must be executable. This confusion has led to situations where modern programs with explicitly marked executable stack are forced into the READ_IMPLIES_EXEC state when no such thing is needed. (And leads to unexpected failures when mmap()ing regions of device driver memory that wish to disallow VM_EXEC[1].) In looking for other reasons for the READ_IMPLIES_EXEC behavior, Jann Horn noted that glibc thread stacks have always been marked RWX (until 2003 when they started tracking the PT_GNU_STACK flag instead[2]). And musl doesn't support executable stacks at all[3]. As such, no breakage for multithreaded applications is expected from this change. This changes arm32 and arm64 compat together, to keep behavior the same. [1] https://lkml.kernel.org/r/20190418055759.GA3155@mellanox.com [2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=54ee14b3882 [3] https://lkml.kernel.org/r/20190423192534.GN23599@brightrain.aerifal.cx Suggested-by: Hector Marco-Gisbert <hecmargi@upv.es> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Borislav Petkov <bp@suse.de> Reviewed-by: Jason Gunthorpe <jgg@mellanox.com> Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> Link: https://lkml.kernel.org/r/20200327064820.12602-6-keescook@chromium.org 2020-04-20T17:41:50Z Kees Cook keescook@chromium.org 2020-03-27T06:48:18Z urn:sha1:78066055b08096ed3282c027de9d9e137f9a1580 Add tables to document the current behavior of READ_IMPLIES_EXEC in preparation for changing the behavior for both arm64 and arm. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Borislav Petkov <bp@suse.de> Reviewed-by: Jason Gunthorpe <jgg@mellanox.com> Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> Link: https://lkml.kernel.org/r/20200327064820.12602-5-keescook@chromium.org 2020-03-16T17:19:48Z Dave Martin Dave.Martin@arm.com 2020-03-16T16:50:47Z urn:sha1:ab7876a98a2160092133de4c648e94b18bc3f139 For BTI protection to be as comprehensive as possible, it is desirable to have BTI enabled from process startup. If this is not done, the process must use mprotect() to enable BTI for each of its executable mappings, but this is painful to do in the libc startup code. It's simpler and more sound to have the kernel do it instead. To this end, detect BTI support in the executable (or ELF interpreter, as appropriate), via the NT_GNU_PROGRAM_PROPERTY_TYPE_0 note, and tweak the initial prot flags for the process' executable pages to include PROT_BTI as appropriate. Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Dave Martin <Dave.Martin@arm.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> 2019-07-22T09:33:42Z Vincenzo Frascino vincenzo.frascino@arm.com 2019-07-10T14:01:19Z urn:sha1:85751e9e5b1480fc675106aeaf94fadb8028469b Prior to the introduction of Unified vDSO support and compat layer for vDSO on arm64, AT_SYSINFO_EHDR was not defined for compat tasks. In the current implementation, AT_SYSINFO_EHDR is defined even if the compat vdso layer is not built, which has been shown to break Android applications using bionic: | 01-01 01:22:14.097 755 755 F libc : Fatal signal 11 (SIGSEGV), | code 1 (SEGV_MAPERR), fault addr 0x3cf2c96c in tid 755 (cameraserver), | pid 755 (cameraserver) | 01-01 01:22:14.112 759 759 F libc : Fatal signal 11 (SIGSEGV), | code 1 (SEGV_MAPERR), fault addr 0x3cf2c96c in tid 759 | (android.hardwar), pid 759 (android.hardwar) | 01-01 01:22:14.120 756 756 F libc : Fatal signal 11 (SIGSEGV) | code 1 (SEGV_MAPERR), fault addr 0x3cf2c96c in tid 756 (drmserver), | pid 756 (drmserver) Restore the old behaviour by making sure that AT_SYSINFO_EHDR for compat tasks is defined only when CONFIG_COMPAT_VDSO is enabled. Reported-by: John Stultz <john.stultz@linaro.org> Tested-by: John Stultz <john.stultz@linaro.org> Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com> Signed-off-by: Will Deacon <will@kernel.org> 2019-06-22T19:21:09Z Vincenzo Frascino vincenzo.frascino@arm.com 2019-06-21T09:52:40Z urn:sha1:1e3f17f55aec6510f88ff65dcbaae13435af0ba6 Like in normal vDSOs, when compat vDSOs are enabled the auxiliary vector symbol AT_SYSINFO_EHDR needs to point to the address of the vDSO code, to allow the dynamic linker to find it. Add the necessary code to the elf arm64 module to make this possible. Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Tested-by: Shijith Thotton <sthotton@marvell.com> Tested-by: Andre Przywara <andre.przywara@arm.com> Cc: linux-arch@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org Cc: linux-mips@vger.kernel.org Cc: linux-kselftest@vger.kernel.org Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Will Deacon <will.deacon@arm.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Russell King <linux@armlinux.org.uk> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: Paul Burton <paul.burton@mips.com> Cc: Daniel Lezcano <daniel.lezcano@linaro.org> Cc: Mark Salyzyn <salyzyn@android.com> Cc: Peter Collingbourne <pcc@google.com> Cc: Shuah Khan <shuah@kernel.org> Cc: Dmitry Safonov <0x7f454c46@gmail.com> Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk> Cc: Huw Davies <huw@codeweavers.com> Link: https://lkml.kernel.org/r/20190621095252.32307-14-vincenzo.frascino@arm.com 2019-06-19T15:09:07Z Thomas Gleixner tglx@linutronix.de 2019-06-03T05:44:50Z urn:sha1:caab277b1de0a22b675c4c95fc7b285ec2eb5bf5 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with this program if not see http www gnu org licenses extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 503 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Alexios Zavras <alexios.zavras@intel.com> Reviewed-by: Allison Randal <allison@lohutok.net> Reviewed-by: Enrico Weigelt <info@metux.net> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190602204653.811534538@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-04-23T17:01:31Z Vincenzo Frascino vincenzo.frascino@arm.com 2019-04-15T09:49:34Z urn:sha1:0d747f6585954d7285a3995058e7dfeae7236cf9 For AArch32 tasks, we install a special "[vectors]" page that contains the sigreturn trampolines and kuser helpers, which is mapped at a fixed address specified by the kuser helpers ABI. Having the sigreturn trampolines in the same page as the kuser helpers makes it impossible to disable the kuser helpers independently. Follow the Arm implementation, by moving the signal trampolines out of the "[vectors]" page and into their own "[sigpage]". Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com> Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> [will: tweaked comments and fixed sparse warning] Signed-off-by: Will Deacon <will.deacon@arm.com>