arm64/elf: Disable automatic READ_IMPLIES_EXEC for 64-bit address spaces

With arm64 64-bit environments, there should never be a need for automatic
READ_IMPLIES_EXEC, as the architecture has always been execute-bit aware
(as in, the default memory protection should be NX unless a region
explicitly requests to be executable).

Suggested-by: Hector Marco-Gisbert <hecmargi@upv.es>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Link: https://lkml.kernel.org/r/20200327064820.12602-7-keescook@chromium.org
Kees Cook 2020-03-26 23:48:20 -07:00 committed by Borislav Petkov
parent eaf3f9e618
commit 6e0d6ac5f3
2 changed files with 7 additions and 2 deletions

@ -105,7 +105,7 @@
*              CPU*: | arm32    | arm64 | *              CPU*: | arm32    | arm64 |
* ELF:              |            |            | * ELF:              |            |            |
* ---------------------|------------|------------| * ---------------------|------------|------------|
* missing PT_GNU_STACK | exec-all   | exec-all   | * missing PT_GNU_STACK | exec-all   | exec-none  |
* PT_GNU_STACK == RWX  | exec-stack | exec-stack | * PT_GNU_STACK == RWX  | exec-stack | exec-stack |
* PT_GNU_STACK == RW   | exec-none | exec-none | * PT_GNU_STACK == RW   | exec-none | exec-none |
* *
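Review bot: The table header in this hunk still labels the columns `CPU*` with `arm32` and `arm64`, but once the `missing PT_GNU_STACK` row differs between them, the distinction that matters is compat (32-bit) task versus native 64-bit task, which the following hunk expresses by keeping the `EXSTACK_DEFAULT` test only under the `compat_` name. Consider a line under the table saying that the arm32 column describes compat tasks, so `exec-all` there is not read as a property of a different CPU.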
@ -117,7 +117,7 @@
* *all arm64 CPUs support NX, so there is no "lacks NX" column. * *all arm64 CPUs support NX, so there is no "lacks NX" column.
* *
*/ */
#define elf_read_implies_exec(ex, stk) (stk == EXSTACK_DEFAULT) #define compat_elf_read_implies_exec(ex, stk) (stk == EXSTACK_DEFAULT)
#define CORE_DUMP_USE_REGSET #define CORE_DUMP_USE_REGSET
#define ELF_EXEC_PAGESIZE PAGE_SIZE #define ELF_EXEC_PAGESIZE PAGE_SIZE
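Review bot: Renaming the macro to `compat_elf_read_implies_exec` leaves no definition of `elf_read_implies_exec` in this hunk, so the `exec-none` result for native 64-bit tasks depends on a default that the patch does not show. A short comment above the `#define` stating that native tasks intentionally fall through to that default would let a reader match the table to the code. While the line is being touched, the argument could also be parenthesized in the expansion, as in `((stk) == EXSTACK_DEFAULT)`.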

@ -113,6 +113,11 @@
#define arch_setup_additional_pages compat_arch_setup_additional_pages #define arch_setup_additional_pages compat_arch_setup_additional_pages
#endif #endif
#ifdef compat_elf_read_implies_exec
#undef elf_read_implies_exec
#define elf_read_implies_exec compat_elf_read_implies_exec
#endif
/* /*
* Rename a few of the symbols that binfmt_elf.c will define. * Rename a few of the symbols that binfmt_elf.c will define.
* These are all local so the names don't really matter, but it * These are all local so the names don't really matter, but it
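Review bot: The new `#ifdef compat_elf_read_implies_exec` block carries no comment, while the rename block right after it does. Add one line saying that an architecture may define `compat_elf_read_implies_exec` to give compat tasks a READ_IMPLIES_EXEC policy different from native tasks, and that when it is not defined compat tasks keep whatever `elf_read_implies_exec` already expands to.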