ARM: image is running with READ_IMPLIES_EXEC
Bug #364358 reported by Kees Cook
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Medium | Amit Kucheria |
Jaunty | Fix Released | Undecided | Unassigned |
Bug Description
SRU justification:
Impact:
- Was (incorrectly) setting READ_IMPLIES_EXEC when stack execution was disabled
- Was (incorrectly) setting READ_IMPLIES_EXEC for ARMv6 processors. They support the XN bit.
Fix: Toggle the incorrect logic in arm_elf_
Testcase: /proc/self/
---
The ARM images appear to have the READ_IMPLIES_EXEC personality bit set (cat /proc/self/
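The check this report relies on, written out as an added example (not code from the bug report or the kernel): it decodes a `/proc/<pid>/personality` value and compares it with the binary's `PT_GNU_STACK` flags, the same two data points compared in the IRC log on this page. The function names, the `cpu_has_xn` parameter and the sample ELF image are constructed for illustration.

```python
import struct

READ_IMPLIES_EXEC = 0x0400000   # personality bit, linux/personality.h
ADDR_LIMIT_32BIT = 0x0800000    # the other bit in the page's 00c00000
PT_GNU_STACK, PF_X = 0x6474E551, 0x1

def gnu_stack_flags(elf):
    """Return p_flags of PT_GNU_STACK (what readelf -l shows as RW/RWE), or None."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                       # EI_CLASS
    e = "<" if elf[5] == 1 else ">"          # EI_DATA
    if is64:
        (phoff,) = struct.unpack_from(e + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(e + "HH", elf, 0x36)
    else:
        (phoff,) = struct.unpack_from(e + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(e + "HH", elf, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        (p_type,) = struct.unpack_from(e + "I", elf, off)
        if p_type == PT_GNU_STACK:
            # p_flags: offset 4 in Elf64_Phdr, offset 24 in Elf32_Phdr
            return struct.unpack_from(e + "I", elf, off + (4 if is64 else 24))[0]
    return None

def diagnose(personality_hex, elf, cpu_has_xn=True):
    """Classify a /proc/<pid>/personality value against the binary's stack marking."""
    persona = int(personality_hex.strip(), 16)
    flags = gnu_stack_flags(elf)
    if not persona & READ_IMPLIES_EXEC:
        return "ok: READ_IMPLIES_EXEC is clear"
    if not cpu_has_xn:
        return "expected: CPU has no XN bit, so readable mappings are executable"
    if flags is None or flags & PF_X:
        # Assumption: a missing PT_GNU_STACK is treated like an executable stack.
        return "expected: binary does not disable stack execution"
    return "kernel-side: stack marked non-exec but READ_IMPLIES_EXEC is set"

def sample_elf32(stack_flags):
    """Constructed minimal ELF32 little-endian ARM image with one PT_GNU_STACK header."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = struct.pack("<HHIIIIIHHHHHH", 2, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4)
    return ident + ehdr + phdr

if __name__ == "__main__":
    print(diagnose("00c00000", sample_elf32(6)))   # value from the page, RW stack
    print(diagnose("00c00000", sample_elf32(7)))   # same value, RWE stack
```

On a live system, pass the contents of `/proc/<pid>/personality` and the bytes of `/proc/<pid>/exe` instead of the constructed sample.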
tags: added: arm armel
Changed in linux (Ubuntu): status: Confirmed → Fix Committed
tags: added: jaunty regression-release; removed: regression-potential
description: updated
tags: removed: arm
tags: added: hw-specific
tags: added: iso-testing
21:16 < lool> kees: Around? Do you think you'd know what could cause 364290?
21:17 < kees> lool: sounds like the kernel is forcing PROT_EXEC for mmap calls.
21:17 < lool> kees: Could it be a kernel config?
21:17 < kees> lool: we faced that on i386 when init was set to have an executable stack
21:17 < kees> lool: it's likely the way in which you transition to init from the boot process.
21:18 < kees> lool: in normal Ubuntu, we use klibc to exec upstart, how does ARM do it?
21:18 < lool> kees: In theory in the same way
21:18 < lool> kees: Not quite sure we use klibc though, it could be regular libc
21:19 < lool> kees: Checking...
21:20 < lool> kees: Will take a while, will come back to you when it's booted
21:20 < lool> kees: thanks!
21:21 < kees> lool: okay, in the meantime, I'm hunting the fixes for klibc that I got upstreamed
21:22 < kees> lool: http://git.kernel.org/?p=libs/klibc/klibc.git;a=commitdiff;h=812e2ff7e74e8c495c936981ba0a0372e50b7244
21:24 < kees> lool: what does sudo cat /proc/1/personality say ?
21:29 < lool> kees: 00c00000
21:29 < kees> lool: yeah, looks like READ_IMPLIES_EXEC is getting set (this should not be)
21:29 < kees> lool: I would have expected 00000000
21:30 < kees> lool: /proc/$pid/personality exists because I spent so long debugging this issue on ia32. ;)
21:30 < lool> kees: I can confirm that /sbin/init uses libc; /lib/vfp/libc actually
21:31 < kees> lool: /sbin/init in the boot setup, right? not upstart itself?
21:31 < kees> lool: does your local shell have 00000000 personality?
21:31 < lool> kees: Sorry, I'm just saying PID 1 uses /lib/vfp/libc
21:32 < lool> kees: Yes
21:32 < lool> kees: sudo cat /proc/self/personality returns 00c00000
21:33 < kees> lool: hrm, so all the processes have 00c00000 ? that would seem to imply that ARM architecture doesn't have NX protections
21:35 < lool> kees: Perhaps it doesn't; how could I check?
21:35 < lool> kees: In which case we should disable AA?
21:36 < kees> lool: can you paste /proc/cpuinfo somewhere for me?
21:36 < kees> lool: disabling AA on ARM seems unfortunate.
21:37 < lool> kees: we're moving to v6 next cycle
21:37 < kees> lool: I was hoping someone could run the regression tester I wrote on an ARM image: http://people.ubuntu.com/~kees/qrt-test-kernel-security.tar.gz
21:38 < lool> kees: http://pastebin.com/f147ffe7c
21:43 < kees> lool: what does readelf -l /sbin/init show ?
21:44 < kees> lool: (specifically interested in GNU_STACK item, and if it says "RW" or "RWE")
21:45 < kees> lool: okay, so the executable itself isn't marked as needing an executable stack, so it must be coming from the kernel side
21:47 < kees> lool: interesting, the personality flags map to READ_IMPLIES_EXEC and ADDR_LIMIT_32BIT
21:49 < kees> lool: so, near as I can tell, the kernel's arm_elf_read_implies_exec is returning "1", and the executable_stack is correctly set to EXSTACK_DISABLE_X (via the ELF headers)
21:50 < kees> lool: the only way that can happen is:
21:53 < kees> lool: according to your /proc/cpuinfo, you've got CPU_ARCH_ARMv5TEJ not CPU_ARCH_ARMv7
21:53 < kees> lool: "CPU architecture: 7" vs arch/arm/include/asm/system.h
21:54 < kees> lool: though I find it interesting ...