arm64: elf: Enable BTI at exec based on ELF program properties
For BTI protection to be as comprehensive as possible, it is desirable to have BTI enabled from process startup. If this is not done, the process must use mprotect() to enable BTI for each of its executable mappings, but this is painful to do in the libc startup code. It's simpler and more sound to have the kernel do it instead. To this end, detect BTI support in the executable (or ELF interpreter, as appropriate), via the NT_GNU_PROGRAM_PROPERTY_TYPE_0 note, and tweak the initial prot flags for the process' executable pages to include PROT_BTI as appropriate. Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Dave Martin <Dave.Martin@arm.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
This commit is contained in:
Dave Martin
committed by
Catalin Marinas
Catalin Marinas
parent
fe0f67660e
commit
ab7876a98a
@@ -114,7 +114,11 @@
|
||||
|
||||
#ifndef __ASSEMBLY__
|
||||
|
||||
#include <uapi/linux/elf.h>
|
||||
#include <linux/bug.h>
|
||||
#include <linux/errno.h>
|
||||
#include <linux/fs.h>
|
||||
#include <linux/types.h>
|
||||
#include <asm/processor.h> /* for signal_minsigstksz, used by ARCH_DLINFO */
|
||||
|
||||
typedef unsigned long elf_greg_t;
|
||||
@@ -224,6 +228,52 @@ extern int aarch32_setup_additional_pages(struct linux_binprm *bprm,
|
||||
|
||||
#endif /* CONFIG_COMPAT */
|
||||
|
||||
struct arch_elf_state {
|
||||
int flags;
|
||||
};
|
||||
|
||||
#define ARM64_ELF_BTI (1 << 0)
|
||||
|
||||
#define INIT_ARCH_ELF_STATE { \
|
||||
.flags = 0, \
|
||||
}
|
||||
|
||||
static inline int arch_parse_elf_property(u32 type, const void *data,
|
||||
size_t datasz, bool compat,
|
||||
struct arch_elf_state *arch)
|
||||
{
|
||||
/* No known properties for AArch32 yet */
|
||||
if (IS_ENABLED(CONFIG_COMPAT) && compat)
|
||||
return 0;
|
||||
|
||||
if (type == GNU_PROPERTY_AARCH64_FEATURE_1_AND) {
|
||||
const u32 *p = data;
|
||||
|
||||
if (datasz != sizeof(*p))
|
||||
return -ENOEXEC;
|
||||
|
||||
if (system_supports_bti() &&
|
||||
(*p & GNU_PROPERTY_AARCH64_FEATURE_1_BTI))
|
||||
arch->flags |= ARM64_ELF_BTI;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int arch_elf_pt_proc(void *ehdr, void *phdr,
|
||||
struct file *f, bool is_interp,
|
||||
struct arch_elf_state *state)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int arch_check_elf(void *ehdr, bool has_interp,
|
||||
void *interp_ehdr,
|
||||
struct arch_elf_state *state)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif /* !__ASSEMBLY__ */
|
||||
|
||||
#endif
|
||||
|
||||
Reference in New Issue
Block a user