ARM: image is running with READ_IMPLIES_EXEC

Bug #364358 reported by Kees Cook
Affects          Status         Importance   Assigned to     Milestone
linux (Ubuntu)   Fix Released   Medium       Amit Kucheria
Jaunty           Fix Released   Undecided    Unassigned

Bug Description

SRU justification:

Impact:
 - Was (incorrectly) setting READ_IMPLIES_EXEC when stack execution was disabled
 - Was (incorrectly) setting READ_IMPLIES_EXEC for ARMv6 processors. They
   support the XN bit.

Fix: Toggle the incorrect logic in arm_elf_read_implies_exec()

Testcase: /proc/self/personality should not have READ_IMPLIES_EXEC on iMX51

---

The ARM images appear to have the READ_IMPLIES_EXEC personality bit set (cat /proc/self/personality). This should not be happening, and it's not clear what the origin is. The ELF binaries do not have executable GNU_STACK (readelf -l), yet the cpu_architecture() is high enough not to force it on.

Kees Cook (kees) wrote :

21:16 < lool> kees: Around? Do you think you'd know what could cause 364290?
21:17 < kees> lool: sounds like the kernel is forcing PROT_EXEC for mmap calls.
21:17 < lool> kees: Could it be a kernel config?
21:17 < kees> lool: we faced that on i386 when init was set to have an executable stack
21:17 < kees> lool: it's likely the way in which you transition to init from the boot process.
21:18 < kees> lool: in normal Ubuntu, we use klibc to exec upstart, how does ARM do it?
21:18 < lool> kees: In theory in the same way
21:18 < lool> kees: Not quite sure we use klibc though, it could be regular libc
21:19 < lool> kees: Checking...
21:20 < lool> kees: Will take a while, will come back to you when it's booted
21:20 < lool> kees: thanks!
21:21 < kees> lool: okay, in the meantime, I'm hunting the fixes for klibc that I got upstreamed
21:22 < kees> lool: http://git.kernel.org/?p=libs/klibc/klibc.git;a=commitdiff;h=812e2ff7e74e8c495c936981ba0a0372e50b7244
21:24 < kees> lool: what does sudo cat /proc/1/personality say ?
21:29 < lool> kees: 00c00000
21:29 < kees> lool: yeah, looks like READ_IMPLIES_EXEC is getting set (this should not be)
21:29 < kees> lool: I would have expected 00000000
21:30 < kees> lool: /proc/$pid/personality exists because I spent so long debugging this issue on ia32. ;)
21:30 < lool> kees: I can confirm that /sbin/init uses libc; /lib/vfp/libc actually
21:31 < kees> lool: /sbin/init in the boot setup, right? not upstart itself?
21:31 < kees> lool: does your local shell have 00000000 personality?
21:31 < lool> kees: Sorry, I'm just saying PID 1 uses /lib/vfp/libc
21:32 < lool> kees: Yes
21:32 < lool> kees: sudo cat /proc/self/personality returns 00c00000
21:33 < kees> lool: hrm, so all the processes have 00c00000 ? that would seem to imply that ARM architecture doesn't have NX protections
21:35 < lool> kees: Perhaps it doesn't; how could I check?
21:35 < lool> kees: In which case we should disable AA?
21:36 < kees> lool: can you paste /proc/cpuinfo somewhere for me?
21:36 < kees> lool: disabling AA on ARM seems unfortunate.
21:37 < lool> kees: we're moving to v6 next cycle
21:37 < kees> lool: I was hoping someone could run the regression tester I wrote on an ARM image: http://people.ubuntu.com/~kees/qrt-test-kernel-security.tar.gz
21:38 < lool> kees: http://pastebin.com/f147ffe7c
21:43 < kees> lool: what does readelf -l /sbin/init show ?
21:44 < kees> lool: (specifically interested in GNU_STACK item, and if it says "RW" or "RWE")
21:45 < kees> lool: okay, so the executable itself isn't marked as needing an executable stack, so it must be coming from the kernel side
21:47 < kees> lool: interesting, the personality flags map to READ_IMPLIES_EXEC and ADDR_LIMIT_32BIT
21:49 < kees> lool: so, near as I can tell, the kernel's arm_elf_read_implies_exec is returning "1", and the executable_stack is correctly set to EXSTACK_DISABLE_X (via the ELF headers)
21:50 < kees> lool: the only way that can happen is:
21:53 < kees> lool: according to your /proc/cpuinfo, you've got CPU_ARCH_ARMv5TEJ not CPU_ARCH_ARMv7
21:53 < kees> lool: "CPU architecture: 7" vs arch/arm/include/asm/system.h
21:54 < kees> lool: though I find it interesting ...

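As an added example (not code from the bug report or from the Ubuntu kernel tree), the following Python script does by hand what the SRU testcase and the IRC session above check: it decodes a /proc/<pid>/personality value such as the 00c00000 seen on the image, classifies an ELF's GNU_STACK entry from readelf -l output the way binfmt_elf does (absent, RW, RWE), and models the buggy and the fixed forms of arm_elf_read_implies_exec() as the Impact section describes them, so the cases where the two disagree can be listed. The readelf excerpts are constructed, and the architecture ordering and the two predicate bodies are a model reconstructed from the bug description, not a copy of the kernel source; the personality bit values are the ones from linux/personality.h.

```python
"""READ_IMPLIES_EXEC checks for this bug (added example, not kernel code)."""
import os
import re

# Personality flag bits from <linux/personality.h>; the low byte is the
# personality type (PER_LINUX == 0), the upper bits are behaviour flags.
PER_FLAGS = {
    "UNAME26":            0x0020000,
    "ADDR_NO_RANDOMIZE":  0x0040000,
    "FDPIC_FUNCPTRS":     0x0080000,
    "MMAP_PAGE_ZERO":     0x0100000,
    "ADDR_COMPAT_LAYOUT": 0x0200000,
    "READ_IMPLIES_EXEC":  0x0400000,
    "ADDR_LIMIT_32BIT":   0x0800000,
    "SHORT_INODE":        0x1000000,
    "WHOLE_SECONDS":      0x2000000,
    "STICKY_TIMEOUTS":    0x4000000,
    "ADDR_LIMIT_3GB":     0x8000000,
}
PER_MASK = 0xff

def decode_personality(hex_value):
    """Split a /proc/<pid>/personality string into (type, [flag names])."""
    value = int(hex_value.strip(), 16)
    names = [n for n, bit in sorted(PER_FLAGS.items(), key=lambda kv: kv[1]) if value & bit]
    return value & PER_MASK, names

def has_read_implies_exec(hex_value):
    """The SRU testcase: True means PROT_READ mappings are silently made executable."""
    return "READ_IMPLIES_EXEC" in decode_personality(hex_value)[1]

def self_personality():
    """Read this process's own personality; None when /proc is not available."""
    path = "/proc/self/personality"
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return f.read().strip()

# executable_stack values that binfmt_elf derives from the PT_GNU_STACK header.
EXSTACK_DEFAULT, EXSTACK_DISABLE_X, EXSTACK_ENABLE_X = 0, 1, 2

# GNU_STACK row of `readelf -l`: type, five hex columns, then the flag field ("RW ", "RWE", ...).
_GNU_STACK_RE = re.compile(r"^\s*GNU_STACK\s+(?:0x[0-9a-fA-F]+\s+){5}([RWE ]{1,3})\s+0x")

def exstack_from_readelf(readelf_output):
    """Kernel classification: no GNU_STACK -> DEFAULT, flags without E -> DISABLE_X, with E -> ENABLE_X."""
    for line in readelf_output.splitlines():
        m = _GNU_STACK_RE.match(line)
        if m:
            return EXSTACK_ENABLE_X if "E" in m.group(1) else EXSTACK_DISABLE_X
    return EXSTACK_DEFAULT

# Constructed readelf excerpts (not captured from the image): an RW and an RWE stack header.
SAMPLE_READELF_RW = (
    "  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align\n"
    "  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4\n"
)
SAMPLE_READELF_RWE = SAMPLE_READELF_RW.replace("RW  0x4", "RWE 0x4")

# Ordered architecture levels: a model of the CPU_ARCH_* ordering, not the kernel's values.
ARMv5TEJ, ARMv6, ARMv7 = 5, 6, 7

def read_implies_exec_buggy(executable_stack, cpu_arch):
    """Pre-fix shape per the Impact section: fires unless the stack is explicitly
    executable, and also fires for ARMv6 even though ARMv6 has the XN bit."""
    if executable_stack != EXSTACK_ENABLE_X:
        return True
    if cpu_arch <= ARMv6:
        return True
    return False

def read_implies_exec_fixed(executable_stack, cpu_arch):
    """Fixed shape: fire only when the stack is not marked non-executable, or
    when the CPU predates ARMv6 and so cannot enforce XN."""
    if executable_stack != EXSTACK_DISABLE_X:
        return True
    if cpu_arch < ARMv6:
        return True
    return False

def compare_predicates():
    """Enumerate stack x arch; return (stack, arch, buggy, fixed) where the two disagree."""
    stacks = {"DEFAULT": EXSTACK_DEFAULT, "DISABLE_X": EXSTACK_DISABLE_X, "ENABLE_X": EXSTACK_ENABLE_X}
    archs = {"ARMv5TEJ": ARMv5TEJ, "ARMv6": ARMv6, "ARMv7": ARMv7}
    diffs = []
    for sname, s in stacks.items():
        for aname, a in archs.items():
            buggy, fixed = read_implies_exec_buggy(s, a), read_implies_exec_fixed(s, a)
            if buggy != fixed:
                diffs.append((sname, aname, buggy, fixed))
    return diffs

if __name__ == "__main__":
    print("00c00000 ->", decode_personality("00c00000"))  # the value seen on the image
    print("init stack:", exstack_from_readelf(SAMPLE_READELF_RW), "(1 = EXSTACK_DISABLE_X)")
    for case in compare_predicates():
        print("stack=%-9s arch=%-8s buggy=%s fixed=%s" % case)
    mine = self_personality()
    if mine is not None:
        print("this process:", mine, "READ_IMPLIES_EXEC" if has_read_implies_exec(mine) else "clean")
```

Run it on the affected image and the last line is the SRU testcase; the comparison table shows the two regressions from the Impact section (a non-executable stack on ARMv6 and on ARMv7 wrongly getting READ_IMPLIES_EXEC) and one further case (an explicitly executable stack on ARMv7) where only the fixed predicate returns true, which is harmless because the stack is executable anyway.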

visibility: private → public
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
tags: added: regression-potential
Kees Cook (kees)
tags: added: arm armel
Amit Kucheria (amitk) wrote :
Changed in linux (Ubuntu):
assignee: nobody → Amit Kucheria (amitk)
Kees Cook (kees) wrote : Re: [Bug 364358] Re: ARM: image is running with READ_IMPLIES_EXEC

On Tue, Apr 21, 2009 at 08:43:07AM -0000, Amit Kucheria wrote:
> I guess this is the fix we are looking for?
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9da616fb9946c8d65387052e5a538b8f54ddb292

Hah, yes, that would be exactly what the problem was. I had missed the
logic error in the first if. Thanks for finding this!

--
Kees Cook @outflux.net

Amit Kucheria (amitk)
Changed in linux (Ubuntu):
status: Confirmed → Fix Committed
Steve Beattie (sbeattie)
tags: added: jaunty regression-release
removed: regression-potential
Stefan Bader (smb)
description: updated
Steve Langasek (vorlon) wrote :

Accepted linux into jaunty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in linux (Ubuntu Jaunty):
status: New → Fix Committed
tags: added: verification-needed
Paul Larson (pwlars)
tags: removed: arm
Steve Beattie (sbeattie)
tags: added: hw-specific
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.28-13.44

---------------
linux (2.6.28-13.44) jaunty-proposed; urgency=low

  [ Stefan Bader ]

  * Revert "SAUCE: [jaunty] ALSA: Add retry for Intel8x0 clock measurement"
  * Revert "SAUCE: [jaunty] ALSA: Fix clock and buffer calculations for
    Intel8x0"
  * Revert "SAUCE: [jaunty] ALSA: Fix buffer positions and checks"

linux (2.6.28-12.43) jaunty-proposed; urgency=low

  [ Amit Kucheria ]

  * Enable SYN_COOKIES for iop32x and versatile flavours
    - LP: #361687
  * SAUCE: Quirk for BT USB device on MacbookPro to be reset before use
    - LP: #332443

  [ Brad Figg ]

  * [jaunty] Add missing mvsas (Marvel SAS 6440) module configuration.
    - LP: #352336

  [ Chuck Short ]

  * SAUCE: [USB] Unusual Device support for Gold MP3 Player Energy
    - LP: #125250

  [ Daniel T Chen ]

  * SAUCE: [jaunty] ALSA: Fix buffer positions and checks
    - LP: #345627
  * SAUCE: [jaunty] ALSA: Fix clock and buffer calculations for Intel8x0
    - LP: #345627
  * SAUCE: [jaunty] ALSA: Add retry for Intel8x0 clock measurement
    - LP: #345627

  [ Luke Yelavich ]

  * disable CONFIG_SND_HDA_INPUT_BEEP on amd64 and i386
    - LP: #331589

  [ Makito SHIOKAWA ]

  * [ARM] 5404/1: Fix condition in arm_elf_read_implies_exec() to set
    READ_IMPLIES_EXEC
    - LP: #364358

  [ Manoj Iyer ]

  * SAUCE: Added quirk to fix key release for Samsung NC20
    - LP: #360247

  [ Oleg Nesterov ]

  * posix timers: fix RLIMIT_CPU && fork()
    - LP: #361508

  [ Scott James Remnant ]

  * [Config] Disable libusual and the ub driver
    - LP: #364538

  [ Stefan Bader ]

  * Disable unwanted staging builds
    - LP: #366144
  * Remove prism2_usb driver from ubuntu and use the one from staging
    - LP: #325366
  * SAUCE: Make rtl8187se depend on WIRELESS_EXT
    - LP: #366144
  * Disable CONFIG_RTL8187SE for armel.versatile
    - LP: #366144

  [ Tejun Heo ]

  * libata: handle SEMB signature better
    - LP: #257790

  [ Tim Gardner ]

  * Set USB_SERIAL=m for i386/amd64
    - LP: #345002
  * SAUCE: Jaunty - aic79xx - set reset delay to 5 seconds, down from 15.
    - LP: #79542
  * SAUCE: (drop after 2.6.28) Wifi suspend/resume scan timeout fixes
    - LP: #336055
  * Sony laptop: Sony Vaio laptops do not enable wwan power by default.
    - LP: #364678

  [ Tyler Hicks ]

  * SAUCE: (drop after 2.6.28) eCryptfs: Larger buffer for encrypted
    symlink targets
    - LP: #357345

  [ Upstream Kernel Changes ]

  * V4L/DVB (9999): gspca - zc3xx: Webcam 046d:089d added.
    - LP: #326674
  * V4L/DVB (10044): gspca - pac7311: Webcam 093a:2620 added.
    - LP: #363195
  * hwmon: (it87) Add support for the ITE IT8720F
    - LP: #357766
  * vgacon: Return the upper half of 512 character fonts
    - LP: #355057
  * drm/i915: add support for G41 chipset
    - LP: #365958

 -- Stefan Bader <email address hidden> Mon, 25 May 2009 17:30:40 +0200

Changed in linux (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Loïc Minier (lool) wrote :

This was in 2.6.30; closing

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
tags: added: iso-testing
This report contains Public Security information.
