LKML Archive on
help / color / mirror / Atom feed
From: tip-bot for Dmitry Safonov <>
Subject: [tip:x86/urgent] x86/mm: Drop TS_COMPAT on 64-bit exec() syscall
Date: Sat, 19 May 2018 03:24:48 -0700	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

Commit-ID:  5f7633ba75acd80dd1dd4ef408bc6d98f9e2b194
Author:     Dmitry Safonov <>
AuthorDate: Fri, 18 May 2018 00:35:10 +0100
Committer:  Thomas Gleixner <>
CommitDate: Sat, 19 May 2018 12:22:24 +0200

x86/mm: Drop TS_COMPAT on 64-bit exec() syscall

The x86 mmap() code selects the mmap base for an allocation depending on
the bitness of the syscall. For 64bit sycalls it select mm->mmap_base and
for 32bit mm->mmap_compat_base.

exec() calls mmap() which in turn uses in_compat_syscall() to check whether
the mapping is for a 32bit or a 64bit task. The decision is made on the
following criteria:

  ia32    child->thread.status & TS_COMPAT
   x32    child->pt_regs.orig_ax & __X32_SYSCALL_BIT
  ia64    !ia32 && !x32

__set_personality_x32() was dropping TS_COMPAT flag, but
set_personality_64bit() has kept compat syscall flag making
in_compat_syscall() return true during the first exec() syscall.

Which in result has user-visible effects, mentioned by Alexey:
1) It breaks ASAN
$ gcc -fsanitize=address wrap.c -o wrap-asan
$ ./wrap32 ./wrap-asan true
==1217==Shadow memory range interleaves with an existing memory mapping. ASan cannot proceed correctly. ABORTING.
==1217==ASan shadow was supposed to be located in the [0x00007fff7000-0x10007fff7fff] range.
==1217==Process memory map follows:
        0x000000400000-0x000000401000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
        0x000000600000-0x000000601000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
        0x000000601000-0x000000602000   /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan
        0x0000f7dbd000-0x0000f7de2000   /lib64/
        0x0000f7fe2000-0x0000f7fe3000   /lib64/
        0x0000f7fe3000-0x0000f7fe4000   /lib64/
        0x7fed9af54000-0x7fed9af6b000   /lib64/

2) It doesn't seem to be great for security if an attacker always knows
that is going to be mapped into the first 4GB in this case
(the same thing happens for PIEs as well).

The testcase:
$ cat wrap.c

int main(int argc, char *argv[]) {
  execvp(argv[1], &argv[1]);
  return 127;

$ gcc wrap.c -o wrap
$ LD_SHOW_AUXV=1 ./wrap ./wrap true |& grep AT_BASE
AT_BASE:         0x7f63b8309000
AT_BASE:         0x7faec143c000
AT_BASE:         0x7fbdb25fa000

$ gcc -m32 wrap.c -o wrap32
$ LD_SHOW_AUXV=1 ./wrap32 ./wrap true |& grep AT_BASE
AT_BASE:         0xf7eff000
AT_BASE:         0xf7cee000
AT_BASE:         0x7f8b9774e000

Fixes: 1b028f784e8c ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
Fixes: ada26481dfe6 ("x86/mm: Make in_compat_syscall() work during exec")
Reported-by: Alexey Izbyshev <>
Bisected-by: Alexander Monakov <>
Investigated-by: Andy Lutomirski <>
Signed-off-by: Dmitry Safonov <>
Signed-off-by: Thomas Gleixner <>
Cc: Borislav Petkov <>
Cc: Alexander Monakov <>
Cc: Dmitry Safonov <>
Cc: Andy Lutomirski <>
Cc: "H. Peter Anvin" <>
Cc: Cyrill Gorcunov <>
Cc: "Kirill A. Shutemov" <>

 arch/x86/kernel/process_64.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index 4b100fe0f508..12bb445fb98d 100644
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -542,6 +542,7 @@ void set_personality_64bit(void)
 	/* Pretend that this comes from a 64bit execve */
 	task_pt_regs(current)->orig_ax = __NR_execve;
+	current_thread_info()->status &= ~TS_COMPAT;
 	/* Ensure the corresponding mm is not marked. */
 	if (current->mm)

  parent reply	other threads:[~2018-05-19 10:25 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-17 23:35 [PATCH] " Dmitry Safonov
2018-05-17 23:40 ` Dmitry Safonov
2018-05-18 22:03   ` Andy Lutomirski
2018-05-18 23:10     ` Dmitry Safonov
2018-05-18 23:16       ` Dmitry Safonov
2018-05-18 23:25         ` Dmitry Safonov
2018-05-19  2:05       ` Andy Lutomirski
2018-05-19  2:22         ` Dmitry Safonov
2018-05-19  2:25           ` Dmitry Safonov
2018-05-19  2:33             ` Dmitry Safonov
2018-05-18  7:20 ` Cyrill Gorcunov
2018-05-19 10:24 ` tip-bot for Dmitry Safonov [this message]
2018-05-19 10:34 ` [tip:x86/urgent] " tip-bot for Dmitry Safonov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
    --subject='Re: [tip:x86/urgent] x86/mm: Drop TS_COMPAT on 64-bit exec() syscall' \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).