<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 22, 2019 at 4:44 AM Daniel Mentz <<a href="mailto:danielmentz@google.com">danielmentz@google.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">On Thu, Feb 21, 2019 at 7:01 AM Will Deacon <<a href="mailto:will.deacon@arm.com" target="_blank">will.deacon@arm.com</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, Feb 20, 2019 at 03:59:57PM +0800, Li Wang wrote:<br>
> On Wed, Feb 20, 2019 at 8:21 AM Daniel Mentz <<a href="mailto:danielmentz@google.com" target="_blank">danielmentz@google.com</a>> wrote:<br>
> No, execute-only page access permissions don't need any special<br>
> configuration. They have been introduced by the following commit:<br>
> <br>
> "arm64: Introduce execute-only page access permissions"<br>
> <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/" rel="noreferrer" target="_blank">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/</a>?<br>
> id=cab15ce604e550020bb7115b779013b91bcdbc21<br>
> <br>
> /proc//maps for my mprotect04 executable looks as follows:<br>
> <br>
> 6458f5e000-6458f62000 r--p 00000000 fd:06 11691 /<br>
> data/local/tmp/mprotect04<br>
> 6458f62000-6458f67000 --xp 00004000 fd:06 11691 /<br>
> data/local/tmp/mprotect04<br>
> 6458f67000-6458f6a000 rw-p 00009000 fd:06 11691 /<br>
> data/local/tmp/mprotect04<br>
> 6458f6a000-6458f6d000 rw-p 00000000 00:00 0 <br>
> 70c5cc0000-70c5d11000 ---p 00000000 00:00 0 <br>
> <br>
> The notable difference are the access permissions of the second VMA which<br>
> are "--xp". In your case, the permissions were "r-xp", hence reading was<br>
> allowed in addition to execution. I should also note that most other<br>
> binaries on my device like /system/bin/sh don't have the execute-only<br>
> mapping "--xp". Instead, they only have an "r-xp" VMA like your mprotect04.<br>
> In the end, I couldn't find out why there's a difference. Objdump and<br>
> readelf both show that the respective segment is execute-only, but it's<br>
> somehow still mapped readable and executable:<br>
> <br>
> <br>
> Not sure if that's a issue or intentional in design, Cc'ing Deacon and Catalin<br>
> to have look.<br>
<br>
I suspect this depends on the flags that are emitted in the program header<br>
by your compiler. What does objdump -p say for your binary?<br></blockquote></div></div></div></div></div></div></div></blockquote><div><br></div><div class="gmail_default" style="font-size:small"><div class="gmail_quote" style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><div class="gmail_default" style="font-size:small">My situation is different with Daniel's,<span> </span><span style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">on my </span><span style="text-decoration-style:initial;text-decoration-color:initial;background-color:rgb(255,255,255);float:none;display:inline">aarch64 platform with upstream kernel-v5.0-rc7, </span>mprotect04 binary code segment has "r-x" flag and maped as "r-x" permission in VMA, but with the "<span style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">execute-only page access permissions" patch shouldn't it map with execute only permission? </span></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"><div class="gmail_default"># grep CONFIG_ARM64_UAO /boot/config-5.0.0-rc7</div><div class="gmail_default">CONFIG_ARM64_UAO=y</div><div class="gmail_default"><br></div><div class="gmail_default"># lscpu </div><div class="gmail_default">Architecture: aarch64</div><div class="gmail_default">Byte Order: Little Endian</div><div class="gmail_default">CPU(s): 32</div><div class="gmail_default">On-line CPU(s) list: 0-31</div><div class="gmail_default">Thread(s) per core: 1</div><div class="gmail_default">Core(s) per socket: 32</div><div class="gmail_default">Socket(s): 1</div><div class="gmail_default">NUMA node(s): 1</div><div class="gmail_default">Vendor ID: APM</div><div class="gmail_default">Model: 1</div><div class="gmail_default">Model name: X-Gene</div><div class="gmail_default">Stepping: 0x3</div><div class="gmail_default">CPU max MHz: 3000.0000</div><div class="gmail_default">CPU min MHz: 375.0000</div><div class="gmail_default">BogoMIPS: 100.00</div><div class="gmail_default">L1d cache: 32K</div><div class="gmail_default">L1i cache: 32K</div><div class="gmail_default">L2 cache: 256K</div><div class="gmail_default">NUMA node0 CPU(s): 0-31</div><div class="gmail_default">Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 cpuid</div><div><br></div></div></div><div class="gmail_default" style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"># gcc -g -O2 -g -O2 -fno-strict-aliasing -pipe -Wall -W -Wold-style-definition -D_FORTIFY_SOURCE=2 -I../../../../include -I../../../../include -I../../../../include/old/ -L../../../../lib mprotect04.c -lltp -o mprotect04</div><div dir="ltr" style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><div class="gmail_default"><span style="font-size:small"></span># objdump -p mprotect04</div><div class="gmail_default"><br></div><div class="gmail_default">mprotect04: file format elf64-littleaarch64</div><div class="gmail_default"><br></div><div class="gmail_default">Program Header:</div><div class="gmail_default"> PHDR off 0x0000000000000040 vaddr 0x0000000000400040 paddr 0x0000000000400040 align 2**3</div><div class="gmail_default"> filesz 0x00000000000001f8 memsz 0x00000000000001f8 flags r--</div><div class="gmail_default"> INTERP off 0x0000000000000238 vaddr 0x0000000000400238 paddr 0x0000000000400238 align 2**0</div><div class="gmail_default"> filesz 0x000000000000001b memsz 0x000000000000001b flags r--</div><div class="gmail_default"> LOAD off 0x0000000000000000 vaddr 0x0000000000400000 paddr 0x0000000000400000 align 2**16</div><div class="gmail_default"> filesz 0x000000000001a98c memsz 0x000000000001a98c flags r-x</div><div class="gmail_default"> LOAD off 0x000000000001fde8 vaddr 0x000000000042fde8 paddr 0x000000000042fde8 align 2**16</div><div class="gmail_default"> filesz 0x00000000000007fc memsz 0x0000000000003858 flags rw-</div><div class="gmail_default"> DYNAMIC off 0x000000000001fdf8 vaddr 0x000000000042fdf8 paddr 0x000000000042fdf8 align 2**3</div><div class="gmail_default"> filesz 0x00000000000001d0 memsz 0x00000000000001d0 flags rw-</div><div class="gmail_default"> NOTE off 0x0000000000000254 vaddr 0x0000000000400254 paddr 0x0000000000400254 align 2**2</div><div class="gmail_default"> filesz 0x0000000000000044 memsz 0x0000000000000044 flags r--</div><div class="gmail_default">EH_FRAME off 0x00000000000171b0 vaddr 0x00000000004171b0 paddr 0x00000000004171b0 align 2**2</div><div class="gmail_default"> filesz 0x00000000000006d4 memsz 0x00000000000006d4 flags r--</div><div class="gmail_default"> STACK off 0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**4</div><div class="gmail_default"> filesz 0x0000000000000000 memsz 0x0000000000000000 flags rw-</div><div class="gmail_default"> RELRO off 0x000000000001fde8 vaddr 0x000000000042fde8 paddr 0x000000000042fde8 align 2**0</div><div class="gmail_default"> filesz 0x0000000000000218 memsz 0x0000000000000218 flags r--</div><div class="gmail_default" style="font-size:small"></div></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br></blockquote><div><br></div><div>Not sure if this question was meant for Li or me.</div><div>On my system, the objdump output looks as follows:</div><div><br></div><div><div>$ objdump -p out/target/product/crosshatch/system/bin/sh</div><div><br></div><div>out/target/product/crosshatch/system/bin/sh: file format elf64-littleaarch64</div><div><br></div><div>Program Header:</div><div> PHDR off 0x0000000000000040 vaddr 0x0000000000000040 paddr 0x0000000000000040 align 2**3</div><div> filesz 0x0000000000000230 memsz 0x0000000000000230 flags r--</div><div> INTERP off 0x0000000000000270 vaddr 0x0000000000000270 paddr 0x0000000000000270 align 2**0</div><div> filesz 0x0000000000000015 memsz 0x0000000000000015 flags r--</div><div> LOAD off 0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**12</div><div> filesz 0x0000000000009f94 memsz 0x0000000000009f94 flags r--</div><div> LOAD off 0x000000000000a000 vaddr 0x000000000000a000 paddr 0x000000000000a000 align 2**12</div><div> filesz 0x000000000003a450 memsz 0x000000000003a450 flags --x</div><div> LOAD off 0x0000000000045000 vaddr 0x0000000000045000 paddr 0x0000000000045000 align 2**12</div><div> filesz 0x00000000000025f0 memsz 0x0000000000004cc8 flags rw-</div><div> DYNAMIC off 0x0000000000046e80 vaddr 0x0000000000046e80 paddr 0x0000000000046e80 align 2**3</div><div> filesz 0x0000000000000200 memsz 0x0000000000000200 flags rw-</div><div> RELRO off 0x0000000000046000 vaddr 0x0000000000046000 paddr 0x0000000000046000 align 2**0</div><div> filesz 0x00000000000015f0 memsz 0x0000000000002000 flags r--</div><div>EH_FRAME off 0x0000000000005498 vaddr 0x0000000000005498 paddr 0x0000000000005498 align 2**2</div><div> filesz 0x0000000000000d64 memsz 0x0000000000000d64 flags r--</div><div> STACK off 0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**0</div><div> filesz 0x0000000000000000 memsz 0x0000000000000000 flags rw-</div><div> NOTE off 0x0000000000000288 vaddr 0x0000000000000288 paddr 0x0000000000000288 align 2**2</div><div> filesz 0x0000000000000038 memsz 0x0000000000000038 flags r--</div><div><br></div></div><div>The second "LOAD" segment is defined with "flags --x". After looking at the kernel source file fs/binfmt_elf.c, my understanding is that this should translate into a VMA that is mapped execute-only. However, when looking at /proc//maps, the corresponding VMA is mapped "read and execute". I couldn't find out why there's a discrepancy. A different binary i.e. mprotect04 looked similar in "objdump -p", but its code segment got indeed mapped execute-only. I currently don't have the objdump output for that binary, but I can get it if needed. To conclude, I noticed that ELF segments marked as "--x" are sometimes mapped execute-only and sometimes read-and-execute.</div><div>We are using an Android kernel based on Linux 4.9.153</div></div></div></div></div></div></div></div></blockquote></div><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>Regards,<br></div><div>Li Wang<br></div></div></div></div></div></div></div></div>