From: Kurt Garloff A patch to parse the elf binaries for a PT_GNU_STACK section to set the stack non-executable if possible. Most parts have been shamelessly stolen from Ingo Molnar's more ambitious stackshield http://people.redhat.com/mingo/exec-shield/exec-shield-2.6.4-C9 The toolchain has meanwhile support for marking the binaries with a PT_GNU_STACK section wwithout x bit as needed. If no such section is found, we leave the stack to whatever the arch defaults to. If there is one, we explicitly disabled the VM_EXEC bit if no x bit is found, otherwise explicitly enable. --- 25-akpm/arch/ia64/ia32/binfmt_elf32.c | 16 +++++++++++----- 25-akpm/arch/ia64/ia32/ia32priv.h | 2 +- 25-akpm/arch/mips/kernel/irixelf.c | 2 +- 25-akpm/arch/s390/kernel/binfmt_elf32.c | 4 ++-- 25-akpm/arch/s390/kernel/compat_exec.c | 3 ++- 25-akpm/arch/sparc64/kernel/binfmt_aout32.c | 2 +- 25-akpm/arch/x86_64/ia32/ia32_aout.c | 4 ++-- 25-akpm/arch/x86_64/ia32/ia32_binfmt.c | 15 ++++++++++----- 25-akpm/fs/binfmt_aout.c | 2 +- 25-akpm/fs/binfmt_elf.c | 12 +++++++++++- 25-akpm/fs/binfmt_som.c | 2 +- 25-akpm/fs/exec.c | 14 +++++++++++--- 25-akpm/include/linux/binfmts.h | 8 +++++++- 25-akpm/include/linux/elf.h | 2 ++ 14 files changed, 63 insertions(+), 25 deletions(-) diff -puN arch/ia64/ia32/binfmt_elf32.c~noexec-stack arch/ia64/ia32/binfmt_elf32.c --- 25/arch/ia64/ia32/binfmt_elf32.c~noexec-stack 2004-03-24 03:00:19.270872776 -0800 +++ 25-akpm/arch/ia64/ia32/binfmt_elf32.c 2004-03-24 03:00:19.289869888 -0800 @@ -35,7 +35,7 @@ extern void ia64_elf32_init (struct pt_r static void elf32_set_personality (void); -#define setup_arg_pages(bprm) ia32_setup_arg_pages(bprm) +#define setup_arg_pages(bprm,exec) ia32_setup_arg_pages(bprm,exec) #define elf_map elf32_map #undef SET_PERSONALITY @@ -149,7 +149,7 @@ ia64_elf32_init (struct pt_regs *regs) } int -ia32_setup_arg_pages (struct linux_binprm *bprm) +ia32_setup_arg_pages (struct linux_binprm *bprm, int executable_stack) { unsigned long stack_base; struct vm_area_struct *mpnt; @@ -178,8 +178,14 @@ ia32_setup_arg_pages (struct linux_binpr mpnt->vm_mm = current->mm; mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p; mpnt->vm_end = IA32_STACK_TOP; - mpnt->vm_page_prot = PAGE_COPY; - mpnt->vm_flags = VM_STACK_FLAGS; + if (executable_stack == EXSTACK_ENABLE_X) + mpnt->vm_flags = VM_STACK_FLAGS | VM_EXEC; + else if (executable_stack == EXSTACK_DISABLE_X) + mpnt->vm_flags = VM_STACK_FLAGS & ~VM_EXEC; + else + mpnt->vm_flags = VM_STACK_FLAGS; + mpnt->vm_page_prot = (mpnt->vm_flags & VM_EXEC)? + PAGE_COPY_EXEC: PAGE_COPY; mpnt->vm_ops = NULL; mpnt->vm_pgoff = 0; mpnt->vm_file = NULL; @@ -192,7 +198,7 @@ ia32_setup_arg_pages (struct linux_binpr struct page *page = bprm->page[i]; if (page) { bprm->page[i] = NULL; - put_dirty_page(current, page, stack_base, PAGE_COPY); + put_dirty_page(current, page, stack_base, mpnt->vm_page_prot); } stack_base += PAGE_SIZE; } diff -puN arch/ia64/ia32/ia32priv.h~noexec-stack arch/ia64/ia32/ia32priv.h --- 25/arch/ia64/ia32/ia32priv.h~noexec-stack 2004-03-24 03:00:19.271872624 -0800 +++ 25-akpm/arch/ia64/ia32/ia32priv.h 2004-03-24 03:00:19.290869736 -0800 @@ -494,7 +494,7 @@ struct ia32_user_desc { struct linux_binprm; extern void ia32_init_addr_space (struct pt_regs *regs); -extern int ia32_setup_arg_pages (struct linux_binprm *bprm); +extern int ia32_setup_arg_pages (struct linux_binprm *bprm, int exec_stack); extern unsigned long ia32_do_mmap (struct file *, unsigned long, unsigned long, int, int, loff_t); extern void ia32_load_segment_descriptors (struct task_struct *task); diff -puN arch/mips/kernel/irixelf.c~noexec-stack arch/mips/kernel/irixelf.c --- 25/arch/mips/kernel/irixelf.c~noexec-stack 2004-03-24 03:00:19.273872320 -0800 +++ 25-akpm/arch/mips/kernel/irixelf.c 2004-03-24 03:00:19.291869584 -0800 @@ -688,7 +688,7 @@ static int load_irix_binary(struct linux * change some of these later. */ current->mm->rss = 0; - setup_arg_pages(bprm); + setup_arg_pages(bprm, EXSTACK_DEFAULT); current->mm->start_stack = bprm->p; /* At this point, we assume that the image should be loaded at diff -puN arch/s390/kernel/binfmt_elf32.c~noexec-stack arch/s390/kernel/binfmt_elf32.c --- 25/arch/s390/kernel/binfmt_elf32.c~noexec-stack 2004-03-24 03:00:19.274872168 -0800 +++ 25-akpm/arch/s390/kernel/binfmt_elf32.c 2004-03-24 03:00:19.291869584 -0800 @@ -114,7 +114,7 @@ typedef s390_regs32 elf_gregset_t; #include #include -int setup_arg_pages32(struct linux_binprm *bprm); +int setup_arg_pages32(struct linux_binprm *bprm, int executable_stack); #define elf_prstatus elf_prstatus32 struct elf_prstatus32 @@ -165,7 +165,7 @@ struct elf_prpsinfo32 #undef start_thread #define start_thread start_thread31 -#define setup_arg_pages(bprm) setup_arg_pages32(bprm) +#define setup_arg_pages(bprm, exec) setup_arg_pages32(bprm, exec) #define elf_map elf_map32 MODULE_DESCRIPTION("Binary format loader for compatibility with 32bit Linux for S390 binaries," diff -puN arch/s390/kernel/compat_exec.c~noexec-stack arch/s390/kernel/compat_exec.c --- 25/arch/s390/kernel/compat_exec.c~noexec-stack 2004-03-24 03:00:19.275872016 -0800 +++ 25-akpm/arch/s390/kernel/compat_exec.c 2004-03-24 03:00:19.292869432 -0800 @@ -37,7 +37,7 @@ #undef STACK_TOP #define STACK_TOP TASK31_SIZE -int setup_arg_pages32(struct linux_binprm *bprm) +int setup_arg_pages32(struct linux_binprm *bprm, int executable_stack) { unsigned long stack_base; struct vm_area_struct *mpnt; @@ -66,6 +66,7 @@ int setup_arg_pages32(struct linux_binpr mpnt->vm_mm = mm; mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p; mpnt->vm_end = STACK_TOP; + /* executable stack setting would be applied here */ mpnt->vm_page_prot = PAGE_COPY; mpnt->vm_flags = VM_STACK_FLAGS; mpnt->vm_ops = NULL; diff -puN arch/sparc64/kernel/binfmt_aout32.c~noexec-stack arch/sparc64/kernel/binfmt_aout32.c --- 25/arch/sparc64/kernel/binfmt_aout32.c~noexec-stack 2004-03-24 03:00:19.277871712 -0800 +++ 25-akpm/arch/sparc64/kernel/binfmt_aout32.c 2004-03-24 03:00:19.292869432 -0800 @@ -310,7 +310,7 @@ beyond_if: orig_thr_flags = current_thread_info()->flags; current_thread_info()->flags |= _TIF_32BIT; - retval = setup_arg_pages(bprm); + retval = setup_arg_pages(bprm, EXSTACK_DEFAULT); if (retval < 0) { current_thread_info()->flags = orig_thr_flags; diff -puN arch/x86_64/ia32/ia32_aout.c~noexec-stack arch/x86_64/ia32/ia32_aout.c --- 25/arch/x86_64/ia32/ia32_aout.c~noexec-stack 2004-03-24 03:00:19.278871560 -0800 +++ 25-akpm/arch/x86_64/ia32/ia32_aout.c 2004-03-24 03:00:19.293869280 -0800 @@ -35,7 +35,7 @@ #undef WARN_OLD #undef CORE_DUMP /* probably broken */ -extern int ia32_setup_arg_pages(struct linux_binprm *bprm); +extern int ia32_setup_arg_pages(struct linux_binprm *bprm, int exec_stack); static int load_aout_binary(struct linux_binprm *, struct pt_regs * regs); static int load_aout_library(struct file*); @@ -395,7 +395,7 @@ beyond_if: set_brk(current->mm->start_brk, current->mm->brk); - retval = ia32_setup_arg_pages(bprm); + retval = ia32_setup_arg_pages(bprm, EXSTACK_DEFAULT); if (retval < 0) { /* Someone check-me: is this error path enough? */ send_sig(SIGKILL, current, 0); diff -puN arch/x86_64/ia32/ia32_binfmt.c~noexec-stack arch/x86_64/ia32/ia32_binfmt.c --- 25/arch/x86_64/ia32/ia32_binfmt.c~noexec-stack 2004-03-24 03:00:19.279871408 -0800 +++ 25-akpm/arch/x86_64/ia32/ia32_binfmt.c 2004-03-24 03:00:19.294869128 -0800 @@ -272,8 +272,8 @@ do { \ #define load_elf_binary load_elf32_binary #define ELF_PLAT_INIT(r, load_addr) elf32_init(r) -#define setup_arg_pages(bprm) ia32_setup_arg_pages(bprm) -int ia32_setup_arg_pages(struct linux_binprm *bprm); +#define setup_arg_pages(bprm, exec_stack) ia32_setup_arg_pages(bprm, exec_stack) +int ia32_setup_arg_pages(struct linux_binprm *bprm, int executable_stack); #undef start_thread #define start_thread(regs,new_rip,new_rsp) do { \ @@ -325,7 +325,7 @@ static void elf32_init(struct pt_regs *r me->thread.es = __USER_DS; } -int setup_arg_pages(struct linux_binprm *bprm) +int setup_arg_pages(struct linux_binprm *bprm, int executable_stack) { unsigned long stack_base; struct vm_area_struct *mpnt; @@ -354,7 +354,12 @@ int setup_arg_pages(struct linux_binprm mpnt->vm_mm = mm; mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p; mpnt->vm_end = IA32_STACK_TOP; - mpnt->vm_flags = vm_stack_flags32; + if (executable_stack == EXSTACK_ENABLE_X) + mpnt->vm_flags = vm_stack_flags32 | VM_EXEC; + else if (executable_stack == EXSTACK_DISABLE_X) + mpnt->vm_flags = vm_stack_flags32 & ~VM_EXEC; + else + mpnt->vm_flags = vm_stack_flags32; mpnt->vm_page_prot = (mpnt->vm_flags & VM_EXEC) ? PAGE_COPY_EXEC : PAGE_COPY; mpnt->vm_ops = NULL; @@ -370,7 +375,7 @@ int setup_arg_pages(struct linux_binprm struct page *page = bprm->page[i]; if (page) { bprm->page[i] = NULL; - put_dirty_page(current,page,stack_base,PAGE_COPY_EXEC); + put_dirty_page(current,page,stack_base,mpnt->vm_page_prot); } stack_base += PAGE_SIZE; } diff -puN fs/binfmt_aout.c~noexec-stack fs/binfmt_aout.c --- 25/fs/binfmt_aout.c~noexec-stack 2004-03-24 03:00:19.280871256 -0800 +++ 25-akpm/fs/binfmt_aout.c 2004-03-24 03:00:19.294869128 -0800 @@ -413,7 +413,7 @@ beyond_if: set_brk(current->mm->start_brk, current->mm->brk); - retval = setup_arg_pages(bprm); + retval = setup_arg_pages(bprm, EXSTACK_DEFAULT); if (retval < 0) { /* Someone check-me: is this error path enough? */ send_sig(SIGKILL, current, 0); diff -puN fs/binfmt_elf.c~noexec-stack fs/binfmt_elf.c --- 25/fs/binfmt_elf.c~noexec-stack 2004-03-24 03:00:19.282870952 -0800 +++ 25-akpm/fs/binfmt_elf.c 2004-03-24 03:00:19.296868824 -0800 @@ -476,6 +476,7 @@ static int load_elf_binary(struct linux_ struct exec interp_ex; char passed_fileno[6]; struct files_struct *files; + int executable_stack = EXSTACK_DEFAULT; /* Get the exec-header */ elf_ex = *((struct elfhdr *) bprm->buf); @@ -599,6 +600,15 @@ static int load_elf_binary(struct linux_ elf_ppnt++; } + elf_ppnt = elf_phdata; + for (i = 0; i < elf_ex.e_phnum; i++, elf_ppnt++) + if (elf_ppnt->p_type == PT_GNU_STACK) { + if (elf_ppnt->p_flags & PF_X) + executable_stack = EXSTACK_ENABLE_X; + else + executable_stack = EXSTACK_DISABLE_X; + } + /* Some simple consistency checks for the interpreter */ if (elf_interpreter) { interpreter_type = INTERPRETER_ELF | INTERPRETER_AOUT; @@ -674,7 +684,7 @@ static int load_elf_binary(struct linux_ change some of these later */ zero_rss(current->mm); current->mm->free_area_cache = TASK_UNMAPPED_BASE; - retval = setup_arg_pages(bprm); + retval = setup_arg_pages(bprm, executable_stack); if (retval < 0) { send_sig(SIGKILL, current, 0); goto out_free_dentry; diff -puN fs/binfmt_som.c~noexec-stack fs/binfmt_som.c --- 25/fs/binfmt_som.c~noexec-stack 2004-03-24 03:00:19.283870800 -0800 +++ 25-akpm/fs/binfmt_som.c 2004-03-24 03:00:19.296868824 -0800 @@ -254,7 +254,7 @@ load_som_binary(struct linux_binprm * bp set_binfmt(&som_format); compute_creds(bprm); - setup_arg_pages(bprm); + setup_arg_pages(bprm, EXSTACK_DEFAULT); create_som_tables(bprm); diff -puN fs/exec.c~noexec-stack fs/exec.c --- 25/fs/exec.c~noexec-stack 2004-03-24 03:00:19.284870648 -0800 +++ 25-akpm/fs/exec.c 2004-03-24 03:00:19.297868672 -0800 @@ -342,7 +342,7 @@ out_sig: return; } -int setup_arg_pages(struct linux_binprm *bprm) +int setup_arg_pages(struct linux_binprm *bprm, int executable_stack) { unsigned long stack_base; struct vm_area_struct *mpnt; @@ -425,8 +425,16 @@ int setup_arg_pages(struct linux_binprm mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p; mpnt->vm_end = STACK_TOP; #endif - mpnt->vm_page_prot = protection_map[VM_STACK_FLAGS & 0x7]; - mpnt->vm_flags = VM_STACK_FLAGS; + /* Adjust stack execute permissions; explicitly enable + * for EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X + * and leave alone (arch default) otherwise. */ + if (unlikely(executable_stack == EXSTACK_ENABLE_X)) + mpnt->vm_flags = VM_STACK_FLAGS | VM_EXEC; + else if (executable_stack == EXSTACK_DISABLE_X) + mpnt->vm_flags = VM_STACK_FLAGS & ~VM_EXEC; + else + mpnt->vm_flags = VM_STACK_FLAGS; + mpnt->vm_page_prot = protection_map[mpnt->vm_flags & 0x7]; mpnt->vm_ops = NULL; mpnt->vm_pgoff = 0; mpnt->vm_file = NULL; diff -puN include/linux/binfmts.h~noexec-stack include/linux/binfmts.h --- 25/include/linux/binfmts.h~noexec-stack 2004-03-24 03:00:19.285870496 -0800 +++ 25-akpm/include/linux/binfmts.h 2004-03-24 03:00:19.298868520 -0800 @@ -62,7 +62,13 @@ extern int prepare_binprm(struct linux_b extern void remove_arg_zero(struct linux_binprm *); extern int search_binary_handler(struct linux_binprm *,struct pt_regs *); extern int flush_old_exec(struct linux_binprm * bprm); -extern int setup_arg_pages(struct linux_binprm * bprm); + +/* Stack area protections */ +#define EXSTACK_DEFAULT 0 /* Whatever the arch defaults to */ +#define EXSTACK_DISABLE_X 1 /* Disable executable stacks */ +#define EXSTACK_ENABLE_X 2 /* Enable executable stacks */ + +extern int setup_arg_pages(struct linux_binprm * bprm, int executable_stack); extern int copy_strings(int argc,char __user * __user * argv,struct linux_binprm *bprm); extern int copy_strings_kernel(int argc,char ** argv,struct linux_binprm *bprm); extern void compute_creds(struct linux_binprm *binprm); diff -puN include/linux/elf.h~noexec-stack include/linux/elf.h --- 25/include/linux/elf.h~noexec-stack 2004-03-24 03:00:19.287870192 -0800 +++ 25-akpm/include/linux/elf.h 2004-03-24 03:00:19.298868520 -0800 @@ -35,6 +35,8 @@ typedef __s64 Elf64_Sxword; #define PT_HIPROC 0x7fffffff #define PT_GNU_EH_FRAME 0x6474e550 +#define PT_GNU_STACK (PT_LOOS + 0x474e551) + /* These constants define the different elf file types */ #define ET_NONE 0 #define ET_REL 1 _