1 files changed, 54 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon/03-arm64-don-t-set-READ_IMPLIES_EXEC-for-EM_AARCH64-ELF.patch b/recipes-kernel/linux/linux-hierofalcon/03-arm64-don-t-set-READ_IMPLIES_EXEC-for-EM_AARCH64-ELF.patch
new file mode 100644
index 0000000..01701a9
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon/03-arm64-don-t-set-READ_IMPLIES_EXEC-for-EM_AARCH64-ELF.patch
@@ -0,0 +1,54 @@
+From b2072dba2431de0cfef3e6fb9823537a812dd90b Mon Sep 17 00:00:00 2001
+From: Adrian Calianu <adrian.calianu@enea.com>
+Date: Mon, 23 Feb 2015 16:48:43 +0100
+Subject: [PATCH 1/1] arm64: don't set READ_IMPLIES_EXEC for EM_AARCH64 ELF
+ objects
+Currently, we're accidentally ending up with executable stacks on
+AArch64 when the ABI says we shouldn't be, and relying on glibc to
+fix things up for us when we're loaded. However, SELinux will deny us
+mucking with the stack, and hit us with execmem AVCs.
+current->personality & READ_IMPLIES_EXEC is currently being set for
+AArch64 binaries, resulting in an executable stack, when no explicit
+PT_GNU_STACK header is present.
+[kmcmarti@sedition ~]$ uname -p
+aarch64
+[kmcmarti@sedition ~]$ cat /proc/$$/personality 
+00400000
+The reason for this is, without an explicit PT_GNU_STACK entry in the
+binary, stk is still set to EXSTACK_DEFAULT (which should be
+non-executable on AArch64.) As a result, elf_read_implies_exec is true,
+and we set READ_IMPLIES_EXEC in binfmt_elf.c:load_elf_binary.
+Fix this to return 0 in the native case, and parrot the logic from
+arch/arm/kernel/elf.c otherwise. With this patch, binaries correctly
+don't have READ_IMPLIES_EXEC set, and we can let PT_GNU_STACK change
+things if it's explicitly requested.
+Patch provided by:
+Signed-off-by: Kyle McMartin <kyle@redhat.com>
+Signed-off-by: Adrian Calianu <adrian.calianu@enea.com>
+---
+ arch/arm64/include/asm/elf.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
+index 1f65be3..dbc9888 100644
+--- a/arch/arm64/include/asm/elf.h
+++ b/arch/arm64/include/asm/elf.h
+@@ -114,7 +114,8 @@ typedef struct user_fpsimd_state elf_fpregset_t;
+  */
+ #define elf_check_arch(x)              ((x)->e_machine == EM_AARCH64)
+ 
+-#define elf_read_implies_exec(ex,stk)  (stk != EXSTACK_DISABLE_X)
+#define elf_read_implies_exec(ex,stk) (test_thread_flag(TIF_32BIT) \
+                                    ? (stk == EXSTACK_ENABLE_X) : 0)
+ 
+ #define CORE_DUMP_USE_REGSET
+ #define ELF_EXEC_PAGESIZE      PAGE_SIZE
+-- 
+1.9.1

diff --git a/recipes-kernel/linux/linux-hierofalcon/03-arm64-don-t-set-READ_IMPLIES_EXEC-for-EM_AARCH64-ELF.patch b/recipes-kernel/linux/linux-hierofalcon/03-arm64-don-t-set-READ_IMPLIES_EXEC-for-EM_AARCH64-ELF.patch new file mode 100644 index 0000000..01701a9 --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon/03-arm64-don-t-set-READ_IMPLIES_EXEC-for-EM_AARCH64-ELF.patch
@@ -0,0 +1,54 @@
	1	From b2072dba2431de0cfef3e6fb9823537a812dd90b Mon Sep 17 00:00:00 2001
	2	From: Adrian Calianu <adrian.calianu@enea.com>
	3	Date: Mon, 23 Feb 2015 16:48:43 +0100
	4	Subject: [PATCH 1/1] arm64: don't set READ_IMPLIES_EXEC for EM_AARCH64 ELF
	5	objects
	6
	7	Currently, we're accidentally ending up with executable stacks on
	8	AArch64 when the ABI says we shouldn't be, and relying on glibc to
	9	fix things up for us when we're loaded. However, SELinux will deny us
	10	mucking with the stack, and hit us with execmem AVCs.
	11
	12	current->personality & READ_IMPLIES_EXEC is currently being set for
	13	AArch64 binaries, resulting in an executable stack, when no explicit
	14	PT_GNU_STACK header is present.
	15
	16	[kmcmarti@sedition ~]$ uname -p
	17	aarch64
	18	[kmcmarti@sedition ~]$ cat /proc/$$/personality
	19	00400000
	20	The reason for this is, without an explicit PT_GNU_STACK entry in the
	21	binary, stk is still set to EXSTACK_DEFAULT (which should be
	22	non-executable on AArch64.) As a result, elf_read_implies_exec is true,
	23	and we set READ_IMPLIES_EXEC in binfmt_elf.c:load_elf_binary.
	24
	25	Fix this to return 0 in the native case, and parrot the logic from
	26	arch/arm/kernel/elf.c otherwise. With this patch, binaries correctly
	27	don't have READ_IMPLIES_EXEC set, and we can let PT_GNU_STACK change
	28	things if it's explicitly requested.
	29
	30	Patch provided by:
	31	Signed-off-by: Kyle McMartin <kyle@redhat.com>
	32
	33	Signed-off-by: Adrian Calianu <adrian.calianu@enea.com>
	34	---
	35	arch/arm64/include/asm/elf.h \| 3 ++-
	36	1 file changed, 2 insertions(+), 1 deletion(-)
	37
	38	diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
	39	index 1f65be3..dbc9888 100644
	40	--- a/arch/arm64/include/asm/elf.h
	41	+++ b/arch/arm64/include/asm/elf.h
	42	@@ -114,7 +114,8 @@ typedef struct user_fpsimd_state elf_fpregset_t;
	43	*/
	44	#define elf_check_arch(x) ((x)->e_machine == EM_AARCH64)
	45
	46	-#define elf_read_implies_exec(ex,stk) (stk != EXSTACK_DISABLE_X)
	47	+#define elf_read_implies_exec(ex,stk) (test_thread_flag(TIF_32BIT) \
	48	+ ? (stk == EXSTACK_ENABLE_X) : 0)
	49
	50	#define CORE_DUMP_USE_REGSET
	51	#define ELF_EXEC_PAGESIZE PAGE_SIZE
	52	--
	53	1.9.1
	54