Subject: Re: [PATCH 2/2] Add run-time chesk for indirect external access
To: "H.J. Lu", libc-alpha@sourceware.org
Date: Thu, 7 Oct 2021 13:58:53 -0300
Message-ID: <151a9b34-8247-8274-da59-cf16300d8c3b@linaro.org>
In-Reply-To: <20210803215914.4170913-2-hjl.tools@gmail.com>
From: Adhemerval Zanella via Libc-alpha
Reply-To: Adhemerval Zanella

On 03/08/2021 18:59, H.J. Lu via Libc-alpha wrote:
> When performing symbol lookup for references in executable without
> indirect external access:
>
> 1. Disallow copy relocations in executable against protected data symbols
>    in a shared object with indirect external access.
> 2. Disallow non-zero symbol values of undefined function symbols in
>    executable, which are used as the function pointer, against protected
>    function symbols in a shared object with indirect external access.

How hard would it be to add some testcases for both cases? To simplify we may
want to build it iff binutils supports noindirect-extern-access.

The rest LGTM, just a nit below due to an unused variable.

Reviewed-by: Adhemerval Zanella

> --- > elf/dl-lookup.c | 5 ++++ > sysdeps/generic/dl-protected.h | 54 ++++++++++++++++++++++++++++++++++ > 2 files changed, 59 insertions(+) > create mode 100644 sysdeps/generic/dl-protected.h > > diff --git a/elf/dl-lookup.c b/elf/dl-lookup.c > index eea217eb28..430359af39 100644 > --- a/elf/dl-lookup.c > +++ b/elf/dl-lookup.c > @@ -24,6 +24,7 @@ > #include > #include > #include > +#include > #include > #include > #include > @@ -527,6 +528,10 @@ do_lookup_x (const char *undef_name, uint_fast32_t new_hash, > if (__glibc_unlikely (dl_symbol_visibility_binds_local_p (sym))) > goto skip; > > + if (ELFW(ST_VISIBILITY) (sym->st_other) == STV_PROTECTED) > + _dl_check_protected_symbol (undef_name, undef_map, ref, map, > + type_class); > + > switch (ELFW(ST_BIND) (sym->st_info)) > { > case STB_WEAK: Ok. > diff --git a/sysdeps/generic/dl-protected.h b/sysdeps/generic/dl-protected.h > new file mode 100644 > index 0000000000..244d020dc4 > --- /dev/null > +++ b/sysdeps/generic/dl-protected.h
> @@ -0,0 +1,54 @@ > +/* Support for STV_PROTECTED visibility. Generic version. > + Copyright (C) 2021 Free Software Foundation, Inc. > + This file is part of the GNU C Library. > + > + The GNU C Library is free software; you can redistribute it and/or > + modify it under the terms of the GNU Lesser General Public > + License as published by the Free Software Foundation; either > + version 2.1 of the License, or (at your option) any later version. > + > + The GNU C Library is distributed in the hope that it will be useful, > + but WITHOUT ANY WARRANTY; without even the implied warranty of > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + Lesser General Public License for more details. > + > + You should have received a copy of the GNU Lesser General Public > + License along with the GNU C Library; if not, see > + . */ > + > +#ifndef _DL_PROTECTED_H > +#define _DL_PROTECTED_H > + > +static inline void __attribute__ ((always_inline)) > +_dl_check_protected_symbol (const char *undef_name, This argument seems unused. > + const struct link_map *undef_map, > + const ElfW(Sym) *ref, > + const struct link_map *map, > + int type_class) > +{ > + if (undef_map != NULL > + && undef_map->l_type == lt_executable > + && !(undef_map->l_1_needed > + & GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS) > + && (map->l_1_needed > + & GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS)) > + { > + if ((type_class & ELF_RTYPE_CLASS_COPY)) > + /* Disallow copy relocations in executable against protected > + data symbols in a shared object which needs indirect external > + access. 
*/ > + _dl_signal_error (0, map->l_name, undef_name, > + N_("copy relocation against non-copyable protected symbol")); > + else if (ref->st_value != 0 > + && ref->st_shndx == SHN_UNDEF > + && (type_class & ELF_RTYPE_CLASS_PLT)) > + /* Disallow non-zero symbol values of undefined symbols in > + executable, which are used as the function pointer, against > + protected function symbols in a shared object with indirect > + external access. */ > + _dl_signal_error (0, map->l_name, undef_name, > + N_("non-canonical reference to canonical protected function")); > + } > +} > + > +#endif /* _DL_PROTECTED_H */ > Ok.
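
Review bot: In the elf/dl-lookup.c hunk, the call to _dl_check_protected_symbol in do_lookup_x sits ahead of `switch (ELFW(ST_BIND) (sym->st_info))`, so the _dl_signal_error path can be taken before the candidate's binding has been examined. If the intent is to reject only definitions that the lookup would actually return, move the call into the cases that accept the symbol; if running it for every STV_PROTECTED candidate is intended, a short comment at the call site saying so would help, since the call currently carries none.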
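
Review bot: In sysdeps/generic/dl-protected.h, the `else if` branch of _dl_check_protected_symbol reads `ref->st_value` and `ref->st_shndx` with no NULL test, although `undef_map` is tested against NULL at the top of the same condition. Either add `ref != NULL` to that branch or state in a comment above the function that callers always pass a non-NULL `ref`. Two smaller points: `undef_name` is passed as the third argument to both _dl_signal_error calls, so the parameter has to stay; and both calls report `map->l_name`, the object defining the protected symbol, while the offending relocation belongs to `undef_map`, so it is worth checking that the resulting message points the user at the object that needs rebuilding.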