Subject: Re: [PATCH 2/2] Add run-time chesk for indirect external access
To: "H.J. Lu"
Date: Thu, 7 Oct 2021 14:45:34 -0300
Message-ID: <1cbf0fda-9241-a349-7a34-40043e63351d@linaro.org>
List-Id: Libc-alpha mailing list
From: Adhemerval Zanella via Libc-alpha
Reply-To: Adhemerval Zanella
Cc: GNU C Library

On 07/10/2021 14:10, H.J. Lu wrote: > On Thu, Oct 7, 2021 at 9:58 AM Adhemerval Zanella > wrote: >> >> >> >> On 03/08/2021 18:59, H.J. Lu via Libc-alpha wrote: >>> When performing symbol lookup for references in executable without >>> indirect external access: >>> >>> 1. Disallow copy relocations in executable against protected data symbols >>> in a shared object with indirect external access. >>> 2. Disallow non-zero symbol values of undefined function symbols in >>> executable, which are used as the function pointer, against protected >>> function symbols in a shared object with indirect external access. >> >> How hard would it be to add some testcases for both cases? To simplify we may >> want to build it iff binutils supports noindirect-extern-access. > > I will submit followup patches with testcases from > users/hjl/indirect/master branch: > > https://gitlab.com/x86-glibc/glibc/-/tree/users/hjl/indirect/master > > including adding LD_DEBUG=protected to check copy relocations against > protected data and non-canonical reference to protected function. > >> The rest LGTM, just a nit below due to an unused variable. >> >> Reviewed-by: Adhemerval Zanella >> >>> --- >>> elf/dl-lookup.c | 5 ++++ >>> sysdeps/generic/dl-protected.h | 54 ++++++++++++++++++++++++++++++++++ >>> 2 files changed, 59 insertions(+) >>> create mode 100644 sysdeps/generic/dl-protected.h >>> >>> diff --git a/elf/dl-lookup.c b/elf/dl-lookup.c >>> index eea217eb28..430359af39 100644 >>> --- a/elf/dl-lookup.c >>> +++ b/elf/dl-lookup.c >>> @@ -24,6 +24,7 @@ >>> #include >>> #include >>> #include >>> +#include >>> #include >>> #include >>> #include 
>>> @@ -527,6 +528,10 @@ do_lookup_x (const char *undef_name, uint_fast32_t new_hash, >>> if (__glibc_unlikely (dl_symbol_visibility_binds_local_p (sym))) >>> goto skip; >>> >>> + if (ELFW(ST_VISIBILITY) (sym->st_other) == STV_PROTECTED) >>> + _dl_check_protected_symbol (undef_name, undef_map, ref, map, >>> + type_class); >>> + >>> switch (ELFW(ST_BIND) (sym->st_info)) >>> { >>> case STB_WEAK: >> >> Ok. >> >>> diff --git a/sysdeps/generic/dl-protected.h b/sysdeps/generic/dl-protected.h >>> new file mode 100644 >>> index 0000000000..244d020dc4 >>> --- /dev/null >>> +++ b/sysdeps/generic/dl-protected.h 
>>> @@ -0,0 +1,54 @@ >>> +/* Support for STV_PROTECTED visibility. Generic version. >>> + Copyright (C) 2021 Free Software Foundation, Inc. >>> + This file is part of the GNU C Library. >>> + >>> + The GNU C Library is free software; you can redistribute it and/or >>> + modify it under the terms of the GNU Lesser General Public >>> + License as published by the Free Software Foundation; either >>> + version 2.1 of the License, or (at your option) any later version. >>> + >>> + The GNU C Library is distributed in the hope that it will be useful, >>> + but WITHOUT ANY WARRANTY; without even the implied warranty of >>> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU >>> + Lesser General Public License for more details. >>> + >>> + You should have received a copy of the GNU Lesser General Public >>> + License along with the GNU C Library; if not, see >>> + . */ >>> + >>> +#ifndef _DL_PROTECTED_H >>> +#define _DL_PROTECTED_H >>> + >>> +static inline void __attribute__ ((always_inline)) >>> +_dl_check_protected_symbol (const char *undef_name, >> >> This argument seems unused. > > It is used in > > _dl_signal_error (0, map->l_name, undef_name, > N_("non-canonical reference to canonical > protected function")); Indeed, you are right. > >>> + const struct link_map *undef_map, >>> + const ElfW(Sym) *ref, >>> + const struct link_map *map, >>> + int type_class) >>> +{ >>> + if (undef_map != NULL >>> + && undef_map->l_type == lt_executable >>> + && !(undef_map->l_1_needed >>> + & GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS) >>> + && (map->l_1_needed >>> + & GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS)) >>> + { >>> + if ((type_class & ELF_RTYPE_CLASS_COPY)) >>> + /* Disallow copy relocations in executable against protected >>> + data symbols in a shared object which needs indirect external >>> + access. 
*/ >>> + _dl_signal_error (0, map->l_name, undef_name, >>> + N_("copy relocation against non-copyable protected symbol")); >>> + else if (ref->st_value != 0 >>> + && ref->st_shndx == SHN_UNDEF >>> + && (type_class & ELF_RTYPE_CLASS_PLT)) >>> + /* Disallow non-zero symbol values of undefined symbols in >>> + executable, which are used as the function pointer, against >>> + protected function symbols in a shared object with indirect >>> + external access. */ >>> + _dl_signal_error (0, map->l_name, undef_name, >>> + N_("non-canonical reference to canonical protected function")); >>> + } >>> +} >>> + >>> +#endif /* _DL_PROTECTED_H */ >>> >> >> Ok. > > I will check it in ASIS. > > Thanks. >
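
Review bot: In the do_lookup_x hunk of elf/dl-lookup.c, the new `ELFW(ST_VISIBILITY) (sym->st_other) == STV_PROTECTED` test runs for every candidate symbol on the lookup path but has neither a branch hint nor a comment, while the `dl_symbol_visibility_binds_local_p` test directly above it is wrapped in `__glibc_unlikely`. Wrapping the new condition the same way would keep the two visibility checks consistent. A one-line comment should also say that `_dl_check_protected_symbol` only returns when the reference is allowed and otherwise signals an error, since the call site gives no hint that the lookup can abort here.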
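
Review bot: In `_dl_check_protected_symbol` in sysdeps/generic/dl-protected.h, the `else if` branch reads `ref->st_value` and `ref->st_shndx` before it tests `type_class & ELF_RTYPE_CLASS_PLT`, and nothing in the function checks `ref` against NULL, although `undef_map` gets an explicit `undef_map != NULL` guard in the outer condition. Either state in a comment that `ref` is never NULL on this path, or put the `type_class` test first and add `ref != NULL` so the dereference only happens for PLT-class lookups. The function also has no header comment. A short one should describe the two rejected cases and note that both `_dl_signal_error` calls report `map->l_name`, the shared object that defines the symbol, rather than the executable holding the offending reference.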