From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-Status: No, score=-3.7 required=3.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER,SPF_HELO_PASS,SPF_PASS,UNPARSEABLE_RELAY shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by dcvr.yhbt.net (Postfix) with ESMTPS id 9035C1F55B for ; Tue, 26 May 2020 11:20:39 +0000 (UTC) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 47F453851C34; Tue, 26 May 2020 11:20:38 +0000 (GMT) Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80078.outbound.protection.outlook.com [40.107.8.78]) by sourceware.org (Postfix) with ESMTPS id 3B2903851C08 for ; Tue, 26 May 2020 11:20:35 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 3B2903851C08 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=arm.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=Szabolcs.Nagy@arm.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fswLjG/TAIuagPS73KMN+aaIGWYp1xicxAKb3cVE3OE=; b=8N/1ynzocxAiaW9j20MJ4UCdDdLkLaSlr7VO+uF4Ugh40cw+8HBjhDLxOnrml9iy4bzmui/e6oFK0JfM4wjj2UCnSIASAtlrAx+c5LpR0d5/wVjerB8Dd0CBZ6rO2djauusS/n3SgjIwNtC7f8wD6ISRstUiCgsFkhO+po5jAV8= Received: from AM6P193CA0130.EURP193.PROD.OUTLOOK.COM (2603:10a6:209:85::35) by HE1PR0802MB2251.eurprd08.prod.outlook.com (2603:10a6:3:cc::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3021.27; Tue, 26 May 2020 11:20:33 +0000 Received: from VE1EUR03FT058.eop-EUR03.prod.protection.outlook.com (2603:10a6:209:85:cafe::92) by AM6P193CA0130.outlook.office365.com (2603:10a6:209:85::35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3021.24 via Frontend Transport; Tue, 26 May 2020 11:20:32 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; sourceware.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com; sourceware.org; dmarc=bestguesspass action=none header.from=arm.com; Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com; Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT058.mail.protection.outlook.com (10.152.19.86) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3021.23 via Frontend Transport; Tue, 26 May 2020 11:20:32 +0000 Received: ("Tessian outbound facc38080784:v57"); Tue, 26 May 2020 11:20:32 +0000 X-CheckRecipientChecked: true X-CR-MTA-CID: b0d77a66908cb819 X-CR-MTA-TID: 64aa7808 Received: from 065603b293db.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 785CECB8-C23B-4D4A-8B6A-82ED24CBC8AF.1; Tue, 26 May 2020 11:20:26 +0000 Received: from EUR05-DB8-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 065603b293db.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Tue, 26 May 2020 11:20:26 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cuZ+NUdSaf+1/ANKEpr8sBuej+m28Iz3pjV6l//x3O/xLaG1ZjA5XvCtQSBa15wMtgfAHAZ4RoLmOswpAQehPhb/2WXuHPEHx8zo6PQ9u5mada4n8BdUh1oB666D2sUzgUOcZYfSUUSirmMVz3trJRXQTGfee5Nv+Q6gk4iKvLQBTcDZ31c/DMZiTXEFisBKQ1GizyF9HV2B0ZwG7mAiiYOdZS42DBbXkA6S5IgXy13pqzmBaLhlUfMXBHGBRNXNq0p2NEQLdltAIak/iiZ2DOR5BaftqogBy8OGxZYpF4MNHkgwalP4yhUeLfJnzRnWD+YWXHIXEfZdp0mimJg/HA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fswLjG/TAIuagPS73KMN+aaIGWYp1xicxAKb3cVE3OE=; b=HRTLEREbSRXjwQKeYIpdOn/ABoxqsf//kHJ54BEMb5Lvf5EYfZOkDT9QzHaPms4IDLQE9pbTPkEXQAX31hiqHQYChuxklhcQ+RqVzMqQj9SyCCeTvGBSfASBsCHxIVCYX8bFtK4HJGtUnfqZcYvpCkPmrHiA8J0aEZIMtQcJMKhu6qJ57qK6NPxfY1SmWLCJxShXpmpZpJsiNPUphANLDfcjh00zj1x3INuWQPS1nrRcT24XSVgHvT5RQqIVbqsW9aAlWv4USq6LNbYqBiBNElT1XoFpOqftCvjGPc6EjinRNoetqSNxPsKv5y5iJbxlf+kFfBAFpKYt7AFFerOmpQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fswLjG/TAIuagPS73KMN+aaIGWYp1xicxAKb3cVE3OE=; b=8N/1ynzocxAiaW9j20MJ4UCdDdLkLaSlr7VO+uF4Ugh40cw+8HBjhDLxOnrml9iy4bzmui/e6oFK0JfM4wjj2UCnSIASAtlrAx+c5LpR0d5/wVjerB8Dd0CBZ6rO2djauusS/n3SgjIwNtC7f8wD6ISRstUiCgsFkhO+po5jAV8= Authentication-Results-Original: linaro.org; dkim=none (message not signed) header.d=none;linaro.org; dmarc=none action=none header.from=arm.com; Received: from AM6PR08MB3047.eurprd08.prod.outlook.com (2603:10a6:209:4c::23) by AM6PR08MB4769.eurprd08.prod.outlook.com (2603:10a6:20b:d0::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3021.27; Tue, 26 May 2020 11:20:25 +0000 Received: from AM6PR08MB3047.eurprd08.prod.outlook.com ([fe80::49fd:6ded:4da7:8862]) by AM6PR08MB3047.eurprd08.prod.outlook.com ([fe80::49fd:6ded:4da7:8862%7]) with mapi id 15.20.3021.029; Tue, 26 May 2020 11:20:25 +0000 Date: Tue, 26 May 2020 12:20:22 +0100 From: Szabolcs Nagy To: Adhemerval Zanella Subject: Re: [PATCH v3 09/13] aarch64: enable BTI at runtime Message-ID: <20200526112022.GA15501@arm.com> References: <7b32d3a81141aad6c52187d959ecf82d125a513c.1589552055.git.szabolcs.nagy@arm.com> <0302684a-59d1-1364-27da-9df34732de1c@linaro.org> Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <0302684a-59d1-1364-27da-9df34732de1c@linaro.org> User-Agent: Mutt/1.9.4 (2018-02-28) X-ClientProxiedBy: LNXP265CA0048.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:5c::36) To AM6PR08MB3047.eurprd08.prod.outlook.com (2603:10a6:209:4c::23) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from arm.com (217.140.106.55) by LNXP265CA0048.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:5c::36) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3045.17 via Frontend Transport; Tue, 26 May 2020 11:20:24 +0000 X-Originating-IP: [217.140.106.55] X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-HT: Tenant X-MS-Office365-Filtering-Correlation-Id: d3b91fb8-2242-4d77-60b3-08d80166ce02 X-MS-TrafficTypeDiagnostic: AM6PR08MB4769:|HE1PR0802MB2251: X-Microsoft-Antispam-PRVS: x-checkrecipientrouted: true NoDisclaimer: true X-MS-Oob-TLC-OOBClassifiers: OLM:8882;OLM:8882; X-Forefront-PRVS: 041517DFAB X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam-Untrusted: BCL:0; X-Microsoft-Antispam-Message-Info-Original: U0k2Qs94oOz+oAmF+BDAf/AuwKK+OttmBJb18BZVUoX6XZdAZUnJT/xPrbTYx7DizcptR8oGYmKeN38KLvCq4KVzNBvvQRMwUXHok6qJhaNhalBXlrmpdRH+r51vgwBHZzHt5VfqZNMGQd93/I35JIjEL+fXhwAtUQhNiioZaLCe3V2AmNcS4DKq8aZS5n8FR+PFtx7sV8UvPYiH9rVB6BumDANKv20lPawyCSyOQfl7DmLK8/MdLtRgAdqzY66hwRA6hvgf65O7Ta1Bo53b3BTQeisGxD6+fMHMhqmYyaiLihAk9Gy6U1zmLtVGhJWV/Tv+67z19/PWxhSAPXAChw== X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR08MB3047.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(396003)(346002)(366004)(376002)(136003)(66946007)(8676002)(16526019)(956004)(55016002)(186003)(44832011)(6916009)(2616005)(33656002)(66476007)(4326008)(7696005)(66556008)(2906002)(86362001)(8886007)(36756003)(316002)(53546011)(5660300002)(52116002)(26005)(8936002)(478600001)(1076003); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData: piKdMvqqGCrNYiV2gLOuDK4692AXPCjwMllfU5lTzmBZCoNpLzPHUGqZgDYpZNxKSCMmV0hZ9wzR0ru0EKlhTt4o3J8KV9nczN20+YtUalRrzKP1Gj6qGl54fEx5hmy4OlAgN+Xh763p/zjeNpWGub1NLUaSWwPHB0oc6eROQ7GOwCZ53+R3gCsHd90E7QL4ydeIKtoIevrq7Ln08qlpEXgg2PFJ2bS7HZuXJCSgown/nrUGfGJQfeE8h9p0JyE/VYF6uJYmiOGDyKhSpTo8r9boMNC3P80pItC3vdAdhAOIL5FybTQqjp7Gni5e8eNNh+fZiE42lfn8eVsjMuabVcQLGf2ZzNZXvpl5YivEtLdvw8HitobcYqlbrVhFtWHxmgEN4kQTV0cVF8yn3j5YCGIMZ3hzwlvczjxF0D/OpJhzHKhjnbvf7uJ3tQDuIF78yO06zTuSYiWu+zIy5E/TlcvxNXySh65NtX3R63ktf0o= X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB4769 Original-Authentication-Results: linaro.org; dkim=none (message not signed) header.d=none;linaro.org; dmarc=none action=none header.from=arm.com; X-EOPAttributedMessage: 0 X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT058.eop-EUR03.prod.protection.outlook.com X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(4636009)(376002)(396003)(136003)(346002)(39860400002)(46966005)(8936002)(36906005)(82310400002)(81166007)(55016002)(8676002)(26005)(356005)(956004)(2616005)(70206006)(1076003)(33656002)(7696005)(2906002)(70586007)(478600001)(44832011)(316002)(5660300002)(53546011)(336012)(4326008)(6862004)(36756003)(16526019)(82740400003)(8886007)(47076004)(86362001)(186003); DIR:OUT; SFP:1101; X-MS-Office365-Filtering-Correlation-Id-Prvs: bf13ae4d-b053-4f2f-87f4-08d80166c946 X-Forefront-PRVS: 041517DFAB X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: ufeYi5cNRa9DVChrlHvAWzbZ/Z8BwHw3QIcRUsXztVoOWe9NCla1ocn4JbLeYs5axAitOb42VfesQFWGH/hKcBODF9lIg4492J8blxosPJF8HruaCTQtceCSGXIuOTEdND+Kq4sYJujcob6DgesAdw1FzDV9ezbqaUk/CLjQasiTvuwaNBl5eeddI2NRUrM3HgOrJB8qPUrTgKDaZG0zUOjYLDejpIry6WD5EFYMbnwTrOnz6dfpGblAgFFkcR/ec/ZGNBqh4yP0KO5hEg/a2tAe/sGj1+I4paC2WiNUSQ1tLY4++sD+58WMjkzyHVYCkA2d7zPr4KqJYJq0Jin6UECHdi7UQum27D2ZQzOwZnEaZ+ncHg03fw9V0xmObK/0fteyBzjQgCoxjFceeXRbCw== X-OriginatorOrg: arm.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 May 2020 11:20:32.6409 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: d3b91fb8-2242-4d77-60b3-08d80166ce02 X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0802MB2251 X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: libc-alpha@sourceware.org Errors-To: libc-alpha-bounces@sourceware.org Sender: "Libc-alpha" The 05/25/2020 16:53, Adhemerval Zanella wrote: > On 15/05/2020 11:40, Szabolcs Nagy wrote: > > From: Sudakshina Das > > > > Binaries can opt-in to using BTI via an ELF object file marking. > > The dynamic linker has to then mprotect the executable segments > > with PROT_BTI. In case of static linked executables or in case > > of the dynamic linker itself, PROT_BTI protection is done by the > > operating system. > > > > On AArch64 glibc uses PT_GNU_PROPERTY instead of PT_NOTE to check > > the properties of a binary because PT_NOTE can be unreliable with > > old linkers (old linkers just append the notes of input objects > > together and add them to the output without checking them for > > consistency which means multiple incompatible GNU property notes > > can be present in PT_NOTE). A new _dl_process_pt_gnu_property > > hook is introduced in dl-prop.h and to keep it maintainable the > > rtld and dlopen code paths use the same function (if the main > > map needs special treatment, that should be inferred by the hook > > from the link map). Unlike the _dt_process_pt_note hook this one > > is called after segments are mapped to avoid unbounded allocation > > and additional read syscall. Otherwise the AArch64 logic follows > > the x86 logic for handling GNU properties (but the code is not > > shared because x86 needs to manage internal CET state and look > > out for multiple property notes). > > > > BTI property is handled in the loader even if glibc is not built > > with BTI support, so in theory user code can be BTI protected > > independently of glibc. In practice though user binaries are not > > marked with the BTI property if glibc has no support because the > > static linked libc objects (crt files, libc_nonshared.a) are > > unmarked. > > > > This patch relies on Linux userspace API that is scheduled to be > > merged in Linux 5.8 and now it is in the for-next/bti-user branch > > of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git. > > > > Co-authored-by: Szabolcs Nagy > > LGTM with a just a nit below. > > Reviewed-by: Adhemerval Zanella thanks for the review. > > @@ -1188,6 +1188,19 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, > > maplength, has_holes, loader); > > if (__glibc_unlikely (errstring != NULL)) > > goto call_lose; > > + > > + /* Process program headers again after load segments are mapped. */ > > Maybe add a brief explanation of why it is done after load segment mapping? > > > + for (ph = phdr; ph < &phdr[l->l_phnum]; ++ph) > > + switch (ph->p_type) > > + { > > + case PT_GNU_PROPERTY: > > + if (_dl_process_pt_gnu_property (l, ph)) > > + { > > + errstring = N_("cannot process GNU property segment"); > > + goto call_lose; > > + } > > + break; > > + } btw i think the _dl_process_pt_note callback should be done here too and x86 fixed up accordingly so it does not need unbounded allocation + pread_nocancel to process the notes. > > +static int > > +enable_bti (struct link_map *map, const char *program) > > +{ > > + const ElfW(Phdr) *phdr; > > + unsigned prot = PROT_READ | PROT_EXEC | PROT_BTI; > > + > > + for (phdr = map->l_phdr; phdr < &map->l_phdr[map->l_phnum]; ++phdr) > > + if (phdr->p_type == PT_LOAD && (phdr->p_flags & PF_X)) > > + { > > + ElfW(Addr) start = phdr->p_vaddr + map->l_addr; > > + ElfW(Addr) len = phdr->p_memsz; > > + if (__mprotect ((void *) start, len, prot) < 0) > > + { > > + if (program) > > + _dl_fatal_printf ("%s: mprotect failed to turn on BTI\n", > > + map->l_name); > > + else > > + _dl_signal_error (EINVAL, map->l_name, "dlopen", > > + N_("mprotect failed to turn on BTI")); > > Is EINVAL the only possible error here (EACCES or ENOMEM might be still > possible)? no, i think passing errno makes more sense here. i'll fix it.