Date: Thu, 7 Oct 2021 10:10:50 -0700
Subject: Re: [PATCH 2/2] Add run-time check for indirect external access
To: Adhemerval Zanella
List-Id: Libc-alpha mailing list
From: "H.J. Lu via Libc-alpha"
Reply-To: "H.J. Lu"
Cc: GNU C Library

On Thu, Oct 7, 2021 at 9:58 AM Adhemerval Zanella wrote:
>
> On 03/08/2021 18:59, H.J. Lu via Libc-alpha wrote:
> > When performing symbol lookup for references in executable without
> > indirect external access:
> >
> > 1. Disallow copy relocations in executable against protected data symbols
> > in a shared object with indirect external access.
> > 2. Disallow non-zero symbol values of undefined function symbols in
> > executable, which are used as the function pointer, against protected
> > function symbols in a shared object with indirect external access.
>
> How hard would it be to add some testcases for both cases? To simplify we may
> want to build it iff binutils supports noindirect-extern-access.

I will submit followup patches with testcases from users/hjl/indirect/master
branch:

https://gitlab.com/x86-glibc/glibc/-/tree/users/hjl/indirect/master

including adding LD_DEBUG=protected to check copy relocations against
protected data and non-canonical reference to protected function.

> The rest LGTM, just a nit below due to an unused variable.
>
> Reviewed-by: Adhemerval Zanella
>
> > --- > > elf/dl-lookup.c | 5 ++++ > > sysdeps/generic/dl-protected.h | 54 ++++++++++++++++++++++++++++++++++ > > 2 files changed, 59 insertions(+) > > create mode 100644 sysdeps/generic/dl-protected.h > > > > diff --git a/elf/dl-lookup.c b/elf/dl-lookup.c > > index eea217eb28..430359af39 100644 > > --- a/elf/dl-lookup.c > > +++ b/elf/dl-lookup.c > > @@ -24,6 +24,7 @@ > > #include > > #include > > #include > > +#include > > #include > > #include > > #include 
> > @@ -527,6 +528,10 @@ do_lookup_x (const char *undef_name, uint_fast32_t new_hash, > > if (__glibc_unlikely (dl_symbol_visibility_binds_local_p (sym))) > > goto skip; > > > > + if (ELFW(ST_VISIBILITY) (sym->st_other) == STV_PROTECTED) > > + _dl_check_protected_symbol (undef_name, undef_map, ref, map, > > + type_class); > > + > > switch (ELFW(ST_BIND) (sym->st_info)) > > { > > case STB_WEAK: > > Ok. > > > diff --git a/sysdeps/generic/dl-protected.h b/sysdeps/generic/dl-protected.h > > new file mode 100644 > > index 0000000000..244d020dc4 > > --- /dev/null > > +++ b/sysdeps/generic/dl-protected.h 
> > @@ -0,0 +1,54 @@ > > +/* Support for STV_PROTECTED visibility. Generic version. > > + Copyright (C) 2021 Free Software Foundation, Inc. > > + This file is part of the GNU C Library. > > + > > + The GNU C Library is free software; you can redistribute it and/or > > + modify it under the terms of the GNU Lesser General Public > > + License as published by the Free Software Foundation; either > > + version 2.1 of the License, or (at your option) any later version. > > + > > + The GNU C Library is distributed in the hope that it will be useful, > > + but WITHOUT ANY WARRANTY; without even the implied warranty of > > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > > + Lesser General Public License for more details. > > + > > + You should have received a copy of the GNU Lesser General Public > > + License along with the GNU C Library; if not, see > > + . */ > > + > > +#ifndef _DL_PROTECTED_H > > +#define _DL_PROTECTED_H > > + > > +static inline void __attribute__ ((always_inline)) > > +_dl_check_protected_symbol (const char *undef_name, > > This argument seems unused. It is used in _dl_signal_error (0, map->l_name, undef_name, N_("non-canonical reference to canonical protected function")); > > + const struct link_map *undef_map, > > + const ElfW(Sym) *ref, > > + const struct link_map *map, > > + int type_class) > > +{ > > + if (undef_map != NULL > > + && undef_map->l_type == lt_executable > > + && !(undef_map->l_1_needed > > + & GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS) > > + && (map->l_1_needed > > + & GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS)) > > + { > > + if ((type_class & ELF_RTYPE_CLASS_COPY)) > > + /* Disallow copy relocations in executable against protected > > + data symbols in a shared object which needs indirect external > > + access. 
*/ > > + _dl_signal_error (0, map->l_name, undef_name, > > + N_("copy relocation against non-copyable protected symbol")); > > + else if (ref->st_value != 0 > > + && ref->st_shndx == SHN_UNDEF > > + && (type_class & ELF_RTYPE_CLASS_PLT)) > > + /* Disallow non-zero symbol values of undefined symbols in > > + executable, which are used as the function pointer, against > > + protected function symbols in a shared object with indirect > > + external access. */ > > + _dl_signal_error (0, map->l_name, undef_name, > > + N_("non-canonical reference to canonical protected function")); > > + } > > +} > > + > > +#endif /* _DL_PROTECTED_H */ > > > > Ok. I will check it in ASIS. Thanks. -- H.J.
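
Review bot: In the do_lookup_x hunk of elf/dl-lookup.c, the new STV_PROTECTED test is not annotated the way the dl_symbol_visibility_binds_local_p check directly above it is, and nothing at the call site says that _dl_check_protected_symbol can end the lookup through _dl_signal_error. Consider `if (__glibc_unlikely (ELFW(ST_VISIBILITY) (sym->st_other) == STV_PROTECTED))` for consistency, plus a one-line comment that the call may raise a relocation error before the ST_BIND switch is reached.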
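
Review bot: In _dl_check_protected_symbol (sysdeps/generic/dl-protected.h), the else-if branch reads ref->st_value and ref->st_shndx before it tests type_class, and ref has no NULL guard even though undef_map is checked against NULL at the top of the same function. If any caller of do_lookup_x can arrive with a null ref, that dereference happens inside the dynamic loader; testing `(type_class & ELF_RTYPE_CLASS_PLT)` first, or adding `ref != NULL`, keeps the branch safe without changing which cases are rejected. The new header also shows no includes of its own between the guard and the function, so a short comment naming what the includer must provide (ElfW, struct link_map, _dl_signal_error) would help.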