[v5,07/12] aarch64: enable BTI at runtime
Commit Message
The 06/12/2020 08:18, H.J. Lu wrote:
> On Fri, Jun 12, 2020 at 8:08 AM Szabolcs Nagy <szabolcs.nagy@arm.com> wrote:
> > The 06/12/2020 06:43, H.J. Lu wrote:
> > > Can you make _dl_process_pt_gnu_property more generic so that it
> > > can be shared with x86? If there is PT_GNU_PROPERTY, we don't
> > > need to check for multiple property notes. Thanks.
> >
> > it can use a hook for NT_GNU_PROPERTY_TYPE_0 notes
> > that is called for each property, e.g.
> >
> > int
> > _dl_process_gnu_property_note0(uint32_t type, uint32_t datasz, const void *data);
i also had to pass the link_map.
> > however this only helps on x86 if PT_GNU_PROPERTY
> > processing is before PT_NOTE processing otherwise
> > you cannot skip handling the notes.
>
> On x86-64, there are
>
> Program Headers:
> Type Offset VirtAddr PhysAddr
> FileSiz MemSiz Flags Align
...
> NOTE 0x0000000000000338 0x0000000000000338 0x0000000000000338
> 0x0000000000000020 0x0000000000000020 R 0x8
> NOTE 0x0000000000000358 0x0000000000000358 0x0000000000000358
> 0x0000000000000044 0x0000000000000044 R 0x4
> GNU_PROPERTY 0x0000000000000338 0x0000000000000338 0x0000000000000338
> 0x0000000000000020 0x0000000000000020 R 0x8
...
> Only the PT_NOTE segment with the correct alignment may contain property.
> In the first pass, we record such PT_NOTE segment, but don't process it.
> After all segments have been processed, we process the saved PT_NOTE segment
> if there is no GNU_PROPERTY segment.
i refactored the code but didn't change the x86 side.
note: in rtld there is only one pass (load segments
are already mapped) while dlopen does the property
handling in the second pass over program headers.
attaching v5 of the patch:
- moved _dl_process_pt_gnu_property to generic code
(into dl-load.c), this assumes PT_GNU_PROPERTY
is a gnu platform abi and the integer types used
for accessing it work on all targets.
- made _dl_process_pt_gnu_property return type void
and remove all failure handling (invalid notes
are ignored).
- only handle one NT_GNU_PROPERTY_TYPE_0.
- added _dl_process_gnu_property target hook.
- removed reviewed-by because of significant changes.
tested on aarch64.
Comments
On Thu, Jun 18, 2020 at 8:38 AM Szabolcs Nagy <szabolcs.nagy@arm.com> wrote:
>
> The 06/12/2020 08:18, H.J. Lu wrote:
> > On Fri, Jun 12, 2020 at 8:08 AM Szabolcs Nagy <szabolcs.nagy@arm.com> wrote:
> > > The 06/12/2020 06:43, H.J. Lu wrote:
> > > > Can you make _dl_process_pt_gnu_property more generic so that it
> > > > can be shared with x86? If there is PT_GNU_PROPERTY, we don't
> > > > need to check for multiple property notes. Thanks.
> > >
> > > it can use a hook for NT_GNU_PROPERTY_TYPE_0 notes
> > > that is called for each property, e.g.
> > >
> > > int
> > > _dl_process_gnu_property_note0(uint32_t type, uint32_t datasz, const void *data);
>
> i also had to pass the link_map.
>
> > > however this only helps on x86 if PT_GNU_PROPERTY
> > > processing is before PT_NOTE processing otherwise
> > > you cannot skip handling the notes.
> >
> > On x86-64, there are
> >
> > Program Headers:
> > Type Offset VirtAddr PhysAddr
> > FileSiz MemSiz Flags Align
> ...
> > NOTE 0x0000000000000338 0x0000000000000338 0x0000000000000338
> > 0x0000000000000020 0x0000000000000020 R 0x8
> > NOTE 0x0000000000000358 0x0000000000000358 0x0000000000000358
> > 0x0000000000000044 0x0000000000000044 R 0x4
> > GNU_PROPERTY 0x0000000000000338 0x0000000000000338 0x0000000000000338
> > 0x0000000000000020 0x0000000000000020 R 0x8
> ...
> > Only the PT_NOTE segment with the correct alignment may contain property.
> > In the first pass, we record such PT_NOTE segment, but don't process it.
> > After all segments have been processed, we process the saved PT_NOTE segment
> > if there is no GNU_PROPERTY segment.
>
> i refactored the code but didn't change the x86 side.
>
> note: in rtld there is only one pass (load segments
> are already mapped) while dlopen does the property
> handling in the second pass over program headers.
>
> attaching v5 of the patch:
>
> - moved _dl_process_pt_gnu_property to generic code
> (into dl-load.c), this assumes PT_GNU_PROPERTY
> is a gnu platform abi and the integer types used
> for accessing it work on all targets.
>
> - made _dl_process_pt_gnu_property return type void
> and remove all failure handling (invalid notes
> are ignored).
>
> - only handle one NT_GNU_PROPERTY_TYPE_0.
>
> - added _dl_process_gnu_property target hook.
>
> - removed reviewed-by because of significant changes.
>
> tested on aarch64.
>
Can you incorporate this patch into yours?
The old _dl_process_pt_note and _rtld_process_pt_note differ in how
the program header is read. The old _dl_process_pt_note is called
before PT_LOAD segments are mapped and _rtld_process_pt_note is called
after PT_LOAD segments are mapped. Since PT_GNU_PROPERTY is processed
after PT_LOAD segments are mapped, we can process PT_NOTE together with
PT_GNU_PROPERTY. We can remove the old _dl_process_pt_note and rename
_rtld_process_pt_note to _dl_process_pt_note.
NOTE: We scan program headers backward so that PT_NOTE can be skipped
if PT_GNU_PROPERTY exits.
Thanks.
The 06/18/2020 13:16, H.J. Lu wrote:
> On Thu, Jun 18, 2020 at 8:38 AM Szabolcs Nagy <szabolcs.nagy@arm.com> wrote:
> >
> > The 06/12/2020 08:18, H.J. Lu wrote:
> > > On Fri, Jun 12, 2020 at 8:08 AM Szabolcs Nagy <szabolcs.nagy@arm.com> wrote:
> > > > The 06/12/2020 06:43, H.J. Lu wrote:
> > > > > Can you make _dl_process_pt_gnu_property more generic so that it
> > > > > can be shared with x86? If there is PT_GNU_PROPERTY, we don't
> > > > > need to check for multiple property notes. Thanks.
> > > >
> > > > it can use a hook for NT_GNU_PROPERTY_TYPE_0 notes
> > > > that is called for each property, e.g.
> > > >
> > > > int
> > > > _dl_process_gnu_property_note0(uint32_t type, uint32_t datasz, const void *data);
> >
> > i also had to pass the link_map.
> >
> > > > however this only helps on x86 if PT_GNU_PROPERTY
> > > > processing is before PT_NOTE processing otherwise
> > > > you cannot skip handling the notes.
> > >
> > > On x86-64, there are
> > >
> > > Program Headers:
> > > Type Offset VirtAddr PhysAddr
> > > FileSiz MemSiz Flags Align
> > ...
> > > NOTE 0x0000000000000338 0x0000000000000338 0x0000000000000338
> > > 0x0000000000000020 0x0000000000000020 R 0x8
> > > NOTE 0x0000000000000358 0x0000000000000358 0x0000000000000358
> > > 0x0000000000000044 0x0000000000000044 R 0x4
> > > GNU_PROPERTY 0x0000000000000338 0x0000000000000338 0x0000000000000338
> > > 0x0000000000000020 0x0000000000000020 R 0x8
> > ...
> > > Only the PT_NOTE segment with the correct alignment may contain property.
> > > In the first pass, we record such PT_NOTE segment, but don't process it.
> > > After all segments have been processed, we process the saved PT_NOTE segment
> > > if there is no GNU_PROPERTY segment.
> >
> > i refactored the code but didn't change the x86 side.
> >
> > note: in rtld there is only one pass (load segments
> > are already mapped) while dlopen does the property
> > handling in the second pass over program headers.
> >
> > attaching v5 of the patch:
> >
> > - moved _dl_process_pt_gnu_property to generic code
> > (into dl-load.c), this assumes PT_GNU_PROPERTY
> > is a gnu platform abi and the integer types used
> > for accessing it work on all targets.
> >
> > - made _dl_process_pt_gnu_property return type void
> > and remove all failure handling (invalid notes
> > are ignored).
> >
> > - only handle one NT_GNU_PROPERTY_TYPE_0.
> >
> > - added _dl_process_gnu_property target hook.
> >
> > - removed reviewed-by because of significant changes.
> >
> > tested on aarch64.
> >
>
> Can you incorporate this patch into yours?
>
> The old _dl_process_pt_note and _rtld_process_pt_note differ in how
> the program header is read. The old _dl_process_pt_note is called
> before PT_LOAD segments are mapped and _rtld_process_pt_note is called
> after PT_LOAD segments are mapped. Since PT_GNU_PROPERTY is processed
> after PT_LOAD segments are mapped, we can process PT_NOTE together with
> PT_GNU_PROPERTY. We can remove the old _dl_process_pt_note and rename
> _rtld_process_pt_note to _dl_process_pt_note.
>
> NOTE: We scan program headers backward so that PT_NOTE can be skipped
> if PT_GNU_PROPERTY exits.
this makes sense to me and it can be a follow up
patch on top of my PT_GNU_PROPERTY patch, it
does not have to be integrated. (it's not ideal
to intergate it with the bti enablement, so i
would have to split that patch to do the property
things and bti things separately)
i think you didn't change the order of the phdr
processing, i'd expect a backward iteration in both
rtld.c and dl-load.c for that to work.
>
> Thanks.
>
> --
> H.J.
> From 53fb2346572a456f1a07a3a14c6b0859b556fab8 Mon Sep 17 00:00:00 2001
> From: "H.J. Lu" <hjl.tools@gmail.com>
> Date: Thu, 18 Jun 2020 10:28:39 -0700
> Subject: [PATCH] Rename _rtld_process_pt_note to _dl_process_pt_note
>
> The old _dl_process_pt_note and _rtld_process_pt_note differ in how
> the program header is read. The old _dl_process_pt_note is called
> before PT_LOAD segments are mapped and _rtld_process_pt_note is called
> after PT_LOAD segments are mapped. Since PT_GNU_PROPERTY is processed
> after PT_LOAD segments are mapped, we can process PT_NOTE together with
> PT_GNU_PROPERTY. We can remove the old _dl_process_pt_note and rename
> _rtld_process_pt_note to _dl_process_pt_note.
>
> NOTE: We scan program headers backward so that PT_NOTE can be skipped
> if PT_GNU_PROPERTY exits.
> ---
> elf/dl-load.c | 15 ++++++-------
> elf/rtld.c | 4 +---
> sysdeps/aarch64/dl-prop.h | 16 ++------------
> sysdeps/generic/dl-prop.h | 14 ++-----------
> sysdeps/x86/dl-prop.h | 44 ++-------------------------------------
> 5 files changed, 13 insertions(+), 80 deletions(-)
>
> diff --git a/elf/dl-load.c b/elf/dl-load.c
> index 66bd0ca0a3..b04dff559c 100644
> --- a/elf/dl-load.c
> +++ b/elf/dl-load.c
> @@ -1216,14 +1216,6 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
> l->l_relro_addr = ph->p_vaddr;
> l->l_relro_size = ph->p_memsz;
> break;
> -
> - case PT_NOTE:
> - if (_dl_process_pt_note (l, ph, fd, fbp))
> - {
> - errstring = N_("cannot process note segment");
> - goto call_lose;
> - }
> - break;
> }
>
> if (__glibc_unlikely (nloadcmds == 0))
> @@ -1261,10 +1253,15 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
> goto call_lose;
>
> /* Process program headers again after load segments are mapped in
> - case processing requires accessing those segments. */
> + case processing requires accessing those segments. Scan program
> + headers backward so that PT_NOTE can be skipped if PT_GNU_PROPERTY
> + exits. */
> for (ph = phdr; ph < &phdr[l->l_phnum]; ++ph)
> switch (ph->p_type)
> {
> + case PT_NOTE:
> + _dl_process_pt_note (l, ph);
> + break;
> case PT_GNU_PROPERTY:
> _dl_process_pt_gnu_property (l, ph);
> break;
> diff --git a/elf/rtld.c b/elf/rtld.c
> index 3ad2bf5079..ea68fea3e6 100644
> --- a/elf/rtld.c
> +++ b/elf/rtld.c
> @@ -1513,9 +1513,7 @@ of this helper program; chances are you did not intend to run this program.\n\
> break;
>
> case PT_NOTE:
> - if (_rtld_process_pt_note (main_map, ph))
> - _dl_error_printf ("\
> -ERROR: '%s': cannot process note segment.\n", _dl_argv[0]);
> + _dl_process_pt_note (main_map, ph);
> break;
> }
>
> diff --git a/sysdeps/aarch64/dl-prop.h b/sysdeps/aarch64/dl-prop.h
> index 70edc52145..b0785bda83 100644
> --- a/sysdeps/aarch64/dl-prop.h
> +++ b/sysdeps/aarch64/dl-prop.h
> @@ -19,8 +19,6 @@
> #ifndef _DL_PROP_H
> #define _DL_PROP_H
>
> -#include <not-cancel.h>
> -
> extern void _dl_bti_check (struct link_map *, const char *)
> attribute_hidden;
>
> @@ -36,19 +34,9 @@ _dl_open_check (struct link_map *m)
> _dl_bti_check (m, NULL);
> }
>
> -#ifdef FILEBUF_SIZE
> -static inline int __attribute__ ((always_inline))
> -_dl_process_pt_note (struct link_map *l, const ElfW(Phdr) *ph,
> - int fd, struct filebuf *fbp)
> -{
> - return 0;
> -}
> -#endif
> -
> -static inline int __attribute__ ((always_inline))
> -_rtld_process_pt_note (struct link_map *l, const ElfW(Phdr) *ph)
> +static inline void __attribute__ ((always_inline))
> +_dl_process_pt_note (struct link_map *l, const ElfW(Phdr) *ph)
> {
> - return 0;
> }
>
> static inline int
> diff --git a/sysdeps/generic/dl-prop.h b/sysdeps/generic/dl-prop.h
> index ceb6f623ee..f1cf576fe3 100644
> --- a/sysdeps/generic/dl-prop.h
> +++ b/sysdeps/generic/dl-prop.h
> @@ -36,19 +36,9 @@ _dl_open_check (struct link_map *m)
> {
> }
>
> -#ifdef FILEBUF_SIZE
> -static inline int __attribute__ ((always_inline))
> -_dl_process_pt_note (struct link_map *l, const ElfW(Phdr) *ph,
> - int fd, struct filebuf *fbp)
> -{
> - return 0;
> -}
> -#endif
> -
> -static inline int __attribute__ ((always_inline))
> -_rtld_process_pt_note (struct link_map *l, const ElfW(Phdr) *ph)
> +static inline void __attribute__ ((always_inline))
> +_dl_process_pt_note (struct link_map *l, const ElfW(Phdr) *ph)
> {
> - return 0;
> }
>
> /* Called for each property in the NT_GNU_PROPERTY_TYPE_0 note of L,
> diff --git a/sysdeps/x86/dl-prop.h b/sysdeps/x86/dl-prop.h
> index 4a8ebc573e..89911e19e2 100644
> --- a/sysdeps/x86/dl-prop.h
> +++ b/sysdeps/x86/dl-prop.h
> @@ -19,8 +19,6 @@
> #ifndef _DL_PROP_H
> #define _DL_PROP_H
>
> -#include <not-cancel.h>
> -
> extern void _dl_cet_check (struct link_map *, const char *)
> attribute_hidden;
> extern void _dl_cet_open_check (struct link_map *)
> @@ -146,49 +144,11 @@ _dl_process_cet_property_note (struct link_map *l,
> #endif
> }
>
> -#ifdef FILEBUF_SIZE
> -static inline int __attribute__ ((unused))
> -_dl_process_pt_note (struct link_map *l, const ElfW(Phdr) *ph,
> - int fd, struct filebuf *fbp)
> -{
> -# if CET_ENABLED
> - const ElfW(Nhdr) *note;
> - ElfW(Nhdr) *note_malloced = NULL;
> - ElfW(Addr) size = ph->p_filesz;
> -
> - if (ph->p_offset + size <= (size_t) fbp->len)
> - note = (const void *) (fbp->buf + ph->p_offset);
> - else
> - {
> - if (size < __MAX_ALLOCA_CUTOFF)
> - note = alloca (size);
> - else
> - {
> - note_malloced = malloc (size);
> - note = note_malloced;
> - }
> - if (__pread64_nocancel (fd, (void *) note, size, ph->p_offset) != size)
> - {
> - if (note_malloced)
> - free (note_malloced);
> - return -1;
> - }
> - }
> -
> - _dl_process_cet_property_note (l, note, size, ph->p_align);
> - if (note_malloced)
> - free (note_malloced);
> -# endif
> - return 0;
> -}
> -#endif
> -
> -static inline int __attribute__ ((unused))
> -_rtld_process_pt_note (struct link_map *l, const ElfW(Phdr) *ph)
> +static inline void __attribute__ ((unused))
> +_dl_process_pt_note (struct link_map *l, const ElfW(Phdr) *ph)
> {
> const ElfW(Nhdr) *note = (const void *) (ph->p_vaddr + l->l_addr);
> _dl_process_cet_property_note (l, note, ph->p_memsz, ph->p_align);
> - return 0;
> }
>
> static inline int __attribute__ ((always_inline))
> --
> 2.26.2
>
--
On Fri, Jun 19, 2020 at 5:32 AM Szabolcs Nagy <szabolcs.nagy@arm.com> wrote:
>
> The 06/18/2020 13:16, H.J. Lu wrote:
> > On Thu, Jun 18, 2020 at 8:38 AM Szabolcs Nagy <szabolcs.nagy@arm.com> wrote:
> > >
> > > The 06/12/2020 08:18, H.J. Lu wrote:
> > > > On Fri, Jun 12, 2020 at 8:08 AM Szabolcs Nagy <szabolcs.nagy@arm.com> wrote:
> > > > > The 06/12/2020 06:43, H.J. Lu wrote:
> > > > > > Can you make _dl_process_pt_gnu_property more generic so that it
> > > > > > can be shared with x86? If there is PT_GNU_PROPERTY, we don't
> > > > > > need to check for multiple property notes. Thanks.
> > > > >
> > > > > it can use a hook for NT_GNU_PROPERTY_TYPE_0 notes
> > > > > that is called for each property, e.g.
> > > > >
> > > > > int
> > > > > _dl_process_gnu_property_note0(uint32_t type, uint32_t datasz, const void *data);
> > >
> > > i also had to pass the link_map.
> > >
> > > > > however this only helps on x86 if PT_GNU_PROPERTY
> > > > > processing is before PT_NOTE processing otherwise
> > > > > you cannot skip handling the notes.
> > > >
> > > > On x86-64, there are
> > > >
> > > > Program Headers:
> > > > Type Offset VirtAddr PhysAddr
> > > > FileSiz MemSiz Flags Align
> > > ...
> > > > NOTE 0x0000000000000338 0x0000000000000338 0x0000000000000338
> > > > 0x0000000000000020 0x0000000000000020 R 0x8
> > > > NOTE 0x0000000000000358 0x0000000000000358 0x0000000000000358
> > > > 0x0000000000000044 0x0000000000000044 R 0x4
> > > > GNU_PROPERTY 0x0000000000000338 0x0000000000000338 0x0000000000000338
> > > > 0x0000000000000020 0x0000000000000020 R 0x8
> > > ...
> > > > Only the PT_NOTE segment with the correct alignment may contain property.
> > > > In the first pass, we record such PT_NOTE segment, but don't process it.
> > > > After all segments have been processed, we process the saved PT_NOTE segment
> > > > if there is no GNU_PROPERTY segment.
> > >
> > > i refactored the code but didn't change the x86 side.
> > >
> > > note: in rtld there is only one pass (load segments
> > > are already mapped) while dlopen does the property
> > > handling in the second pass over program headers.
> > >
> > > attaching v5 of the patch:
> > >
> > > - moved _dl_process_pt_gnu_property to generic code
> > > (into dl-load.c), this assumes PT_GNU_PROPERTY
> > > is a gnu platform abi and the integer types used
> > > for accessing it work on all targets.
> > >
> > > - made _dl_process_pt_gnu_property return type void
> > > and remove all failure handling (invalid notes
> > > are ignored).
> > >
> > > - only handle one NT_GNU_PROPERTY_TYPE_0.
> > >
> > > - added _dl_process_gnu_property target hook.
> > >
> > > - removed reviewed-by because of significant changes.
> > >
> > > tested on aarch64.
> > >
> >
> > Can you incorporate this patch into yours?
> >
> > The old _dl_process_pt_note and _rtld_process_pt_note differ in how
> > the program header is read. The old _dl_process_pt_note is called
> > before PT_LOAD segments are mapped and _rtld_process_pt_note is called
> > after PT_LOAD segments are mapped. Since PT_GNU_PROPERTY is processed
> > after PT_LOAD segments are mapped, we can process PT_NOTE together with
> > PT_GNU_PROPERTY. We can remove the old _dl_process_pt_note and rename
> > _rtld_process_pt_note to _dl_process_pt_note.
> >
> > NOTE: We scan program headers backward so that PT_NOTE can be skipped
> > if PT_GNU_PROPERTY exits.
>
> this makes sense to me and it can be a follow up
> patch on top of my PT_GNU_PROPERTY patch, it
> does not have to be integrated. (it's not ideal
> to intergate it with the bti enablement, so i
> would have to split that patch to do the property
> things and bti things separately)
>
My patch deletes/renames codes just added by your patch.
Can you split your patch into 2 and incorporate my patch with
the first one?
Thanks.
From f03a3dfaa7e497b4413e59d2ab42942e25dcaeef Mon Sep 17 00:00:00 2001
From: Sudakshina Das <sudi.das@arm.com>
Date: Tue, 17 Mar 2020 15:54:12 +0000
Subject: [PATCH v5 07/12] aarch64: enable BTI at runtime
Binaries can opt-in to using BTI via an ELF object file marking.
The dynamic linker has to then mprotect the executable segments
with PROT_BTI. In case of static linked executables or in case
of the dynamic linker itself, PROT_BTI protection is done by the
operating system.
On AArch64 glibc uses PT_GNU_PROPERTY instead of PT_NOTE to check
the properties of a binary because PT_NOTE can be unreliable with
old linkers (old linkers just append the notes of input objects
together and add them to the output without checking them for
consistency which means multiple incompatible GNU property notes
can be present in PT_NOTE). The PT_GNU_PROPERTY handling is generic
and shared between rtld and dlopen and largely follows the logic
of the existing x86_64 note processing code, but only handles a
single NT_GNU_PROPERTY_TYPE_0 note. A new _dl_process_gnu_property
target hook is introduced in dl-prop.h which is called for each
property, this happens after PT_LOAD segments are mapped.
PT_GNU_PROPERTY handling has no failure mode, invalid content is
ignored.
BTI property is handled in the loader even if glibc is not built
with BTI support, so in theory user code can be BTI protected
independently of glibc. In practice though user binaries are not
marked with the BTI property if glibc has no support because the
static linked libc objects (crt files, libc_nonshared.a) are
unmarked.
This patch relies on Linux userspace API that is merged before
the v5.8-rc1 tag and scheduled to be in Linux 5.8.
Co-authored-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
---
elf/dl-load.c | 81 +++++++++++++++++++
elf/rtld.c | 4 +
sysdeps/aarch64/Makefile | 4 +
sysdeps/aarch64/dl-bti.c | 54 +++++++++++++
sysdeps/aarch64/dl-prop.h | 75 +++++++++++++++++
sysdeps/aarch64/linkmap.h | 3 +
sysdeps/generic/dl-prop.h | 19 +++--
sysdeps/generic/ldsodefs.h | 4 +
sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h | 1 +
sysdeps/unix/sysv/linux/aarch64/bits/mman.h | 31 +++++++
.../unix/sysv/linux/aarch64/cpu-features.c | 3 +
.../unix/sysv/linux/aarch64/cpu-features.h | 2 +
sysdeps/x86/dl-prop.h | 7 ++
13 files changed, 283 insertions(+), 5 deletions(-)
create mode 100644 sysdeps/aarch64/dl-bti.c
create mode 100644 sysdeps/aarch64/dl-prop.h
create mode 100644 sysdeps/unix/sysv/linux/aarch64/bits/mman.h
@@ -853,6 +853,77 @@ lose (int code, int fd, const char *name, char *realname, struct link_map *l,
}
+/* Process PT_GNU_PROPERTY program header PH in module L after
+ PT_LOAD segments are mapped. Only one NT_GNU_PROPERTY_TYPE_0
+ note is handled which contains processor specific properties. */
+
+void
+_dl_process_pt_gnu_property (struct link_map *l, const ElfW(Phdr) *ph)
+{
+ const ElfW(Nhdr) *note = (const void *) (ph->p_vaddr + l->l_addr);
+ const ElfW(Addr) size = ph->p_memsz;
+ const ElfW(Addr) align = ph->p_align;
+
+ /* The NT_GNU_PROPERTY_TYPE_0 note must be aligned to 4 bytes in
+ 32-bit objects and to 8 bytes in 64-bit objects. Skip notes
+ with incorrect alignment. */
+ if (align != (__ELF_NATIVE_CLASS / 8))
+ return;
+
+ const ElfW(Addr) start = (ElfW(Addr)) note;
+ unsigned int last_type = 0;
+
+ while ((ElfW(Addr)) (note + 1) - start < size)
+ {
+ /* Find the NT_GNU_PROPERTY_TYPE_0 note. */
+ if (note->n_namesz == 4
+ && note->n_type == NT_GNU_PROPERTY_TYPE_0
+ && memcmp (note + 1, "GNU", 4) == 0)
+ {
+ /* Check for invalid property. */
+ if (note->n_descsz < 8
+ || (note->n_descsz % sizeof (ElfW(Addr))) != 0)
+ return;
+
+ /* Start and end of property array. */
+ unsigned char *ptr = (unsigned char *) (note + 1) + 4;
+ unsigned char *ptr_end = ptr + note->n_descsz;
+
+ do
+ {
+ unsigned int type = *(unsigned int *) ptr;
+ unsigned int datasz = *(unsigned int *) (ptr + 4);
+
+ /* Property type must be in ascending order. */
+ if (type < last_type)
+ return;
+
+ ptr += 8;
+ if ((ptr + datasz) > ptr_end)
+ return;
+
+ last_type = type;
+
+ /* Target specific property processing. */
+ if (_dl_process_gnu_property(l, type, datasz, ptr) == 0)
+ return;
+
+ /* Check the next property item. */
+ ptr += ALIGN_UP (datasz, sizeof (ElfW(Addr)));
+ }
+ while ((ptr_end - ptr) >= 8);
+
+ /* Only handle one NT_GNU_PROPERTY_TYPE_0. */
+ return;
+ }
+
+ note = ((const void *) note
+ + ELF_NOTE_NEXT_OFFSET (note->n_namesz, note->n_descsz,
+ align));
+ }
+}
+
+
/* Map in the shared object NAME, actually located in REALNAME, and already
opened on FD. */
@@ -1188,6 +1259,16 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
maplength, has_holes, loader);
if (__glibc_unlikely (errstring != NULL))
goto call_lose;
+
+ /* Process program headers again after load segments are mapped in
+ case processing requires accessing those segments. */
+ for (ph = phdr; ph < &phdr[l->l_phnum]; ++ph)
+ switch (ph->p_type)
+ {
+ case PT_GNU_PROPERTY:
+ _dl_process_pt_gnu_property (l, ph);
+ break;
+ }
}
if (l->l_ld == 0)
@@ -1508,6 +1508,10 @@ of this helper program; chances are you did not intend to run this program.\n\
main_map->l_relro_size = ph->p_memsz;
break;
+ case PT_GNU_PROPERTY:
+ _dl_process_pt_gnu_property (main_map, ph);
+ break;
+
case PT_NOTE:
if (_rtld_process_pt_note (main_map, ph))
_dl_error_printf ("\
@@ -1,5 +1,9 @@
long-double-fcts = yes
+ifeq ($(subdir),elf)
+sysdep-dl-routines += dl-bti
+endif
+
ifeq ($(subdir),elf)
sysdep-dl-routines += tlsdesc dl-tlsdesc
gen-as-const-headers += dl-link.sym
new file mode 100644
@@ -0,0 +1,54 @@
+/* AArch64 BTI functions.
+ Copyright (C) 2020 Free Software Foundation, Inc.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <unistd.h>
+#include <errno.h>
+#include <libintl.h>
+#include <ldsodefs.h>
+
+static int
+enable_bti (struct link_map *map, const char *program)
+{
+ const ElfW(Phdr) *phdr;
+ unsigned prot = PROT_READ | PROT_EXEC | PROT_BTI;
+
+ for (phdr = map->l_phdr; phdr < &map->l_phdr[map->l_phnum]; ++phdr)
+ if (phdr->p_type == PT_LOAD && (phdr->p_flags & PF_X))
+ {
+ ElfW(Addr) start = phdr->p_vaddr + map->l_addr;
+ ElfW(Addr) len = phdr->p_memsz;
+ if (__mprotect ((void *) start, len, prot) < 0)
+ {
+ if (program)
+ _dl_fatal_printf ("%s: mprotect failed to turn on BTI\n",
+ map->l_name);
+ else
+ _dl_signal_error (errno, map->l_name, "dlopen",
+ N_("mprotect failed to turn on BTI"));
+ }
+ }
+ return 0;
+}
+
+/* Enable BTI for L if required. */
+
+void
+_dl_bti_check (struct link_map *l, const char *program)
+{
+ if (GLRO(dl_aarch64_cpu_features).bti && l->l_mach.bti)
+ enable_bti (l, program);
+}
new file mode 100644
@@ -0,0 +1,75 @@
+/* Support for GNU properties. AArch64 version.
+ Copyright (C) 2018-2020 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#ifndef _DL_PROP_H
+#define _DL_PROP_H
+
+#include <not-cancel.h>
+
+extern void _dl_bti_check (struct link_map *, const char *)
+ attribute_hidden;
+
+static inline void __attribute__ ((always_inline))
+_rtld_main_check (struct link_map *m, const char *program)
+{
+ _dl_bti_check (m, program);
+}
+
+static inline void __attribute__ ((always_inline))
+_dl_open_check (struct link_map *m)
+{
+ _dl_bti_check (m, NULL);
+}
+
+#ifdef FILEBUF_SIZE
+static inline int __attribute__ ((always_inline))
+_dl_process_pt_note (struct link_map *l, const ElfW(Phdr) *ph,
+ int fd, struct filebuf *fbp)
+{
+ return 0;
+}
+#endif
+
+static inline int __attribute__ ((always_inline))
+_rtld_process_pt_note (struct link_map *l, const ElfW(Phdr) *ph)
+{
+ return 0;
+}
+
+static inline int
+_dl_process_gnu_property (struct link_map *l, uint32_t type, uint32_t datasz,
+ void *data)
+{
+ if (type == GNU_PROPERTY_AARCH64_FEATURE_1_AND)
+ {
+ /* Stop if the property note is ill-formed. */
+ if (datasz != 4)
+ return 0;
+
+ unsigned int feature_1 = *(unsigned int *) data;
+ if (feature_1 & GNU_PROPERTY_AARCH64_FEATURE_1_BTI)
+ l->l_mach.bti = true;
+
+ /* Stop if we processed the property note. */
+ return 0;
+ }
+ /* Continue. */
+ return 1;
+}
+
+#endif /* _DL_PROP_H */
@@ -16,8 +16,11 @@
License along with the GNU C Library; if not, see
<https://www.gnu.org/licenses/>. */
+#include <stdbool.h>
+
struct link_map_machine
{
ElfW(Addr) plt; /* Address of .plt */
void *tlsdesc_table; /* Address of TLS descriptor hash table. */
+ bool bti; /* Branch Target Identification is enabled. */
};
@@ -20,11 +20,11 @@
#define _DL_PROP_H
/* The following functions are used by the dynamic loader and the
- dlopen machinery to process PT_NOTE entries in the binary or
- shared object. The notes can be used to change the behaviour of
- the loader, and as such offer a flexible mechanism for hooking in
- various checks related to ABI tags or implementing "flag day" ABI
- transitions. */
+ dlopen machinery to process PT_NOTE and PT_GNU_PROPERTY entries in
+ the binary or shared object. The notes can be used to change the
+ behaviour of the loader, and as such offer a flexible mechanism
+ for hooking in various checks related to ABI tags or implementing
+ "flag day" ABI transitions. */
static inline void __attribute__ ((always_inline))
_rtld_main_check (struct link_map *m, const char *program)
@@ -51,4 +51,13 @@ _rtld_process_pt_note (struct link_map *l, const ElfW(Phdr) *ph)
return 0;
}
+/* Called for each property in the NT_GNU_PROPERTY_TYPE_0 note of L,
+ processing of the properties continues until this returns 0. */
+static inline int __attribute__ ((always_inline))
+_dl_process_gnu_property (struct link_map *l, uint32_t type, uint32_t datasz,
+ void *data)
+{
+ return 0;
+}
+
#endif /* _DL_PROP_H */
@@ -910,6 +910,10 @@ extern void _dl_setup_hash (struct link_map *map) attribute_hidden;
extern void _dl_rtld_di_serinfo (struct link_map *loader,
Dl_serinfo *si, bool counting);
+/* Process PT_GNU_PROPERTY program header PH in module L after
+ PT_LOAD segments are mapped. */
+void _dl_process_pt_gnu_property (struct link_map *l, const ElfW(Phdr) *ph);
+
/* Search loaded objects' symbol tables for a definition of the symbol
referred to by UNDEF. *SYM is the symbol table entry containing the
@@ -72,3 +72,4 @@
#define HWCAP2_BF16 (1 << 14)
#define HWCAP2_DGH (1 << 15)
#define HWCAP2_RNG (1 << 16)
+#define HWCAP2_BTI (1 << 17)
new file mode 100644
@@ -0,0 +1,31 @@
+/* Definitions for POSIX memory map interface. Linux/AArch64 version.
+ Copyright (C) 2020 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#ifndef _SYS_MMAN_H
+# error "Never use <bits/mman.h> directly; include <sys/mman.h> instead."
+#endif
+
+/* AArch64 specific definitions, should be in sync with
+ arch/arm64/include/uapi/asm/mman.h. */
+
+#define PROT_BTI 0x10
+
+#include <bits/mman-map-flags-generic.h>
+
+/* Include generic Linux declarations. */
+#include <bits/mman-linux.h>
@@ -83,4 +83,7 @@ init_cpu_features (struct cpu_features *cpu_features)
if ((dczid & DCZID_DZP_MASK) == 0)
cpu_features->zva_size = 4 << (dczid & DCZID_BS_MASK);
+
+ /* Check if BTI is supported. */
+ cpu_features->bti = GLRO (dl_hwcap2) & HWCAP2_BTI;
}
@@ -20,6 +20,7 @@
#define _CPU_FEATURES_AARCH64_H
#include <stdint.h>
+#include <stdbool.h>
#define MIDR_PARTNUM_SHIFT 4
#define MIDR_PARTNUM_MASK (0xfff << MIDR_PARTNUM_SHIFT)
@@ -64,6 +65,7 @@ struct cpu_features
{
uint64_t midr_el1;
unsigned zva_size;
+ bool bti;
};
#endif /* _CPU_FEATURES_AARCH64_H */
@@ -191,4 +191,11 @@ _rtld_process_pt_note (struct link_map *l, const ElfW(Phdr) *ph)
return 0;
}
+static inline int __attribute__ ((always_inline))
+_dl_process_gnu_property (struct link_map *l, uint32_t type, uint32_t datasz,
+ void *data)
+{
+ return 0;
+}
+
#endif /* _DL_PROP_H */
--
2.17.1