V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

Message ID CAMe9rOp1MQZM27q1fvF7_6otPDH_LYhpbdc25trwTGDsuBtp3g@mail.gmail.com
State New, archived
Headers

Commit Message

H.J. Lu Nov. 7, 2018, 8:34 p.m. UTC
  On Wed, Nov 7, 2018 at 10:32 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * H. J. Lu:
>
> > The older linker treats .note.gnu.property section as a generic note
> > section and just concatenates all .note.gnu.property sections from the
> > inputs to the output.  When the older linker is used to created the
> > program on CET-enabled OS, the generated output has .note.gnu.property
> > section with multiple NT_GNU_PROPERTY_TYPE_0 notes whose IBT and SHSTK
> > enable bits are set even if the program isn't CET enabled.  Such program
> > will crash on CET-enabled machines.  This patch updates the note parser:
> >
> > 1. Skip note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
> > 2. Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
> >
> >       [BZ #23509]
> >       * sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Skip
> >       note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
> >       Update the l_cet field when processing NT_GNU_PROPERTY_TYPE_0 note.
> >       Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
> >       * sysdeps/x86/link_map.h (l_cet): Expand to 3 bits,  Add
> >       lc_unknown.
>
> I would like to move this forward.
>
> I think the code is okay, as long as we are confident that older linkers
> will not produce multiple PT_NOTE segments, each containing one
> NT_GNU_PROPERTY_TYPE_0 note.  Maybe this should be mentioned in the
> commit message (assuming that you agree that my understanding of the
> code is correct).
>

Like this?
  

Comments

Florian Weimer Nov. 8, 2018, 10:52 a.m. UTC | #1
* H. J. Lu:

> On Wed, Nov 7, 2018 at 10:32 AM Florian Weimer <fweimer@redhat.com> wrote:
>>
>> * H. J. Lu:
>>
>> > The older linker treats .note.gnu.property section as a generic note
>> > section and just concatenates all .note.gnu.property sections from the
>> > inputs to the output.  When the older linker is used to created the
>> > program on CET-enabled OS, the generated output has .note.gnu.property
>> > section with multiple NT_GNU_PROPERTY_TYPE_0 notes whose IBT and SHSTK
>> > enable bits are set even if the program isn't CET enabled.  Such program
>> > will crash on CET-enabled machines.  This patch updates the note parser:
>> >
>> > 1. Skip note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
>> > 2. Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
>> >
>> >       [BZ #23509]
>> >       * sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Skip
>> >       note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
>> >       Update the l_cet field when processing NT_GNU_PROPERTY_TYPE_0 note.
>> >       Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
>> >       * sysdeps/x86/link_map.h (l_cet): Expand to 3 bits,  Add
>> >       lc_unknown.
>>
>> I would like to move this forward.
>>
>> I think the code is okay, as long as we are confident that older linkers
>> will not produce multiple PT_NOTE segments, each containing one
>> NT_GNU_PROPERTY_TYPE_0 note.  Maybe this should be mentioned in the
>> commit message (assuming that you agree that my understanding of the
>> code is correct).
>>
>
> Like this?

Sorry, let me rephrase:

The commit message talks about sections, not segments.  The code deals
with PT_NOTE segments, obviously.

Old linkers produce multiple PT_NOTE segments for the *same* alignment
if they process multiple note sections with differing alignment in a
certain order.  (It does not happen always.)

Based on reading the code, I think that if the first PT_NOTE segment it
encounters contains one NT_GNU_PROPERTY_TYPE_0 note that enables CET, it
will enable CET even if the loader produced multiple PT_NOTE segments,
and there is another (unmerged) NT_GNU_PROPERTY_TYPE_0 note in a
subsequent PT_NOTE segment.  This means that the current code can still
incorrectly enable CET in cases where an old linker produced a multitude
of PT_NOTE sections.

Based on the patch and the discussion so far it is unclear to me whether
you have analyzed the issue and concluded that split PT_NOTE segments of
the same alignment (as generated by old linkers in some cases) are not
relevant, or if it is an accidental omission in the patch.  The
explaination in the patch itself does not help because of the
section/segment discrepancy I mentioned first.

Thanks,
Florian
  
H.J. Lu Nov. 8, 2018, 1:15 p.m. UTC | #2
On Thu, Nov 8, 2018 at 2:52 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * H. J. Lu:
>
> > On Wed, Nov 7, 2018 at 10:32 AM Florian Weimer <fweimer@redhat.com> wrote:
> >>
> >> * H. J. Lu:
> >>
> >> > The older linker treats .note.gnu.property section as a generic note
> >> > section and just concatenates all .note.gnu.property sections from the
> >> > inputs to the output.  When the older linker is used to created the
> >> > program on CET-enabled OS, the generated output has .note.gnu.property
> >> > section with multiple NT_GNU_PROPERTY_TYPE_0 notes whose IBT and SHSTK
> >> > enable bits are set even if the program isn't CET enabled.  Such program
> >> > will crash on CET-enabled machines.  This patch updates the note parser:
> >> >
> >> > 1. Skip note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
> >> > 2. Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
> >> >
> >> >       [BZ #23509]
> >> >       * sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Skip
> >> >       note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
> >> >       Update the l_cet field when processing NT_GNU_PROPERTY_TYPE_0 note.
> >> >       Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
> >> >       * sysdeps/x86/link_map.h (l_cet): Expand to 3 bits,  Add
> >> >       lc_unknown.
> >>
> >> I would like to move this forward.
> >>
> >> I think the code is okay, as long as we are confident that older linkers
> >> will not produce multiple PT_NOTE segments, each containing one
> >> NT_GNU_PROPERTY_TYPE_0 note.  Maybe this should be mentioned in the
> >> commit message (assuming that you agree that my understanding of the
> >> code is correct).
> >>
> >
> > Like this?
>
> Sorry, let me rephrase:
>
> The commit message talks about sections, not segments.  The code deals
> with PT_NOTE segments, obviously.

See my reply before.

> Old linkers produce multiple PT_NOTE segments for the *same* alignment
> if they process multiple note sections with differing alignment in a
> certain order.  (It does not happen always.)

True.

> Based on reading the code, I think that if the first PT_NOTE segment it
> encounters contains one NT_GNU_PROPERTY_TYPE_0 note that enables CET, it
> will enable CET even if the loader produced multiple PT_NOTE segments,
> and there is another (unmerged) NT_GNU_PROPERTY_TYPE_0 note in a
> subsequent PT_NOTE segment.  This means that the current code can still
> incorrectly enable CET in cases where an old linker produced a multitude
> of PT_NOTE sections.

Linkers group input note sections with the same name into a single output note
section with the same name.  One output note section is placed in one PT_NOTE
segment.  There won't be "another (unmerged) NT_GNU_PROPERTY_TYPE_0
note in a subsequent PT_NOTE segment."

> Based on the patch and the discussion so far it is unclear to me whether
> you have analyzed the issue and concluded that split PT_NOTE segments of
> the same alignment (as generated by old linkers in some cases) are not
> relevant, or if it is an accidental omission in the patch.  The
> explaination in the patch itself does not help because of the
> section/segment discrepancy I mentioned first.
>
  

Patch

From b3d82373cb499ceaceafe10b07dd1492c18484c2 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Fri, 10 Aug 2018 18:43:22 -0700
Subject: [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

The older linker treats .note.gnu.property section as a generic note
section and just concatenates all input .note.gnu.property sections
into a single output .note.gnu.property section without merging them.
When the older linker is used to created the program on CET-enabled OS,
the linker output has a single .note.gnu.property section with multiple
NT_GNU_PROPERTY_TYPE_0 notes, some of which have IBT and SHSTK enable
bits set even if the program isn't CET enabled.  Such programs will
crash on CET-enabled machines.  This patch updates the note parser:

1. Skip note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
2. Check multiple NT_GNU_PROPERTY_TYPE_0 notes.

	[BZ #23509]
	* sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Skip
	note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
	Update the l_cet field when processing NT_GNU_PROPERTY_TYPE_0 note.
	Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
	* sysdeps/x86/link_map.h (l_cet): Expand to 3 bits,  Add
	lc_unknown.
---
 sysdeps/x86/dl-prop.h  | 51 +++++++++++++++++++++++++++++++++---------
 sysdeps/x86/link_map.h |  9 ++++----
 2 files changed, 46 insertions(+), 14 deletions(-)

diff --git a/sysdeps/x86/dl-prop.h b/sysdeps/x86/dl-prop.h
index 26c3131ac5..9ab890d12b 100644
--- a/sysdeps/x86/dl-prop.h
+++ b/sysdeps/x86/dl-prop.h
@@ -49,6 +49,10 @@  _dl_process_cet_property_note (struct link_map *l,
 			      const ElfW(Addr) align)
 {
 #if CET_ENABLED
+  /* Skip if we have seen a NT_GNU_PROPERTY_TYPE_0 note before.  */
+  if (l->l_cet != lc_unknown)
+    return;
+
   /* The NT_GNU_PROPERTY_TYPE_0 note must be aliged to 4 bytes in
      32-bit objects and to 8 bytes in 64-bit objects.  Skip notes
      with incorrect alignment.  */
@@ -57,6 +61,9 @@  _dl_process_cet_property_note (struct link_map *l,
 
   const ElfW(Addr) start = (ElfW(Addr)) note;
 
+  unsigned int feature_1 = 0;
+  unsigned int last_type = 0;
+
   while ((ElfW(Addr)) (note + 1) - start < size)
     {
       /* Find the NT_GNU_PROPERTY_TYPE_0 note.  */
@@ -64,10 +71,18 @@  _dl_process_cet_property_note (struct link_map *l,
 	  && note->n_type == NT_GNU_PROPERTY_TYPE_0
 	  && memcmp (note + 1, "GNU", 4) == 0)
 	{
+	  /* Stop if we see more than one GNU property note which may
+	     be generated by the older linker.  */
+	  if (l->l_cet != lc_unknown)
+	    return;
+
+	  /* Check CET status now.  */
+	  l->l_cet = lc_none;
+
 	  /* Check for invalid property.  */
 	  if (note->n_descsz < 8
 	      || (note->n_descsz % sizeof (ElfW(Addr))) != 0)
-	    break;
+	    return;
 
 	  /* Start and end of property array.  */
 	  unsigned char *ptr = (unsigned char *) (note + 1) + 4;
@@ -78,9 +93,15 @@  _dl_process_cet_property_note (struct link_map *l,
 	      unsigned int type = *(unsigned int *) ptr;
 	      unsigned int datasz = *(unsigned int *) (ptr + 4);
 
+	      /* Property type must be in ascending order.  */
+	      if (type < last_type)
+		return;
+
 	      ptr += 8;
 	      if ((ptr + datasz) > ptr_end)
-		break;
+		return;
+
+	      last_type = type;
 
 	      if (type == GNU_PROPERTY_X86_FEATURE_1_AND)
 		{
@@ -89,14 +110,18 @@  _dl_process_cet_property_note (struct link_map *l,
 		     we stop the search regardless if its size is correct
 		     or not.  There is no point to continue if this note
 		     is ill-formed.  */
-		  if (datasz == 4)
-		    {
-		      unsigned int feature_1 = *(unsigned int *) ptr;
-		      if ((feature_1 & GNU_PROPERTY_X86_FEATURE_1_IBT))
-			l->l_cet |= lc_ibt;
-		      if ((feature_1 & GNU_PROPERTY_X86_FEATURE_1_SHSTK))
-			l->l_cet |= lc_shstk;
-		    }
+		  if (datasz != 4)
+		    return;
+
+		  feature_1 = *(unsigned int *) ptr;
+
+		  /* Keep searching for the next GNU property note
+		     generated by the older linker.  */
+		  break;
+		}
+	      else if (type > GNU_PROPERTY_X86_FEATURE_1_AND)
+		{
+		  /* Stop since property type is in ascending order.  */
 		  return;
 		}
 
@@ -112,6 +137,12 @@  _dl_process_cet_property_note (struct link_map *l,
 	      + ELF_NOTE_NEXT_OFFSET (note->n_namesz, note->n_descsz,
 				      align));
     }
+
+  /* We get here only if there is one or no GNU property note.  */
+  if ((feature_1 & GNU_PROPERTY_X86_FEATURE_1_IBT))
+    l->l_cet |= lc_ibt;
+  if ((feature_1 & GNU_PROPERTY_X86_FEATURE_1_SHSTK))
+    l->l_cet |= lc_shstk;
 #endif
 }
 
diff --git a/sysdeps/x86/link_map.h b/sysdeps/x86/link_map.h
index ef1206a9d2..9367ed0889 100644
--- a/sysdeps/x86/link_map.h
+++ b/sysdeps/x86/link_map.h
@@ -19,8 +19,9 @@ 
 /* If this object is enabled with CET.  */
 enum
   {
-    lc_none = 0,			 /* Not enabled with CET.  */
-    lc_ibt = 1 << 0,			 /* Enabled with IBT.  */
-    lc_shstk = 1 << 1,			 /* Enabled with STSHK.  */
+    lc_unknown = 0,			 /* Unknown CET status.  */
+    lc_none = 1 << 0,			 /* Not enabled with CET.  */
+    lc_ibt = 1 << 1,			 /* Enabled with IBT.  */
+    lc_shstk = 1 << 2,			 /* Enabled with STSHK.  */
     lc_ibt_and_shstk = lc_ibt | lc_shstk /* Enabled with both.  */
-  } l_cet:2;
+  } l_cet:3;
-- 
2.19.1