RFC: Shadow Stack support in glibc
Commit Message
On Fri, Jun 9, 2017 at 8:58 AM, Szabolcs Nagy <szabolcs.nagy@arm.com> wrote:
> On 09/06/17 16:39, H.J. Lu wrote:
>> Since the __saved_mask field in jmp_buf is unused for x86, replace
>> __saved_mask with a union to save save shadow stack pointer while
>> keeping the size of jmp_buf unchanged.
>>
>> * sysdeps/x86/setjmp.h: New file.
>
> sigsetjmp/siglongjmp has to save/restore the signal mask
> but the signal mask size on linux is at most 16bytes (?)
> and glibc uses 128 byte sigset_t.
>
> so instead of the union below, i'd expect a solution where
> if !HURD then the first 16bytes of __saved_mask and the rest
> can be accessed separately and the tail bytes are usable
> for target specific data.
>
How about this? I allocated32 bytes for signal mask:
/* The biggest signal number + 1 */
#define _JUMP_BUF_SIGSET_NSIG 257
/* Number of longs to hold all signals. */
#define _JUMP_BUF_SIGSET_NWORDS \
((_JUMP_BUF_SIGSET_NSIG - 1 + 7) / (8 * sizeof (unsigned long int)))
typedef struct
{
unsigned long int __val[_JUMP_BUF_SIGSET_NWORDS];
} __jmp_buf_sigset_t;
typedef union
{
__sigset_t __saved_mask_compat;
struct
{
__jmp_buf_sigset_t __saved_mask;
void *__padding[12];
} __saved;
} __jmpbuf_target_t;
/* Saved signal mask. */
#define __saved_mask __target.__saved.__saved_mask
and used
#if _JUMP_BUF_SIGSET_NSIG < _NSIG
# error _JUMP_BUF_SIGSET_NSIG < _NSIG
#endif
_Static_assert (sizeof (env[0].__target) == sizeof (__sigset_t),
"__jmpbuf_target_t == __sigset_t");
to catch any future issues.
From 10fdcdb92c73bcbf170d764ee86196e8999d3357 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Sat, 10 Jun 2017 17:23:06 -0700
Subject: [PATCH] Add bits/setjmp3.h
---
include/bits/setjmp3.h | 1 +
setjmp/Makefile | 2 +-
setjmp/bits/setjmp3.h | 47 +++++++++++++++++++++++++++++++++++++++++++++++
setjmp/longjmp.c | 13 ++++++++++---
setjmp/setjmp.h | 3 ++-
setjmp/sigjmp.c | 9 ++++++++-
6 files changed, 69 insertions(+), 6 deletions(-)
create mode 100644 include/bits/setjmp3.h
create mode 100644 setjmp/bits/setjmp3.h
new file mode 100644
@@ -0,0 +1 @@
+#include <setjmp/bits/setjmp3.h>
@@ -22,7 +22,7 @@ subdir := setjmp
include ../Makeconfig
-headers := setjmp.h bits/setjmp.h bits/setjmp2.h
+headers := setjmp.h bits/setjmp.h bits/setjmp2.h bits/setjmp3.h
routines := setjmp sigjmp bsd-setjmp bsd-_setjmp \
longjmp __longjmp jmp-unwind
new file mode 100644
@@ -0,0 +1,47 @@
+/* __jmpbuf_target_t defition.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#ifndef _SETJMP_H
+# error "Never include <bits/setjmp3.h> directly; use <setjmp.h> instead."
+#endif
+
+#include <bits/types/__sigset_t.h>
+
+/* The biggest signal number + 1 */
+#define _JUMP_BUF_SIGSET_NSIG 257
+/* Number of longs to hold all signals. */
+#define _JUMP_BUF_SIGSET_NWORDS \
+ ((_JUMP_BUF_SIGSET_NSIG - 1 + 7) / (8 * sizeof (unsigned long int)))
+
+typedef struct
+ {
+ unsigned long int __val[_JUMP_BUF_SIGSET_NWORDS];
+ } __jmp_buf_sigset_t;
+
+typedef union
+ {
+ __sigset_t __saved_mask_compat;
+ struct
+ {
+ __jmp_buf_sigset_t __saved_mask;
+ void *__padding[12];
+ } __saved;
+ } __jmpbuf_target_t;
+
+/* Saved signal mask. */
+#define __saved_mask __target.__saved.__saved_mask
@@ -19,6 +19,9 @@
#include <setjmp.h>
#include <signal.h>
+#if _JUMP_BUF_SIGSET_NSIG < _NSIG
+# error _JUMP_BUF_SIGSET_NSIG < _NSIG
+#endif
/* Set the signal mask to the one specified in ENV, and jump
to the position specified in ENV, causing the setjmp
@@ -30,9 +33,13 @@ __libc_siglongjmp (sigjmp_buf env, int val)
_longjmp_unwind (env, val);
if (env[0].__mask_was_saved)
- /* Restore the saved signal mask. */
- (void) __sigprocmask (SIG_SETMASK, &env[0].__saved_mask,
- (sigset_t *) NULL);
+ {
+ _Static_assert (sizeof (env[0].__target) == sizeof (__sigset_t),
+ "__jmpbuf_target_t == __sigset_t");
+ __sigset_t *saved_mask = (__sigset_t *) &env[0].__saved_mask;
+ /* Restore the saved signal mask. */
+ (void) __sigprocmask (SIG_SETMASK, saved_mask, (sigset_t *) NULL);
+ }
/* Call the machine-dependent function to restore machine state. */
__longjmp (env[0].__jmpbuf, val ?: 1);
@@ -27,6 +27,7 @@
__BEGIN_DECLS
#include <bits/setjmp.h> /* Get `__jmp_buf'. */
+#include <bits/setjmp3.h>
#include <bits/types/__sigset_t.h>
/* Calling environment, plus possibly a saved signal mask. */
@@ -38,7 +39,7 @@ struct __jmp_buf_tag
or add others before it. */
__jmp_buf __jmpbuf; /* Calling environment. */
int __mask_was_saved; /* Saved the signal mask? */
- __sigset_t __saved_mask; /* Saved signal mask. */
+ __jmpbuf_target_t __target; /* Target specific data. */
};
@@ -19,6 +19,10 @@
#include <setjmp.h>
#include <signal.h>
+#if _JUMP_BUF_SIGSET_NSIG < _NSIG
+# error _JUMP_BUF_SIGSET_NSIG < _NSIG
+#endif
+
/* This function is called by the `sigsetjmp' macro
before doing a `__setjmp' on ENV[0].__jmpbuf.
Always return zero. */
@@ -26,9 +30,12 @@
int
__sigjmp_save (sigjmp_buf env, int savemask)
{
+ _Static_assert (sizeof (env[0].__target) == sizeof (__sigset_t),
+ "__jmpbuf_target_t == __sigset_t");
+ __sigset_t *saved_mask = (__sigset_t *) &env[0].__saved_mask;
env[0].__mask_was_saved = (savemask &&
__sigprocmask (SIG_BLOCK, (sigset_t *) NULL,
- &env[0].__saved_mask) == 0);
+ saved_mask) == 0);
return 0;
}
--
2.9.4