From patchwork Thu Jun 24 13:49:34 2021
X-Patchwork-Id: 43996
From: "H.J. Lu"
To: libc-alpha@sourceware.org
Cc: Florian Weimer
Subject: [PATCH v2 0/4] Implement indirect external access marker
Date: Thu, 24 Jun 2021 06:49:34 -0700
Message-Id: <20210624134938.2025098-1-hjl.tools@gmail.com>

Changes in the v2 patch.

1. Rename GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION to
   GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS.
2. Rename the option to -z [no]indirect-extern-access and move it to
   ld/emulparams/extern_protected_data.sh.
3. Clear the indirect external access bit in executable when there are
   non-GOT or non-PLT relocations in relocatable input files without this
   bit set.

---

On systems with copy relocation:

* A copy in executable is created for the definition in a shared library
  at run-time by ld.so.
* The copy is referenced by executable and shared libraries.
* Executable can access the copy directly.

Issues are:

* Overhead of a copy, time and space, may be visible at run-time.
* Read-only data in the shared library becomes a read-write copy in
  executable at run-time.
* Local access to data with the STV_PROTECTED visibility in the shared
  library must use GOT.

On systems without function descriptor, function pointers vary depending
on where and how the functions are defined.

* If the function is defined in executable, it can be the address of
  function body.
* If the function, including the function with STV_PROTECTED visibility,
  is defined in the shared library, it can be the address of the PLT entry
  in executable or shared library.

Issues are:

* The address of function body may not be used as its function pointer.
* ld.so needs to search loaded shared libraries for the function pointer
  of the function with STV_PROTECTED visibility.

Here is a proposal to remove copy relocation and use canonical function
pointer:

1. Accesses, including in PIE and non-PIE, to undefined symbols must
   use GOT.
   a. Linker may optimize out GOT access if the data is defined in PIE or
      non-PIE.
2. Read-only data in the shared library remains read-only at run-time.
3. Address of global data with the STV_PROTECTED visibility in the shared
   library is the address of data body.
   a. Can use IP-relative access.
   b. May need GOT without IP-relative access.
4. For systems without function descriptor,
   a. All global function pointers of undefined functions in PIE and
      non-PIE must use GOT.  Linker may optimize out GOT access if the
      function is defined in PIE or non-PIE.
   b. Function pointer of functions with the STV_PROTECTED visibility in
      executable and shared library is the address of function body.
      i.   Can use IP-relative access.
      ii.  May need GOT without IP-relative access.
      iii. Branches to undefined functions may use PLT.
5. Single global definition marker:

   Add GNU_PROPERTY_1_NEEDED:

   #define GNU_PROPERTY_1_NEEDED      GNU_PROPERTY_UINT32_OR_LO

   to indicate the properties needed by the object file.

   Add GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS:

   #define GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS (1U << 0)

   to indicate that the object file requires canonical function pointers
   and cannot be used with copy relocation.  This bit should be cleared in
   executable when there are non-GOT or non-PLT relocations in relocatable
   input files without this bit set.

   a. Protected symbol access within the shared library can be treated as
      local.
   b. Copy relocation should be disallowed at link-time and run-time.
   c. GOT function pointer reference is required at link-time and run-time.

The indirect external access marker can be used in the following ways:

1. Linker can decide the best way to resolve a relocation against a
   protected symbol before seeing all relocations against the symbol.
2. Dynamic linker can decide if it is an error to have a copy relocation
   in executable against the protected symbol in a shared library by
   checking if the shared library is built with -fno-direct-extern-access.

Dynamic linker changes:

* Scan the indirect external access marker on all components, including
  the executable and its dependency shared libraries.
* When performing symbol lookup for references in executable without
  indirect external access:
  1. Disallow copy relocations in executable against protected data
     symbols in a shared object with indirect external access.
  2. Disallow non-zero symbol values of undefined function symbols in
     executable, which are used as the function pointer, against protected
     function symbols in a shared object with indirect external access.
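The property and the run-time rule above, as an added example that is not part of this series or of glibc: it walks a constructed NT_GNU_PROPERTY_TYPE_0 descriptor for GNU_PROPERTY_1_NEEDED with every read bounded by the descriptor size, then applies the copy-relocation rule from the "Dynamic linker changes" list. The numeric values of GNU_PROPERTY_UINT32_OR_LO and GNU_PROPERTY_X86_FEATURE_1_AND are the ones elf.h defines; the descriptor bytes and the function names are constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Values as in elf.h; the last two are the ones this series introduces.  */
#define GNU_PROPERTY_X86_FEATURE_1_AND 0xc0000002u
#define GNU_PROPERTY_UINT32_OR_LO 0xb0008000u
#define GNU_PROPERTY_1_NEEDED GNU_PROPERTY_UINT32_OR_LO
#define GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS (1U << 0)

/* Return the GNU_PROPERTY_1_NEEDED value in the descriptor of an
   NT_GNU_PROPERTY_TYPE_0 note, or 0 if absent or malformed.  Entries are
   (type, datasz, data), data padded to ALIGN (8 on ELFCLASS64, 4 on ELFCLASS32).  */
static uint32_t gnu_property_1_needed (const unsigned char *desc, size_t descsz, size_t align)
{
  for (size_t off = 0; off + 8 <= descsz;) {
    uint32_t type, datasz, value;
    memcpy (&type, desc + off, 4);
    memcpy (&datasz, desc + off + 4, 4);
    off += 8;
    if (datasz > descsz - off)
      return 0;				/* truncated entry: never read past DESCSZ */
    if (type == GNU_PROPERTY_1_NEEDED) {
      if (datasz != 4)
        return 0;			/* not a UINT32 property */
      memcpy (&value, desc + off, 4);
      return value;
    }
    off += (datasz + align - 1) & ~(align - 1);
  }
  return 0;
}

/* Run-time rule from the proposal: an executable with the marker may have
   no copy relocations; one without it may not have a copy relocation
   against a protected data symbol in a shared object with the marker.  */
static bool copy_reloc_allowed (uint32_t exe_needed, uint32_t so_needed, bool def_protected)
{
  const uint32_t bit = GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS;
  if (exe_needed & bit)
    return false;
  return !(def_protected && (so_needed & bit));
}

/* Constructed ELFCLASS64 descriptor: an x86 feature entry, then the marker.  */
static const uint32_t sample_desc[] = {
  GNU_PROPERTY_X86_FEATURE_1_AND, 4, 1, 0,
  GNU_PROPERTY_1_NEEDED, 4, GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS, 0,
};
```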
The corresponding binutils patches are posted at

https://sourceware.org/pipermail/binutils/2021-June/117153.html

and GCC patches are posted at

https://gcc.gnu.org/pipermail/gcc-patches/2021-June/573633.html

We can replace hidden function symbols with protected symbols and build
glibc with -fno-direct-extern-access.

H.J. Lu (4):
  Initial support for GNU_PROPERTY_1_NEEDED
  Check -z indirect-extern-access and -fno-direct-extern-access
  Add run-time check for indirect external access
  Update tests for protected data and function symbols

 configure                      |  59 +++++++++++++++
 configure.ac                   |  37 ++++++++++
 elf/Makefile                   |  54 ++++++++++++++
 elf/dl-lookup.c                |   5 ++
 elf/elf.h                      |  17 +++++
 elf/tst-protected1moda.c       |  10 +--
 elf/tst-protected1modb.c       |   4 +-
 elf/tst-protected2a.c          | 130 +++++++++++++++++++++++++++++++++
 elf/tst-protected2apie.c       |   1 +
 elf/tst-protected2b.c          | 121 ++++++++++++++++++++++++++++++
 elf/tst-protected2bpie.c       |   1 +
 elf/tst-protected2mod.h        |  35 +++++++++
 elf/tst-protected2moda.c       |  52 +++++++++++++
 elf/tst-protected2moda2.c      |  41 +++++++++++
 elf/tst-protected2modb.c       |  45 ++++++++++++
 elf/tst-protected2modb2.c      |  28 +++++++
 sysdeps/generic/dl-prop.h      |   9 ++-
 sysdeps/generic/dl-protected.h |  54 ++++++++++++++
 sysdeps/generic/link_map.h     |   3 +-
 sysdeps/x86/dl-prop.h          |  19 +++--
 sysdeps/x86/link_map.h         |   2 +
 21 files changed, 710 insertions(+), 17 deletions(-)
 create mode 100644 elf/tst-protected2a.c
 create mode 100644 elf/tst-protected2apie.c
 create mode 100644 elf/tst-protected2b.c
 create mode 100644 elf/tst-protected2bpie.c
 create mode 100644 elf/tst-protected2mod.h
 create mode 100644 elf/tst-protected2moda.c
 create mode 100644 elf/tst-protected2moda2.c
 create mode 100644 elf/tst-protected2modb.c
 create mode 100644 elf/tst-protected2modb2.c
 create mode 100644 sysdeps/generic/dl-protected.h