From patchwork Sat Nov 28 11:59:42 2020
X-Patchwork-Submitter: Topi Miettinen
X-Patchwork-Id: 41227
To: libc-alpha@sourceware.org
Subject: [PATCH 1/4] csu: randomize location of TCB
Date: Sat, 28 Nov 2020 13:59:42 +0200
Message-Id: <20201128115945.42732-2-toiwoton@gmail.com>
In-Reply-To: <20201128115945.42732-1-toiwoton@gmail.com>
References: <20201128115945.42732-1-toiwoton@gmail.com>
List-Id: Libc-alpha mailing list
X-Patchwork-Original-From: Topi Miettinen via Libc-alpha
From: Topi Miettinen
Reply-To: Topi Miettinen
Cc: Topi Miettinen

Use mmap() for allocating TCB except if instructed by tunable glibc.malloc.use_sbrk. This makes the location of TCB random instead of always staying predictably next to data segment. When using mmap(), improve the logic so that allocation of TCB can be assumed to fail instead of segfaulting.
---
v2: introduce a tunable to use sbrk()
v3:
- refactor mmap() (Adhemerval Zanella)
- rename mmap_internal to mmap_noerrno
---
 csu/libc-tls.c | 40 ++++++++++++++++----
 elf/dl-tunables.list | 7 ++++
 include/sys/mman.h | 5 +++
 manual/tunables.texi | 5 +++
 sysdeps/mach/hurd/dl-sysdep.c | 18 +++++++--
 sysdeps/unix/sysv/linux/mmap.c | 30 ++++++++++++---
 sysdeps/unix/sysv/linux/mmap64.c | 23 ++++++++---
 sysdeps/unix/sysv/linux/mmap_internal.h | 2 +-
 sysdeps/unix/sysv/linux/s390/mmap_internal.h | 2 +-
 9 files changed, 109 insertions(+), 23 deletions(-)

diff --git a/csu/libc-tls.c b/csu/libc-tls.c index c3589f0a7d..0cb6cb2e42 100644 --- a/csu/libc-tls.c +++ b/csu/libc-tls.c @@ -25,11 +25,18 @@ #include #include #include +#include +#include #ifdef SHARED #error makefile bug, this file is for static only #endif +#if HAVE_TUNABLES +# define TUNABLE_NAMESPACE malloc +#endif +#include + dtv_t _dl_static_dtv[2 + TLS_SLOTINFO_SURPLUS]; 
@@ -135,26 +142,45 @@ __libc_setup_tls (void) /* We have to set up the TCB block which also (possibly) contains 'errno'. Therefore we avoid 'malloc' which might touch 'errno'. - Instead we use 'sbrk' which would only uses 'errno' if it fails. - In this case we are right away out of memory and the user gets - what she/he deserves. */ + Instead we use '__mmap_noerrno' (when available) which does not + use 'errno', except if instructed by tunable + glibc.malloc.use_sbrk to use 'sbrk()' instead. If 'sbrk()' fails, + it will access 'errno' with catastrophic results. */ + + size_t tlsblock_size; #if TLS_TCB_AT_TP /* Align the TCB offset to the maximum alignment, as _dl_allocate_tls_storage (in elf/dl-tls.c) does using __libc_memalign and dl_tls_static_align. */ tcb_offset = roundup (memsz + GLRO(dl_tls_static_surplus), max_align); - tlsblock = __sbrk (tcb_offset + TLS_INIT_TCB_SIZE + max_align); + tlsblock_size = tcb_offset + TLS_INIT_TCB_SIZE + max_align; #elif TLS_DTV_AT_TP tcb_offset = roundup (TLS_INIT_TCB_SIZE, align ?: 1); - tlsblock = __sbrk (tcb_offset + memsz + max_align - + TLS_PRE_TCB_SIZE + GLRO(dl_tls_static_surplus)); - tlsblock += TLS_PRE_TCB_SIZE; + tlsblock_size = tcb_offset + memsz + max_align + + TLS_PRE_TCB_SIZE + GLRO(dl_tls_static_surplus); #else /* In case a model with a different layout for the TCB and DTV is defined add another #elif here and in the following #ifs. */ # error "Either TLS_TCB_AT_TP or TLS_DTV_AT_TP must be defined" #endif +#if HAVE_TUNABLES + if (!TUNABLE_GET (use_sbrk, int32_t, NULL)) + { + int error = 0; + tlsblock = __mmap_noerrno (NULL, tlsblock_size, PROT_READ | PROT_WRITE, + MAP_ANONYMOUS | MAP_PRIVATE, -1, 0, &error); + if (error || tlsblock == MAP_FAILED) + _startup_fatal ("Cannot allocate TCB"); + } + else +#endif + tlsblock = __sbrk (tlsblock_size); + +#if TLS_DTV_AT_TP + tlsblock += TLS_PRE_TCB_SIZE; +#endif + /* Align the TLS block. */ tlsblock = (void *) (((uintptr_t) tlsblock + max_align - 1) & ~(max_align - 1)); 
diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list index e1d8225128..777ebee788 100644 --- a/elf/dl-tunables.list +++ b/elf/dl-tunables.list @@ -91,6 +91,13 @@ glibc { minval: 0 security_level: SXID_IGNORE } + use_sbrk { + type: INT_32 + minval: 0 + maxval: 1 + default: 0 + security_level: SXID_IGNORE + } } cpu { hwcap_mask { diff --git a/include/sys/mman.h b/include/sys/mman.h index 503edaae88..d2fc5608c3 100644 --- a/include/sys/mman.h +++ b/include/sys/mman.h @@ -22,6 +22,11 @@ extern void *__mremap (void *__addr, size_t __old_len, size_t __new_len, int __flags, ...); libc_hidden_proto (__mremap) +/* Internal version of mmap() which doesn't attempt to access errno */ +extern void *__mmap_noerrno (void *addr, size_t len, int prot, int flags, + int fd, off_t offset, int *err); +libc_hidden_proto (__mmap_noerrno) + # if IS_IN (rtld) # include # endif diff --git a/manual/tunables.texi b/manual/tunables.texi index d72d7a5ec0..46132900e3 100644 --- a/manual/tunables.texi +++ b/manual/tunables.texi @@ -227,6 +227,11 @@ pointer, so add 4 on 32-bit systems or 8 on 64-bit systems to the size passed to @code{malloc} for the largest bin size to enable. @end deftp +@deftp Tunable glibc.malloc.use_sbrk +A value of 1 instructs @theglibc{} to use @code{sbrk()} for memory +allocation instead of @code{mmap()}. +@end deftp + @node Dynamic Linking Tunables @section Dynamic Linking Tunables @cindex dynamic linking tunables diff --git a/sysdeps/mach/hurd/dl-sysdep.c b/sysdeps/mach/hurd/dl-sysdep.c index 370495710e..40e2919b9d 100644 --- a/sysdeps/mach/hurd/dl-sysdep.c +++ b/sysdeps/mach/hurd/dl-sysdep.c @@ -482,9 +482,9 @@ __libc_lseek64 (int fd, off64_t offset, int whence) return offset; } -check_no_hidden(__mmap); +check_no_hidden(__mmap_noerrno); void *weak_function -__mmap (void *addr, size_t len, int prot, int flags, int fd, off_t offset) +__mmap_noerrno (void *addr, size_t len, int prot, int flags, int fd, off_t offset, int *error) { error_t err; vm_prot_t vmprot; 
@@ -541,10 +541,22 @@ __mmap (void *addr, size_t len, int prot, int flags, int fd, off_t offset) __mach_port_deallocate (__mach_task_self (), memobj_rd); if (err) - return __hurd_fail (err), MAP_FAILED; + *error = err; return (void *) mapaddr; } +check_no_hidden(__mmap); +void *weak_function +__mmap (void *addr, size_t len, int prot, int flags, int fd, off_t offset) +{ + int err = 0; + + void *r = __mmap_noerrno (addr, len, prot, flags, fd, offset, &err); + if (err) + return __hurd_fail (err), MAP_FAILED; + return r; +} + check_no_hidden(__fstat64); int weak_function __fstat64 (int fd, struct stat64 *buf) diff --git a/sysdeps/unix/sysv/linux/mmap.c b/sysdeps/unix/sysv/linux/mmap.c index 22f276bb14..19eca3fe18 100644 --- a/sysdeps/unix/sysv/linux/mmap.c +++ b/sysdeps/unix/sysv/linux/mmap.c 
@@ -31,20 +31,38 @@ # endif void * -__mmap (void *addr, size_t len, int prot, int flags, int fd, off_t offset) +__mmap_noerrno (void *addr, size_t len, int prot, int flags, int fd, off_t offset, int *err) { MMAP_CHECK_PAGE_UNIT (); if (offset & MMAP_OFF_LOW_MASK) - return (void *) INLINE_SYSCALL_ERROR_RETURN_VALUE (EINVAL); + return (void *) -EINVAL; #ifdef __NR_mmap2 - return (void *) MMAP_CALL (mmap2, addr, len, prot, flags, fd, - offset / (uint32_t) MMAP2_PAGE_UNIT); + long int r = MMAP_CALL (mmap2, addr, len, prot, flags, fd, + offset / (uint32_t) MMAP2_PAGE_UNIT); #else - return (void *) MMAP_CALL (mmap, addr, len, prot, flags, fd, - MMAP_ADJUST_OFFSET (offset)); + long int r = MMAP_CALL (mmap, addr, len, prot, flags, fd, + MMAP_ADJUST_OFFSET (offset)); #endif + if (INTERNAL_SYSCALL_ERROR_P (r)) + { + *err = (INTERNAL_SYSCALL_ERRNO (r)); + return MAP_FAILED; + } + return (void*) r; +} +libc_hidden_def (__mmap_noerrno) + +void * +__mmap (void *addr, size_t len, int prot, int flags, int fd, off_t offset) +{ + int error = 0; + + void *r = __mmap_noerrno (addr, len, prot, flags, fd, offset, &error); + if (error) + __set_errno(error); + return r; } weak_alias (__mmap, mmap) libc_hidden_def (__mmap) diff --git a/sysdeps/unix/sysv/linux/mmap64.c b/sysdeps/unix/sysv/linux/mmap64.c index 8074deb466..3d6557734b 100644 --- a/sysdeps/unix/sysv/linux/mmap64.c +++ b/sysdeps/unix/sysv/linux/mmap64.c 
@@ -44,25 +44,38 @@ #endif void * -__mmap64 (void *addr, size_t len, int prot, int flags, int fd, off64_t offset) +__mmap64_noerrno (void *addr, size_t len, int prot, int flags, int fd, off64_t offset, int *err) { MMAP_CHECK_PAGE_UNIT (); if (offset & MMAP_OFF_MASK) - return (void *) INLINE_SYSCALL_ERROR_RETURN_VALUE (EINVAL); + return (void *) -EINVAL; MMAP_PREPARE (addr, len, prot, flags, fd, offset); #ifdef __NR_mmap2 - return (void *) MMAP_CALL (mmap2, addr, len, prot, flags, fd, - (off_t) (offset / MMAP2_PAGE_UNIT)); + long int r = MMAP_CALL (mmap2, addr, len, prot, flags, fd, + (off_t) (offset / MMAP2_PAGE_UNIT)); #else - return (void *) MMAP_CALL (mmap, addr, len, prot, flags, fd, offset); + long int r = MMAP_CALL (mmap, addr, len, prot, flags, fd, offset); #endif + if (INTERNAL_SYSCALL_ERROR_P (r)) + { + *err = INTERNAL_SYSCALL_ERRNO (r); + return MAP_FAILED; + } + return (void *) r; +} + +void * +__mmap64 (void *addr, size_t len, int prot, int flags, int fd, off64_t offset) +{ + return __mmap64_noerrno (addr, len, prot, flags, fd, offset, &errno); } weak_alias (__mmap64, mmap64) libc_hidden_def (__mmap64) #ifdef __OFF_T_MATCHES_OFF64_T +weak_alias (__mmap64_noerrno, __mmap_noerrno) weak_alias (__mmap64, mmap) weak_alias (__mmap64, __mmap) libc_hidden_def (__mmap) diff --git a/sysdeps/unix/sysv/linux/mmap_internal.h b/sysdeps/unix/sysv/linux/mmap_internal.h index d53f0c642a..5386b5eb63 100644 --- a/sysdeps/unix/sysv/linux/mmap_internal.h +++ b/sysdeps/unix/sysv/linux/mmap_internal.h @@ -43,7 +43,7 @@ static uint64_t page_unit; /* An architecture may override this. */ #ifndef MMAP_CALL # define MMAP_CALL(__nr, __addr, __len, __prot, __flags, __fd, __offset) \ - INLINE_SYSCALL_CALL (__nr, __addr, __len, __prot, __flags, __fd, __offset) + INTERNAL_SYSCALL_CALL (__nr, __addr, __len, __prot, __flags, __fd, __offset) #endif #endif /* MMAP_INTERNAL_LINUX_H */ 
diff --git a/sysdeps/unix/sysv/linux/s390/mmap_internal.h b/sysdeps/unix/sysv/linux/s390/mmap_internal.h index 2884f2844b..d2289f311c 100644 --- a/sysdeps/unix/sysv/linux/s390/mmap_internal.h +++ b/sysdeps/unix/sysv/linux/s390/mmap_internal.h @@ -24,7 +24,7 @@ long int __args[6] = { (long int) (__addr), (long int) (__len), \ (long int) (__prot), (long int) (__flags), \ (long int) (__fd), (long int) (__offset) }; \ - INLINE_SYSCALL_CALL (__nr, __args); \ + INTERNAL_SYSCALL_CALL (__nr, __args); \ }) #include_next
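Review bot: In csu/libc-tls.c, __libc_setup_tls, the whole mmap branch sits inside `#if HAVE_TUNABLES`, so a build without tunables compiles only `tlsblock = __sbrk (tlsblock_size);` and the TCB stays next to the data segment, which is not what the commit message describes. Make the `__mmap_noerrno` call the unconditional default and guard only the `TUNABLE_GET (use_sbrk, int32_t, NULL)` test. The `__sbrk` result is also still used unchecked, and the new comment concedes that failure there is catastrophic; comparing it against `(void *) -1` and calling `_startup_fatal` would give that path the same clean failure as the mmap one.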
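Review bot: In manual/tunables.texi, the new glibc.malloc.use_sbrk entry says the tunable switches "memory allocation" from mmap() to sbrk(), but the only consumer in this patch is the static TCB allocation in csu/libc-tls.c. The entry should state the default (0, per elf/dl-tunables.list), name what is affected, and say that sbrk() placement is predictable next to the data segment, so a user knows what is given up by setting it to 1.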
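Review bot: In sysdeps/mach/hurd/dl-sysdep.c, __mmap_noerrno, the error path now stores `*error = err;` and falls through to `return (void *) mapaddr;`, whereas the Linux versions in this patch return MAP_FAILED on error. Return MAP_FAILED after setting `*error` so a caller that tests only the pointer behaves the same on both ports. The prototype comment in include/sys/mman.h should also say that the caller must initialise `*err` to 0, since the success path never writes it.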
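Review bot: In sysdeps/unix/sysv/linux/mmap.c, __mmap_noerrno, the misaligned-offset path `return (void *) -EINVAL;` neither writes `*err` nor returns MAP_FAILED. The __mmap wrapper then sees `error == 0`, leaves errno untouched and hands the caller a pointer that does not compare equal to MAP_FAILED, where the removed `INLINE_SYSCALL_ERROR_RETURN_VALUE (EINVAL)` set errno and returned the failure value. Use `*err = EINVAL; return MAP_FAILED;` there.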
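Review bot: In sysdeps/unix/sysv/linux/mmap64.c, the `__OFF_T_MATCHES_OFF64_T` block adds `weak_alias (__mmap64_noerrno, __mmap_noerrno)` with no `libc_hidden_def (__mmap_noerrno)` in the visible lines, although include/sys/mman.h declares it with `libc_hidden_proto` and mmap.c does add the hidden def; `__mmap64_noerrno` itself gets no prototype anywhere in this patch. Add both. The early `return (void *) -EINVAL;` has the same defect as in mmap.c, and `__mmap64` passing `&errno` differs from the local `int error` plus `__set_errno` used in `__mmap`; pick one pattern for both wrappers.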
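Review bot: In sysdeps/unix/sysv/linux/mmap_internal.h, MMAP_CALL now expands to INTERNAL_SYSCALL_CALL and so returns the raw kernel value without touching errno, but the comment above it still says only "An architecture may override this". Document the new contract there (the result must be tested with INTERNAL_SYSCALL_ERROR_P), because an override that kept INLINE_SYSCALL_CALL would have its -1 return misread as an error code by __mmap_noerrno. Only the s390 override is converted in this patch; any other override needs the same change.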