From patchwork Tue Jul 24 12:25:50 2018
X-Patchwork-Submitter: "H.J. Lu"
X-Patchwork-Id: 28583
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Delivered-To: mailing list libc-alpha@sourceware.org
References: <20180721142035.21059-1-hjl.tools@gmail.com> <20180721142035.21059-2-hjl.tools@gmail.com>
From: "H.J. Lu"
Date: Tue, 24 Jul 2018 05:25:50 -0700
Subject: Re: [PATCH 01/12] x86: Update vfork to pop shadow stack
To: "Carlos O'Donell"
Cc: GNU C Library

On Mon, Jul 23, 2018 at 7:47 PM, Carlos O'Donell wrote:
> On 07/21/2018 10:20 AM, H.J. Lu wrote:
>> Since we can't change return address on shadow stack, if shadow stack
>> is in use, we need to pop shadow stack and jump back to caller directly.
>>
>> * sysdeps/unix/sysv/linux/i386/vfork.S (SYSCALL_ERROR_HANDLER):
>> Redefine if shadow stack is enabled.
>> (SYSCALL_ERROR_LABEL): Likewise.
>> (__vfork): Pop shadow stack and jump back to caller directly
>> when shadow stack is in use.
>> * sysdeps/unix/sysv/linux/x86_64/vfork.S (SYSCALL_ERROR_HANDLER):
>> Redefine if shadow stack is enabled.
>> (SYSCALL_ERROR_LABEL): Likewise.
>> (__vfork): Pop shadow stack and jump back to caller directly
>> when shadow stack is in use.
>> ---
>> sysdeps/unix/sysv/linux/i386/vfork.S | 54 ++++++++++++++++++++++++++
>> sysdeps/unix/sysv/linux/x86_64/vfork.S | 35 +++++++++++++++++
>> 2 files changed, 89 insertions(+)
>
> OK with comment suggestion.
>
> Reviewed-by: Carlos O'Donell
>

This is what I checked in. Thanks.

From 2f165ed718036e91a798a657dc00101393692208 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" Date: Thu, 7 Jun 2018 20:50:11 -0700 Subject: [PATCH] Add MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add and include it in . __INDIRECT_RETURN defined in indicates if swapcontext requires special compiler treatment. The default __INDIRECT_RETURN is empty. On x86, when shadow stack is enabled, __INDIRECT_RETURN is defined with indirect_return attribute, which has been added to GCC 9, to indicate that swapcontext returns via indirect branch. Otherwise __INDIRECT_RETURN is defined with returns_twice attribute. When shadow stack is enabled, remove always_inline attribute from prepare_test_buffer in string/tst-xbzero-opt.c to avoid: tst-xbzero-opt.c: In function ‘prepare_test_buffer’: tst-xbzero-opt.c:105:1: error: function ‘prepare_test_buffer’ can never be inlined because it uses setjmp prepare_test_buffer (unsigned char *buf) when indirect_return attribute isn't available. * bits/indirect-return.h: New file. * misc/sys/cdefs.h (__glibc_has_attribute): New. * sysdeps/x86/bits/indirect-return.h: Likewise. * stdlib/Makefile (headers): Add bits/indirect-return.h. * stdlib/ucontext.h: Include . (swapcontext): Add __INDIRECT_RETURN. * string/tst-xbzero-opt.c (ALWAYS_INLINE): New. (prepare_test_buffer): Use it. --- bits/indirect-return.h | 25 +++++++++++++++++++++ misc/sys/cdefs.h | 6 +++++ stdlib/Makefile | 2 +- stdlib/ucontext.h | 6 ++++- string/tst-xbzero-opt.c | 10 ++++++++- sysdeps/x86/bits/indirect-return.h | 35 ++++++++++++++++++++++++++++++ 6 files changed, 81 insertions(+), 3 deletions(-) create mode 100644 bits/indirect-return.h create mode 100644 sysdeps/x86/bits/indirect-return.h diff --git a/bits/indirect-return.h b/bits/indirect-return.h new file mode 100644 index 0000000000..47f6f15a6e --- /dev/null +++ b/bits/indirect-return.h 
@@ -0,0 +1,25 @@ +/* Definition of __INDIRECT_RETURN. Generic version. + Copyright (C) 2018 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#ifndef _UCONTEXT_H +# error "Never include directly; use instead." +#endif + +/* __INDIRECT_RETURN is used on swapcontext to indicate if it requires + special compiler treatment. */ +#define __INDIRECT_RETURN diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h index e80a45ca68..3f6fe3cc85 100644 --- a/misc/sys/cdefs.h +++ b/misc/sys/cdefs.h @@ -406,6 +406,12 @@ # define __glibc_likely(cond) (cond) #endif +#ifdef __has_attribute +# define __glibc_has_attribute(attr) __has_attribute (attr) +#else +# define __glibc_has_attribute(attr) 0 +#endif + #if (!defined _Noreturn \ && (defined __STDC_VERSION__ ? __STDC_VERSION__ : 0) < 201112 \ && !__GNUC_PREREQ (4,7)) diff --git a/stdlib/Makefile b/stdlib/Makefile index 808a8ceab7..b5e55b0a55 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile 
@@ -26,7 +26,7 @@ headers := stdlib.h bits/stdlib.h bits/stdlib-ldbl.h bits/stdlib-float.h \ monetary.h bits/monetary-ldbl.h \ inttypes.h stdint.h bits/wordsize.h \ errno.h sys/errno.h bits/errno.h bits/types/error_t.h \ - ucontext.h sys/ucontext.h \ + ucontext.h sys/ucontext.h bits/indirect-return.h \ alloca.h fmtmsg.h \ bits/stdlib-bsearch.h sys/random.h bits/stdint-intn.h \ bits/stdint-uintn.h diff --git a/stdlib/ucontext.h b/stdlib/ucontext.h index eec7611631..ec630038f6 100644 --- a/stdlib/ucontext.h +++ b/stdlib/ucontext.h @@ -22,6 +22,9 @@ #include +/* Get definition of __INDIRECT_RETURN. */ +#include + /* Get machine dependent definition of data structures. */ #include @@ -36,7 +39,8 @@ extern int setcontext (const ucontext_t *__ucp) __THROWNL; /* Save current context in context variable pointed to by OUCP and set context from variable pointed to by UCP. */ extern int swapcontext (ucontext_t *__restrict __oucp, - const ucontext_t *__restrict __ucp) __THROWNL; + const ucontext_t *__restrict __ucp) + __THROWNL __INDIRECT_RETURN; /* Manipulate user context UCP to continue with calling functions FUNC and the ARGC-1 parameters following ARGC when the context is used diff --git a/string/tst-xbzero-opt.c b/string/tst-xbzero-opt.c index cf7041f37a..aab4a7f715 100644 --- a/string/tst-xbzero-opt.c +++ b/string/tst-xbzero-opt.c 
@@ -100,7 +100,15 @@ static ucontext_t uc_main, uc_co; /* Always check the test buffer immediately after filling it; this makes externally visible side effects depend on the buffer existing and having been filled in. */ -static inline __attribute__ ((always_inline)) void +#if defined __CET__ && !__glibc_has_attribute (__indirect_return__) +/* Note: swapcontext returns via indirect branch when SHSTK is enabled. + Without indirect_return attribute, swapcontext is marked with + returns_twice attribute, which prevents always_inline to work. */ +# define ALWAYS_INLINE +#else +# define ALWAYS_INLINE __attribute__ ((always_inline)) +#endif +static inline ALWAYS_INLINE void prepare_test_buffer (unsigned char *buf) { for (unsigned int i = 0; i < PATTERN_REPS; i++) diff --git a/sysdeps/x86/bits/indirect-return.h b/sysdeps/x86/bits/indirect-return.h new file mode 100644 index 0000000000..0587e687ac --- /dev/null +++ b/sysdeps/x86/bits/indirect-return.h 
@@ -0,0 +1,35 @@ +/* Definition of __INDIRECT_RETURN. x86 version. + Copyright (C) 2018 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#ifndef _UCONTEXT_H +# error "Never include directly; use instead." +#endif + +/* On x86, swapcontext returns via indirect branch when the shadow stack + is enabled. Define __INDIRECT_RETURN to indicate whether swapcontext + returns via indirect branch. */ +#if defined __CET__ && (__CET__ & 2) != 0 +# if __glibc_has_attribute (__indirect_return__) +# define __INDIRECT_RETURN __attribute__ ((__indirect_return__)) +# else +/* Without indirect_return attribute, use returns_twice attribute. */ +# define __INDIRECT_RETURN __attribute__ ((__returns_twice__)) +# endif +#else +# define __INDIRECT_RETURN +#endif -- 2.17.1
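Review bot: The new `__glibc_has_attribute` macro in the misc/sys/cdefs.h hunk has no comment, although it lands in an installed header and is used by two other files in this patch. Suggest a short comment stating that it expands to 0 when the compiler does not provide `__has_attribute`, so callers treat an attribute that cannot be probed as absent; that behaviour is what makes sysdeps/x86/bits/indirect-return.h fall back to `__returns_twice__` on such compilers.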
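Review bot: The guard in the string/tst-xbzero-opt.c hunk, `#if defined __CET__ && !__glibc_has_attribute (__indirect_return__)`, is wider than the one in sysdeps/x86/bits/indirect-return.h, which tests `(__CET__ & 2) != 0`. When `__CET__` is defined with the shadow-stack bit clear, `__INDIRECT_RETURN` is empty and swapcontext is not marked returns_twice, yet always_inline is still dropped from prepare_test_buffer. Suggest using the same `(__CET__ & 2) != 0` test here so the workaround applies only when the header actually selects `__returns_twice__`. The new comment would also read better as "which prevents always_inline from working".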
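Review bot: The test `(__CET__ & 2) != 0` in sysdeps/x86/bits/indirect-return.h uses a bare constant; the comment above it mentions the shadow stack but does not say that this bit of `__CET__` is what indicates it. Suggest stating that in the comment. The fallback comment ("Without indirect_return attribute, use returns_twice attribute.") could also say why returns_twice is an acceptable substitute and that it is more restrictive for callers, since that restriction is the reason for the ALWAYS_INLINE change in string/tst-xbzero-opt.c.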