diff mbox series

[v6,08/14] aarch64: enable BTI at runtime

Message ID f5a7a03e32f84ea6f5ba2cda5abcb50f40700bd3.1593612309.git.szabolcs.nagy@arm.com
State New
Headers show
Series aarch64: branch protection support | expand

Commit Message

Szabolcs Nagy July 1, 2020, 2:39 p.m. UTC
From: Sudakshina Das <sudi.das@arm.com>

Binaries can opt-in to using BTI via an ELF object file marking.
The dynamic linker has to then mprotect the executable segments
with PROT_BTI. In case of static linked executables or in case
of the dynamic linker itself, PROT_BTI protection is done by the
operating system.

On AArch64 glibc uses PT_GNU_PROPERTY instead of PT_NOTE to check
the properties of a binary because PT_NOTE can be unreliable with
old linkers (old linkers just append the notes of input objects
together and add them to the output without checking them for
consistency which means multiple incompatible GNU property notes
can be present in PT_NOTE).

BTI property is handled in the loader even if glibc is not built
with BTI support, so in theory user code can be BTI protected
independently of glibc. In practice though user binaries are not
marked with the BTI property if glibc has no support because the
static linked libc objects (crt files, libc_nonshared.a) are
unmarked.

This patch relies on Linux userspace API that is not yet in a
linux release but in v5.8-rc1 so scheduled to be in Linux 5.8.

Co-authored-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
---
 sysdeps/aarch64/Makefile                      |  4 ++
 sysdeps/aarch64/dl-bti.c                      | 54 ++++++++++++++++
 sysdeps/aarch64/dl-prop.h                     | 63 +++++++++++++++++++
 sysdeps/aarch64/linkmap.h                     |  3 +
 sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h  |  1 +
 sysdeps/unix/sysv/linux/aarch64/bits/mman.h   | 31 +++++++++
 .../unix/sysv/linux/aarch64/cpu-features.c    |  3 +
 .../unix/sysv/linux/aarch64/cpu-features.h    |  2 +
 8 files changed, 161 insertions(+)
 create mode 100644 sysdeps/aarch64/dl-bti.c
 create mode 100644 sysdeps/aarch64/dl-prop.h
 create mode 100644 sysdeps/unix/sysv/linux/aarch64/bits/mman.h

Comments

Adhemerval Zanella July 6, 2020, 5:28 p.m. UTC | #1
On 01/07/2020 11:39, Szabolcs Nagy wrote:
> From: Sudakshina Das <sudi.das@arm.com>
> 
> Binaries can opt-in to using BTI via an ELF object file marking.
> The dynamic linker has to then mprotect the executable segments
> with PROT_BTI. In case of static linked executables or in case
> of the dynamic linker itself, PROT_BTI protection is done by the
> operating system.
> 
> On AArch64 glibc uses PT_GNU_PROPERTY instead of PT_NOTE to check
> the properties of a binary because PT_NOTE can be unreliable with
> old linkers (old linkers just append the notes of input objects
> together and add them to the output without checking them for
> consistency which means multiple incompatible GNU property notes
> can be present in PT_NOTE).
> 
> BTI property is handled in the loader even if glibc is not built
> with BTI support, so in theory user code can be BTI protected
> independently of glibc. In practice though user binaries are not
> marked with the BTI property if glibc has no support because the
> static linked libc objects (crt files, libc_nonshared.a) are
> unmarked.
> 
> This patch relies on Linux userspace API that is not yet in a
> linux release but in v5.8-rc1 so scheduled to be in Linux 5.8.
> 
> Co-authored-by: Szabolcs Nagy <szabolcs.nagy@arm.com>


LGTM, with a jsut nit below.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>

> ---
>  sysdeps/aarch64/Makefile                      |  4 ++
>  sysdeps/aarch64/dl-bti.c                      | 54 ++++++++++++++++
>  sysdeps/aarch64/dl-prop.h                     | 63 +++++++++++++++++++
>  sysdeps/aarch64/linkmap.h                     |  3 +
>  sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h  |  1 +
>  sysdeps/unix/sysv/linux/aarch64/bits/mman.h   | 31 +++++++++
>  .../unix/sysv/linux/aarch64/cpu-features.c    |  3 +
>  .../unix/sysv/linux/aarch64/cpu-features.h    |  2 +
>  8 files changed, 161 insertions(+)
>  create mode 100644 sysdeps/aarch64/dl-bti.c
>  create mode 100644 sysdeps/aarch64/dl-prop.h
>  create mode 100644 sysdeps/unix/sysv/linux/aarch64/bits/mman.h
> 
> diff --git a/sysdeps/aarch64/Makefile b/sysdeps/aarch64/Makefile
> index 9cb141004d..5ae8b082b0 100644
> --- a/sysdeps/aarch64/Makefile
> +++ b/sysdeps/aarch64/Makefile
> @@ -1,5 +1,9 @@
>  long-double-fcts = yes
>  
> +ifeq ($(subdir),elf)
> +sysdep-dl-routines += dl-bti
> +endif
> +
>  ifeq ($(subdir),elf)
>  sysdep-dl-routines += tlsdesc dl-tlsdesc
>  gen-as-const-headers += dl-link.sym

Ok.

> diff --git a/sysdeps/aarch64/dl-bti.c b/sysdeps/aarch64/dl-bti.c
> new file mode 100644
> index 0000000000..3c92377cc8
> --- /dev/null
> +++ b/sysdeps/aarch64/dl-bti.c
> @@ -0,0 +1,54 @@
> +/* AArch64 BTI functions.
> +   Copyright (C) 2020 Free Software Foundation, Inc.
> +
> +   The GNU C Library is free software; you can redistribute it and/or
> +   modify it under the terms of the GNU Lesser General Public
> +   License as published by the Free Software Foundation; either
> +   version 2.1 of the License, or (at your option) any later version.
> +
> +   The GNU C Library is distributed in the hope that it will be useful,
> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +   Lesser General Public License for more details.
> +
> +   You should have received a copy of the GNU Lesser General Public
> +   License along with the GNU C Library; if not, see
> +   <https://www.gnu.org/licenses/>.  */
> +
> +#include <unistd.h>
> +#include <errno.h>
> +#include <libintl.h>
> +#include <ldsodefs.h>
> +
> +static int
> +enable_bti (struct link_map *map, const char *program)
> +{
> +  const ElfW(Phdr) *phdr;
> +  unsigned prot = PROT_READ | PROT_EXEC | PROT_BTI;
> +
> +  for (phdr = map->l_phdr; phdr < &map->l_phdr[map->l_phnum]; ++phdr)
> +    if (phdr->p_type == PT_LOAD && (phdr->p_flags & PF_X))
> +      {
> +	ElfW(Addr) start = phdr->p_vaddr + map->l_addr;
> +	ElfW(Addr) len = phdr->p_memsz;

I don't think ElfW(Addr) is the correct type here (although it will be
mapped to uint64_t anyway). Why not use size_t here since the idea is
really to use on __mprotect?

> +	if (__mprotect ((void *) start, len, prot) < 0)
> +	  {
> +	    if (program)
> +	      _dl_fatal_printf ("%s: mprotect failed to turn on BTI\n",
> +				map->l_name);
> +	    else
> +	      _dl_signal_error (errno, map->l_name, "dlopen",
> +				N_("mprotect failed to turn on BTI"));
> +	  }
> +      }
> +  return 0;
> +}
> +
> +/* Enable BTI for L if required.  */
> +
> +void
> +_dl_bti_check (struct link_map *l, const char *program)
> +{
> +  if (GLRO(dl_aarch64_cpu_features).bti && l->l_mach.bti)
> +    enable_bti (l, program);
> +}

Ok.

> diff --git a/sysdeps/aarch64/dl-prop.h b/sysdeps/aarch64/dl-prop.h
> new file mode 100644
> index 0000000000..b0785bda83
> --- /dev/null
> +++ b/sysdeps/aarch64/dl-prop.h
> @@ -0,0 +1,63 @@
> +/* Support for GNU properties.  AArch64 version.
> +   Copyright (C) 2018-2020 Free Software Foundation, Inc.
> +   This file is part of the GNU C Library.
> +
> +   The GNU C Library is free software; you can redistribute it and/or
> +   modify it under the terms of the GNU Lesser General Public
> +   License as published by the Free Software Foundation; either
> +   version 2.1 of the License, or (at your option) any later version.
> +
> +   The GNU C Library is distributed in the hope that it will be useful,
> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +   Lesser General Public License for more details.
> +
> +   You should have received a copy of the GNU Lesser General Public
> +   License along with the GNU C Library; if not, see
> +   <https://www.gnu.org/licenses/>.  */
> +
> +#ifndef _DL_PROP_H
> +#define _DL_PROP_H
> +
> +extern void _dl_bti_check (struct link_map *, const char *)
> +    attribute_hidden;
> +
> +static inline void __attribute__ ((always_inline))
> +_rtld_main_check (struct link_map *m, const char *program)
> +{
> +  _dl_bti_check (m, program);
> +}
> +
> +static inline void __attribute__ ((always_inline))
> +_dl_open_check (struct link_map *m)
> +{
> +  _dl_bti_check (m, NULL);
> +}
> +
> +static inline void __attribute__ ((always_inline))
> +_dl_process_pt_note (struct link_map *l, const ElfW(Phdr) *ph)
> +{
> +}
> +
> +static inline int
> +_dl_process_gnu_property (struct link_map *l, uint32_t type, uint32_t datasz,
> +			  void *data)
> +{
> +  if (type == GNU_PROPERTY_AARCH64_FEATURE_1_AND)
> +    {
> +      /* Stop if the property note is ill-formed.  */
> +      if (datasz != 4)
> +	return 0;
> +
> +      unsigned int feature_1 = *(unsigned int *) data;
> +      if (feature_1 & GNU_PROPERTY_AARCH64_FEATURE_1_BTI)
> +	l->l_mach.bti = true;
> +
> +      /* Stop if we processed the property note.  */
> +      return 0;
> +    }
> +  /* Continue.  */
> +  return 1;
> +}
> +
> +#endif /* _DL_PROP_H */

Ok.

> diff --git a/sysdeps/aarch64/linkmap.h b/sysdeps/aarch64/linkmap.h
> index 943a9ee9e4..847a03ace2 100644
> --- a/sysdeps/aarch64/linkmap.h
> +++ b/sysdeps/aarch64/linkmap.h
> @@ -16,8 +16,11 @@
>     License along with the GNU C Library; if not, see
>     <https://www.gnu.org/licenses/>.  */
>  
> +#include <stdbool.h>
> +
>  struct link_map_machine
>  {
>    ElfW(Addr) plt;	  /* Address of .plt */
>    void *tlsdesc_table;	  /* Address of TLS descriptor hash table.  */
> +  bool bti;		  /* Branch Target Identification is enabled.  */
>  };

Ok.

> diff --git a/sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h b/sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h
> index 4ee14b4208..af90d8a626 100644
> --- a/sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h
> +++ b/sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h
> @@ -72,3 +72,4 @@
>  #define HWCAP2_BF16		(1 << 14)
>  #define HWCAP2_DGH		(1 << 15)
>  #define HWCAP2_RNG		(1 << 16)
> +#define HWCAP2_BTI		(1 << 17)

Ok.

> diff --git a/sysdeps/unix/sysv/linux/aarch64/bits/mman.h b/sysdeps/unix/sysv/linux/aarch64/bits/mman.h
> new file mode 100644
> index 0000000000..ecae046344
> --- /dev/null
> +++ b/sysdeps/unix/sysv/linux/aarch64/bits/mman.h
> @@ -0,0 +1,31 @@
> +/* Definitions for POSIX memory map interface.  Linux/AArch64 version.
> +   Copyright (C) 2020 Free Software Foundation, Inc.
> +   This file is part of the GNU C Library.
> +
> +   The GNU C Library is free software; you can redistribute it and/or
> +   modify it under the terms of the GNU Lesser General Public
> +   License as published by the Free Software Foundation; either
> +   version 2.1 of the License, or (at your option) any later version.
> +
> +   The GNU C Library is distributed in the hope that it will be useful,
> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +   Lesser General Public License for more details.
> +
> +   You should have received a copy of the GNU Lesser General Public
> +   License along with the GNU C Library; if not, see
> +   <https://www.gnu.org/licenses/>.  */
> +
> +#ifndef _SYS_MMAN_H
> +# error "Never use <bits/mman.h> directly; include <sys/mman.h> instead."
> +#endif
> +
> +/* AArch64 specific definitions, should be in sync with
> +   arch/arm64/include/uapi/asm/mman.h.  */
> +
> +#define PROT_BTI	0x10
> +
> +#include <bits/mman-map-flags-generic.h>
> +
> +/* Include generic Linux declarations.  */
> +#include <bits/mman-linux.h>

Ok.

> diff --git a/sysdeps/unix/sysv/linux/aarch64/cpu-features.c b/sysdeps/unix/sysv/linux/aarch64/cpu-features.c
> index 896c588fee..b9ab827aca 100644
> --- a/sysdeps/unix/sysv/linux/aarch64/cpu-features.c
> +++ b/sysdeps/unix/sysv/linux/aarch64/cpu-features.c
> @@ -83,4 +83,7 @@ init_cpu_features (struct cpu_features *cpu_features)
>  
>    if ((dczid & DCZID_DZP_MASK) == 0)
>      cpu_features->zva_size = 4 << (dczid & DCZID_BS_MASK);
> +
> +  /* Check if BTI is supported.  */
> +  cpu_features->bti = GLRO (dl_hwcap2) & HWCAP2_BTI;
>  }

Ok.

> diff --git a/sysdeps/unix/sysv/linux/aarch64/cpu-features.h b/sysdeps/unix/sysv/linux/aarch64/cpu-features.h
> index 1389cea1b3..a81f186ec2 100644
> --- a/sysdeps/unix/sysv/linux/aarch64/cpu-features.h
> +++ b/sysdeps/unix/sysv/linux/aarch64/cpu-features.h
> @@ -20,6 +20,7 @@
>  #define _CPU_FEATURES_AARCH64_H
>  
>  #include <stdint.h>
> +#include <stdbool.h>
>  
>  #define MIDR_PARTNUM_SHIFT	4
>  #define MIDR_PARTNUM_MASK	(0xfff << MIDR_PARTNUM_SHIFT)
> @@ -64,6 +65,7 @@ struct cpu_features
>  {
>    uint64_t midr_el1;
>    unsigned zva_size;
> +  bool bti;
>  };
>  
>  #endif /* _CPU_FEATURES_AARCH64_H  */
> 

Ok.
Richard Henderson July 11, 2020, 3:58 p.m. UTC | #2
On 7/1/20 7:39 AM, Szabolcs Nagy wrote:
> +  unsigned prot = PROT_READ | PROT_EXEC | PROT_BTI;
> +
> +  for (phdr = map->l_phdr; phdr < &map->l_phdr[map->l_phnum]; ++phdr)
> +    if (phdr->p_type == PT_LOAD && (phdr->p_flags & PF_X))
> +      {
> +	ElfW(Addr) start = phdr->p_vaddr + map->l_addr;
> +	ElfW(Addr) len = phdr->p_memsz;
> +	if (__mprotect ((void *) start, len, prot) < 0)

Spend an extra cycle or two and honor the exact set of p_flags?

If I construct an executable but non-readable PT_LOAD segment, that should be
fine.  RWX with BTI would undoubtedly be an unusual case, but perhaps not
implausible in the context of a JIT with a statically allocated buffer.


r~
Szabolcs Nagy July 13, 2020, 8:32 a.m. UTC | #3
The 07/11/2020 08:58, Richard Henderson wrote:
> On 7/1/20 7:39 AM, Szabolcs Nagy wrote:
> > +  unsigned prot = PROT_READ | PROT_EXEC | PROT_BTI;
> > +
> > +  for (phdr = map->l_phdr; phdr < &map->l_phdr[map->l_phnum]; ++phdr)
> > +    if (phdr->p_type == PT_LOAD && (phdr->p_flags & PF_X))
> > +      {
> > +	ElfW(Addr) start = phdr->p_vaddr + map->l_addr;
> > +	ElfW(Addr) len = phdr->p_memsz;
> > +	if (__mprotect ((void *) start, len, prot) < 0)
> 
> Spend an extra cycle or two and honor the exact set of p_flags?
> 
> If I construct an executable but non-readable PT_LOAD segment, that should be
> fine.  RWX with BTI would undoubtedly be an unusual case, but perhaps not
> implausible in the context of a JIT with a statically allocated buffer.

hm makes sense, i'll fix it.
Szabolcs Nagy July 13, 2020, 1:14 p.m. UTC | #4
The 07/11/2020 08:58, Richard Henderson wrote:
> On 7/1/20 7:39 AM, Szabolcs Nagy wrote:
> > +  unsigned prot = PROT_READ | PROT_EXEC | PROT_BTI;
> > +
> > +  for (phdr = map->l_phdr; phdr < &map->l_phdr[map->l_phnum]; ++phdr)
> > +    if (phdr->p_type == PT_LOAD && (phdr->p_flags & PF_X))
> > +      {
> > +	ElfW(Addr) start = phdr->p_vaddr + map->l_addr;
> > +	ElfW(Addr) len = phdr->p_memsz;
> > +	if (__mprotect ((void *) start, len, prot) < 0)
> 
> Spend an extra cycle or two and honor the exact set of p_flags?
> 
> If I construct an executable but non-readable PT_LOAD segment, that should be
> fine.  RWX with BTI would undoubtedly be an unusual case, but perhaps not
> implausible in the context of a JIT with a statically allocated buffer.

i will commit the attached fix tomorrow
unless there are comments on it.
Szabolcs Nagy July 13, 2020, 1:28 p.m. UTC | #5
The 07/13/2020 14:14, Szabolcs Nagy wrote:
> The 07/11/2020 08:58, Richard Henderson wrote:
> > On 7/1/20 7:39 AM, Szabolcs Nagy wrote:
> > > +  unsigned prot = PROT_READ | PROT_EXEC | PROT_BTI;
> > > +
> > > +  for (phdr = map->l_phdr; phdr < &map->l_phdr[map->l_phnum]; ++phdr)
> > > +    if (phdr->p_type == PT_LOAD && (phdr->p_flags & PF_X))
> > > +      {
> > > +	ElfW(Addr) start = phdr->p_vaddr + map->l_addr;
> > > +	ElfW(Addr) len = phdr->p_memsz;
> > > +	if (__mprotect ((void *) start, len, prot) < 0)
> > 
> > Spend an extra cycle or two and honor the exact set of p_flags?
> > 
> > If I construct an executable but non-readable PT_LOAD segment, that should be
> > fine.  RWX with BTI would undoubtedly be an unusual case, but perhaps not
> > implausible in the context of a JIT with a statically allocated buffer.
> 
> i will commit the attached fix tomorrow
> unless there are comments on it.
> 

> From ee5765a839f6a40a61960264ed46393dc5d6c534 Mon Sep 17 00:00:00 2001
> From: Szabolcs Nagy <szabolcs.nagy@arm.com>
> Date: Mon, 13 Jul 2020 11:28:18 +0100
> Subject: [PATCH] aarch64: Respect p_flags when protecting code with PROT_BTI
> 
> Use PROT_READ and PROT_WRITE according to the load segment p_flags
> when adding PROT_BTI.
> 
> This is before processing relocations which may drop PROT_BTI in
> case of textrels.  Executable stacks are not protected via PROT_BTI
> either.  PROT_BTI is hardening in case memory corruption happened,
> it's value is reduced if there is writable and executable memory
> available so missing it on such memory is fine, but we should
> respect the p_flags and should not drop PROT_WRITE.
> ---
>  sysdeps/aarch64/dl-bti.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/sysdeps/aarch64/dl-bti.c b/sysdeps/aarch64/dl-bti.c
> index 965ddcc732..01ffb69a4a 100644
> --- a/sysdeps/aarch64/dl-bti.c
> +++ b/sysdeps/aarch64/dl-bti.c
> @@ -24,13 +24,20 @@ static int
>  enable_bti (struct link_map *map, const char *program)
>  {
>    const ElfW(Phdr) *phdr;
> -  unsigned prot = PROT_READ | PROT_EXEC | PROT_BTI;
> +  unsigned prot;
>  
>    for (phdr = map->l_phdr; phdr < &map->l_phdr[map->l_phnum]; ++phdr)
>      if (phdr->p_type == PT_LOAD && (phdr->p_flags & PF_X))
>        {
>  	void *start = (void *) (phdr->p_vaddr + map->l_addr);
>  	size_t len = phdr->p_memsz;
> +
> +	prot = PROT_EXEC | PROT_BTI;
> +	if (ph->p_flags & PF_R)

should be phdr-> instead of ph->

and i will have to wait for the tests to finish too which
takes about 40h.

> +	  prot |= PROT_READ;
> +	if (ph->p_flags & PF_W)
> +	  prot |= PROT_WRITE;
> +
>  	if (__mprotect (start, len, prot) < 0)
>  	  {
>  	    if (program)
> -- 
> 2.17.1
>
Richard Henderson July 13, 2020, 4:55 p.m. UTC | #6
On 7/13/20 6:28 AM, Szabolcs Nagy wrote:
> The 07/13/2020 14:14, Szabolcs Nagy wrote:
>> The 07/11/2020 08:58, Richard Henderson wrote:
>>> On 7/1/20 7:39 AM, Szabolcs Nagy wrote:
>>>> +  unsigned prot = PROT_READ | PROT_EXEC | PROT_BTI;
>>>> +
>>>> +  for (phdr = map->l_phdr; phdr < &map->l_phdr[map->l_phnum]; ++phdr)
>>>> +    if (phdr->p_type == PT_LOAD && (phdr->p_flags & PF_X))
>>>> +      {
>>>> +	ElfW(Addr) start = phdr->p_vaddr + map->l_addr;
>>>> +	ElfW(Addr) len = phdr->p_memsz;
>>>> +	if (__mprotect ((void *) start, len, prot) < 0)
>>>
>>> Spend an extra cycle or two and honor the exact set of p_flags?
>>>
>>> If I construct an executable but non-readable PT_LOAD segment, that should be
>>> fine.  RWX with BTI would undoubtedly be an unusual case, but perhaps not
>>> implausible in the context of a JIT with a statically allocated buffer.
>>
>> i will commit the attached fix tomorrow
>> unless there are comments on it.

Thanks.  LGTM, modulo the naming typo.


r~

>>
> 
>> From ee5765a839f6a40a61960264ed46393dc5d6c534 Mon Sep 17 00:00:00 2001
>> From: Szabolcs Nagy <szabolcs.nagy@arm.com>
>> Date: Mon, 13 Jul 2020 11:28:18 +0100
>> Subject: [PATCH] aarch64: Respect p_flags when protecting code with PROT_BTI
>>
>> Use PROT_READ and PROT_WRITE according to the load segment p_flags
>> when adding PROT_BTI.
>>
>> This is before processing relocations which may drop PROT_BTI in
>> case of textrels.  Executable stacks are not protected via PROT_BTI
>> either.  PROT_BTI is hardening in case memory corruption happened,
>> it's value is reduced if there is writable and executable memory
>> available so missing it on such memory is fine, but we should
>> respect the p_flags and should not drop PROT_WRITE.
>> ---
>>  sysdeps/aarch64/dl-bti.c | 9 ++++++++-
>>  1 file changed, 8 insertions(+), 1 deletion(-)
>>
>> diff --git a/sysdeps/aarch64/dl-bti.c b/sysdeps/aarch64/dl-bti.c
>> index 965ddcc732..01ffb69a4a 100644
>> --- a/sysdeps/aarch64/dl-bti.c
>> +++ b/sysdeps/aarch64/dl-bti.c
>> @@ -24,13 +24,20 @@ static int
>>  enable_bti (struct link_map *map, const char *program)
>>  {
>>    const ElfW(Phdr) *phdr;
>> -  unsigned prot = PROT_READ | PROT_EXEC | PROT_BTI;
>> +  unsigned prot;
>>  
>>    for (phdr = map->l_phdr; phdr < &map->l_phdr[map->l_phnum]; ++phdr)
>>      if (phdr->p_type == PT_LOAD && (phdr->p_flags & PF_X))
>>        {
>>  	void *start = (void *) (phdr->p_vaddr + map->l_addr);
>>  	size_t len = phdr->p_memsz;
>> +
>> +	prot = PROT_EXEC | PROT_BTI;
>> +	if (ph->p_flags & PF_R)
> 
> should be phdr-> instead of ph->
> 
> and i will have to wait for the tests to finish too which
> takes about 40h.
> 
>> +	  prot |= PROT_READ;
>> +	if (ph->p_flags & PF_W)
>> +	  prot |= PROT_WRITE;
>> +
>>  	if (__mprotect (start, len, prot) < 0)
>>  	  {
>>  	    if (program)
>> -- 
>> 2.17.1
>>
diff mbox series

Patch

diff --git a/sysdeps/aarch64/Makefile b/sysdeps/aarch64/Makefile
index 9cb141004d..5ae8b082b0 100644
--- a/sysdeps/aarch64/Makefile
+++ b/sysdeps/aarch64/Makefile
@@ -1,5 +1,9 @@ 
 long-double-fcts = yes
 
+ifeq ($(subdir),elf)
+sysdep-dl-routines += dl-bti
+endif
+
 ifeq ($(subdir),elf)
 sysdep-dl-routines += tlsdesc dl-tlsdesc
 gen-as-const-headers += dl-link.sym
diff --git a/sysdeps/aarch64/dl-bti.c b/sysdeps/aarch64/dl-bti.c
new file mode 100644
index 0000000000..3c92377cc8
--- /dev/null
+++ b/sysdeps/aarch64/dl-bti.c
@@ -0,0 +1,54 @@ 
+/* AArch64 BTI functions.
+   Copyright (C) 2020 Free Software Foundation, Inc.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <unistd.h>
+#include <errno.h>
+#include <libintl.h>
+#include <ldsodefs.h>
+
+static int
+enable_bti (struct link_map *map, const char *program)
+{
+  const ElfW(Phdr) *phdr;
+  unsigned prot = PROT_READ | PROT_EXEC | PROT_BTI;
+
+  for (phdr = map->l_phdr; phdr < &map->l_phdr[map->l_phnum]; ++phdr)
+    if (phdr->p_type == PT_LOAD && (phdr->p_flags & PF_X))
+      {
+	ElfW(Addr) start = phdr->p_vaddr + map->l_addr;
+	ElfW(Addr) len = phdr->p_memsz;
+	if (__mprotect ((void *) start, len, prot) < 0)
+	  {
+	    if (program)
+	      _dl_fatal_printf ("%s: mprotect failed to turn on BTI\n",
+				map->l_name);
+	    else
+	      _dl_signal_error (errno, map->l_name, "dlopen",
+				N_("mprotect failed to turn on BTI"));
+	  }
+      }
+  return 0;
+}
+
+/* Enable BTI for L if required.  */
+
+void
+_dl_bti_check (struct link_map *l, const char *program)
+{
+  if (GLRO(dl_aarch64_cpu_features).bti && l->l_mach.bti)
+    enable_bti (l, program);
+}
diff --git a/sysdeps/aarch64/dl-prop.h b/sysdeps/aarch64/dl-prop.h
new file mode 100644
index 0000000000..b0785bda83
--- /dev/null
+++ b/sysdeps/aarch64/dl-prop.h
@@ -0,0 +1,63 @@ 
+/* Support for GNU properties.  AArch64 version.
+   Copyright (C) 2018-2020 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#ifndef _DL_PROP_H
+#define _DL_PROP_H
+
+extern void _dl_bti_check (struct link_map *, const char *)
+    attribute_hidden;
+
+static inline void __attribute__ ((always_inline))
+_rtld_main_check (struct link_map *m, const char *program)
+{
+  _dl_bti_check (m, program);
+}
+
+static inline void __attribute__ ((always_inline))
+_dl_open_check (struct link_map *m)
+{
+  _dl_bti_check (m, NULL);
+}
+
+static inline void __attribute__ ((always_inline))
+_dl_process_pt_note (struct link_map *l, const ElfW(Phdr) *ph)
+{
+}
+
+static inline int
+_dl_process_gnu_property (struct link_map *l, uint32_t type, uint32_t datasz,
+			  void *data)
+{
+  if (type == GNU_PROPERTY_AARCH64_FEATURE_1_AND)
+    {
+      /* Stop if the property note is ill-formed.  */
+      if (datasz != 4)
+	return 0;
+
+      unsigned int feature_1 = *(unsigned int *) data;
+      if (feature_1 & GNU_PROPERTY_AARCH64_FEATURE_1_BTI)
+	l->l_mach.bti = true;
+
+      /* Stop if we processed the property note.  */
+      return 0;
+    }
+  /* Continue.  */
+  return 1;
+}
+
+#endif /* _DL_PROP_H */
diff --git a/sysdeps/aarch64/linkmap.h b/sysdeps/aarch64/linkmap.h
index 943a9ee9e4..847a03ace2 100644
--- a/sysdeps/aarch64/linkmap.h
+++ b/sysdeps/aarch64/linkmap.h
@@ -16,8 +16,11 @@ 
    License along with the GNU C Library; if not, see
    <https://www.gnu.org/licenses/>.  */
 
+#include <stdbool.h>
+
 struct link_map_machine
 {
   ElfW(Addr) plt;	  /* Address of .plt */
   void *tlsdesc_table;	  /* Address of TLS descriptor hash table.  */
+  bool bti;		  /* Branch Target Identification is enabled.  */
 };
diff --git a/sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h b/sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h
index 4ee14b4208..af90d8a626 100644
--- a/sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h
+++ b/sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h
@@ -72,3 +72,4 @@ 
 #define HWCAP2_BF16		(1 << 14)
 #define HWCAP2_DGH		(1 << 15)
 #define HWCAP2_RNG		(1 << 16)
+#define HWCAP2_BTI		(1 << 17)
diff --git a/sysdeps/unix/sysv/linux/aarch64/bits/mman.h b/sysdeps/unix/sysv/linux/aarch64/bits/mman.h
new file mode 100644
index 0000000000..ecae046344
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/aarch64/bits/mman.h
@@ -0,0 +1,31 @@ 
+/* Definitions for POSIX memory map interface.  Linux/AArch64 version.
+   Copyright (C) 2020 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#ifndef _SYS_MMAN_H
+# error "Never use <bits/mman.h> directly; include <sys/mman.h> instead."
+#endif
+
+/* AArch64 specific definitions, should be in sync with
+   arch/arm64/include/uapi/asm/mman.h.  */
+
+#define PROT_BTI	0x10
+
+#include <bits/mman-map-flags-generic.h>
+
+/* Include generic Linux declarations.  */
+#include <bits/mman-linux.h>
diff --git a/sysdeps/unix/sysv/linux/aarch64/cpu-features.c b/sysdeps/unix/sysv/linux/aarch64/cpu-features.c
index 896c588fee..b9ab827aca 100644
--- a/sysdeps/unix/sysv/linux/aarch64/cpu-features.c
+++ b/sysdeps/unix/sysv/linux/aarch64/cpu-features.c
@@ -83,4 +83,7 @@  init_cpu_features (struct cpu_features *cpu_features)
 
   if ((dczid & DCZID_DZP_MASK) == 0)
     cpu_features->zva_size = 4 << (dczid & DCZID_BS_MASK);
+
+  /* Check if BTI is supported.  */
+  cpu_features->bti = GLRO (dl_hwcap2) & HWCAP2_BTI;
 }
diff --git a/sysdeps/unix/sysv/linux/aarch64/cpu-features.h b/sysdeps/unix/sysv/linux/aarch64/cpu-features.h
index 1389cea1b3..a81f186ec2 100644
--- a/sysdeps/unix/sysv/linux/aarch64/cpu-features.h
+++ b/sysdeps/unix/sysv/linux/aarch64/cpu-features.h
@@ -20,6 +20,7 @@ 
 #define _CPU_FEATURES_AARCH64_H
 
 #include <stdint.h>
+#include <stdbool.h>
 
 #define MIDR_PARTNUM_SHIFT	4
 #define MIDR_PARTNUM_MASK	(0xfff << MIDR_PARTNUM_SHIFT)
@@ -64,6 +65,7 @@  struct cpu_features
 {
   uint64_t midr_el1;
   unsigned zva_size;
+  bool bti;
 };
 
 #endif /* _CPU_FEATURES_AARCH64_H  */