From patchwork Thu Jun 24 13:49:37 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "H.J. Lu" X-Patchwork-Id: 43997 Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id F3F9C3888C72 for ; Thu, 24 Jun 2021 13:53:04 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org F3F9C3888C72 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1624542785; bh=+HlTecsglP7wvJWjG+sM2DMD/mv4LGSbVS/NlQoAPnE=; h=To:Subject:Date:In-Reply-To:References:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=e5IKbJSq/jtjdVudfXkYT094atSiVy9SuopJ0JUHUwYRpoW+cR1NEed/NBT03ZSR1 xT/3zYoTzws0brP6uaFzYOQ/oDTdUN+YrDRlDykNgt+WKkHTNrLXEOJ7Z1axzH16i8 1ykHqLqekj7TeQ51VuhUp8mFwD2NF25cnahyQcJA= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pl1-x634.google.com (mail-pl1-x634.google.com [IPv6:2607:f8b0:4864:20::634]) by sourceware.org (Postfix) with ESMTPS id A0F083888019 for ; Thu, 24 Jun 2021 13:49:41 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org A0F083888019 Received: by mail-pl1-x634.google.com with SMTP id v13so2982368ple.9 for ; Thu, 24 Jun 2021 06:49:41 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=+HlTecsglP7wvJWjG+sM2DMD/mv4LGSbVS/NlQoAPnE=; b=Bk8/v2pueEQ5v4TUU01cVqFyw0HC1YZxePvqQkm5P2mdEJ/JPlEMa4LGzrtXCI3cH9 Gcn6JIObQLChqh6A9FF3h7QcR7ihEp4NrmetFH6v85JVNeU15LFL6W7T7Sw1R/k2MgLz qfTT3B8ia51B1n8ixGQjiqT/25SHCh9xoS6DFlHVOLivuqO4o87+DxhU0bpzsZJtqJNl 7YApt1EI+FRI99auPArZud7irmV1Q4RJQAbOpCda1IGncRPu5waU8tiGGOQoJo+vjGD4 GjLNlUmk2Oc1Np6f2jjZvr9LQ7+4qIA0gkgT7XHpg4OwtpCC3UkpBBhUULfhckSjx8l9 stLQ== X-Gm-Message-State: AOAM533yeZuNoRXz6OclygtkY31p1DKG2rjpZ5XwL32nQ3n5Vt7qee+s bcY+W83sqra5Cui6WQrx2lI= X-Google-Smtp-Source: ABdhPJzkJ4eV2QDkGoEZH8kTWeXSxwMCKoZWcjmnHbAqw9JiJoo7f2keZ4/McccdUSDdvi0feE4AVA== X-Received: by 2002:a17:90a:1c02:: with SMTP id s2mr5523399pjs.172.1624542580842; Thu, 24 Jun 2021 06:49:40 -0700 (PDT) Received: from gnu-cfl-2.localdomain ([172.56.39.115]) by smtp.gmail.com with ESMTPSA id b18sm8701516pjq.2.2021.06.24.06.49.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 24 Jun 2021 06:49:40 -0700 (PDT) Received: from gnu-cfl-2.. (localhost [IPv6:::1]) by gnu-cfl-2.localdomain (Postfix) with ESMTP id E9FEEC04CF; Thu, 24 Jun 2021 06:49:38 -0700 (PDT) To: libc-alpha@sourceware.org Subject: [PATCH v2 3/4] Add run-time chesk for indirect external access Date: Thu, 24 Jun 2021 06:49:37 -0700 Message-Id: <20210624134938.2025098-4-hjl.tools@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210624134938.2025098-1-hjl.tools@gmail.com> References: <20210624134938.2025098-1-hjl.tools@gmail.com> MIME-Version: 1.0 X-Spam-Status: No, score=-3032.6 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, GIT_PATCH_0, KAM_SHORT, RCVD_IN_BARRACUDACENTRAL, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: "H.J. Lu via Libc-alpha" From: "H.J. Lu" Reply-To: "H.J. Lu" Cc: Florian Weimer Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" When performing symbol lookup for references in executable without indirect external access: 1. Disallow copy relocations in executable against protected data symbols in a shared object with indirect external access. 2. Disallow non-zero symbol values of undefined function symbols in executable, which are used as the function pointer, against protected function symbols in a shared object with indirect external access. --- elf/dl-lookup.c | 5 ++++ sysdeps/generic/dl-protected.h | 54 ++++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 sysdeps/generic/dl-protected.h diff --git a/elf/dl-lookup.c b/elf/dl-lookup.c index eea217eb28..430359af39 100644 --- a/elf/dl-lookup.c +++ b/elf/dl-lookup.c @@ -24,6 +24,7 @@ #include #include #include +#include #include #include #include @@ -527,6 +528,10 @@ do_lookup_x (const char *undef_name, uint_fast32_t new_hash, if (__glibc_unlikely (dl_symbol_visibility_binds_local_p (sym))) goto skip; + if (ELFW(ST_VISIBILITY) (sym->st_other) == STV_PROTECTED) + _dl_check_protected_symbol (undef_name, undef_map, ref, map, + type_class); + switch (ELFW(ST_BIND) (sym->st_info)) { case STB_WEAK: diff --git a/sysdeps/generic/dl-protected.h b/sysdeps/generic/dl-protected.h new file mode 100644 index 0000000000..244d020dc4 --- /dev/null +++ b/sysdeps/generic/dl-protected.h @@ -0,0 +1,54 @@ +/* Support for STV_PROTECTED visibility. Generic version. + Copyright (C) 2021 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#ifndef _DL_PROTECTED_H +#define _DL_PROTECTED_H + +static inline void __attribute__ ((always_inline)) +_dl_check_protected_symbol (const char *undef_name, + const struct link_map *undef_map, + const ElfW(Sym) *ref, + const struct link_map *map, + int type_class) +{ + if (undef_map != NULL + && undef_map->l_type == lt_executable + && !(undef_map->l_1_needed + & GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS) + && (map->l_1_needed + & GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS)) + { + if ((type_class & ELF_RTYPE_CLASS_COPY)) + /* Disallow copy relocations in executable against protected + data symbols in a shared object which needs indirect external + access. */ + _dl_signal_error (0, map->l_name, undef_name, + N_("copy relocation against non-copyable protected symbol")); + else if (ref->st_value != 0 + && ref->st_shndx == SHN_UNDEF + && (type_class & ELF_RTYPE_CLASS_PLT)) + /* Disallow non-zero symbol values of undefined symbols in + executable, which are used as the function pointer, against + protected function symbols in a shared object with indirect + external access. */ + _dl_signal_error (0, map->l_name, undef_name, + N_("non-canonical reference to canonical protected function")); + } +} + +#endif /* _DL_PROTECTED_H */