From patchwork Tue Aug 3 21:59:13 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "H.J. Lu" X-Patchwork-Id: 44566 X-Patchwork-Delegate: azanella@linux.vnet.ibm.com Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 0FD92384F03F for ; Tue, 3 Aug 2021 21:59:40 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 0FD92384F03F DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1628027980; bh=R/JsluPq9Z5RYLaYXe/m6BuinST4obzJG7YppEG/yEE=; h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:From; b=sjwxyjO+P82HctJ4G9dYG3JDEDaqzC4Gk/NKx3/sIqPG8Ai4Vdciu+VAO8UNvCV3P gMu2EOH2tDBCJvSUPw/XSSUiRLZp1hTeFpdGyKoM78+sUKF6/s6Lzot5Q09H8uuTSG dfIb9HzXPE8g3xuBw1I99HHYx8RsG+rjfg+jC+XI= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) by sourceware.org (Postfix) with ESMTPS id 5DF1C3857436 for ; Tue, 3 Aug 2021 21:59:17 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 5DF1C3857436 Received: by mail-pj1-x102f.google.com with SMTP id g23-20020a17090a5797b02901765d605e14so730633pji.5 for ; Tue, 03 Aug 2021 14:59:17 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :content-transfer-encoding; bh=R/JsluPq9Z5RYLaYXe/m6BuinST4obzJG7YppEG/yEE=; b=XXYx+uxnTQvyiHaD+YoHEsM3ntm1NQrzm6hr/Ecx5LBrxyTXH7AHoIcWTdR4C1Lrun 7qBiHGcJC8F8co/GPBrdSUCXZVrIk5AW9vzNCIH4x6QbXLwGPCQnBAlYVJIahduxBQr3 EcGZYz3YdJJj2S18JWmkWSBR7qpRsMiYTiCvKsSz51/UbIVBR+c80v07ixB3rqVgjNYM NXgTtvCwr/anZprHbBv9Ra5bzU7aniKYWNRz9TN+0uoXd/5Mmb8oDGSuxBM5Rw0D9fQa LtNXVbHr1pYy8gxsdzthpNQwZH6olz6ITzGeMTYWIS3tnAc9ueOiqvZbytZuYgTKiohL wxPw== X-Gm-Message-State: AOAM530N0NQ2xHr1tKfC2hjbgpJWSkzeMtfXwk9ObO1aOkObBQy/yYa+ HIzl3H9l4DoJT52GCD59QRLG3X9NWho= X-Google-Smtp-Source: ABdhPJynXjufe7NQanZKOBy4x63zE4Munnews5VOU0fRPYrr+DJzAIC9hSSJBdUPEz5LmSpbNqQR0A== X-Received: by 2002:a17:90a:a390:: with SMTP id x16mr24962143pjp.136.1628027956303; Tue, 03 Aug 2021 14:59:16 -0700 (PDT) Received: from gnu-cfl-2.localdomain ([172.58.38.240]) by smtp.gmail.com with ESMTPSA id p20sm3729350pju.48.2021.08.03.14.59.15 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Aug 2021 14:59:16 -0700 (PDT) Received: from gnu-cfl-2.. (localhost [IPv6:::1]) by gnu-cfl-2.localdomain (Postfix) with ESMTP id BC43EC02CB for ; Tue, 3 Aug 2021 14:59:14 -0700 (PDT) To: libc-alpha@sourceware.org Subject: [PATCH 1/2] Initial support for GNU_PROPERTY_1_NEEDED Date: Tue, 3 Aug 2021 14:59:13 -0700 Message-Id: <20210803215914.4170913-1-hjl.tools@gmail.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 X-Spam-Status: No, score=-3033.6 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: "H.J. Lu via Libc-alpha" From: "H.J. Lu" Reply-To: "H.J. Lu" Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" 1. Add GNU_PROPERTY_1_NEEDED: #define GNU_PROPERTY_1_NEEDED GNU_PROPERTY_UINT32_OR_LO to indicate the needed properties by the object file. 2. Add GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS: #define GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS (1U << 0) to indicate that the object file requires canonical function pointers and cannot be used with copy relocation. 3. Scan GNU_PROPERTY_1_NEEDED property and store it in l_1_needed. Reviewed-by: Adhemerval Zanella --- elf/elf.h | 17 +++++++++++++++++ sysdeps/generic/dl-prop.h | 9 ++++++++- sysdeps/generic/link_map.h | 3 ++- sysdeps/x86/dl-prop.h | 19 ++++++++++++++----- sysdeps/x86/link_map.h | 2 ++ 5 files changed, 43 insertions(+), 7 deletions(-) diff --git a/elf/elf.h b/elf/elf.h index 4738dfa28f..50f87baceb 100644 --- a/elf/elf.h +++ b/elf/elf.h @@ -1312,6 +1312,23 @@ typedef struct /* No copy relocation on protected data symbol. */ #define GNU_PROPERTY_NO_COPY_ON_PROTECTED 2 +/* A 4-byte unsigned integer property: A bit is set if it is set in all + relocatable inputs. */ +#define GNU_PROPERTY_UINT32_AND_LO 0xb0000000 +#define GNU_PROPERTY_UINT32_AND_HI 0xb0007fff + +/* A 4-byte unsigned integer property: A bit is set if it is set in any + relocatable inputs. */ +#define GNU_PROPERTY_UINT32_OR_LO 0xb0008000 +#define GNU_PROPERTY_UINT32_OR_HI 0xb000ffff + +/* The needed properties by the object file. */ +#define GNU_PROPERTY_1_NEEDED GNU_PROPERTY_UINT32_OR_LO + +/* Set if the object file requires canonical function pointers and + cannot be used with copy relocation. */ +#define GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS (1U << 0) + /* Processor-specific semantics, lo */ #define GNU_PROPERTY_LOPROC 0xc0000000 /* Processor-specific semantics, hi */ diff --git a/sysdeps/generic/dl-prop.h b/sysdeps/generic/dl-prop.h index eaee8052b6..207aadb35d 100644 --- a/sysdeps/generic/dl-prop.h +++ b/sysdeps/generic/dl-prop.h @@ -47,7 +47,14 @@ static inline int __attribute__ ((always_inline)) _dl_process_gnu_property (struct link_map *l, int fd, uint32_t type, uint32_t datasz, void *data) { - return 0; + /* Continue until GNU_PROPERTY_1_NEEDED is found. */ + if (type == GNU_PROPERTY_1_NEEDED) + { + if (datasz == 4) + l->l_1_needed = *(unsigned int *) data; + return 0; + } + return 1; } #endif /* _DL_PROP_H */ diff --git a/sysdeps/generic/link_map.h b/sysdeps/generic/link_map.h index a056184690..9f482b8c20 100644 --- a/sysdeps/generic/link_map.h +++ b/sysdeps/generic/link_map.h @@ -1 +1,2 @@ -/* No architecture specific definitions. */ +/* GNU_PROPERTY_1_NEEDED of this object. */ +unsigned int l_1_needed; diff --git a/sysdeps/x86/dl-prop.h b/sysdeps/x86/dl-prop.h index 56bd020b3c..385548fad3 100644 --- a/sysdeps/x86/dl-prop.h +++ b/sysdeps/x86/dl-prop.h @@ -97,6 +97,7 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note, const ElfW(Addr) start = (ElfW(Addr)) note; + unsigned int needed_1 = 0; unsigned int feature_1_and = 0; unsigned int isa_1_needed = 0; unsigned int last_type = 0; @@ -141,7 +142,8 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note, last_type = type; if (type == GNU_PROPERTY_X86_FEATURE_1_AND - || type == GNU_PROPERTY_X86_ISA_1_NEEDED) + || type == GNU_PROPERTY_X86_ISA_1_NEEDED + || type == GNU_PROPERTY_1_NEEDED) { /* The sizes of types which we are searching for are 4 bytes. There is no point to continue if this @@ -151,12 +153,18 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note, /* NB: Stop the scan only after seeing all types which we are searching for. */ - _Static_assert ((GNU_PROPERTY_X86_ISA_1_NEEDED > - GNU_PROPERTY_X86_FEATURE_1_AND), + _Static_assert (((GNU_PROPERTY_X86_ISA_1_NEEDED + > GNU_PROPERTY_X86_FEATURE_1_AND) + && (GNU_PROPERTY_X86_FEATURE_1_AND + > GNU_PROPERTY_1_NEEDED)), "GNU_PROPERTY_X86_ISA_1_NEEDED > " - "GNU_PROPERTY_X86_FEATURE_1_AND"); + "GNU_PROPERTY_X86_FEATURE_1_AND && " + "GNU_PROPERTY_X86_FEATURE_1_AND > " + "GNU_PROPERTY_1_NEEDED"); if (type == GNU_PROPERTY_X86_FEATURE_1_AND) feature_1_and = *(unsigned int *) ptr; + else if (type == GNU_PROPERTY_1_NEEDED) + needed_1 = *(unsigned int *) ptr; else { isa_1_needed = *(unsigned int *) ptr; @@ -187,9 +195,10 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note, } /* We get here only if there is one or no GNU property note. */ - if (isa_1_needed != 0 || feature_1_and != 0) + if (needed_1 != 0 || isa_1_needed != 0 || feature_1_and != 0) { l->l_property = lc_property_valid; + l->l_1_needed = needed_1; l->l_x86_isa_1_needed = isa_1_needed; l->l_x86_feature_1_and = feature_1_and; } diff --git a/sysdeps/x86/link_map.h b/sysdeps/x86/link_map.h index 4c46a25f83..0c7e25dc96 100644 --- a/sysdeps/x86/link_map.h +++ b/sysdeps/x86/link_map.h @@ -29,3 +29,5 @@ unsigned int l_x86_feature_1_and; /* GNU_PROPERTY_X86_ISA_1_NEEDED of this object. */ unsigned int l_x86_isa_1_needed; + +#include From patchwork Tue Aug 3 21:59:14 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "H.J. Lu" X-Patchwork-Id: 44567 X-Patchwork-Delegate: azanella@linux.vnet.ibm.com Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 16DC2396E07E for ; Tue, 3 Aug 2021 22:00:25 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 16DC2396E07E DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1628028025; bh=+HlTecsglP7wvJWjG+sM2DMD/mv4LGSbVS/NlQoAPnE=; h=To:Subject:Date:In-Reply-To:References:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To: From; b=KpDED+DRQcv3+anfEIJNAu5b1hFHAXoLyTToy/orftPUN5Mi9WrUw5DPtjsvrGKEi bNPHJ8/fF5ajAV1r8SoKv374CYrWy/3wn0CTjK+PfNCj/hjKHsvZ0IQoYSCuvQcKSU WJMz3FPDpP4ZLfajmEHmIRvFNoPoV1LgvgCIj1XI= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com [IPv6:2607:f8b0:4864:20::102a]) by sourceware.org (Postfix) with ESMTPS id 7C35F385703F for ; Tue, 3 Aug 2021 21:59:17 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 7C35F385703F Received: by mail-pj1-x102a.google.com with SMTP id t7-20020a17090a5d87b029017807007f23so2686622pji.5 for ; Tue, 03 Aug 2021 14:59:17 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=+HlTecsglP7wvJWjG+sM2DMD/mv4LGSbVS/NlQoAPnE=; b=bJNiaVYbHRcNPvgj1anVdVBnZ7N7XCDoJSuGNsyNqkvi8HDs5/pk20pqoWWwVn+AFE 3uhAP6EVaxe9KP9WsSVM8QXSR56RlY1iwvl+RmZva7kjFmqofMZ/PGPpqRmHz0NSGr/v F8wnuHpeLjhy+jn9nAyAQKV2jRHxVpc9sHAaB57NJz5KOLC7+T7CF9Tl9tfgHlA5oB4F RccolahGyIvqZ2YZmTaOtQBHLLu+rJe2GNQvLshD/24VWfwkleROSp/puxZA9ZQ+BYlf fDCOuNFV8H3kKKbcdfdP12M5wTS3w+ckQvPFCqccOhGhNSPLIXBZOKkeabXZUBzmlO3T FORw== X-Gm-Message-State: AOAM530hJqh30q0oHD6/24TOw21x/+sXBybVjd6PieOs/B03vcs2QwIt 1BcbnCx35HyVg1/pBObuB6rqCSqzxVQ= X-Google-Smtp-Source: ABdhPJwah4EYSTo5kXXwiqyQxhUDPxuj13wPhxMmbkaL0+JxptDivtopfGAQSIUBNX5x/4jEFOOnDw== X-Received: by 2002:a17:902:a9c1:b029:12b:8ae3:e077 with SMTP id b1-20020a170902a9c1b029012b8ae3e077mr20452568plr.75.1628027956490; Tue, 03 Aug 2021 14:59:16 -0700 (PDT) Received: from gnu-cfl-2.localdomain ([172.58.38.240]) by smtp.gmail.com with ESMTPSA id v5sm72659pgi.74.2021.08.03.14.59.15 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Aug 2021 14:59:16 -0700 (PDT) Received: from gnu-cfl-2.. (localhost [IPv6:::1]) by gnu-cfl-2.localdomain (Postfix) with ESMTP id BE01BC02FD for ; Tue, 3 Aug 2021 14:59:14 -0700 (PDT) To: libc-alpha@sourceware.org Subject: [PATCH 2/2] Add run-time chesk for indirect external access Date: Tue, 3 Aug 2021 14:59:14 -0700 Message-Id: <20210803215914.4170913-2-hjl.tools@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210803215914.4170913-1-hjl.tools@gmail.com> References: <20210803215914.4170913-1-hjl.tools@gmail.com> MIME-Version: 1.0 X-Spam-Status: No, score=-3033.6 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, GIT_PATCH_0, KAM_SHORT, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: "H.J. Lu via Libc-alpha" From: "H.J. Lu" Reply-To: "H.J. Lu" Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" When performing symbol lookup for references in executable without indirect external access: 1. Disallow copy relocations in executable against protected data symbols in a shared object with indirect external access. 2. Disallow non-zero symbol values of undefined function symbols in executable, which are used as the function pointer, against protected function symbols in a shared object with indirect external access. Reviewed-by: Adhemerval Zanella --- elf/dl-lookup.c | 5 ++++ sysdeps/generic/dl-protected.h | 54 ++++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 sysdeps/generic/dl-protected.h diff --git a/elf/dl-lookup.c b/elf/dl-lookup.c index eea217eb28..430359af39 100644 --- a/elf/dl-lookup.c +++ b/elf/dl-lookup.c @@ -24,6 +24,7 @@ #include #include #include +#include #include #include #include @@ -527,6 +528,10 @@ do_lookup_x (const char *undef_name, uint_fast32_t new_hash, if (__glibc_unlikely (dl_symbol_visibility_binds_local_p (sym))) goto skip; + if (ELFW(ST_VISIBILITY) (sym->st_other) == STV_PROTECTED) + _dl_check_protected_symbol (undef_name, undef_map, ref, map, + type_class); + switch (ELFW(ST_BIND) (sym->st_info)) { case STB_WEAK: diff --git a/sysdeps/generic/dl-protected.h b/sysdeps/generic/dl-protected.h new file mode 100644 index 0000000000..244d020dc4 --- /dev/null +++ b/sysdeps/generic/dl-protected.h @@ -0,0 +1,54 @@ +/* Support for STV_PROTECTED visibility. Generic version. + Copyright (C) 2021 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#ifndef _DL_PROTECTED_H +#define _DL_PROTECTED_H + +static inline void __attribute__ ((always_inline)) +_dl_check_protected_symbol (const char *undef_name, + const struct link_map *undef_map, + const ElfW(Sym) *ref, + const struct link_map *map, + int type_class) +{ + if (undef_map != NULL + && undef_map->l_type == lt_executable + && !(undef_map->l_1_needed + & GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS) + && (map->l_1_needed + & GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS)) + { + if ((type_class & ELF_RTYPE_CLASS_COPY)) + /* Disallow copy relocations in executable against protected + data symbols in a shared object which needs indirect external + access. */ + _dl_signal_error (0, map->l_name, undef_name, + N_("copy relocation against non-copyable protected symbol")); + else if (ref->st_value != 0 + && ref->st_shndx == SHN_UNDEF + && (type_class & ELF_RTYPE_CLASS_PLT)) + /* Disallow non-zero symbol values of undefined symbols in + executable, which are used as the function pointer, against + protected function symbols in a shared object with indirect + external access. */ + _dl_signal_error (0, map->l_name, undef_name, + N_("non-canonical reference to canonical protected function")); + } +} + +#endif /* _DL_PROTECTED_H */