|
Message-Id: <cover.1606319495.git.szabolcs.nagy@arm.com> Date: Fri, 27 Nov 2020 13:19:16 +0000 From: Szabolcs Nagy <szabolcs.nagy@....com> To: libc-alpha@...rceware.org Cc: Mark Rutland <mark.rutland@....com>, Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>, linux-kernel@...r.kernel.org, Jeremy Linton <jeremy.linton@....com>, Mark Brown <broonie@...nel.org>, kernel-hardening@...ts.openwall.com, Topi Miettinen <toiwoton@...il.com>, linux-arm-kernel@...ts.infradead.org Subject: [PATCH v2 0/6] aarch64: avoid mprotect(PROT_BTI|PROT_EXEC) [BZ #26831] This is v2 of https://sourceware.org/pipermail/libc-alpha/2020-November/119305.html To enable BTI support, re-mmap executable segments instead of mprotecting them in case mprotect is seccomp filtered. I would like linux to change to map the main exe with PROT_BTI when that is marked as BTI compatible. From the linux side i heard the following concerns about this: - it's an ABI change so requires some ABI bump. (this is fine with me, i think glibc does not care about backward compat as nothing can reasonably rely on the current behaviour, but if we have a new bit in auxv or similar then we can save one mprotect call.) - in case we discover compatibility issues with user binaries it's better if userspace can easily disable BTI (e.g. removing the mprotect based on some env var, but if kernel adds PROT_BTI and mprotect is filtered then we have no reliable way to remove that from executables. this problem already exists for static linked exes, although admittedly those are less of a compat concern.) - ideally PROT_BTI would be added via a new syscall that does not interfere with PROT_EXEC filtering. (this does not conflict with the current patches: even with a new syscall we need a fallback.) - solve it in systemd (e.g. turn off the filter, use better filter): i would prefer not to have aarch64 (or BTI) specific policy in user code. and there was no satisfying way to do this portably. Other concerns about the approach: - mmap is more expensive than mprotect: in my measurements using mmap instead of mprotect is 3-8x slower (and after mmap pages have to be faulted in again), but e.g. the exec time of a program with 4 deps only increases by < 8% due to the 4 new mmaps. (the kernel side resource usage may increase too, i didnt look at that.) - _dl_signal_error is not valid from the _dl_process_gnu_property hook. The v2 set addresses this problem: i could either propagate the errors up until they can be handled or solve it in the aarch64 backend by first recording failures and then dealing with them in _dl_open_check. I choose the latter, but did some refactorings in _dl_map_object_from_fd that makes the former possible too. v2: - [1/6]: New patch that fixes a missed BTI bug found during v2. - [2-3/6]: New, _dl_map_object_from_fd failure handling improvements, these are independent of the rest of the series. - [4/6]: Move the note handling to a different place (after l_phdr setup, but before fd is closed). - [5/6]: Rebased. - [6/6]: First record errors and only report them later. (this fixes various failure handling issues.) Szabolcs Nagy (6): aarch64: Fix missing BTI protection from dependencies [BZ #26926] elf: lose is closely tied to _dl_map_object_from_fd elf: Fix failure handling in _dl_map_object_from_fd elf: Move note processing after l_phdr is updated elf: Pass the fd to note processing aarch64: Use mmap to add PROT_BTI instead of mprotect [BZ #26831] elf/dl-load.c | 110 ++++++++++++++++++++----------------- elf/rtld.c | 4 +- sysdeps/aarch64/dl-bti.c | 74 ++++++++++++++++++------- sysdeps/aarch64/dl-prop.h | 14 +++-- sysdeps/aarch64/linkmap.h | 2 +- sysdeps/generic/dl-prop.h | 6 +- sysdeps/generic/ldsodefs.h | 5 +- sysdeps/x86/dl-prop.h | 6 +- 8 files changed, 135 insertions(+), 86 deletions(-) -- 2.17.1
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.