[Bug dynamic-link/23509] New: CET enabled glibc is incompatible with the older linker


[Bug dynamic-link/23509] New: CET enabled glibc is incompatible with the older linker

albert.aribaud at 3adev dot fr
https://sourceware.org/bugzilla/show_bug.cgi?id=23509

            Bug ID: 23509
           Summary: CET enabled glibc is incompatible with the older linker
           Product: glibc
           Version: 2.29
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: hjl.tools at gmail dot com
  Target Milestone: ---
            Target: i386,x86-64

The older linker treats .note.gnu.property as a generic note and
just concatenates all .note.gnu.property sections from the input
to the output:

[hjl@gnu-cet-1 cet-5]$ readelf -n foo

Displaying notes found in: .note.gnu.property
  Owner                 Data size       Description
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK

Displaying notes found in: .note.ABI-tag
  Owner                 Data size       Description
  GNU                  0x00000010       NT_GNU_ABI_TAG (ABI version tag)
    OS: Linux, ABI: 3.2.0

Displaying notes found in: .note.gnu.build-id
  Owner                 Data size       Description
  GNU                  0x00000014       NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: 5157f1baccad8f68cd95440a98967c9374286125
[hjl@gnu-cet-1 cet-5]$

On a CET machine, it crashed:

[hjl@gnu-cet-1 cet-5]$ cat foo.c
void
foo (void)
{
}

void
__attribute__((noinline, noclone))
bar (void (*func) (void))
{
  func ();
}

int
main ()
{
  bar (foo);
  return 0;
}
[hjl@gnu-cet-1 cet-5]$ make
gcc -g -O0 -fcf-protection=none   -c -o foo.o foo.c
gcc -B./usr/local/bin/ -o foo foo.o
./foo
make: *** [Makefile:9: all] Segmentation fault
[hjl@gnu-cet-1 cet-5]$ gdb foo
GNU gdb (GDB) Fedora 8.1.1-3.fc28
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
BFD: warning: /export/home/hjl/bugs/libc/cet-5/foo: unsupported GNU_PROPERTY_TYPE (5) type: 0xc0000003
Reading symbols from foo...done.
(gdb) r
Starting program: /export/home/hjl/bugs/libc/cet-5/foo
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.27-30.7.fc28.x86_64

Program received signal SIGSEGV, Segmentation fault.
main () at foo.c:15
15      {
(gdb) disass
Dump of assembler code for function main:
=> 0x00000000004005e2 <+0>:     push   %rbp
   0x00000000004005e3 <+1>:     mov    %rsp,%rbp
   0x00000000004005e6 <+4>:     mov    $0x4005c6,%edi
   0x00000000004005eb <+9>:     callq  0x4005cd <bar>
   0x00000000004005f0 <+14>:    mov    $0x0,%eax
   0x00000000004005f5 <+19>:    pop    %rbp
   0x00000000004005f6 <+20>:    retq  
End of assembler dump.
(gdb) bt
#0  main () at foo.c:15
(gdb)

--
You are receiving this mail because:
You are on the CC list for the bug.

[Bug dynamic-link/23509] CET enabled glibc is incompatible with the older linker

albert.aribaud at 3adev dot fr
https://sourceware.org/bugzilla/show_bug.cgi?id=23509

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com


[Bug dynamic-link/23509] CET enabled glibc is incompatible with the older linker

albert.aribaud at 3adev dot fr
https://sourceware.org/bugzilla/show_bug.cgi?id=23509

--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  d524fa6c35e675eedbd8fe6cdf4db0b49c658026 (commit)
      from  ac8060265bcaca61568ef3a20b9a0140a270af54 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d524fa6c35e675eedbd8fe6cdf4db0b49c658026

commit d524fa6c35e675eedbd8fe6cdf4db0b49c658026
Author: H.J. Lu <[hidden email]>
Date:   Thu Nov 8 10:06:58 2018 -0800

    Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

    Linkers group input note sections with the same name into one output
    note section with the same name.  One output note section is placed in
    one PT_NOTE segment.  Since new linkers merge input .note.gnu.property
    sections into one output .note.gnu.property section, there is only
    one NT_GNU_PROPERTY_TYPE_0 note in one PT_NOTE segment with new linkers.
    Since older linkers treat input .note.gnu.property section as a generic
    note section and just concatenate all input .note.gnu.property sections
    into one output .note.gnu.property section without merging them, we may
    see multiple NT_GNU_PROPERTY_TYPE_0 notes in one PT_NOTE segment with
    older linkers.

    When an older linker is used to create the program on a CET-enabled OS,
    the linker output has a single .note.gnu.property section with multiple
    NT_GNU_PROPERTY_TYPE_0 notes, some of which have IBT and SHSTK enable
    bits set even if the program isn't CET enabled.  Such programs will
    crash on CET-enabled machines.  This patch updates the note parser:

    1. Skip note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
    2. Check multiple NT_GNU_PROPERTY_TYPE_0 notes.

        [BZ #23509]
        * sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Skip
        note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
        Update the l_cet field when processing NT_GNU_PROPERTY_TYPE_0 note.
        Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
        * sysdeps/x86/link_map.h (l_cet): Expand to 3 bits.  Add
        lc_unknown.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog              |   10 +++++++++
 sysdeps/x86/dl-prop.h  |   51 ++++++++++++++++++++++++++++++++++++++---------
 sysdeps/x86/link_map.h |    9 ++++---
 3 files changed, 56 insertions(+), 14 deletions(-)

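The note-parsing rule the commit message above describes, as an added example in C (not glibc's code): walk one PT_NOTE segment, let the first NT_GNU_PROPERTY_TYPE_0 note decide the IBT/SHSTK status, and treat a second such note, which only an older concatenating linker produces, as a reason to report the object as not CET-enabled. The demote-to-none policy, the function names and the constructed note buffers are my assumptions; the constants are the ELF property values the readelf output in the bug report refers to.

```c
#include <stdint.h>
#include <string.h>
#define NT_GNU_PROPERTY_TYPE_0 5
#define FEATURE_1_AND 0xc0000002u   /* GNU_PROPERTY_X86_FEATURE_1_AND */
#define FEATURE_1_IBT_SHSTK 0x3u    /* GNU_PROPERTY_X86_FEATURE_1_IBT | _SHSTK */
enum cet_status { CET_NO_NOTE, CET_NONE, CET_ENABLED };
static size_t align_up(size_t v, size_t a) { return (v + a - 1) & ~(a - 1); }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
/* GNU_PROPERTY_X86_FEATURE_1_AND bits of one note descriptor; 0 if absent or malformed. */
static uint32_t feature_1_of(const uint8_t *d, size_t descsz, size_t align)
{
  for (size_t off = 0; off + 8 <= descsz; ) {
    uint32_t pr_type = rd32(d + off), pr_datasz = rd32(d + off + 4);
    off += 8;
    if (pr_datasz > descsz - off) return 0;           /* property runs past the descriptor */
    if (pr_type == FEATURE_1_AND && pr_datasz == 4) return rd32(d + off);
    off += align_up(pr_datasz, align);                /* data is padded to the note alignment */
  }
  return 0;
}
/* Walk one PT_NOTE segment image (align = p_align: 8 on x86-64, 4 on i386).  The first property
   note decides; a second one means concatenated input notes, so demote to CET_NONE (assumed policy). */
enum cet_status classify_pt_note(const uint8_t *seg, size_t len, size_t align, int *notes_seen)
{
  enum cet_status st = CET_NO_NOTE;
  *notes_seen = 0;
  for (size_t off = 0; off + 12 <= len; ) {
    uint32_t namesz = rd32(seg + off), descsz = rd32(seg + off + 4), type = rd32(seg + off + 8);
    size_t desc_off = align_up(off + 12 + namesz, align);
    size_t next = desc_off + align_up(descsz, align);
    if (next > len) break;                            /* truncated or corrupt: never read past it */
    if (type == NT_GNU_PROPERTY_TYPE_0 && namesz == 4 && memcmp(seg + off + 12, "GNU", 4) == 0) {
      if (++*notes_seen > 1) return CET_NONE;
      uint32_t f = feature_1_of(seg + desc_off, descsz, align);
      st = (f & FEATURE_1_IBT_SHSTK) == FEATURE_1_IBT_SHSTK ? CET_ENABLED : CET_NONE;
    }
    off = next;
  }
  return st;
}
/* Constructed input: n copies of the 32-byte x86-64 note readelf showed, each carrying `bits`,
   in host byte order (x86 is little-endian, so the layout matches a real file). */
enum cet_status classify_concatenated(int n, uint32_t bits)
{
  uint8_t seg[8 * 32]; int seen;
  uint32_t w[8] = { 4, 16, NT_GNU_PROPERTY_TYPE_0, 0, FEATURE_1_AND, 4, bits, 0 };
  memcpy(w + 3, "GNU", 4);                            /* 4-byte owner name "GNU\0" */
  for (int i = 0; i < n && i < 8; i++) memcpy(seg + 32 * i, w, 32);
  return classify_pt_note(seg, 32 * (size_t)(n < 8 ? n : 8), 8, &seen);
}
```

Six notes all advertising IBT and SHSTK, as in the readelf listing for foo, come back as CET_NONE, which is the outcome that keeps a non-CET program from being run with CET enforcement.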

[Bug dynamic-link/23509] CET enabled glibc is incompatible with the older linker

albert.aribaud at 3adev dot fr
https://sourceware.org/bugzilla/show_bug.cgi?id=23509

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.28/master has been updated
       via  3e8d8dd5afba18a847ff7a80f473336f777cc329 (commit)
      from  fc0e3393ff775aa795b523083bb0db7f18d3b91e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3e8d8dd5afba18a847ff7a80f473336f777cc329

commit 3e8d8dd5afba18a847ff7a80f473336f777cc329
Author: H.J. Lu <[hidden email]>
Date:   Thu Nov 8 10:06:58 2018 -0800

    Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

    Linkers group input note sections with the same name into one output
    note section with the same name.  One output note section is placed in
    one PT_NOTE segment.  Since new linkers merge input .note.gnu.property
    sections into one output .note.gnu.property section, there is only
    one NT_GNU_PROPERTY_TYPE_0 note in one PT_NOTE segment with new linkers.
    Since older linkers treat input .note.gnu.property section as a generic
    note section and just concatenate all input .note.gnu.property sections
    into one output .note.gnu.property section without merging them, we may
    see multiple NT_GNU_PROPERTY_TYPE_0 notes in one PT_NOTE segment with
    older linkers.

    When an older linker is used to create the program on a CET-enabled OS,
    the linker output has a single .note.gnu.property section with multiple
    NT_GNU_PROPERTY_TYPE_0 notes, some of which have IBT and SHSTK enable
    bits set even if the program isn't CET enabled.  Such programs will
    crash on CET-enabled machines.  This patch updates the note parser:

    1. Skip note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
    2. Check multiple NT_GNU_PROPERTY_TYPE_0 notes.

        [BZ #23509]
        * sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Skip
        note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
        Update the l_cet field when processing NT_GNU_PROPERTY_TYPE_0 note.
        Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
        * sysdeps/x86/link_map.h (l_cet): Expand to 3 bits.  Add
        lc_unknown.

    (cherry picked from commit d524fa6c35e675eedbd8fe6cdf4db0b49c658026)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog              |   10 +++++++++
 NEWS                   |    1 +
 sysdeps/x86/dl-prop.h  |   51 ++++++++++++++++++++++++++++++++++++++---------
 sysdeps/x86/link_map.h |    9 ++++---
 4 files changed, 57 insertions(+), 14 deletions(-)


[Bug dynamic-link/23509] CET enabled glibc is incompatible with the older linker

albert.aribaud at 3adev dot fr
https://sourceware.org/bugzilla/show_bug.cgi?id=23509

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.29

--- Comment #3 from H.J. Lu <hjl.tools at gmail dot com> ---
Fixed for 2.29 and 2.28 branch.
