[Bug dynamic-link/25397] New: Legacy bitmap isn't freed when
[Bug dynamic-link/25397] New: Legacy bitmap isn't freed when

glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25397

            Bug ID: 25397
           Summary: Legacy bitmap isn't freed when
           Product: glibc
           Version: 2.31
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: hjl.tools at gmail dot com
  Target Milestone: ---

When CET is enabled, during dlopen, dl_cet_check does:

1. Allocate legacy bitmap for each legacy DSO.
2. If SHSTK is enabled, call _dl_signal_error if there is a legacy DSO.

But the legacy bitmap for legacy DSOs is never cleared.  We need to clear
the legacy bitmap for legacy DSOs before calling _dl_signal_error.

--
You are receiving this mail because:
You are on the CC list for the bug.
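The report's split between "legacy" and CET-enabled DSOs comes from the NT_GNU_PROPERTY_TYPE_0 note (.note.gnu.property, mapped by PT_GNU_PROPERTY): an object whose GNU_PROPERTY_X86_FEATURE_1_AND property lacks the IBT bit is legacy for indirect branch tracking, and that is the object the bitmap was allocated for. The parser below is an added example written for this page, not glibc's own loader code. The note layout and the constant values are those of the ELF gABI and glibc's <elf.h> (repeated here so the file builds without it); the three sample notes are constructed inline in x86-64 (little-endian) byte order.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same values as glibc's <elf.h>.  */
#define NT_GNU_PROPERTY_TYPE_0           5
#define GNU_PROPERTY_STACK_SIZE          1
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002U
#define GNU_PROPERTY_X86_FEATURE_1_IBT   (1U << 0)
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK (1U << 1)

/* ELF notes are in the target's byte order; x86-64 is little-endian.  */
static uint32_t rd32le(const unsigned char *p)
{
  return (uint32_t) p[0] | (uint32_t) p[1] << 8
         | (uint32_t) p[2] << 16 | (uint32_t) p[3] << 24;
}

static size_t align_up(size_t x, size_t a) { return (x + a - 1) & ~(a - 1); }

/* Scan one NT_GNU_PROPERTY_TYPE_0 note of an ELFCLASS64 object (properties are
   8-byte aligned there) and return the GNU_PROPERTY_X86_FEATURE_1_AND bits.
   Returns 0 for a malformed or truncated note or when the property is absent,
   which is exactly the "legacy" case.  */
uint32_t x86_feature_1_from_note(const unsigned char *note, size_t len)
{
  if (note == NULL || len < 12)
    return 0;
  uint32_t namesz = rd32le(note), descsz = rd32le(note + 4), type = rd32le(note + 8);
  if (type != NT_GNU_PROPERTY_TYPE_0 || namesz != 4)
    return 0;
  size_t desc_off = 12 + align_up(namesz, 4);
  if (desc_off + descsz > len || memcmp(note + 12, "GNU", 4) != 0)
    return 0;

  const unsigned char *desc = note + desc_off, *end = desc + descsz;
  while ((size_t) (end - desc) >= 8)
    {
      uint32_t pr_type = rd32le(desc), pr_datasz = rd32le(desc + 4);
      size_t pr_len = 8 + align_up(pr_datasz, 8);
      if (pr_len > (size_t) (end - desc))
        return 0;                       /* property runs past the descriptor */
      if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND)
        return pr_datasz == 4 ? rd32le(desc + 8) : 0;
      desc += pr_len;                   /* skip e.g. GNU_PROPERTY_STACK_SIZE */
    }
  return 0;
}

/* A DSO is legacy for IBT when its note does not carry the IBT bit; an object
   with no property note at all (pass len == 0) is legacy as well.  */
int dso_is_cet_legacy(const unsigned char *note, size_t len)
{
  return (x86_feature_1_from_note(note, len) & GNU_PROPERTY_X86_FEATURE_1_IBT) == 0;
}

/* Constructed sample: what readelf -n reports as "x86 feature: IBT, SHSTK".  */
const unsigned char sample_note_cet[32] = {
  4, 0, 0, 0,   16, 0, 0, 0,   5, 0, 0, 0,   'G', 'N', 'U', 0,
  0x02, 0x00, 0x00, 0xc0,   4, 0, 0, 0,   0x03, 0, 0, 0,   0, 0, 0, 0 };

/* Constructed sample: SHSTK only, so legacy for IBT.  */
const unsigned char sample_note_shstk_only[32] = {
  4, 0, 0, 0,   16, 0, 0, 0,   5, 0, 0, 0,   'G', 'N', 'U', 0,
  0x02, 0x00, 0x00, 0xc0,   4, 0, 0, 0,   0x02, 0, 0, 0,   0, 0, 0, 0 };

/* Constructed sample: a GNU_PROPERTY_STACK_SIZE property precedes the
   feature property, exercising the skip logic.  IBT only.  */
const unsigned char sample_note_two_props[48] = {
  4, 0, 0, 0,   32, 0, 0, 0,   5, 0, 0, 0,   'G', 'N', 'U', 0,
  1, 0, 0, 0,   8, 0, 0, 0,   0, 0, 0x10, 0, 0, 0, 0, 0,
  0x02, 0x00, 0x00, 0xc0,   4, 0, 0, 0,   0x01, 0, 0, 0,   0, 0, 0, 0 };

int main(void)
{
  printf("cet note:        legacy=%d\n", dso_is_cet_legacy(sample_note_cet, sizeof sample_note_cet));
  printf("shstk-only note: legacy=%d\n", dso_is_cet_legacy(sample_note_shstk_only, sizeof sample_note_shstk_only));
  printf("two-prop note:   legacy=%d\n", dso_is_cet_legacy(sample_note_two_props, sizeof sample_note_two_props));
  printf("no note:         legacy=%d\n", dso_is_cet_legacy(NULL, 0));
  return 0;
}
```

The parser treats every malformed note as "no IBT", the conservative direction: a loader that read a truncated descriptor as CET-enabled would skip the legacy handling for an object that never promised ENDBR64 at its branch targets.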

[Bug dynamic-link/25397] Legacy bitmap isn't freed when shadow stack is enabled

glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25397

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Legacy bitmap isn't freed   |Legacy bitmap isn't freed
                   |when                        |when shadow stack is
                   |                            |enabled


[Bug dynamic-link/25397] Legacy bitmap isn't freed when shadow stack is enabled

glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25397

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-


[Bug dynamic-link/25397] Legacy bitmap doesn't cover jitted code

glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25397

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Legacy bitmap isn't freed   |Legacy bitmap doesn't cover
                   |when shadow stack is        |jitted code
                   |enabled                     |

--- Comment #1 from H.J. Lu <hjl.tools at gmail dot com> ---
(In reply to H.J. Lu from comment #0)
> When CET is enabled, during dlopen, dl_cet_check does:
>
> 1. Allocate legacy bitmap for each legacy DSO.

Since the legacy bitmap doesn't cover jitted code generated by a JIT engine
within the legacy DSO, this raises the question of how useful the legacy
bitmap is.

> 2. If SHSTK is enabled, call _dl_signal_error if there is a legacy DSO.
>
> But legacy bitmap for legacy DSOs is never cleared.  We need to clear
> legacy bitmap for legacy DSOs before calling _dl_signal_error.


[Bug dynamic-link/25397] Legacy bitmap doesn't cover jitted code

glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25397

--- Comment #2 from H.J. Lu <hjl.tools at gmail dot com> ---
A testcase:

---
#include <stdio.h>
#include <sys/mman.h>

#define PAGE_SIZE 0x1000

int
main(int argc, char *argv[])
{
  void (*funcp) (void);

  /* A writable and executable page outside any DSO, standing in for a
     JIT code buffer.  */
  funcp = mmap(NULL, PAGE_SIZE, PROT_EXEC | PROT_READ | PROT_WRITE,
               MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);

  if (funcp == MAP_FAILED)
    {
      printf("mmap failed!\n");
      return -1;
    }

  printf("mmap = %p\n", funcp);

  /* Write RET instruction.  No ENDBR64 precedes it, so the page is not a
     valid IBT target.  */
  *(char *) funcp = 0xc3;

  /* Indirect call: with IBT enabled this faults unless the target is
     covered by the legacy bitmap or starts with ENDBR64.  */
  funcp ();

  return 0;
}
---

Compiling this with -fcf-protection=none, it fails with the legacy bitmap
on CET processors since the legacy bitmap doesn't cover the mmap region.


[Bug dynamic-link/25397] Legacy bitmap doesn't cover jitted code

Sourceware - glibc-bugs mailing list
https://sourceware.org/bugzilla/show_bug.cgi?id=25397

--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by H.J. Lu <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1fabdb99084df004f7f4cdc7068d1be209a258be

commit 1fabdb99084df004f7f4cdc7068d1be209a258be
Author: H.J. Lu <[hidden email]>
Date:   Wed Mar 18 04:35:54 2020 -0700

    x86: Remove ARCH_CET_LEGACY_BITMAP [BZ #25397]

    Since legacy bitmap doesn't cover jitted code generated by legacy JIT
    engine, it isn't very useful.  This patch removes ARCH_CET_LEGACY_BITMAP
    and treats indirect branch tracking similar to shadow stack by removing
    legacy bitmap support.

    Tested on CET Linux/x86-64 and non-CET Linux/x86-64.

    Reviewed-by: Carlos O'Donell <[hidden email]>


[Bug dynamic-link/25397] Legacy bitmap doesn't cover jitted code

Sourceware - glibc-bugs mailing list
https://sourceware.org/bugzilla/show_bug.cgi?id=25397

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.32
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from H.J. Lu <hjl.tools at gmail dot com> ---
Fixed for 2.32.
