V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

classic Classic list List threaded Threaded
15 messages Options
Reply | Threaded
Open this post in threaded view
|

V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

H.J. Lu-30
On Tue, Aug 14, 2018 at 10:32 AM, H.J. Lu <[hidden email]> wrote:

> The older linker treats .note.gnu.property section as a generic note
> section and just concatenates all .note.gnu.property sections from the
> inputs to the output.  When the older linker is used to created the
> program on CET-enabled OS, the generated output has .note.gnu.property
> section with multiple NT_GNU_PROPERTY_TYPE_0 notes whose IBT and SHSTK
> enable bits are set even if the program isn't CET enabled.  Such program
> will crash on CET-enabled machines.  This patch updates the note parser:
>
> 1. Skip note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
> 2. Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
>
> OK for master?
>
> H.J.
> ---
>         [BZ #23509]
>         * sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Skip
>         note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
>         Update the l_cet field when processing NT_GNU_PROPERTY_TYPE_0 note.
>         Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
>         * sysdeps/x86/link_map.h (l_cet): Expand to 3 bits,  Add
>         lc_unknown.
Here is the updated patch which passed CET smoke test:

https://github.com/hjl-tools/cet-smoke-test

--
H.J.

0001-Check-multiple-NT_GNU_PROPERTY_TYPE_0-notes-BZ-23509.patch (6K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

Florian Weimer-5
* H. J. Lu:

> From e1c6cdeb7530c37ddb6688b17435c1c9a373a09c Mon Sep 17 00:00:00 2001
> From: "H.J. Lu" <[hidden email]>
> Date: Fri, 10 Aug 2018 18:43:22 -0700
> Subject: [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]
>
> The older linker treats .note.gnu.property section as a generic note
> section and just concatenates all .note.gnu.property sections from the
> inputs to the output.  When the older linker is used to created the
> program on CET-enabled OS, the generated output has .note.gnu.property
> section with multiple NT_GNU_PROPERTY_TYPE_0 notes whose IBT and SHSTK
> enable bits are set even if the program isn't CET enabled.  Such program
> will crash on CET-enabled machines.  This patch updates the note parser:
>
> 1. Skip note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
> 2. Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
>
> [BZ #23509]
> * sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Skip
> note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
> Update the l_cet field when processing NT_GNU_PROPERTY_TYPE_0 note.
> Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
> * sysdeps/x86/link_map.h (l_cet): Expand to 3 bits,  Add
> lc_unknown.

As far as I can tell, this patch catches only the case where a single
PT_NOTE segment contains multiple notes.  If there are multiple PT_NOTE
segments with notes, and each one contains a single note, the patch will
still enable CET.

Is my summary accurate?  Do you think it is safe to treat PT_NOTE
segments in isolation?

If yes, this should be mentioned in the commit message.

This seems to be an unrelated change?

+      /* Property type must be in ascending order.  */
+      if (type < last_type)
+ return;

Thanks,
Florian
Reply | Threaded
Open this post in threaded view
|

Re: V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

H.J. Lu-30
On Thu, Sep 20, 2018 at 1:54 AM, Florian Weimer <[hidden email]> wrote:

> * H. J. Lu:
>
>> From e1c6cdeb7530c37ddb6688b17435c1c9a373a09c Mon Sep 17 00:00:00 2001
>> From: "H.J. Lu" <[hidden email]>
>> Date: Fri, 10 Aug 2018 18:43:22 -0700
>> Subject: [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]
>>
>> The older linker treats .note.gnu.property section as a generic note
>> section and just concatenates all .note.gnu.property sections from the
>> inputs to the output.  When the older linker is used to created the
>> program on CET-enabled OS, the generated output has .note.gnu.property
>> section with multiple NT_GNU_PROPERTY_TYPE_0 notes whose IBT and SHSTK
>> enable bits are set even if the program isn't CET enabled.  Such program
>> will crash on CET-enabled machines.  This patch updates the note parser:
>>
>> 1. Skip note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
>> 2. Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
>>
>>       [BZ #23509]
>>       * sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Skip
>>       note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
>>       Update the l_cet field when processing NT_GNU_PROPERTY_TYPE_0 note.
>>       Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
>>       * sysdeps/x86/link_map.h (l_cet): Expand to 3 bits,  Add
>>       lc_unknown.
>
> As far as I can tell, this patch catches only the case where a single
> PT_NOTE segment contains multiple notes.  If there are multiple PT_NOTE
> segments with notes, and each one contains a single note, the patch will
> still enable CET.

I believe this is covered by CET smoke test:

https://github.com/hjl-tools/cet-smoke-test

My patch should work in all cases.  If it misses some cases, please add it
to master branch at

https://github.com/hjl-tools/cet-smoke-test

under the "note" directory.

> Is my summary accurate?  Do you think it is safe to treat PT_NOTE
> segments in isolation?

What do you mean by that?  The only assumption I made is that
property note must follow the spec.  Any violation makes it invalid.

> If yes, this should be mentioned in the commit message.
>
> This seems to be an unrelated change?
>
> +             /* Property type must be in ascending order.  */
> +             if (type < last_type)
> +               return;
>

This is the part of property spec.  If properties aren't properly
sorted, it is invalid.

--
H.J.
Reply | Threaded
Open this post in threaded view
|

Re: V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

Florian Weimer-5
* H. J. Lu:

>> As far as I can tell, this patch catches only the case where a single
>> PT_NOTE segment contains multiple notes.  If there are multiple PT_NOTE
>> segments with notes, and each one contains a single note, the patch will
>> still enable CET.
>
> I believe this is covered by CET smoke test:
>
> https://github.com/hjl-tools/cet-smoke-test
>
> My patch should work in all cases.  If it misses some cases, please add it
> to master branch at
>
> https://github.com/hjl-tools/cet-smoke-test
>
> under the "note" directory.
>
>> Is my summary accurate?  Do you think it is safe to treat PT_NOTE
>> segments in isolation?
>
> What do you mean by that?  The only assumption I made is that
> property note must follow the spec.  Any violation makes it invalid.
I'm attaching a patched executable which has two PT_NOTE segments with
separately valid GNU property notes (if I did my patching correctly).

I think your code will still accept it.  It is conceivable that a linker
which is not aware of the required merging for property notes would
create such segments, I think.

>> If yes, this should be mentioned in the commit message.
>>
>> This seems to be an unrelated change?
>>
>> +             /* Property type must be in ascending order.  */
>> +             if (type < last_type)
>> +               return;
>>
>
> This is the part of property spec.  If properties aren't properly
> sorted, it is invalid.
Okay, that part makes sense because it's internal to the notes AFAICS.
And note merging without GNU property note awareness will likely violate
this constraint.  Maybe you could add a comment to this effect?

Thanks,
Florian

patched (10K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

H.J. Lu-30
On Fri, Sep 21, 2018 at 7:49 AM, Florian Weimer <[hidden email]> wrote:

> * H. J. Lu:
>
>>> As far as I can tell, this patch catches only the case where a single
>>> PT_NOTE segment contains multiple notes.  If there are multiple PT_NOTE
>>> segments with notes, and each one contains a single note, the patch will
>>> still enable CET.
>>
>> I believe this is covered by CET smoke test:
>>
>> https://github.com/hjl-tools/cet-smoke-test
>>
>> My patch should work in all cases.  If it misses some cases, please add it
>> to master branch at
>>
>> https://github.com/hjl-tools/cet-smoke-test
>>
>> under the "note" directory.
>>
>>> Is my summary accurate?  Do you think it is safe to treat PT_NOTE
>>> segments in isolation?
>>
>> What do you mean by that?  The only assumption I made is that
>> property note must follow the spec.  Any violation makes it invalid.
>
> I'm attaching a patched executable which has two PT_NOTE segments with
> separately valid GNU property notes (if I did my patching correctly).
>
> I think your code will still accept it.  It is conceivable that a linker
> which is not aware of the required merging for property notes would
> create such segments, I think.

My goal is to allow older linkers which don't understand property notes
to generate working executables on CET enabled OS.  It isn't tended to
handle all hand-crafted binaries.  The worst case is that such binaries
won't run on CET enabled OS.  I don't believe it is an issue.  It may even
be a bonus.

Do you have a testcase which may be generated by an old linker on
CET enabled OS?

>>> If yes, this should be mentioned in the commit message.
>>>
>>> This seems to be an unrelated change?
>>>
>>> +             /* Property type must be in ascending order.  */
>>> +             if (type < last_type)
>>> +               return;
>>>
>>
>> This is the part of property spec.  If properties aren't properly
>> sorted, it is invalid.
>
> Okay, that part makes sense because it's internal to the notes AFAICS.
> And note merging without GNU property note awareness will likely violate
> this constraint.  Maybe you could add a comment to this effect?

I updated comments to

              /* Property types must be sorted in ascending order.
                 Ignore property note with the wrong type order.  */
              if (type < last_type)
                return;

Thanks.

--
H.J.
Reply | Threaded
Open this post in threaded view
|

Re: V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

Florian Weimer-5
* H. J. Lu:

> My goal is to allow older linkers which don't understand property notes
> to generate working executables on CET enabled OS.  It isn't tended to
> handle all hand-crafted binaries.  The worst case is that such binaries
> won't run on CET enabled OS.  I don't believe it is an issue.  It may even
> be a bonus.
>
> Do you have a testcase which may be generated by an old linker on
> CET enabled OS?

My position is that ELF is an open format and that we don't really know
what kind of link editors are out there and are used in practice.

Other views are certainly possible.  I mainly wanted to understand the
rationale behind the code.  If you do not expect multiple PT_NOTE
segments with properly aligned property notes, I think that's okay.  We
can adjust the dynamic linker again if such binaries show up in the
future.

>> Okay, that part makes sense because it's internal to the notes AFAICS.
>> And note merging without GNU property note awareness will likely violate
>> this constraint.  Maybe you could add a comment to this effect?
>
> I updated comments to
>
>               /* Property types must be sorted in ascending order.
>                  Ignore property note with the wrong type order.  */
>               if (type < last_type)
>                 return;

Thanks.

Florian
Reply | Threaded
Open this post in threaded view
|

Re: V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

Florian Weimer-5
In reply to this post by Florian Weimer-5
* Florian Weimer:

>>> If yes, this should be mentioned in the commit message.
>>>
>>> This seems to be an unrelated change?
>>>
>>> +             /* Property type must be in ascending order.  */
>>> +             if (type < last_type)
>>> +               return;
>>>
>>
>> This is the part of property spec.  If properties aren't properly
>> sorted, it is invalid.
>
> Okay, that part makes sense because it's internal to the notes AFAICS.
> And note merging without GNU property note awareness will likely violate
> this constraint.  Maybe you could add a comment to this effect?

Hmm, isn't the point that this is the internal type in the note (not the
tag), and there isn't any *note* merging, only note *section* merging in
an old linker.  The latter leaves the note boundaries intact, so the
internal layout will be unmodified.

Or am I confused about this?

Thanks,
Florian
Reply | Threaded
Open this post in threaded view
|

Re: V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

Florian Weimer-5
In reply to this post by H.J. Lu-30
* H. J. Lu:

> The older linker treats .note.gnu.property section as a generic note
> section and just concatenates all .note.gnu.property sections from the
> inputs to the output.  When the older linker is used to created the
> program on CET-enabled OS, the generated output has .note.gnu.property
> section with multiple NT_GNU_PROPERTY_TYPE_0 notes whose IBT and SHSTK
> enable bits are set even if the program isn't CET enabled.  Such program
> will crash on CET-enabled machines.  This patch updates the note parser:
>
> 1. Skip note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
> 2. Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
>
> [BZ #23509]
> * sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Skip
> note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
> Update the l_cet field when processing NT_GNU_PROPERTY_TYPE_0 note.
> Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
> * sysdeps/x86/link_map.h (l_cet): Expand to 3 bits,  Add
> lc_unknown.

I would like to move this forward.

I think the code is okay, as long as we are confident that older linkers
will not produce multiple PT_NOTE segments, each containing one
NT_GNU_PROPERTY_TYPE_0 note.  Maybe this should be mentioned in the
commit message (assuming that you agree that my understanding of the
code is correct).

Thanks,
Florian
Reply | Threaded
Open this post in threaded view
|

Re: V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

H.J. Lu-30
In reply to this post by Florian Weimer-5
On Wed, Nov 7, 2018 at 10:27 AM Florian Weimer <[hidden email]> wrote:

>
> * Florian Weimer:
>
> >>> If yes, this should be mentioned in the commit message.
> >>>
> >>> This seems to be an unrelated change?
> >>>
> >>> +             /* Property type must be in ascending order.  */
> >>> +             if (type < last_type)
> >>> +               return;
> >>>
> >>
> >> This is the part of property spec.  If properties aren't properly
> >> sorted, it is invalid.
> >
> > Okay, that part makes sense because it's internal to the notes AFAICS.
> > And note merging without GNU property note awareness will likely violate
> > this constraint.  Maybe you could add a comment to this effect?
>
> Hmm, isn't the point that this is the internal type in the note (not the
> tag), and there isn't any *note* merging, only note *section* merging in
> an old linker.  The latter leaves the note boundaries intact, so the
> internal layout will be unmodified.
>

Older linkers will concatenate all input GNU property note sections
into a single output GNU property note section without merging them.

--
H.J.
Reply | Threaded
Open this post in threaded view
|

Re: V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

H.J. Lu-30
In reply to this post by Florian Weimer-5
On Wed, Nov 7, 2018 at 10:32 AM Florian Weimer <[hidden email]> wrote:

>
> * H. J. Lu:
>
> > The older linker treats .note.gnu.property section as a generic note
> > section and just concatenates all .note.gnu.property sections from the
> > inputs to the output.  When the older linker is used to created the
> > program on CET-enabled OS, the generated output has .note.gnu.property
> > section with multiple NT_GNU_PROPERTY_TYPE_0 notes whose IBT and SHSTK
> > enable bits are set even if the program isn't CET enabled.  Such program
> > will crash on CET-enabled machines.  This patch updates the note parser:
> >
> > 1. Skip note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
> > 2. Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
> >
> >       [BZ #23509]
> >       * sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Skip
> >       note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
> >       Update the l_cet field when processing NT_GNU_PROPERTY_TYPE_0 note.
> >       Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
> >       * sysdeps/x86/link_map.h (l_cet): Expand to 3 bits,  Add
> >       lc_unknown.
>
> I would like to move this forward.
>
> I think the code is okay, as long as we are confident that older linkers
> will not produce multiple PT_NOTE segments, each containing one
> NT_GNU_PROPERTY_TYPE_0 note.  Maybe this should be mentioned in the
> commit message (assuming that you agree that my understanding of the
> code is correct).
>
Like this?

--
H.J.

0001-Check-multiple-NT_GNU_PROPERTY_TYPE_0-notes-BZ-23509.patch (7K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

Florian Weimer-5
* H. J. Lu:

> On Wed, Nov 7, 2018 at 10:32 AM Florian Weimer <[hidden email]> wrote:
>>
>> * H. J. Lu:
>>
>> > The older linker treats .note.gnu.property section as a generic note
>> > section and just concatenates all .note.gnu.property sections from the
>> > inputs to the output.  When the older linker is used to created the
>> > program on CET-enabled OS, the generated output has .note.gnu.property
>> > section with multiple NT_GNU_PROPERTY_TYPE_0 notes whose IBT and SHSTK
>> > enable bits are set even if the program isn't CET enabled.  Such program
>> > will crash on CET-enabled machines.  This patch updates the note parser:
>> >
>> > 1. Skip note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
>> > 2. Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
>> >
>> >       [BZ #23509]
>> >       * sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Skip
>> >       note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
>> >       Update the l_cet field when processing NT_GNU_PROPERTY_TYPE_0 note.
>> >       Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
>> >       * sysdeps/x86/link_map.h (l_cet): Expand to 3 bits,  Add
>> >       lc_unknown.
>>
>> I would like to move this forward.
>>
>> I think the code is okay, as long as we are confident that older linkers
>> will not produce multiple PT_NOTE segments, each containing one
>> NT_GNU_PROPERTY_TYPE_0 note.  Maybe this should be mentioned in the
>> commit message (assuming that you agree that my understanding of the
>> code is correct).
>>
>
> Like this?

Sorry, let me rephrase:

The commit message talks about sections, not segments.  The code deals
with PT_NOTE segments, obviously.

Old linkers produce multiple PT_NOTE segments for the *same* alignment
if they process multiple note sections with differing alignment in a
certain order.  (It does not happen always.)

Based on reading the code, I think that if the first PT_NOTE segment it
encounters contains one NT_GNU_PROPERTY_TYPE_0 note that enables CET, it
will enable CET even if the loader produced multiple PT_NOTE segments,
and there is another (unmerged) NT_GNU_PROPERTY_TYPE_0 note in a
subsequent PT_NOTE segment.  This means that the current code can still
incorrectly enable CET in cases where an old linker produced a multitude
of PT_NOTE sections.

Based on the patch and the discussion so far it is unclear to me whether
you have analyzed the issue and concluded that split PT_NOTE segments of
the same alignment (as generated by old linkers in some cases) are not
relevant, or if it is an accidental omission in the patch.  The
explaination in the patch itself does not help because of the
section/segment discrepancy I mentioned first.

Thanks,
Florian
Reply | Threaded
Open this post in threaded view
|

Re: V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

H.J. Lu-30
On Thu, Nov 8, 2018 at 2:52 AM Florian Weimer <[hidden email]> wrote:

>
> * H. J. Lu:
>
> > On Wed, Nov 7, 2018 at 10:32 AM Florian Weimer <[hidden email]> wrote:
> >>
> >> * H. J. Lu:
> >>
> >> > The older linker treats .note.gnu.property section as a generic note
> >> > section and just concatenates all .note.gnu.property sections from the
> >> > inputs to the output.  When the older linker is used to created the
> >> > program on CET-enabled OS, the generated output has .note.gnu.property
> >> > section with multiple NT_GNU_PROPERTY_TYPE_0 notes whose IBT and SHSTK
> >> > enable bits are set even if the program isn't CET enabled.  Such program
> >> > will crash on CET-enabled machines.  This patch updates the note parser:
> >> >
> >> > 1. Skip note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
> >> > 2. Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
> >> >
> >> >       [BZ #23509]
> >> >       * sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Skip
> >> >       note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
> >> >       Update the l_cet field when processing NT_GNU_PROPERTY_TYPE_0 note.
> >> >       Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
> >> >       * sysdeps/x86/link_map.h (l_cet): Expand to 3 bits,  Add
> >> >       lc_unknown.
> >>
> >> I would like to move this forward.
> >>
> >> I think the code is okay, as long as we are confident that older linkers
> >> will not produce multiple PT_NOTE segments, each containing one
> >> NT_GNU_PROPERTY_TYPE_0 note.  Maybe this should be mentioned in the
> >> commit message (assuming that you agree that my understanding of the
> >> code is correct).
> >>
> >
> > Like this?
>
> Sorry, let me rephrase:
>
> The commit message talks about sections, not segments.  The code deals
> with PT_NOTE segments, obviously.

See my reply before.

> Old linkers produce multiple PT_NOTE segments for the *same* alignment
> if they process multiple note sections with differing alignment in a
> certain order.  (It does not happen always.)

True.

> Based on reading the code, I think that if the first PT_NOTE segment it
> encounters contains one NT_GNU_PROPERTY_TYPE_0 note that enables CET, it
> will enable CET even if the loader produced multiple PT_NOTE segments,
> and there is another (unmerged) NT_GNU_PROPERTY_TYPE_0 note in a
> subsequent PT_NOTE segment.  This means that the current code can still
> incorrectly enable CET in cases where an old linker produced a multitude
> of PT_NOTE sections.

Linkers group input note sections with the same name into a single output note
section with the same name.  One output note section is placed in one PT_NOTE
segment.  There won't be "another (unmerged) NT_GNU_PROPERTY_TYPE_0
note in a subsequent PT_NOTE segment."

> Based on the patch and the discussion so far it is unclear to me whether
> you have analyzed the issue and concluded that split PT_NOTE segments of
> the same alignment (as generated by old linkers in some cases) are not
> relevant, or if it is an accidental omission in the patch.  The
> explaination in the patch itself does not help because of the
> section/segment discrepancy I mentioned first.
>


--
H.J.
Reply | Threaded
Open this post in threaded view
|

Re: V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

H.J. Lu-30
On Thu, Nov 8, 2018 at 5:15 AM H.J. Lu <[hidden email]> wrote:

>
> On Thu, Nov 8, 2018 at 2:52 AM Florian Weimer <[hidden email]> wrote:
> >
> > * H. J. Lu:
> >
> > > On Wed, Nov 7, 2018 at 10:32 AM Florian Weimer <[hidden email]> wrote:
> > >>
> > >> * H. J. Lu:
> > >>
> > >> > The older linker treats .note.gnu.property section as a generic note
> > >> > section and just concatenates all .note.gnu.property sections from the
> > >> > inputs to the output.  When the older linker is used to created the
> > >> > program on CET-enabled OS, the generated output has .note.gnu.property
> > >> > section with multiple NT_GNU_PROPERTY_TYPE_0 notes whose IBT and SHSTK
> > >> > enable bits are set even if the program isn't CET enabled.  Such program
> > >> > will crash on CET-enabled machines.  This patch updates the note parser:
> > >> >
> > >> > 1. Skip note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
> > >> > 2. Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
> > >> >
> > >> >       [BZ #23509]
> > >> >       * sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Skip
> > >> >       note parsing if a NT_GNU_PROPERTY_TYPE_0 note has been processed.
> > >> >       Update the l_cet field when processing NT_GNU_PROPERTY_TYPE_0 note.
> > >> >       Check multiple NT_GNU_PROPERTY_TYPE_0 notes.
> > >> >       * sysdeps/x86/link_map.h (l_cet): Expand to 3 bits,  Add
> > >> >       lc_unknown.
> > >>
> > >> I would like to move this forward.
> > >>
> > >> I think the code is okay, as long as we are confident that older linkers
> > >> will not produce multiple PT_NOTE segments, each containing one
> > >> NT_GNU_PROPERTY_TYPE_0 note.  Maybe this should be mentioned in the
> > >> commit message (assuming that you agree that my understanding of the
> > >> code is correct).
> > >>
> > >
> > > Like this?
> >
> > Sorry, let me rephrase:
> >
> > The commit message talks about sections, not segments.  The code deals
> > with PT_NOTE segments, obviously.
>
> See my reply before.
>
> > Old linkers produce multiple PT_NOTE segments for the *same* alignment
> > if they process multiple note sections with differing alignment in a
> > certain order.  (It does not happen always.)
>
> True.
>
> > Based on reading the code, I think that if the first PT_NOTE segment it
> > encounters contains one NT_GNU_PROPERTY_TYPE_0 note that enables CET, it
> > will enable CET even if the loader produced multiple PT_NOTE segments,
> > and there is another (unmerged) NT_GNU_PROPERTY_TYPE_0 note in a
> > subsequent PT_NOTE segment.  This means that the current code can still
> > incorrectly enable CET in cases where an old linker produced a multitude
> > of PT_NOTE sections.
>
> Linkers group input note sections with the same name into a single output note
> section with the same name.  One output note section is placed in one PT_NOTE
> segment.  There won't be "another (unmerged) NT_GNU_PROPERTY_TYPE_0
> note in a subsequent PT_NOTE segment."
>
> > Based on the patch and the discussion so far it is unclear to me whether
> > you have analyzed the issue and concluded that split PT_NOTE segments of
> > the same alignment (as generated by old linkers in some cases) are not
> > relevant, or if it is an accidental omission in the patch.  The
> > explaination in the patch itself does not help because of the
> > section/segment discrepancy I mentioned first.
> >
Here is the updated patch with

Linkers group input note sections with the same name into one output
note section with the same name.  One output note section is placed in
one PT_NOTE segment.  Since new linkers merge input .note.gnu.property
sections into one output .note.gnu.property section, there is only
one NT_GNU_PROPERTY_TYPE_0 note in one PT_NOTE segment with new linkers.
Since older linkers treat input .note.gnu.property section as a generic
note section and just concatenate all input .note.gnu.property sections
into one output .note.gnu.property section without merging them, we may
see multiple NT_GNU_PROPERTY_TYPE_0 notes in one PT_NOTE segment with
older linkers.


--
H.J.

0001-Check-multiple-NT_GNU_PROPERTY_TYPE_0-notes-BZ-23509.patch (7K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

Florian Weimer-5
* H. J. Lu:

> Here is the updated patch with
>
> Linkers group input note sections with the same name into one output
> note section with the same name.  One output note section is placed in
> one PT_NOTE segment.  Since new linkers merge input .note.gnu.property
> sections into one output .note.gnu.property section, there is only
> one NT_GNU_PROPERTY_TYPE_0 note in one PT_NOTE segment with new linkers.
> Since older linkers treat input .note.gnu.property section as a generic
> note section and just concatenate all input .note.gnu.property sections
> into one output .note.gnu.property section without merging them, we may
> see multiple NT_GNU_PROPERTY_TYPE_0 notes in one PT_NOTE segment with
> older linkers.

Thanks.  This hypothesis regarding older linkers seems reasonable, and
the explanation is very clear now.  The code looks okay to me.

Would you please backport this to the 2.28 release branch as well?

Thanks,
Florian
Reply | Threaded
Open this post in threaded view
|

Re: V2 [PATCH] Check multiple NT_GNU_PROPERTY_TYPE_0 notes [BZ #23509]

H.J. Lu-30
On Thu, Nov 8, 2018 at 9:41 AM Florian Weimer <[hidden email]> wrote:

>
> * H. J. Lu:
>
> > Here is the updated patch with
> >
> > Linkers group input note sections with the same name into one output
> > note section with the same name.  One output note section is placed in
> > one PT_NOTE segment.  Since new linkers merge input .note.gnu.property
> > sections into one output .note.gnu.property section, there is only
> > one NT_GNU_PROPERTY_TYPE_0 note in one PT_NOTE segment with new linkers.
> > Since older linkers treat input .note.gnu.property section as a generic
> > note section and just concatenate all input .note.gnu.property sections
> > into one output .note.gnu.property section without merging them, we may
> > see multiple NT_GNU_PROPERTY_TYPE_0 notes in one PT_NOTE segment with
> > older linkers.
>
> Thanks.  This hypothesis regarding older linkers seems reasonable, and
> the explanation is very clear now.  The code looks okay to me.
I checked it into master branch.

> Would you please backport this to the 2.28 release branch as well?
>

I am backporting this patch to 2.28 branch.

--
H.J.

0001-Check-multiple-NT_GNU_PROPERTY_TYPE_0-notes-BZ-23509.patch (9K) Download Attachment