From: Szabolcs Nagy <szabolcs.nagy@arm.com>
To: Catalin Marinas <catalin.marinas@arm.com>
Cc: Mark Brown <broonie@kernel.org>,
Jeremy Linton <jeremy.linton@arm.com>,
Will Deacon <will@kernel.org>, "H . J . Lu" <hjl.tools@gmail.com>,
Yu-cheng Yu <yu-cheng.yu@intel.com>,
linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
libc-alpha@sourceware.org, Mark Rutland <mark.rutland@arm.com>
Subject: Re: [PATCH v7 0/4] arm64: Enable BTI for the executable as well as the interpreter
Date: Thu, 27 Jan 2022 14:48:20 +0000 [thread overview]
Message-ID: <20220127144820.GF1989194@arm.com> (raw)
In-Reply-To: <YfKO7r5l7AUvd8r/@arm.com>
The 01/27/2022 12:24, Catalin Marinas wrote:
> (Mark posted another series but I'm replying here to clarify some
> aspects)
>
> On Tue, Jan 18, 2022 at 11:02:55AM +0000, Szabolcs Nagy wrote:
> > The 01/17/2022 17:54, Catalin Marinas wrote:
> > > On Fri, Jan 07, 2022 at 12:01:17PM +0000, Catalin Marinas wrote:
> > > > I think we can look at this from two angles:
> > > >
> > > > 1. Ignoring MDWE, should whoever does the original mmap() also honour
> > > > PROT_BTI? We do this for static binaries but, for consistency, should
> > > > we extend it to dynamic executable?
> > > >
> > > > 2. A 'simple' fix to allow MDWE together with BTI.
> > >
> > > Thinking about it, (1) is not that different from the kernel setting
> > > PROT_EXEC on the main executable when the dynamic loader could've done
> > > it as well. There is a case for making this more consistent: whoever
> > > does the mmap() should use the full attributes.
> >
> > Yeah that was my original idea that it should be consistent.
> > One caveat is that protection flags are normally specified
> > in the program header, but the BTI marking is in
> > PT_GNU_PROPERTY which is harder to get to, so glibc does not
> > try to get it right for the initial mapping either: it has
> > to re-mmap or mprotect. (In principle we could use read
> > syscalls to parse the ELF headers and notes before mmap,
> > but that's more complicated with additional failure modes.)
> >
> > i.e. if (2) is fixed then mprotect can be used for library
> > mapping too which is simpler than re-mmap.
>
> I lost track of the userspace fixes here, was glibc changed to attempt a
> re-mmap of the dynamic libraries instead of mprotect()?
yes (so under mdwe, bti is lost on the exe but not on libs)
see the commit message for the fix
https://sourceware.org/bugzilla/show_bug.cgi?id=26831
>
> It looks like (2) is a simpler fix and (1) could still be added for
> consistency, it's complementary.
i agree.
if (2) is fixed then i would change glibc to use
mprotect and handle the failure (this will require an
update to systemd and disabling mdwe on old kernels)
if (1) is fixed then i would probably still keep
doing mprotect on the main exe so bti protection
works on old kernels.
WARNING: multiple messages have this Message-ID (diff)
From: Szabolcs Nagy <szabolcs.nagy@arm.com>
To: Catalin Marinas <catalin.marinas@arm.com>
Cc: Mark Brown <broonie@kernel.org>,
Jeremy Linton <jeremy.linton@arm.com>,
Will Deacon <will@kernel.org>, "H . J . Lu" <hjl.tools@gmail.com>,
Yu-cheng Yu <yu-cheng.yu@intel.com>,
linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
libc-alpha@sourceware.org, Mark Rutland <mark.rutland@arm.com>
Subject: Re: [PATCH v7 0/4] arm64: Enable BTI for the executable as well as the interpreter
Date: Thu, 27 Jan 2022 14:48:20 +0000 [thread overview]
Message-ID: <20220127144820.GF1989194@arm.com> (raw)
In-Reply-To: <YfKO7r5l7AUvd8r/@arm.com>
The 01/27/2022 12:24, Catalin Marinas wrote:
> (Mark posted another series but I'm replying here to clarify some
> aspects)
>
> On Tue, Jan 18, 2022 at 11:02:55AM +0000, Szabolcs Nagy wrote:
> > The 01/17/2022 17:54, Catalin Marinas wrote:
> > > On Fri, Jan 07, 2022 at 12:01:17PM +0000, Catalin Marinas wrote:
> > > > I think we can look at this from two angles:
> > > >
> > > > 1. Ignoring MDWE, should whoever does the original mmap() also honour
> > > > PROT_BTI? We do this for static binaries but, for consistency, should
> > > > we extend it to dynamic executable?
> > > >
> > > > 2. A 'simple' fix to allow MDWE together with BTI.
> > >
> > > Thinking about it, (1) is not that different from the kernel setting
> > > PROT_EXEC on the main executable when the dynamic loader could've done
> > > it as well. There is a case for making this more consistent: whoever
> > > does the mmap() should use the full attributes.
> >
> > Yeah that was my original idea that it should be consistent.
> > One caveat is that protection flags are normally specified
> > in the program header, but the BTI marking is in
> > PT_GNU_PROPERTY which is harder to get to, so glibc does not
> > try to get it right for the initial mapping either: it has
> > to re-mmap or mprotect. (In principle we could use read
> > syscalls to parse the ELF headers and notes before mmap,
> > but that's more complicated with additional failure modes.)
> >
> > i.e. if (2) is fixed then mprotect can be used for library
> > mapping too which is simpler than re-mmap.
>
> I lost track of the userspace fixes here, was glibc changed to attempt a
> re-mmap of the dynamic libraries instead of mprotect()?
yes (so under mdwe, bti is lost on the exe but not on libs)
see the commit message for the fix
https://sourceware.org/bugzilla/show_bug.cgi?id=26831
>
> It looks like (2) is a simpler fix and (1) could still be added for
> consistency, it's complementary.
i agree.
if (2) is fixed then i would change glibc to use
mprotect and handle the failure (this will require an
update to systemd and disabling mdwe on old kernels)
if (1) is fixed then i would probably still keep
doing mprotect on the main exe so bti protection
works on old kernels.
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2022-01-27 14:49 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-15 15:27 [PATCH v7 0/4] arm64: Enable BTI for the executable as well as the interpreter Mark Brown
2021-11-15 15:27 ` Mark Brown
2021-11-15 15:27 ` [PATCH v7 1/4] elf: Allow architectures to parse properties on the main executable Mark Brown
2021-11-15 15:27 ` Mark Brown
2021-11-15 15:27 ` [PATCH v7 2/4] arm64: Enable BTI for main executable as well as the interpreter Mark Brown
2021-11-15 15:27 ` Mark Brown
2021-11-15 15:27 ` [PATCH v7 3/4] elf: Remove has_interp property from arch_adjust_elf_prot() Mark Brown
2021-11-15 15:27 ` Mark Brown
2021-11-15 15:27 ` [PATCH v7 4/4] elf: Remove has_interp property from arch_parse_elf_property() Mark Brown
2021-11-15 15:27 ` Mark Brown
2021-12-08 18:23 ` [PATCH v7 0/4] arm64: Enable BTI for the executable as well as the interpreter Catalin Marinas
2021-12-08 18:23 ` Catalin Marinas
2021-12-09 11:10 ` Szabolcs Nagy
2021-12-09 11:10 ` Szabolcs Nagy
2022-01-04 17:32 ` Mark Brown
2022-01-04 17:32 ` Mark Brown
2022-01-05 22:42 ` Jeremy Linton
2022-01-05 22:42 ` Jeremy Linton
2022-01-06 11:00 ` Catalin Marinas
2022-01-06 11:00 ` Catalin Marinas
2022-01-06 16:09 ` Jeremy Linton
2022-01-06 16:09 ` Jeremy Linton
2022-01-06 18:13 ` Catalin Marinas
2022-01-06 18:13 ` Catalin Marinas
2022-01-06 19:07 ` Mark Brown
2022-01-06 19:07 ` Mark Brown
2022-01-07 12:01 ` Catalin Marinas
2022-01-07 12:01 ` Catalin Marinas
2022-01-07 13:10 ` Mark Brown
2022-01-07 13:10 ` Mark Brown
2022-01-17 17:54 ` Catalin Marinas
2022-01-17 17:54 ` Catalin Marinas
2022-01-17 18:16 ` Adhemerval Zanella
2022-01-17 18:16 ` Adhemerval Zanella
2022-01-17 19:01 ` H.J. Lu
2022-01-17 19:01 ` H.J. Lu
2022-01-18 11:22 ` Szabolcs Nagy
2022-01-18 11:22 ` Szabolcs Nagy
2022-01-18 12:55 ` H.J. Lu
2022-01-18 12:55 ` H.J. Lu
2022-01-18 11:02 ` Szabolcs Nagy
2022-01-18 11:02 ` Szabolcs Nagy
2022-01-27 12:24 ` Catalin Marinas
2022-01-27 12:24 ` Catalin Marinas
2022-01-27 14:48 ` Szabolcs Nagy [this message]
2022-01-27 14:48 ` Szabolcs Nagy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220127144820.GF1989194@arm.com \
--to=szabolcs.nagy@arm.com \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=hjl.tools@gmail.com \
--cc=jeremy.linton@arm.com \
--cc=libc-alpha@sourceware.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=mark.rutland@arm.com \
--cc=will@kernel.org \
--cc=yu-cheng.yu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.