From: Fangrui Song <maskray@google.com>
To: "H.J. Lu" <hjl.tools@gmail.com>
Cc: Florian Weimer <fweimer@redhat.com>,
GNU C Library <libc-alpha@sourceware.org>,
Binutils <binutils@sourceware.org>
Subject: Re: PT_GNU_RELRO is somewhat broken
Date: Wed, 11 May 2022 12:42:58 -0700 [thread overview]
Message-ID: <20220511194258.uxbki5opu6mcvdvt@google.com> (raw)
In-Reply-To: <CAMe9rOrB2w45O8JC20WWDDeuXjkZRcoDpeinjBDQG1myYNTJBw@mail.gmail.com>
On 2022-05-11, H.J. Lu wrote:
>On Wed, May 11, 2022 at 11:17 AM Fangrui Song <maskray@google.com> wrote:
>>
>> On 2022-05-11, H.J. Lu via Libc-alpha wrote:
>> >On Wed, May 11, 2022 at 9:59 AM Florian Weimer via Libc-alpha
>> ><libc-alpha@sourceware.org> wrote:
>> >>
>> >> PT_GNU_RELRO is supposed to identify a region in the process image which
>> >> has to be flipped to PROT_READ (only) permission after relocation
>> >> (“Read-Only after RELocation”).
>> >>
>> >> glibc has this code in the dynamic loader in elf/dl-reloc.c:
>> >>
>> >> | void
>> >> | _dl_protect_relro (struct link_map *l)
>> >> | {
>> >> | ElfW(Addr) start = ALIGN_DOWN((l->l_addr
>> >> | + l->l_relro_addr),
>> >> | GLRO(dl_pagesize));
>> >> | ElfW(Addr) end = ALIGN_DOWN((l->l_addr
>> >> | + l->l_relro_addr
>> >> | + l->l_relro_size),
>> >> | GLRO(dl_pagesize));
>> >> | if (start != end
>> >> | && __mprotect ((void *) start, end - start, PROT_READ) < 0)
>> >> | {
>> >> | static const char errstring[] = N_("\
>> >> | cannot apply additional memory protection after relocation");
>> >> | _dl_signal_error (errno, l->l_name, NULL, errstring);
>> >> | }
>> >> | }
>> >>
>> >> I assume the intent is to conservatively apply the largest possible
>> >> RELRO region given GLRO(dl_pagesize), the run-time page size reported by
>> >> the kernel. If the binary is built to a smaller page size (to save disk
>> >> space), glibc can still load it, but apply only some RELRO protection.
>> >> But _dl_relocate_object has a bug: to be conservative, it would have to
>> >> use ALGIN_UP for the start (lower) address of the range.
>> >>
>> >> But it turns out we can't make this change without incurring a loss of
>> >> hardening: BFD ld does not align the start address to a page boundary.
>> >> For example, /bin/true in Fedora 35 x86-64 has this:
>> >>
>> >> | $ readelf -l /bin/true
>> >> |
>> >> | Elf file type is DYN (Position-Independent Executable file)
>> >> | Entry point 0x1960
>> >> | There are 13 program headers, starting at offset 64
>> >> |
>> >> | Program Headers:
>> >> | Type Offset VirtAddr PhysAddr
>> >> | FileSiz MemSiz Flags Align
>> >> | PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
>> >> | 0x00000000000002d8 0x00000000000002d8 R 0x8
>> >> | INTERP 0x0000000000000318 0x0000000000000318 0x0000000000000318
>> >> | 0x000000000000001c 0x000000000000001c R 0x1
>> >> | [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
>> >> | LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
>> >> | 0x0000000000000ff8 0x0000000000000ff8 R 0x1000
>> >> | LOAD 0x0000000000001000 0x0000000000001000 0x0000000000001000
>> >> | 0x00000000000029a1 0x00000000000029a1 R E 0x1000
>> >> | LOAD 0x0000000000004000 0x0000000000004000 0x0000000000004000
>> >> | 0x0000000000000d38 0x0000000000000d38 R 0x1000
>> >> | LOAD 0x0000000000005c78 0x0000000000006c78 0x0000000000006c78
>> >> | 0x0000000000000390 0x00000000000003a0 RW 0x1000
>> >> | DYNAMIC 0x0000000000005c90 0x0000000000006c90 0x0000000000006c90
>> >> | 0x00000000000001f0 0x00000000000001f0 RW 0x8
>> >> | NOTE 0x0000000000000338 0x0000000000000338 0x0000000000000338
>> >> | 0x0000000000000050 0x0000000000000050 R 0x8
>> >> | NOTE 0x0000000000000388 0x0000000000000388 0x0000000000000388
>> >> | 0x0000000000000044 0x0000000000000044 R 0x4
>> >> | GNU_PROPERTY 0x0000000000000338 0x0000000000000338 0x0000000000000338
>> >> | 0x0000000000000050 0x0000000000000050 R 0x8
>> >> | GNU_EH_FRAME 0x00000000000049c4 0x00000000000049c4 0x00000000000049c4
>> >> | 0x000000000000007c 0x000000000000007c R 0x4
>> >> | GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
>> >> | 0x0000000000000000 0x0000000000000000 RW 0x10
>> >> | GNU_RELRO 0x0000000000005c78 0x0000000000006c78 0x0000000000006c78
>> >> | 0x0000000000000388 0x0000000000000388 R 0x1
>> >> | […]
>> >>
>> >> The virtual address for PT_GNU_RELRO is 0x388, which is definitely not
>> >> aligned to a 4K page. (0x388 + 0x6c78 == 0x7000, so at least the end
>> >> address is aligned.) In practice, this seems to work because the RELRO
>> >> area seems to be at the start of the RW LOAD segment, so we can safely
>> >> flip the slack space at the start of the page to RO. It still looks
>> >> like a major wart to me, though.
>> >
>> >After relocation, we change the end of the RO segment (aligned down from
>> >the beginning of the RELRO area) to the end of the RELRO segment to RO.
>> >Since the end of the RELRO segment must be aligned to the page size,
>> >ALIGN_DOWN on the end of the RELRO segment doesn't lose any protection.
>> >
>> >> Any suggestions what should we do to fix this properly, mainly for
>> >> targets that have varying page size in practice?
>> >
>> >The end of the RELRO segment should be aligned to the maximum page
>> >size.
>> >
>>
>> PT_GNU_RELRO is designed/implemented this way:
>>
>> * there can be at most one PT_GNU_RELRO
>> * p_vaddr(PT_GNU_RELRO) = p_vaddr(first RW PT_LOAD); https://sourceware.org/binutils/docs/ld/Builtin-Functions.html DATA_SEGMENT_RELRO_END is designed this way
>> * p_vaddr(PT_GNU_RELRO) + p_memsz(PT_GNU_RELRO) is aligned by common-page-size. comon page size is chosen probably because of less waste
>
>ld aligns DATA_SEGMENT_RELRO_END to the maximum page size.
Is p_vaddr(PT_GNU_RELRO) + p_memsz(PT_GNU_RELRO) aligned to max-page-size for non-x86 ports?
I know some changes have been made in binutils in recent months, but
don't know the exact state.
If so, the security looks good to me.
With ld 2.38's x86-64 port, `-z max-page-size=2097152 -z separate-code`
aligns the end of PT_GNU_RELRO to common-page-size for an executable
(0xaa82000, not a multiple of 2097152.)
next prev parent reply other threads:[~2022-05-11 19:43 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-11 16:59 Florian Weimer
2022-05-11 17:50 ` H.J. Lu
2022-05-11 18:17 ` Fangrui Song
2022-05-11 19:27 ` H.J. Lu
2022-05-11 19:33 ` Fangrui Song
2022-05-11 19:42 ` Fangrui Song [this message]
2022-05-11 19:55 ` H.J. Lu
2022-05-11 20:50 ` Fangrui Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220511194258.uxbki5opu6mcvdvt@google.com \
--to=maskray@google.com \
--cc=binutils@sourceware.org \
--cc=fweimer@redhat.com \
--cc=hjl.tools@gmail.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).