From: "kaleshsingh at google dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/31076] Extra struct vm_area_struct with ---p created when PAGE_SIZE < max-page-size
Date: Tue, 28 Nov 2023 18:59:33 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=31076

--- Comment #15 from Kalesh Singh ---

(In reply to Adhemerval Zanella from comment #9)
> (In reply to Florian Weimer from comment #8)
> > (In reply to Adhemerval Zanella from comment #7)
> > > So the mprotect is essentially a hardening feature, assuming that the
> > > dynamic object padding/holes might contain gadgets. It still does not
> > > happen for loader and main program itself, since normally they would be
> > > mapped by the kernel and it does do anything with holes,
> >
> > There's no expectation that these are contiguous in memory, yes. Such an
> > expectation exists for shared objects loaded by glibc.
>
> Right, but my point is if this is a hardening feature that glibc aims to
> provide it does not help if the kernel still does not provide it for the
> loader (if this is built with a different page size) and the main program
> itself. Should we push for the kernel to implement a similar handling?
>
> And the holes seem to be always from the initial read-only segment, which
> makes the whole gadget avoidance argument moot. This would make sense back
> when RELRO was not widely used/deployed (even with the current somewhat
> broken status), but it still does not make much sense to me.
>
> >
> > > and IMHO it should be
> > > up to the static linker to fill the padding with NOP/trap instructions to
> > > avoid such issues.

Hi folks,

I was wondering if this is really a security feature or rather a result of
how the original VA space is reserved (split VMAs from the original mapping).

AIUI if the runtime-page-size equals the max-page-size, the holes are also
mapped in as part of the segment mapping and share the same permissions. Does
this mean that on such systems, any protection it offers becomes void?

Sorry if these are dumb questions (I'm not too familiar with this area).

Thanks,
Kalesh

> >
> > That requires padding to the maximum page size on disk, though.
>
> But this is what binutils does [1], and while not being optimized it seems
> that it would be somewhat hard to fix it (at least with Fangrui Song's
> suggestion).
>
> [1] https://sourceware.org/bugzilla/show_bug.cgi?id=30612

--
You are receiving this mail because:
You are on the CC list for the bug.