From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <maskray@google.com>
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com
 [IPv6:2607:f8b0:4864:20::530])
 by sourceware.org (Postfix) with ESMTPS id BF4623839C6F
 for <libc-alpha@sourceware.org>; Wed, 11 May 2022 19:43:02 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org BF4623839C6F
Received: by mail-pg1-x530.google.com with SMTP id 7so2644359pga.12
 for <libc-alpha@sourceware.org>; Wed, 11 May 2022 12:43:02 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:date:from:to:cc:subject:message-id:references
 :mime-version:content-disposition:content-transfer-encoding
 :in-reply-to;
 bh=6hpT/N3+fWLBYXNHTXGg0U/1wZyaIgcIteGZ5B8aMnI=;
 b=LDxdY3Y5gcd35B8LDdzeTGc/7K2hwNGVeJBt7LAS6xgkO3n1pdebuCp9zJAEGcSyGn
 j5vYhsINZqQQ5Z/pMXz3eE2Hfj7tuo0tRa9MHVh16ytYtEWvtGBayF1FXbZ6AUQMDKvi
 zjb87khTZkCBe5577V9NtkUZhilmiaq81ag/MYR/Edb8d4XRhsZgKwdSBXWnIJ+7IT4F
 Jvj2HbGzyqLf76O96cAYEpf5k+jiAf5V/LRxTR+LWtgToLAND03dMqy/nkQfgb75aBwS
 Ey44M50swvM5xQRJbvQ1WTQZEoaVTEHRMnJkqaU9piZCAGvLZhf3DaLxR62d/Tr8Hyww
 5xeQ==
X-Gm-Message-State: AOAM533b/bKr97oIt1xMzCfP0HGyC+5Xj/NpyGTiA+qOV+Z93VvA/dIS
 tjEAk2Q98ah4wu5I93J51wTtJvqkUB7goQ==
X-Google-Smtp-Source: ABdhPJyJtvjNTF8htqzeKx9rUAWYE9EyWVjU7iWqztURZED8AeXsmXIMa8z1mouAyFCmVXTZ2KXeeg==
X-Received: by 2002:a62:f20d:0:b0:50d:6961:7b75 with SMTP id
 m13-20020a62f20d000000b0050d69617b75mr26693569pfh.19.1652298181553; 
 Wed, 11 May 2022 12:43:01 -0700 (PDT)
Received: from google.com ([2620:15c:2ce:200:3228:6d2d:ebc8:7bc1])
 by smtp.gmail.com with ESMTPSA id
 p3-20020a170902780300b0015e8d4eb293sm2285478pll.221.2022.05.11.12.43.00
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 11 May 2022 12:43:01 -0700 (PDT)
Date: Wed, 11 May 2022 12:42:58 -0700
From: Fangrui Song <maskray@google.com>
To: "H.J. Lu" <hjl.tools@gmail.com>
Cc: Florian Weimer <fweimer@redhat.com>,
 GNU C Library <libc-alpha@sourceware.org>,
 Binutils <binutils@sourceware.org>
Subject: Re: PT_GNU_RELRO is somewhat broken
Message-ID: <20220511194258.uxbki5opu6mcvdvt@google.com>
References: <871qx0dmz5.fsf@oldenburg.str.redhat.com>
 <CAMe9rOp94idbVb60zwJfss+Hk3amdT7d9CXavMbSdcgiBUJ-jw@mail.gmail.com>
 <20220511181704.y4pldvlqnbix3p53@google.com>
 <CAMe9rOrB2w45O8JC20WWDDeuXjkZRcoDpeinjBDQG1myYNTJBw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAMe9rOrB2w45O8JC20WWDDeuXjkZRcoDpeinjBDQG1myYNTJBw@mail.gmail.com>
X-Spam-Status: No, score=-20.1 required=5.0 tests=BAYES_00, DKIMWL_WL_MED,
 DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,
 RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE,
 USER_IN_DEF_DKIM_WL,
 USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Wed, 11 May 2022 19:43:04 -0000


On 2022-05-11, H.J. Lu wrote:
>On Wed, May 11, 2022 at 11:17 AM Fangrui Song <maskray@google.com> wrote:
>>
>> On 2022-05-11, H.J. Lu via Libc-alpha wrote:
>> >On Wed, May 11, 2022 at 9:59 AM Florian Weimer via Libc-alpha
>> ><libc-alpha@sourceware.org> wrote:
>> >>
>> >> PT_GNU_RELRO is supposed to identify a region in the process image which
>> >> has to be flipped to PROT_READ (only) permission after relocation
>> >> (“Read-Only after RELocation”).
>> >>
>> >> glibc has this code in the dynamic loader in elf/dl-reloc.c:
>> >>
>> >> | void
>> >> | _dl_protect_relro (struct link_map *l)
>> >> | {
>> >> |   ElfW(Addr) start = ALIGN_DOWN((l->l_addr
>> >> |                                  + l->l_relro_addr),
>> >> |                                 GLRO(dl_pagesize));
>> >> |   ElfW(Addr) end = ALIGN_DOWN((l->l_addr
>> >> |                                + l->l_relro_addr
>> >> |                                + l->l_relro_size),
>> >> |                               GLRO(dl_pagesize));
>> >> |   if (start != end
>> >> |       && __mprotect ((void *) start, end - start, PROT_READ) < 0)
>> >> |     {
>> >> |       static const char errstring[] = N_("\
>> >> | cannot apply additional memory protection after relocation");
>> >> |       _dl_signal_error (errno, l->l_name, NULL, errstring);
>> >> |     }
>> >> | }
>> >>
>> >> I assume the intent is to conservatively apply the largest possible
>> >> RELRO region given GLRO(dl_pagesize), the run-time page size reported by
>> >> the kernel.  If the binary is built to a smaller page size (to save disk
>> >> space), glibc can still load it, but apply only some RELRO protection.
>> >> But _dl_relocate_object has a bug: to be conservative, it would have to
>> >> use ALGIN_UP for the start (lower) address of the range.
>> >>
>> >> But it turns out we can't make this change without incurring a loss of
>> >> hardening: BFD ld does not align the start address to a page boundary.
>> >> For example, /bin/true in Fedora 35 x86-64 has this:
>> >>
>> >> | $ readelf -l /bin/true
>> >> |
>> >> | Elf file type is DYN (Position-Independent Executable file)
>> >> | Entry point 0x1960
>> >> | There are 13 program headers, starting at offset 64
>> >> |
>> >> | Program Headers:
>> >> |   Type           Offset             VirtAddr           PhysAddr
>> >> |                  FileSiz            MemSiz              Flags  Align
>> >> |   PHDR           0x0000000000000040 0x0000000000000040 0x0000000000000040
>> >> |                  0x00000000000002d8 0x00000000000002d8  R      0x8
>> >> |   INTERP         0x0000000000000318 0x0000000000000318 0x0000000000000318
>> >> |                  0x000000000000001c 0x000000000000001c  R      0x1
>> >> |       [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
>> >> |   LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
>> >> |                  0x0000000000000ff8 0x0000000000000ff8  R      0x1000
>> >> |   LOAD           0x0000000000001000 0x0000000000001000 0x0000000000001000
>> >> |                  0x00000000000029a1 0x00000000000029a1  R E    0x1000
>> >> |   LOAD           0x0000000000004000 0x0000000000004000 0x0000000000004000
>> >> |                  0x0000000000000d38 0x0000000000000d38  R      0x1000
>> >> |   LOAD           0x0000000000005c78 0x0000000000006c78 0x0000000000006c78
>> >> |                  0x0000000000000390 0x00000000000003a0  RW     0x1000
>> >> |   DYNAMIC        0x0000000000005c90 0x0000000000006c90 0x0000000000006c90
>> >> |                  0x00000000000001f0 0x00000000000001f0  RW     0x8
>> >> |   NOTE           0x0000000000000338 0x0000000000000338 0x0000000000000338
>> >> |                  0x0000000000000050 0x0000000000000050  R      0x8
>> >> |   NOTE           0x0000000000000388 0x0000000000000388 0x0000000000000388
>> >> |                  0x0000000000000044 0x0000000000000044  R      0x4
>> >> |   GNU_PROPERTY   0x0000000000000338 0x0000000000000338 0x0000000000000338
>> >> |                  0x0000000000000050 0x0000000000000050  R      0x8
>> >> |   GNU_EH_FRAME   0x00000000000049c4 0x00000000000049c4 0x00000000000049c4
>> >> |                  0x000000000000007c 0x000000000000007c  R      0x4
>> >> |   GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
>> >> |                  0x0000000000000000 0x0000000000000000  RW     0x10
>> >> |   GNU_RELRO      0x0000000000005c78 0x0000000000006c78 0x0000000000006c78
>> >> |                  0x0000000000000388 0x0000000000000388  R      0x1
>> >> | […]
>> >>
>> >> The virtual address for PT_GNU_RELRO is 0x388, which is definitely not
>> >> aligned to a 4K page.  (0x388 + 0x6c78 == 0x7000, so at least the end
>> >> address is aligned.)  In practice, this seems to work because the RELRO
>> >> area seems to be at the start of the RW LOAD segment, so we can safely
>> >> flip the slack space at the start of the page to RO.  It still looks
>> >> like a major wart to me, though.
>> >
>> >After relocation, we change the end of the RO segment (aligned down from
>> >the beginning of the RELRO area) to the end of the RELRO segment to RO.
>> >Since the end of the RELRO segment must be aligned to the page size,
>> >ALIGN_DOWN on the end of the RELRO segment doesn't lose any protection.
>> >
>> >> Any suggestions what should we do to fix this properly, mainly for
>> >> targets that have varying page size in practice?
>> >
>> >The end of the RELRO segment should be aligned to the maximum page
>> >size.
>> >
>>
>> PT_GNU_RELRO is designed/implemented this way:
>>
>> * there can be at most one PT_GNU_RELRO
>> * p_vaddr(PT_GNU_RELRO) = p_vaddr(first RW PT_LOAD); https://sourceware.org/binutils/docs/ld/Builtin-Functions.html DATA_SEGMENT_RELRO_END is designed this way
>> * p_vaddr(PT_GNU_RELRO) + p_memsz(PT_GNU_RELRO) is aligned by common-page-size. comon page size is chosen probably because of less waste
>
>ld aligns DATA_SEGMENT_RELRO_END to the maximum page size.

Is p_vaddr(PT_GNU_RELRO) + p_memsz(PT_GNU_RELRO) aligned to max-page-size for non-x86 ports?
I know some changes have been made in binutils in recent months, but
don't know the exact state.
If so, the security looks good to me.

With ld 2.38's x86-64 port, `-z max-page-size=2097152 -z separate-code`
aligns the end of PT_GNU_RELRO to common-page-size for an executable
(0xaa82000, not a multiple of 2097152.)