From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
To: libc-alpha@sourceware.org
Cc: "H . J . Lu" <hjl.tools@gmail.com>,
Florian Weimer <fweimer@redhat.com>,
Zack Weinberg <zack@owlfolio.org>
Subject: [PATCH v3 4/4] elf: Add glibc.rtld.execstack
Date: Tue, 18 Jun 2024 16:40:22 -0300 [thread overview]
Message-ID: <20240618194102.2059389-5-adhemerval.zanella@linaro.org> (raw)
In-Reply-To: <20240618194102.2059389-1-adhemerval.zanella@linaro.org>
The new tunable can be used to control whether executable stacks are
allowed from either the main program or dependencies. The default is
to allow executable stacks.
The executable stacks default permission is checked agains the one
provided by the PT_GNU_STACK from program headers (if present). The
tunable also disables the stack permission change if any dependency
requires an executable stack at loading time.
Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu.
---
NEWS | 4 ++++
elf/Makefile | 42 ++++++++++++++++++++++++++++++++++
elf/dl-load.c | 4 +++-
elf/dl-support.c | 5 ++++
elf/dl-tunables.list | 6 +++++
elf/rtld.c | 4 ++++
elf/tst-rtld-list-tunables.exp | 1 +
manual/tunables.texi | 19 +++++++++++++++
8 files changed, 84 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 43ff2ee23b..a5bbf3851b 100644
--- a/NEWS
+++ b/NEWS
@@ -36,6 +36,10 @@ Major new features:
* On Linux, update epoll header to include epoll ioctl definitions and
related structure added in Linux kernel 6.9.
+* A new tunable, glibc.rtld.execstack, can be used to control whether
+ executable stacks are allowed from either main program or dependencies.
+ The default is to allow executable stacks.
+
Deprecated and removed features, and other changes affecting compatibility:
* Architectures which use a 32-bit seconds-since-epoch field in struct
diff --git a/elf/Makefile b/elf/Makefile
index 604b7df1cc..dba6a6ddac 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -546,6 +546,11 @@ tests-execstack-yes = \
tests-execstack-static-yes = \
tst-execstack-prog-static
# tests-execstack-static-yes
+tests-execstack-special-yes = \
+ $(objpfx)tst-execstack-prog-noexecstack.out \
+ $(objpfx)tst-execstack-needed-noexecstack.out \
+ $(objpfx)tst-execstack-prog-static-noexecstack.out \
+ # tests-execstack-special-yes
endif
ifeq ($(have-depaudit),yes)
tests += \
@@ -634,6 +639,7 @@ $(objpfx)tst-rtld-does-not-exist.out: tst-rtld-does-not-exist.sh $(objpfx)ld.so
tests += $(tests-execstack-$(have-z-execstack))
tests-static+= $(tests-execstack-static-$(have-z-execstack))
+tests-special += $(tests-execstack-special-$(have-z-execstack))
ifeq ($(run-built-tests),yes)
tests-special += \
$(objpfx)noload-mem.out \
@@ -1863,6 +1869,42 @@ CFLAGS-tst-execstack-mod.c += -Wno-trampolines
LDFLAGS-tst-execstack-prog-static = -Wl,-z,execstack
CFLAGS-tst-execstack-prog-static.c += -Wno-trampolines
+
+ifeq (yes,$(build-hardcoded-path-in-tests))
+tst-execstack-prog-noexecstack-msg = "Fatal glibc error: executable stack is not allowed$$"
+else
+tst-execstack-prog-noexecstack-msg = "error while loading shared libraries:.*cannot enable executable stack as shared object requires:"
+endif
+
+$(objpfx)tst-execstack-prog-noexecstack.out: $(objpfx)tst-execstack-prog
+ $(test-program-cmd-before-env) \
+ $(run-program-env) \
+ GLIBC_TUNABLES=glibc.rtld.execstack=0 \
+ $(test-program-cmd-after-env) $< \
+ > $@ 2>&1; echo "status: $$?" >> $@; \
+ grep -q $(tst-execstack-prog-noexecstack-msg) $@ \
+ && grep -q '^status: 127$$' $@; \
+ $(evaluate-test)
+
+$(objpfx)tst-execstack-needed-noexecstack.out: $(objpfx)tst-execstack-needed
+ $(test-program-cmd-before-env) \
+ $(run-program-env) \
+ GLIBC_TUNABLES=glibc.rtld.execstack=0 \
+ $(test-program-cmd-after-env) $< \
+ > $@ 2>&1; echo "status: $$?" >> $@; \
+ grep -q 'error while loading shared libraries:.*cannot enable executable stack as shared object requires:' $@ \
+ && grep -q '^status: 127$$' $@; \
+ $(evaluate-test)
+
+$(objpfx)tst-execstack-prog-static-noexecstack.out: $(objpfx)tst-execstack-prog-static
+ $(test-program-cmd-before-env) \
+ $(run-program-env) \
+ GLIBC_TUNABLES=glibc.rtld.execstack=0 \
+ $< \
+ > $@ 2>&1; echo "status: $$?" >> $@; \
+ grep -q 'Fatal glibc error: executable stack is not allowed$$' $@ \
+ && grep -q '^status: 127$$' $@; \
+ $(evaluate-test)
endif
LDFLAGS-tst-array2 = -Wl,--no-as-needed
diff --git a/elf/dl-load.c b/elf/dl-load.c
index 015595aac4..75550fe089 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -32,6 +32,7 @@
#include <sys/stat.h>
#include <sys/types.h>
#include <gnu/lib-names.h>
+#include <dl-tunables.h>
/* Type for the buffer we put the ELF header and hopefully the program
header. This buffer does not really have to be too large. In most
@@ -1300,7 +1301,8 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
/* The stack is presently not executable, but this module
requires that it be executable. Only tries to change the
stack protection during process startup. */
- if ((mode & __RTLD_DLOPEN) == 0)
+ if ((mode & __RTLD_DLOPEN) == 0
+ && TUNABLE_GET (glibc, rtld, execstack, int32_t, NULL) == 1)
#if PTHREAD_IN_LIBC
errval = _dl_make_stacks_executable (stack_endp);
#else
diff --git a/elf/dl-support.c b/elf/dl-support.c
index 451932dd03..b674468572 100644
--- a/elf/dl-support.c
+++ b/elf/dl-support.c
@@ -45,6 +45,7 @@
#include <dl-find_object.h>
#include <array_length.h>
#include <dl-symbol-redir-ifunc.h>
+#include <dl-tunables.h>
extern char *__progname;
char **_dl_argv = &__progname; /* This is checked for some error messages. */
@@ -335,6 +336,10 @@ _dl_non_dynamic_init (void)
break;
}
+ if ((__glibc_unlikely (GL(dl_stack_flags)) & PF_X)
+ && TUNABLE_GET (glibc, rtld, execstack, int32_t, NULL) == 0)
+ _dl_fatal_printf ("Fatal glibc error: executable stack is not allowed\n");
+
call_function_static_weak (_dl_find_object_init);
/* Setup relro on the binary itself. */
diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list
index 1186272c81..2d6febc249 100644
--- a/elf/dl-tunables.list
+++ b/elf/dl-tunables.list
@@ -142,6 +142,12 @@ glibc {
maxval: 1
default: 0
}
+ execstack {
+ type: INT_32
+ minval: 0
+ maxval: 1
+ default: 1
+ }
}
mem {
diff --git a/elf/rtld.c b/elf/rtld.c
index e9525ea987..5793f291e4 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -1668,6 +1668,10 @@ dl_main (const ElfW(Phdr) *phdr,
bool has_interp = rtld_setup_main_map (main_map);
+ if ((__glibc_unlikely (GL(dl_stack_flags)) & PF_X)
+ && TUNABLE_GET (glibc, rtld, execstack, int32_t, NULL) == 0)
+ _dl_fatal_printf ("Fatal glibc error: executable stack is not allowed\n");
+
/* If the current libname is different from the SONAME, add the
latter as well. */
if (GL(dl_rtld_map).l_info[DT_SONAME] != NULL
diff --git a/elf/tst-rtld-list-tunables.exp b/elf/tst-rtld-list-tunables.exp
index db0e1c86e9..9f5990f340 100644
--- a/elf/tst-rtld-list-tunables.exp
+++ b/elf/tst-rtld-list-tunables.exp
@@ -13,5 +13,6 @@ glibc.malloc.top_pad: 0x20000 (min: 0x0, max: 0x[f]+)
glibc.malloc.trim_threshold: 0x0 (min: 0x0, max: 0x[f]+)
glibc.rtld.dynamic_sort: 2 (min: 1, max: 2)
glibc.rtld.enable_secure: 0 (min: 0, max: 1)
+glibc.rtld.execstack: 1 (min: 0, max: 1)
glibc.rtld.nns: 0x4 (min: 0x1, max: 0x10)
glibc.rtld.optional_static_tls: 0x200 (min: 0x0, max: 0x[f]+)
diff --git a/manual/tunables.texi b/manual/tunables.texi
index 8dd02d8149..f1674f31ea 100644
--- a/manual/tunables.texi
+++ b/manual/tunables.texi
@@ -356,6 +356,25 @@ tests for @code{AT_SECURE} programs and not meant to be a security feature.
The default value of this tunable is @samp{0}.
@end deftp
+@deftp Tunable glibc.rtld.execstack
+@theglibc{} will use either the default architecture flags (that might contain
+the executable bit) or the value of @code{PT_GNU_STACK} (if present), and if
+the program or any shared library dependency require an executable stack the
+loader will change the main stack permission if kernel starts with a non
+executable stack.
+
+The @code{glibc.rtld.execstack} tunable allows the user to control whether
+to control executable stacks from the main program or dependencies. Setting
+its value to @code{0} disable executable stacks, where @code{1} enables it.
+The default value is @code{1}.
+
+When executable stacks are not allowed, and if the main program or dependencies
+require an executable stack, the loader will fail with an error message.
+@strong{NB:} Trying to load a dynamic shared library with @code{dlopen} or
+@code{dlmopen} that requires an executable stack will always fail if the
+default flags does not contain the executable bit.
+@end deftp
+
@node Elision Tunables
@section Elision Tunables
@cindex elision tunables
--
2.43.0
prev parent reply other threads:[~2024-06-18 19:41 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-18 19:40 [PATCH v3 0/4] Improve executable stack handling Adhemerval Zanella
2024-06-18 19:40 ` [PATCH v3 1/4] elf: Consolidate stackinfo.h Adhemerval Zanella
2024-06-18 19:40 ` [PATCH v3 2/4] elf: Do not change stack permission on dlopen/dlmopen Adhemerval Zanella
2024-06-18 19:40 ` [PATCH v3 3/4] elf: Add tst-execstack-prog-static Adhemerval Zanella
2024-06-18 19:40 ` Adhemerval Zanella [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240618194102.2059389-5-adhemerval.zanella@linaro.org \
--to=adhemerval.zanella@linaro.org \
--cc=fweimer@redhat.com \
--cc=hjl.tools@gmail.com \
--cc=libc-alpha@sourceware.org \
--cc=zack@owlfolio.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).