public inbox for libc-alpha@sourceware.org
* PING: [PATCH] x86: Add __sigsetjmp_cancel and __setjmp_cancel
@ 2018-03-29 14:32 H.J. Lu
  2018-03-29 17:37 ` Zack Weinberg
  0 siblings, 1 reply; 5+ messages in thread
From: H.J. Lu @ 2018-03-29 14:32 UTC (permalink / raw)
  To: Florian Weimer
  Cc: Joseph Myers, Carlos O'Donell, Tsimbalist, Igor V, GNU C Library

On Thu, Mar 22, 2018 at 1:59 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
> On Fri, Mar 16, 2018 at 4:28 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
>> On Fri, Mar 16, 2018 at 1:24 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
>>> * H. J. Lu:
>>>
>>>> +/* Function used in the macros.  */
>>>> +struct __jmp_buf_tag;
>>>> +extern int __sigsetjmp_cancel (struct __jmp_buf_tag *__env, int __savemask)
>>>> +  __THROWNL __attribute_returns_twice__;
>>>
>>> How is __THROWNL correct here?  We do unwind through this function.
>>> The __EXCEPTIONS guard is not effective because of LTO, and some
>>> applications undefine __EXCEPTIONS to avoid the table-based
>>> cancellation handlers.
>>
>> This is moved from <pthread.h>:
>>
>> /* Function used in the macros.  */
>> struct __jmp_buf_tag;
>> extern int __sigsetjmp (struct __jmp_buf_tag *__env, int __savemask) __THROWNL;
>>
>> Is <pthread.h> wrong?
>
> It turns out that since libpthread provides compatible versions of
> longjmp and siglongjmp which don't save and restore shadow stack, new
> versions of longjmp and siglongjmp, which save and restore shadow stack,
> should be added to libc.  Otherwise, programs linked with libpthread will
> pick the wrong longjmp.
>
> Here is the updated patch.  OK for master?
>
>

PING:

https://sourceware.org/ml/libc-alpha/2018-03/msg00521.html

-- 
H.J.


* Re: PING: [PATCH] x86: Add __sigsetjmp_cancel and __setjmp_cancel
  2018-03-29 14:32 PING: [PATCH] x86: Add __sigsetjmp_cancel and __setjmp_cancel H.J. Lu
@ 2018-03-29 17:37 ` Zack Weinberg
  2018-03-29 17:48   ` Zack Weinberg
  0 siblings, 1 reply; 5+ messages in thread
From: Zack Weinberg @ 2018-03-29 17:37 UTC (permalink / raw)
  To: H.J. Lu
  Cc: Florian Weimer, Joseph Myers, Carlos O'Donell, Tsimbalist,
	Igor V, GNU C Library

On Thu, Mar 29, 2018 at 10:32 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
> On Thu, Mar 22, 2018 at 1:59 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
>> On Fri, Mar 16, 2018 at 4:28 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
>>> On Fri, Mar 16, 2018 at 1:24 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
>>>> * H. J. Lu:
>>>>
>>>>> +/* Function used in the macros.  */
>>>>> +struct __jmp_buf_tag;
>>>>> +extern int __sigsetjmp_cancel (struct __jmp_buf_tag *__env, int __savemask)
>>>>> +  __THROWNL __attribute_returns_twice__;
>>>>
>>>> How is __THROWNL correct here?  We do unwind through this function.
>>>> The __EXCEPTIONS guard is not effective because of LTO, and some
>>>> applications undefine __EXCEPTIONS to avoid the table-based
>>>> cancellation handlers.
>>>
>>> This is moved from <pthread.h>:
>>>
>>> /* Function used in the macros.  */
>>> struct __jmp_buf_tag;
>>> extern int __sigsetjmp (struct __jmp_buf_tag *__env, int __savemask) __THROWNL;
>>>
>>> Is <pthread.h> wrong?
>>
>> It turns out that since libpthread provides compatible versions of
>> longjmp and siglongjmp which don't save and restore shadow stack, new
>> versions of longjmp and siglongjmp, which save and restore shadow stack,
>> should be added to libc.  Otherwise, programs linked with libpthread will
>> pick the wrong longjmp.
>>
>> Here is the updated patch.  OK for master?
>>
>>
>
> PING:
>
> https://sourceware.org/ml/libc-alpha/2018-03/msg00521.html
>
> --
> H.J.


* Re: PING: [PATCH] x86: Add __sigsetjmp_cancel and __setjmp_cancel
  2018-03-29 17:37 ` Zack Weinberg
@ 2018-03-29 17:48   ` Zack Weinberg
  2018-03-29 19:58     ` H.J. Lu
  2018-04-06  2:41     ` Carlos O'Donell
  0 siblings, 2 replies; 5+ messages in thread
From: Zack Weinberg @ 2018-03-29 17:48 UTC (permalink / raw)
  To: H.J. Lu; +Cc: GNU C Library

On Thu, Mar 29, 2018 at 1:37 PM, Zack Weinberg <zackw@panix.com> wrote:
> On Thu, Mar 29, 2018 at 10:32 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
>> On Thu, Mar 22, 2018 at 1:59 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
>>> On Fri, Mar 16, 2018 at 4:28 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
>>>> On Fri, Mar 16, 2018 at 1:24 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
>>>>> * H. J. Lu:
>>>>>
>>> Here is the updated patch.  OK for master?
>>>
>>>
>>
>> PING:
>>
>> https://sourceware.org/ml/libc-alpha/2018-03/msg00521.html

HJ, you've been posting a long stream of one-off fixes to the shadow
stack support code with no end in sight, and you seem to be in a
terrible hurry about it, and speaking only for myself, those add up to
me having no confidence that _any_ of the patches are correct.

Would you please consider halting the stream of code changes for long
enough to write up a careful, thorough description of exactly what the
shadow stack's requirements are and how they interact with _all_ of
the C library's abnormal control flow features (at least:
setjmp/longjmp, cancellation, C++ exceptions, threads, ucontext
coroutines, regular old signals, and signals delivered to an
alternative stack; and I'm sure I'm forgetting at least one more)?
Post _that_ for review. Only go back to the code changes when all of
the x86 maintainers are satisfied that we know how this _ought_ to
work.

zw


* Re: PING: [PATCH] x86: Add __sigsetjmp_cancel and __setjmp_cancel
  2018-03-29 17:48   ` Zack Weinberg
@ 2018-03-29 19:58     ` H.J. Lu
  2018-04-06  2:41     ` Carlos O'Donell
  1 sibling, 0 replies; 5+ messages in thread
From: H.J. Lu @ 2018-03-29 19:58 UTC (permalink / raw)
  To: Zack Weinberg; +Cc: GNU C Library

On Thu, Mar 29, 2018 at 10:48 AM, Zack Weinberg <zackw@panix.com> wrote:
> On Thu, Mar 29, 2018 at 1:37 PM, Zack Weinberg <zackw@panix.com> wrote:
>> On Thu, Mar 29, 2018 at 10:32 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
>>> On Thu, Mar 22, 2018 at 1:59 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
>>>> On Fri, Mar 16, 2018 at 4:28 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
>>>>> On Fri, Mar 16, 2018 at 1:24 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
>>>>>> * H. J. Lu:
>>>>>>
>>>> Here is the updated patch.  OK for master?
>>>>
>>>>
>>>
>>> PING:
>>>
>>> https://sourceware.org/ml/libc-alpha/2018-03/msg00521.html
>
> HJ, you've been posting a long stream of one-off fixes to the shadow
> stack support code with no end in sight, and you seem to be in a
> terrible hurry about it, and speaking only for myself, those add up to
> me having no confidence that _any_ of the patches are correct.

The main challenge is adding __sigsetjmp_cancel and __setjmp_cancel,
which introduces a different set of setjmp/longjmp for thread cancellation.
The current set of glibc patches works now.  But they won't be finalized
until kernel patches are merged.

> Would you please consider halting the stream of code changes for long
> enough to write up a careful, thorough description of exactly what the
> shadow stack's requirements are and how they interact with _all_ of

Shadow stack is transparent to most functions in glibc.  The changes
are limited to a few functions.

> the C library's abnormal control flow features (at least:
> setjmp/longjmp, cancellation, C++ exceptions, threads, ucontext
> coroutines, regular old signals, and signals delivered to an
> alternative stack; and I'm sure I'm forgetting at least one more)?

1. C++ exception handling is handled in libgcc.  Glibc isn't involved.
2. setjmp/longjmp just needs to save and restore shadow stack.
3. Thread cancellation doesn't require restoring shadow stack.  There
   are 2 ways to deal with it:
   a.  Save and restore shadow stacks when shadow stack is in use, which
       doesn't require new symbol version.
   b.  Don't save and restore shadow stacks, which requires new symbol
       version.
4. Signal handling is handled by kernel and should be transparent to glibc,
   including alternative signal stack.
5. Shadow stack is incompatible with ucontext family functions since they
   can't properly set up and destroy shadow stack.  For the time being, it
   is an error to use shadow stack with <ucontext.h>.  I'd like to get inputs
   on how to support shadow stack in ucontext family functions.

> Post _that_ for review. Only go back to the code changes when all of
> the x86 maintainers are satisfied that we know how this _ought_ to
> work.
>
> zw



-- 
H.J.

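A software model of the interaction in point 2 of the list above, added here as an illustration; it is not glibc code and not from anyone in the thread. It assumes a simplified CPU in which CALL pushes the return address on both the ordinary stack and the shadow stack, RET compares the two and faults on a mismatch, and INCSSP (with an 8-bit count, so deep unwinds need a loop) is the only way user code can move the shadow stack pointer back; the model_* names, run_scenario and the return addresses 0x1000/0x2000/0x3000 are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#define DEPTH 64

/* One thread's two stacks; only return addresses are modelled, and sp/ssp
   index the next free slot (the model grows upward, the reasoning is the same). */
typedef struct {
    uint64_t stack[DEPTH];  /* ordinary stack: program code can write it */
    uint64_t shstk[DEPTH];  /* shadow stack: only CALL/RET/INCSSP move it */
    size_t sp, ssp;
    int cp_fault;           /* set when RET sees a mismatch (#CP fault) */
} cpu_t;

/* What the model's setjmp records; whether longjmp restores ssp is the point. */
typedef struct { size_t sp, ssp; } model_jmp_buf;

/* CALL pushes the return address on both stacks.  */
static void model_call(cpu_t *c, uint64_t ret)
{
    c->stack[c->sp++] = ret;
    c->shstk[c->ssp++] = ret;
}

/* RET pops both stacks and compares; a disagreement is a control protection
   fault.  Returns the address control transfers to, or 0 on fault.  */
static uint64_t model_ret(cpu_t *c)
{
    uint64_t a = c->stack[--c->sp];
    uint64_t s = c->shstk[--c->ssp];
    if (a != s) { c->cp_fault = 1; return 0; }
    return a;
}

/* INCSSP discards shadow-stack entries without touching the normal stack; it
   is the only way user code can move SSP back, so longjmp must use it.  The
   count is 8 bits wide, hence the loop.  Returns the instructions issued.  */
static size_t model_incssp(cpu_t *c, size_t n)
{
    size_t insns = 0;
    while (n) {
        size_t step = n > 255 ? 255 : n;
        c->ssp -= step;
        n -= step;
        insns++;
    }
    return insns;
}

/* The model's setjmp records state in the caller's frame itself; the real one
   reads SSP inside setjmp and therefore pops one extra slot at longjmp.  */
static void model_setjmp(const cpu_t *c, model_jmp_buf *b)
{
    b->sp = c->sp;
    b->ssp = c->ssp;
}

/* longjmp always restores the ordinary stack pointer; the shadow stack is
   unwound only when restore_shstk is set.  */
static void model_longjmp(cpu_t *c, const model_jmp_buf *b, int restore_shstk)
{
    c->sp = b->sp;
    if (restore_shstk && c->ssp > b->ssp)
        model_incssp(c, c->ssp - b->ssp);
}

/* Constructed scenario: main calls f (return address 0x1000); f does setjmp
   and calls g (0x2000); g calls h (0x3000); h longjmps back into f; f returns
   to main.  Returns the shadow-stack entries left after f's RET, -1 on #CP.  */
static int run_scenario(int restore_shstk)
{
    cpu_t c = {0};
    model_jmp_buf b;
    model_call(&c, 0x1000);                /* main -> f */
    model_setjmp(&c, &b);                  /* in f */
    model_call(&c, 0x2000);                /* f -> g */
    model_call(&c, 0x3000);                /* g -> h */
    model_longjmp(&c, &b, restore_shstk);  /* h -> back into f */
    if (model_ret(&c) != 0x1000)           /* f -> main */
        return -1;
    return (int)c.ssp;
}

/* Unwind `entries` slots and return how many INCSSP instructions it took
   (-1 if the unwind did not land exactly on an empty shadow stack).  */
static int incssp_instructions(size_t entries)
{
    cpu_t c = {0};
    c.ssp = entries;  /* slot contents do not matter for the count */
    size_t insns = model_incssp(&c, entries);
    return c.ssp == 0 ? (int)insns : -1;
}

int main(void)
{
    printf("longjmp without SSP restore: %d\n", run_scenario(0));       /* -1 */
    printf("longjmp with SSP restore:    %d\n", run_scenario(1));       /* 0 */
    printf("INCSSP count for 600 slots:  %d\n", incssp_instructions(600)); /* 3 */
    return 0;
}
```

Without the shadow-stack restore, the first RET after the longjmp compares f's return address on the ordinary stack with h's still on the shadow stack and faults; that mismatch is the failure mode the save-and-restore in setjmp/longjmp exists to prevent.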

* Re: PING: [PATCH] x86: Add __sigsetjmp_cancel and __setjmp_cancel
  2018-03-29 17:48   ` Zack Weinberg
  2018-03-29 19:58     ` H.J. Lu
@ 2018-04-06  2:41     ` Carlos O'Donell
  1 sibling, 0 replies; 5+ messages in thread
From: Carlos O'Donell @ 2018-04-06  2:41 UTC (permalink / raw)
  To: Zack Weinberg, H.J. Lu; +Cc: GNU C Library

On 03/29/2018 12:48 PM, Zack Weinberg wrote:
> On Thu, Mar 29, 2018 at 1:37 PM, Zack Weinberg <zackw@panix.com> wrote:
>> On Thu, Mar 29, 2018 at 10:32 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
>>> On Thu, Mar 22, 2018 at 1:59 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
>>>> On Fri, Mar 16, 2018 at 4:28 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
>>>>> On Fri, Mar 16, 2018 at 1:24 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
>>>>>> * H. J. Lu:
>>>>>>
>>>> Here is the updated patch.  OK for master?
>>>>
>>>>
>>>
>>> PING:
>>>
>>> https://sourceware.org/ml/libc-alpha/2018-03/msg00521.html
> 
> HJ, you've been posting a long stream of one-off fixes to the shadow
> stack support code with no end in sight, and you seem to be in a
> terrible hurry about it, and speaking only for myself, those add up to
> me having no confidence that _any_ of the patches are correct.
> 
> Would you please consider halting the stream of code changes for long
> enough to write up a careful, thorough description of exactly what the
> shadow stack's requirements are and how they interact with _all_ of
> the C library's abnormal control flow features (at least:
> setjmp/longjmp, cancellation, C++ exceptions, threads, ucontext
> coroutines, regular old signals, and signals delivered to an
> alternative stack; and I'm sure I'm forgetting at least one more)?
> Post _that_ for review. Only go back to the code changes when all of
> the x86 maintainers are satisfied that we know how this _ought_ to
> work.

I agree.

I feel like it's my fault for not asking for this up front when the CET
patches started arriving. This is my fault for not being clear enough
on something I normally harp about a lot.

In the future I would ask that we avoid piece-meal work like this and try
to focus on a broader design, followed by a patch set that implements that
design.

All-in-all we would have avoided a lot of back and forth if we had started
with a big-picture design first.

Every time I have to review a CET patch I pull up my "intel-cet.txt" file
and start by reviewing my current understanding of the design, then I pull
HJ's custom github branch (which annoys me that it's on github), and then
I have to look at the current patch under review and think about how to
best support the design.

Zack, I hope you're not surprised but there are at least a dozen more patches
to touch stuff to fix the places where CET makes a difference, but you have
to review HJ's github hjl/cet/master branch to see that :-)

-- 
Cheers,
Carlos.

For reference:

commit 5baad824eb7924eecdb7a5b141cc92122db3cbd6
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed Oct 25 12:35:11 2017 -0700

    Extend arch_prctl syscall for CET control
    
      /* CET features:
         IBT:   GNU_PROPERTY_X86_FEATURE_1_IBT
         SHSTK: GNU_PROPERTY_X86_FEATURE_1_SHSTK
       */
      /* Return CET features and legacy region bitmap info in
         unsigned long *addr:
           features: addr[0]
           address: addr[1]
           size: addr[2]
       */
     # define ARCH_CET_STATUS               0x3001
     /* Disable CET features in unsigned int features.  */
     # define ARCH_CET_DISABLE              0x3002
     /* Lock all CET features.  */
     # define ARCH_CET_LOCK                 0x3003
     /* Control how CET features should be enabled when launching a new image.
        unsigned int *addr:
          features: addr[0]
          control: addr[1]
      */
     # define ARCH_CET_EXEC                 0x3004
     /* Exit with int status.  */
     # define ARCH_CET_EXIT                 0x3005
    
     /* Valid control values of ARCH_CET_EXEC:
        0: Enable CET features based on ELF property note.
        1: Always disable CET features.
        2: Always enable CET features.
      */
     # define ARCH_CET_EXEC_ELF_PROPERTY    0
     # define ARCH_CET_EXEC_ALWAYS_OFF      1
     # define ARCH_CET_EXEC_ALWAYS_ON       2
     # define ARCH_CET_EXEC_MAX             ARCH_CET_EXEC_ALWAYS_ON
    
    In exec* system calls, kernel checks CET bits in NT_GNU_PROPERTY_TYPE_0
    note of PT_NOTE segment of
    
    1. Interpreter if there is one.
    2. Program if there is no interpreter.
    
    Then
    
    1. Enable IBT/SHSTK if IBT/SHSTK bits are set or IBT/SHSTK bits of
    CET_EXEC_ENABLED are set.  If there is no interpreter, lock CET.
    2. Disable IBT/SHSTK if IBT/SHSTK bits aren't set.
    
    Glibc:
    
    1. If interpreter is used:
    
    Get CET status at the beginning ->
    If CET is enabled then
      disable CET if needed ->
      Lock CET ->
    Endif
    Continue.
    
    2. If interpreter isn't used,
    
    Get CET status at the beginning ->
    Continue.
    
            * sysdeps/unix/sysv/linux/Makefile (sysdep_headers): Add
            bits/prctl.h.
            * sysdeps/unix/sysv/linux/bits/prctl.h: New file.
            * sysdeps/unix/sysv/linux/x86/cpu-features.c: Likewise.
            * sysdeps/unix/sysv/linux/x86/bits/prctl.h: Likewise.
            * sysdeps/unix/sysv/linux/x86/exit-thread.h: Likewise.
            * sysdeps/unix/sysv/linux/sys/prctl.h: Include <bits/prctl.h>.
            * sysdeps/unix/sysv/linux/x86/dl-cet.c: Include <pthread.h>,
            <sys/syscall.h> and <sys/prctl.h>.
            (BITS_PER_WORD): New.
            (BITMAP_FIRST_WORD_MASK): Likewise.
            (BITMAP_LAST_WORD_MASK): Likewise.
            (dl_cet_mark_legacy_region): Mark PT_LOAD segments with PF_X in
            legacy code page bitmap.
            (dl_cet_check): Temporarily make legacy code page bitmap to
            writable when updating it.  Call arch_prctl to disable IBT
            and/or SHSTK as well as lock CET if IBT or SHSTK is enabled.
            * sysdeps/unix/sysv/linux/x86/dl-procruntime.c
            (dl_x86_legacy_bitmap): New.
            * sysdeps/x86/libc-start.c: Include <startup.h>.

commit 86b9326e946dd3b8307905fffe1a7ce0fae3cc01
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed Dec 20 06:38:42 2017 -0800

    Disallow -fcf-protection -mshstk with <ucontext.h>
    
    -fcf-protection -mshstk is incompatible with makecontext family functions
    since they can't properly set up and destroy shadow stack pointer.  It is
    an error when -fcf-protection -mshstk is used with <ucontext.h>.  When
    <ucontext.h> is used, GNU_PROPERTY_X86_FEATURE_1_SHSTK shouldn't be set
    on the program.
    
            * bits/ucontext.h: New file.
            * sysdeps/unix/sysv/linux/x86/bits/ucontext.h: Likewise.
            * sysdeps/unix/sysv/linux/x86/tst-setcontext3-shstk.sh: Likewise.
            * sysdeps/unix/sysv/linux/x86/tst-ucontext-1.c: Likewise.
            * sysdeps/unix/sysv/linux/x86/tst-ucontext-1.sh: Likewise.
            * stdlib/Makefile (headers): Add bits/ucontext.h.
            * stdlib/ucontext.h: Include <bits/ucontext.h>.
            * sysdeps/unix/sysv/linux/x86/Makefile (tests-special): Add
            $(objpfx)tst-setcontext3-shstk.out.
            ($(objpfx)tst-setcontext3-shstk.out): New target.
            (tests-special): Add $(objpfx)tst-ucontext-1.out if CET is
            enabled.
            ($(objpfx)tst-ucontext-1.out): New target if CET is enabled.
            (asm-CPPFLAGS): Add -fcf-protection -mcet -include cet.h if CET
            is enabled.
            (CFLAGS-tst-context1.c): Add -fcf-protection=branch -mno-shstk
            -mibt.
            (CFLAGS-bug-getcontext.c): Likewise.
            (CFLAGS-tst-makecontext.c): Likewise.
            (CFLAGS-tst-makecontext2.c): Likewise.
            (CFLAGS-tst-makecontext3.c): Likewise.
            (CFLAGS-tst-makecontext-align.c): Likewise.
            (CFLAGS-tst-setcontext.c): Likewise.
            (CFLAGS-tst-setcontext2.c): Likewise.
            (CFLAGS-tst-setcontext3.c): Likewise.
            (CFLAGS-tst-xbzero-opt.c): Likewise.

commit 0629d96baf7da795026bc28f6ef1aebfbc906f2f
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Sat Mar 24 15:20:08 2018 -0700

    x86-64: Add endbr64 to tst-quadmod[12].S
    
    Add endbr64 to tst-quadmod1.S and tst-quadmod2.S so that func and foo
    can be called indirectly.
    
            * sysdeps/x86_64/tst-quadmod1.S (func) [__IBT__]: Add endbr64.
            (foo) [__IBT__]: Add endbr64.
            * sysdeps/x86_64/tst-quadmod2.S (func) [__IBT__]: Add endbr64.
            (foo) [__IBT__]: Add endbr64.

commit c0ea13ad178749059cc20d7ec2f367b350be969f
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 8 16:12:20 2018 -0800

    i386: Use _CET_NOTRACK in memset-sse2-rep.S
    
            * sysdeps/i386/i686/multiarch/memset-sse2-rep.S
            (BRANCH_TO_JMPTBL_ENTRY): Add _CET_NOTRACK before indirect jump
            to jump table.

commit 1010031a3ea269575db97b5e21b13e895153c72e
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 8 16:10:46 2018 -0800

    i386: Use _CET_NOTRACK in strcat-sse2.S
    
            * sysdeps/i386/i686/multiarch/strcat-sse2.S
            (BRANCH_TO_JMPTBL_ENTRY): Add _CET_NOTRACK before indirect jump
            to jump table.

commit bf0e2bacd5f530ac9653517fda55a7d747c97e16
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 8 16:09:39 2018 -0800

    i386: Use _CET_NOTRACK in strcpy-sse2.S
    
            * sysdeps/i386/i686/multiarch/strcpy-sse2.S
            (BRANCH_TO_JMPTBL_ENTRY): Add _CET_NOTRACK before indirect jump
            to jump table.

commit 23fd151668ac52e618d0bc39fa32eea112f466d3
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 8 16:06:37 2018 -0800

    i386: Use _CET_NOTRACK in memcpy-ssse3.S
    
            * sysdeps/i386/i686/multiarch/memcpy-ssse3.S
            (BRANCH_TO_JMPTBL_ENTRY): Add _CET_NOTRACK before indirect jump
            to jump table.

commit 1ac4d4ecf2587cca64455f9a40712562387725ea
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 8 16:04:36 2018 -0800

    i386: Use _CET_NOTRACK in memcpy-ssse3-rep.S
    
            * sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S
            (BRANCH_TO_JMPTBL_ENTRY): Add _CET_NOTRACK before indirect jump
            to jump table.
            (BRANCH_TO_JMPTBL_ENTRY_TAIL): Likewise.

commit d5e00eec613f4c7660b24321aa7de38092275e76
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 8 15:57:36 2018 -0800

    i386: Use _CET_NOTRACK in memcmp-sse4.S
    
            * sysdeps/i386/i686/multiarch/memcmp-sse4.S
            (BRANCH_TO_JMPTBL_ENTRY): Add _CET_NOTRACK before indirect jump
            to jump table.

commit 2fd7e58a16622b5d589db1158637691892a7aae9
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 8 15:56:38 2018 -0800

    i386: Use _CET_NOTRACK in memset-sse2.S
    
            * sysdeps/i386/i686/multiarch/memset-sse2.S
            (BRANCH_TO_JMPTBL_ENTRY): Add _CET_NOTRACK before indirect jump
            to jump table.

commit 9c0152f2370a3796c8bd54249b0f74c50014a91b
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 8 15:54:52 2018 -0800

    i386: Use _CET_NOTRACK in i686/memcmp.S
    
            * sysdeps/i386/i686/memcmp.S (memcmp): Add _CET_NOTRACK before
            indirect jump to jump table.

commit 60b452d97f36569485a9adcc9607c518e25544d2
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 8 11:02:21 2018 -0800

    x86-64: Use _CET_NOTRACK in memcpy-ssse3.S
    
            * sysdeps/x86_64/multiarch/memcpy-ssse3.S
            (BRANCH_TO_JMPTBL_ENTRY): Add _CET_NOTRACK before indirect jump
            to jump table.
            (MEMCPY): Likewise.

commit c256128665f284434074262e677a86927e003270
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 8 11:00:05 2018 -0800

    x86-64: Use _CET_NOTRACK in memcmp-sse4.S
    
            * sysdeps/x86_64/multiarch/memcmp-sse4.S (BRANCH_TO_JMPTBL_ENTRY):
            Add _CET_NOTRACK before indirect jump to jump table.

commit 570256c8b5c03617cb4cd323e49360cb7d6640ed
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 8 10:57:27 2018 -0800

    x86-64: Use _CET_NOTRACK in memcpy-ssse3-back.S
    
            * sysdeps/x86_64/multiarch/memcpy-ssse3-back.S
            (BRANCH_TO_JMPTBL_ENTRY): Add _CET_NOTRACK before indirect jump
            to jump table.
            (MEMCPY): Likewise.

commit 8001a897e83b7ab670022398f1565d17d340d9d3
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 8 10:52:38 2018 -0800

    x86-64: Use _CET_NOTRACK in strcmp-sse42.S
    
            * sysdeps/x86_64/multiarch/strcmp-sse42.S (STRCMP_SSE42): Add
            _CET_NOTRACK before indirect jump to jump table.

commit b6546570a22e367499e583b852b60d459da93d39
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 8 10:50:56 2018 -0800

    x86-64: Use _CET_NOTRACK in strcpy-sse2-unaligned.S
    
            * sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S
            (BRANCH_TO_JMPTBL_ENTRY): Add _CET_NOTRACK before indirect jump
            to jump table.

commit aaef461cb89b5916cb72f8dddd7a3062b471d190
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Tue Jan 9 05:45:42 2018 -0800

    x86_64: Use _CET_NOTRACK in strcmp.S
    
            * sysdeps/x86_64/strcmp.S (STRCMP): Add _CET_NOTRACK before
            indirect jump to jump table.

commit cfff94fa62aabe0c3c74b2335664b8f258af09c9
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Sat Feb 24 20:13:28 2018 -0800

    x86: Update vfork to pop shadow stack
    
    Since we can't change return address on shadow stack, if shadow stack
    is in use, we need to pop shadow stack and jump back to caller directly.
    
            * sysdeps/unix/sysv/linux/i386/vfork.S (SYSCALL_ERROR_HANDLER):
            Redefine if __SHSTK__ is defined.
            (SYSCALL_ERROR_LABEL): Likewise.
            (__vfork): Pop shadow stack and jump back to caller directly
            when shadow stack is in use.
            * sysdeps/unix/sysv/linux/x86_64/vfork.S (SYSCALL_ERROR_HANDLER):
            Redefine if __SHSTK__ is defined.
            (SYSCALL_ERROR_LABEL): Likewise.
            (__vfork): Pop shadow stack and jump back to caller directly
            when shadow stack is in use.

commit 35e214bfcb305ebf0451e653c77c0de6c03d35b6
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 8 15:50:11 2018 -0800

    i386: Add _CET_ENDBR to indirect jump targets in add_n.S/sub_n.S
    
    i386 add_n.S and sub_n.S use a trick to implement jump tables with LEA.
    We can't use conditional branches nor normal jump tables since jump
    table entries use EFLAGS set by jump table index.  This patch adds
    _CET_ENDBR to indirect jump targets and adjusts the destination for
    _CET_ENDBR.
    
            * sysdeps/i386/add_n.S: Include <sysdep.h>, instead of
            "sysdep.h".
            (__mpn_add_n): Save and restore %ebx if __IBT__ is defined.
            Add _CET_ENDBR to indirect jump targets and adjust jump
            destination for _CET_ENDBR.
            * sysdeps/i386/i686/add_n.S: Include <sysdep.h>, instead of
            "sysdep.h".
            (__mpn_add_n): Save and restore %ebx if __IBT__ is defined.
            Add _CET_ENDBR to indirect jump targets and adjust jump
            destination for _CET_ENDBR.
            * sysdeps/i386/sub_n.S: Include <sysdep.h>, instead of
            "sysdep.h".
            (__mpn_sub_n): Save and restore %ebx if __IBT__ is defined.
            Add _CET_ENDBR to indirect jump targets and adjust jump
            destination for _CET_ENDBR.

commit f1d0a8aea279a84b9ec0e01cb691d4310f58ca4b
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Tue Mar 6 04:31:30 2018 -0800

    x86-64: Add _CET_ENDBR to STRCMP_SSE42
    
    Add _CET_ENDBR to STRCMP_SSE42, which is called indirectly, to support
    IBT.
    
            * sysdeps/x86_64/multiarch/strcmp-sse42.S (STRCMP_SSE42): Add
            _CET_ENDBR.

commit 3be406ae1d509fc34d617c85cec65b82c62ea18b
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 8 10:42:34 2018 -0800

    x86: Add _CET_ENDBR to functions in dl-tlsdesc.S
    
    Add _CET_ENDBR to functions in dl-tlsdesc.S, which are called indirectly,
    to support IBT.
    
    Tested on i686 and x86-64.
    
            * sysdeps/i386/dl-tlsdesc.S (_dl_tlsdesc_return): Add
            _CET_ENDBR.
            (_dl_tlsdesc_undefweak): Likewise.
            (_dl_tlsdesc_dynamic): Likewise.
            (_dl_tlsdesc_resolve_abs_plus_addend): Likewise.
            (_dl_tlsdesc_resolve_rel): Likewise.
            (_dl_tlsdesc_resolve_rela): Likewise.
            (_dl_tlsdesc_resolve_hold): Likewise.
            * sysdeps/x86_64/dl-tlsdesc.S (_dl_tlsdesc_return): Likewise.
            (_dl_tlsdesc_undefweak): Likewise.
            (_dl_tlsdesc_dynamic): Likewise.
            (_dl_tlsdesc_resolve_rela): Likewise.
            (_dl_tlsdesc_resolve_hold): Likewise.

commit 5ade3020da8b652d7ba65b711dbb07fa0edcf545
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed Jan 17 12:00:48 2018 -0800

    x86: Add _CET_ENDBR to functions in crti.S
    
    Add _CET_ENDBR to functions in crti.S, which are called indirectly, to
    support IBT.
    
    Tested on i686 and x86-64.
    
            * sysdeps/i386/crti.S (_init): Add _CET_ENDBR.
            (_fini): Likewise.
            * sysdeps/x86_64/crti.S (_init): Likewise.
            (_fini): Likewise.

commit 41ea7fa3967c73a0a3f7b46a23ce5a5ea95e2b8c
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Thu Jun 22 04:15:39 2017 -0700

    x86: Support IBT and SHSTK in Intel CET [BZ #21598]
    
    Intel Control-flow Enforcement Technology (CET) instructions:
    
    https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf
    
    includes Indirect Branch Tracking (IBT) and Shadow Stack (SHSTK).
    
    GNU_PROPERTY_X86_FEATURE_1_IBT is added to GNU program property to
    indicate that all executable sections are compatible with IBT when
    ENDBR instruction starts each valid target where an indirect branch
    instruction can land.  Linker sets GNU_PROPERTY_X86_FEATURE_1_IBT on
    output only if it is set on all relocatable inputs.
    
    On an IBT capable processor, the following steps should be taken:
    
    1. When loading an executable without an interpreter, enable IBT and
    lock IBT if GNU_PROPERTY_X86_FEATURE_1_IBT is set on the executable.
    2. When loading an executable with an interpreter, enable IBT if
    GNU_PROPERTY_X86_FEATURE_1_IBT is set on the interpreter.
      a. If GNU_PROPERTY_X86_FEATURE_1_IBT isn't set on the executable,
         disable IBT.
      b. Lock IBT.
    3. If IBT is enabled, when loading a shared object without
    GNU_PROPERTY_X86_FEATURE_1_IBT:
      a. If legacy interwork is allowed, then mark all pages in executable
         PT_LOAD segments in legacy code page bitmap.  Failure of legacy code
         page bitmap allocation causes an error.
      b. If legacy interwork isn't allowed, it causes an error.
    
    GNU_PROPERTY_X86_FEATURE_1_SHSTK is added to GNU program property to
    indicate that all executable sections are compatible with SHSTK where
    return address popped from shadow stack always matches return address
    popped from normal stack.  Linker sets GNU_PROPERTY_X86_FEATURE_1_SHSTK
    on output only if it is set on all relocatable inputs.
    
    On a SHSTK capable processor, the following steps should be taken:
    
    1. When loading an executable without an interpreter, enable SHSTK if
    GNU_PROPERTY_X86_FEATURE_1_SHSTK is set on the executable.
    2. When loading an executable with an interpreter, enable SHSTK if
    GNU_PROPERTY_X86_FEATURE_1_SHSTK is set on interpreter.
      a. If GNU_PROPERTY_X86_FEATURE_1_SHSTK isn't set on the executable
         or any shared objects loaded via the DT_NEEDED tag, disable SHSTK.
      b. Otherwise lock SHSTK.
    3. After SHSTK is enabled, it is an error to load a shared object
    without GNU_PROPERTY_X86_FEATURE_1_SHSTK.
    
    To enable CET support in glibc, --enable-cet is required to configure
    glibc.  When CET is enabled, both compiler and assembler must support
    CET.  Otherwise, it is a configure-time error.
    
    To support CET run-time control,
    
    1. _dl_x86_feature_1 is added to the writable ld.so namespace to indicate
    if IBT or SHSTK are enabled at run-time.  It should be initialized by
    init_cpu_features.
    2. For dynamic executables:
       a. A l_cet field is added to struct link_map to indicate if IBT or
          SHSTK is enabled in an ELF module.  The optional DL_PROCESS_PT_NOTE
          is called to process PT_NOTE segment for GNU program property and
          set l_cet.
       b. _dl_start_user calls _dl_cet_init, instead of _dl_init, which sets
          up IBT and SHSTK.
       c. DL_OPEN_CHECK is added to check IBT and SHSTK compatibility when
          dlopening a shared object.
    3. Replace i386 _dl_runtime_resolve and _dl_runtime_profile with
    _dl_runtime_resolve_shstk and _dl_runtime_profile_shstk, respectively if
    SHSTK is enabled.
    
    <cet.h> from CET-enabled GCC is automatically included by assembly code
    to add GNU_PROPERTY_X86_FEATURE_1_IBT and GNU_PROPERTY_X86_FEATURE_1_SHSTK
    to GNU program property.  _CET_ENDBR is added at the entrance of all
    assembly functions whose address may be taken.  _CET_NOTRACK is used to
    insert NOTRACK prefix with indirect jump table to support IBT.  It is
    defined as notrack when _CET_NOTRACK is defined in <cet.h>.
    
             [BZ #21598]
            * config.h.in (ENABLE_CET): New #undef.
            * configure.ac: Add --enable-cet.
            * configure: Regenerated.
            * elf/dl-load.c (filebuf): Moved before "dynamic-link.h".
            (_dl_map_object_from_fd): Call DL_PROCESS_PT_NOTE on PT_NOTE
            segment if DL_PROCESS_PT_NOTE is defined.
            * elf/rtld.c (dl_main): Likewise.
            * elf/dl-open.c (dl_open_worker): Call DL_OPEN_CHECK if it is
            defined.
            * sysdeps/unix/sysv/linux/i386/dl-cet.c: New file.
            * sysdeps/unix/sysv/linux/i386/dl-machine.h: Likewise.
            * sysdeps/unix/sysv/linux/x86/check-cet.awk: Likewise.
            * sysdeps/unix/sysv/linux/x86/configure: Likewise.
            * sysdeps/unix/sysv/linux/x86/configure.ac: Likewise.
            * sysdeps/unix/sysv/linux/x86/dl-cet.c: Likewise.
            * sysdeps/unix/sysv/linux/x86/dl-cet.h: Likewise.
            * sysdeps/unix/sysv/linux/x86/dl-procruntime.c: Likewise.
            * sysdeps/unix/sysv/linux/x86/ldsodefs.h: Likewise.
            * sysdeps/unix/sysv/linux/x86/link_map.h: Likewise.
            * sysdeps/unix/sysv/linux/x86_64/dl-machine.h: Likewise.
            * sysdeps/i386/dl-machine.h (DL_INIT): New.
            (_dl_start_user): Replace _dl_init with DL_INIT.
            * sysdeps/i386/dl-trampoline.S (_dl_runtime_resolve): Add
            _CET_ENDBR.
            (_dl_runtime_profile): Likewise.
            (_dl_runtime_resolve_shstk): New.
            (_dl_runtime_profile_shstk): Likewise.
            * sysdeps/unix/sysv/linux/x86/Makefile (sysdep-dl-routines): Add
            dl-cet if CET is enabled.
            (CFLAGS-.o): Add -fcf-protection -mcet if CET is enabled.
            (CFLAGS-.os): Likewise.
            (CFLAGS-.op): Likewise.
            (CFLAGS-.oS): Likewise.
            (asm-CPPFLAGS): Add -fcf-protection -mcet -include cet.h if CET
            is enabled.
            (tests-special): Add $(objpfx)check-cet.out.
            (cet-built-dso): New.
            (+$(cet-built-dso:=.note)): Likewise.
            (common-generated): Add $(cet-built-dso:$(common-objpfx)%=%.note).
            ($(objpfx)check-cet.out): New.
            (generated): Add check-cet.out.
            * sysdeps/x86/sysdep.h (_CET_NOTRACK): New.
            (_CET_ENDBR): Define if not defined.
            (ENTRY): Add _CET_ENDBR.
            * sysdeps/x86_64/dl-machine.h (DL_INIT): New.
            (_dl_start_user): Replace _dl_init with DL_INIT.
            * sysdeps/x86_64/x32/dl-machine.h (_dl_start_user): Likewise.
            * sysdeps/x86_64/dl-trampoline.h (_dl_runtime_resolve): Add
            _CET_ENDBR.
            (_dl_runtime_profile): Likewise.

commit dea7a9082027b6bc5af5caf8e22ce77853197ca4
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Tue Dec 5 11:58:23 2017 -0800

    x86: Support shadow stack pointer in setjmp/longjmp
    
    Save and restore shadow stack pointer in setjmp and longjmp to support
    shadow stack in Intel CET.  Use feature_1 in tcbhead_t to check if
    shadow stack is enabled before saving and restoring shadow stack
    pointer so that it works with the old smaller cancel_jmp_buf which
    doesn't have space for shadow stack pointer.
    
    2017-12-07  Igor Tsimbalist  <igor.v.tsimbalist@intel.com>
                H.J. Lu  <hongjiu.lu@intel.com>
    
            * sysdeps/i386/__longjmp.S: Include <jmp_buf-ssp.h>.
            (__longjmp): Restore shadow stack pointer if shadow stack is
            enabled, SHADOW_STACK_POINTER_OFFSET is defined and __longjmp
            isn't defined for __longjmp_cancel.
            * sysdeps/i386/bsd-_setjmp.S: Include <jmp_buf-ssp.h>.
            (_setjmp): Save shadow stack pointer if shadow stack is enabled
            and SHADOW_STACK_POINTER_OFFSET is defined.
            * sysdeps/i386/bsd-setjmp.S: Include <jmp_buf-ssp.h>.
            (setjmp): Save shadow stack pointer if shadow stack is enabled
            and SHADOW_STACK_POINTER_OFFSET is defined.
            * sysdeps/i386/setjmp.S: Include <jmp_buf-ssp.h>.
            (__sigsetjmp): Save shadow stack pointer if shadow stack is
            enabled and SHADOW_STACK_POINTER_OFFSET is defined.
            * sysdeps/unix/sysv/linux/i386/____longjmp_chk.S: Include
            <jmp_buf-ssp.h>.
            (____longjmp_chk): Restore shadow stack pointer if shadow stack
            is enabled and SHADOW_STACK_POINTER_OFFSET is defined.
            * sysdeps/unix/sysv/linux/x86/Makefile (gen-as-const-headers):
            Remove jmp_buf-ssp.sym.
            * sysdeps/unix/sysv/linux/x86_64/____longjmp_chk.S: Include
            <jmp_buf-ssp.h>.
            (____longjmp_chk): Restore shadow stack pointer if shadow stack
            is enabled and SHADOW_STACK_POINTER_OFFSET is defined.
            * sysdeps/x86/Makefile (gen-as-const-headers): Add
            jmp_buf-ssp.sym.
            * sysdeps/x86/jmp_buf-ssp.sym: New dummy file.
            * sysdeps/x86_64/__longjmp.S: Include <jmp_buf-ssp.h>.
            (__longjmp): Restore shadow stack pointer if shadow stack is
            enabled, SHADOW_STACK_POINTER_OFFSET is defined and __longjmp
            isn't defined for __longjmp_cancel.
            * sysdeps/x86_64/setjmp.S: Include <jmp_buf-ssp.h>.
            (__sigsetjmp): Save shadow stack pointer if shadow stack is
            enabled and SHADOW_STACK_POINTER_OFFSET is defined.

commit 8095e9587589d7cb098602bb8557d5f0e5e58bba
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Thu Dec 7 05:47:21 2017 -0800

    x86: Add feature_1 to tcbhead_t [BZ #22563]
    
    This will be used by CET run-time control.
    
            [BZ #22563]
            * nptl/pthread_create.c (__pthread_create_2_1): Use
            THREAD_COPY_ADDITONAL_INFO to copy additional info if defined.
            * sysdeps/i386/nptl/tcb-offsets.sym (FEATURE_1_OFFSET): New.
            * sysdeps/i386/nptl/tls.h (tcbhead_t): Add feature_1.
            * sysdeps/unix/sysv/linux/x86/pthreaddef.h: New file.
            * sysdeps/x86_64/nptl/tcb-offsets.sym (FEATURE_1_OFFSET): New.
            * sysdeps/x86_64/nptl/tls.h (tcbhead_t): Rename __glibc_unused1
            to feature_1.

commit 45b3bf8a0c01514ab4fc61a591675512e275c6af
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Sat Feb 24 17:23:54 2018 -0800

    x86: Use pad in pthread_unwind_buf to preserve shadow stack register
    
    The pad array in struct pthread_unwind_buf is used by setjmp to save
    shadow stack register.  We assert that size of struct pthread_unwind_buf
    is no less than offset of shadow stack pointer + shadow stack pointer
    size.
    
    Since functions, like LIBC_START_MAIN, START_THREAD_DEFN as well as
    those with thread cancellation, call setjmp, but never return after
    __libc_unwind_longjmp, __libc_unwind_longjmp, which is defined as
    __libc_longjmp on x86, doesn't need to restore shadow stack register.
    __libc_longjmp, which is a private interface for thread cancellation
    implementation in libpthread, is changed to call __longjmp_cancel,
    instead of __longjmp.  __longjmp_cancel is a new internal function
    in libc, which is similar to __longjmp, but doesn't restore shadow
    stack register.
    
    The compatibility longjmp and siglongjmp in libpthread.so are changed
    to call __libc_siglongjmp, instead of __libc_longjmp, so that they will
    restore shadow stack register.
    
    Tested with build-many-glibcs.py.
    
            * nptl/pthread_create.c (START_THREAD_DEFN): Clear previous
            handlers after setjmp.
            * setjmp/longjmp.c (__libc_longjmp): Don't define alias if
            defined.
            * sysdeps/unix/sysv/linux/x86/setjmpP.h (_JUMP_BUF_SIGSET_NSIG):
            Changed to 97.
            * sysdeps/x86/Makefile (sysdep_routines): Add __longjmp_cancel.
            * sysdeps/x86/__longjmp_cancel.S: New file.
            * sysdeps/x86/longjmp.c: Likewise.
            * sysdeps/x86/nptl/pt-longjmp.c: Likewise.


Thread overview: 5+ messages
2018-03-29 14:32 PING: [PATCH] x86: Add __sigsetjmp_cancel and __setjmp_cancel H.J. Lu
2018-03-29 17:37 ` Zack Weinberg
2018-03-29 17:48   ` Zack Weinberg
2018-03-29 19:58     ` H.J. Lu
2018-04-06  2:41     ` Carlos O'Donell
