From: "H.J. Lu" <hjl.tools@gmail.com>
To: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
Cc: libc-alpha@sourceware.org, Rich Felker <dalias@libc.org>
Subject: Re: [PATCH v2] x86-64: Check if mprotect works before rewriting PLT
Date: Tue, 16 Jan 2024 10:13:53 -0800 [thread overview]
Message-ID: <CAMe9rOr5nsTHcN2c2O=okX6Yz--a7jB-xKFhSHxwnAX94P56kA@mail.gmail.com> (raw)
In-Reply-To: <e041653f-fc26-4be2-b5ee-269f3ecfd5bb@linaro.org>
On Tue, Jan 16, 2024 at 9:36 AM Adhemerval Zanella Netto
<adhemerval.zanella@linaro.org> wrote:
>
>
>
> On 12/01/24 15:19, H.J. Lu wrote:
> > Systemd execution environment configuration may prohibit changing a memory
> > mapping to become executable:
> >
> > MemoryDenyWriteExecute=
> > Takes a boolean argument. If set, attempts to create memory mappings
> > that are writable and executable at the same time, or to change existing
> > memory mappings to become executable, or mapping shared memory segments
> > as executable, are prohibited.
> >
> > When it is set, systemd service stops working if PLT rewrite is enabled.
> > Check if mprotect works before rewriting PLT. This fixes BZ #31230.
> > This also works with SELinux when deny_execmem is on.
>
> On musl channel Rich has raised some points for this optimization that
> made me curious. His main points are this should not be faster than
> -fno-plt, so the main advantage is for old binaries or environments
That is true for most cases. But in some cases, direct call + direct
jump is faster than indirect call.
> where PLT is required (either for audit or any other instrumentation).
This is also true.
> Since this new tunable requires more resources (either for the probing,
> plus the setup itself, and the extra VMA for the new PLT rewrite), with
> recent Linux security modules that would most likely to prevent it in
> a lot of deployments; the question is how really useful this would be
This also applies to all JITs.
> and whether this is really more like an experiment to show a new x86
> feature.
This feature has a minimal performance impact for most people. But
it is very useful for cases where PLT performance is critical.
--
H.J.
prev parent reply other threads:[~2024-01-16 18:14 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-12 18:19 H.J. Lu
2024-01-15 14:51 ` Carlos O'Donell
2024-01-16 17:36 ` Adhemerval Zanella Netto
2024-01-16 18:13 ` H.J. Lu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAMe9rOr5nsTHcN2c2O=okX6Yz--a7jB-xKFhSHxwnAX94P56kA@mail.gmail.com' \
--to=hjl.tools@gmail.com \
--cc=adhemerval.zanella@linaro.org \
--cc=dalias@libc.org \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).