From: Adhemerval Zanella Netto
Organization: Linaro
Date: Wed, 8 Mar 2023 10:04:59 -0300
Subject: Re: [PATCH] RFC: Provide a function to reset IFUNC PLTs
To: Jan Kratochvil
Cc: Florian Weimer, libc-alpha@sourceware.org, Anton Kozlov
References: <87v8jdq7ht.fsf@oldenburg.str.redhat.com> <2659aadc-6518-cc0e-d103-84eafcbdc3f9@linaro.org>

On 08/03/23 07:21, Jan Kratochvil wrote:
> On Tue, 07 Mar 2023 21:07:58 +0800, Adhemerval Zanella Netto wrote:
>> I am not sure if the ifunc reset will be really safe without adding CRIU
>> migrate sync points, to avoid suspending execution in a context where the
>> ifunc variants are already being executed or their address is in a
>> function pointer (for instance in PLT code).
>
> You are right but I left the thread safety up to the caller ("Freezer"):
> https://github.com/openjdk/crac/pull/41/files#diff-aeec57d804d56002f26a85359fc4ac8b48cfc249d57c656a30a63fc6bf3457adR6029
>
> It could be moved to the glibc part.
>
>
>> Besides, I am also not sure if adding a way to remove RELRO protection won't
>> add more security issues (we can disable it for setuid binaries, but even
>> though it is not a good security practice).
>
> RELRO is removed only temporarily, it gets re-engaged. And at that time other
> threads should even be stopped (see above). Is it still a security issue?

Yes, without a stop-the-world scheme where a helper thread sets PR_GET_DUMPABLE
and PTRACE_ATTACH, the process cannot really be sure that no new thread will be
created between the time you enumerate the process threads and call the
'freeze' function.

I really don't think glibc should provide an interface to temporarily disable
any security hardening; it should always be opt-in at either program startup or
build time.

The ifunc mechanism is already full of corner cases and I think adding a runtime
mechanism to reset them is *not* a way forward.

As I said, I think CRIU heterogeneity should be handled by masking off the
higher cpu features. I am not sure if ARCH_SET_CPUID would be a solution here;
it means that we will need to handle SIGSEGV in the loader and come up with a
sane subset in case of failure (we now have x86_64-vx, so we can use it as
default). But as Florian has said, fixing it in glibc won't work consistently
with other libraries that use the cpuid instruction. And yes, I am aware we are
discussing glibc, but I prefer a composable solution (like adding proper cpuid
masking in the kernel) to an ad-hoc one.
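The ARCH_SET_CPUID route sketched in the reply above (make cpuid trap, catch the SIGSEGV, hand back a sane subset, here the x86-64-v2 baseline) as an added example; this is not code from the thread, from glibc or from CRIU/CRaC. It assumes x86_64 Linux and a CPU/hypervisor that supports CPUID faulting (otherwise arch_prctl fails with ENODEV and the trap is simply not installed); the function names, the v2/v3/v4 bit lists and the "zero-extend and skip two bytes" emulation are mine.

```c
/* Added example (not glibc or CRIU code): hide features above x86-64-v2 from a process
 * by trapping cpuid (arch_prctl ARCH_SET_CPUID) and rewriting its result in a SIGSEGV
 * handler. x86_64 Linux only; needs a CPU/VM with CPUID faulting. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef ARCH_SET_CPUID            /* value from <asm/prctl.h> */
#define ARCH_SET_CPUID 0x1012
#endif

/* Feature bits that the v3/v4 levels add on top of v2; these are what we hide. */
#define V3_LEAF1_ECX ((1u << 12) | (1u << 22) | (1u << 27) | (1u << 28) | (1u << 29)) /* FMA MOVBE OSXSAVE AVX F16C */
#define V3_LEAF7_EBX ((1u << 3) | (1u << 5) | (1u << 8))                              /* BMI1 AVX2 BMI2 */
#define V4_LEAF7_EBX ((1u << 16) | (1u << 17) | (1u << 28) | (1u << 30) | (1u << 31)) /* AVX512 F DQ CD BW VL */
#define V3_EXT1_ECX  (1u << 5)                                                        /* LZCNT, leaf 0x80000001 */

/* Pure policy: r[0..3] = eax..edx of a raw cpuid for (leaf, subleaf); clear the bits above v2. */
void mask_to_v2(uint32_t leaf, uint32_t subleaf, uint32_t r[4])
{
    if (leaf == 1)
        r[2] &= ~V3_LEAF1_ECX;
    else if (leaf == 7 && subleaf == 0)
        r[1] &= ~(V3_LEAF7_EBX | V4_LEAF7_EBX);
    else if (leaf == 0x80000001u)
        r[2] &= ~V3_EXT1_ECX;
}

#if defined(__x86_64__) && defined(__linux__)
#include <cpuid.h>
#include <sys/syscall.h>
#include <ucontext.h>

static struct sigaction old_sa;

/* What the process (and any ifunc resolver in it) sees; traps once the mask is installed. */
void probe_cpuid(uint32_t leaf, uint32_t sub, uint32_t r[4])
{
    __cpuid_count(leaf, sub, r[0], r[1], r[2], r[3]);
}

static void on_sigsegv(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    const uint8_t *ip = (const uint8_t *)uc->uc_mcontext.gregs[REG_RIP];
    (void)si;
    if (ip[0] != 0x0f || ip[1] != 0xa2) {   /* not "cpuid": a real crash, re-fault with the old action */
        sigaction(sig, &old_sa, NULL);
        return;
    }
    uint32_t leaf = (uint32_t)uc->uc_mcontext.gregs[REG_RAX];
    uint32_t sub  = (uint32_t)uc->uc_mcontext.gregs[REG_RCX];
    uint32_t r[4];
    syscall(SYS_arch_prctl, ARCH_SET_CPUID, 1);  /* run the real instruction, this thread only */
    probe_cpuid(leaf, sub, r);
    syscall(SYS_arch_prctl, ARCH_SET_CPUID, 0);
    mask_to_v2(leaf, sub, r);
    uc->uc_mcontext.gregs[REG_RAX] = r[0];       /* cpuid zero-extends into the 64-bit registers */
    uc->uc_mcontext.gregs[REG_RBX] = r[1];
    uc->uc_mcontext.gregs[REG_RCX] = r[2];
    uc->uc_mcontext.gregs[REG_RDX] = r[3];
    uc->uc_mcontext.gregs[REG_RIP] += 2;         /* skip the 2-byte cpuid */
}

/* Returns 0 on success, -1 with errno set (ENODEV: no CPUID faulting on this CPU/VM). */
int install_cpuid_mask(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigsegv;
    sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGSEGV, &sa, &old_sa) != 0)
        return -1;
    if (syscall(SYS_arch_prctl, ARCH_SET_CPUID, 0) != 0) {
        sigaction(SIGSEGV, &old_sa, NULL);
        return -1;
    }
    return 0;
}

int remove_cpuid_mask(void)
{
    int rc = (int)syscall(SYS_arch_prctl, ARCH_SET_CPUID, 1);
    sigaction(SIGSEGV, &old_sa, NULL);
    return rc;
}
#else
/* Other platforms: the policy function stays usable, the trap does not exist. */
void probe_cpuid(uint32_t leaf, uint32_t sub, uint32_t r[4]) { (void)leaf; (void)sub; memset(r, 0, 16); }
int install_cpuid_mask(void) { errno = ENOSYS; return -1; }
int remove_cpuid_mask(void)  { errno = ENOSYS; return -1; }
#endif

int main(void)
{
    uint32_t r[4];
    probe_cpuid(1, 0, r);
    printf("before: leaf1 ecx=%08x AVX=%u\n", r[2], (r[2] >> 28) & 1);
    if (install_cpuid_mask() != 0) { perror("ARCH_SET_CPUID"); return 1; }
    probe_cpuid(1, 0, r);
    printf("after:  leaf1 ecx=%08x AVX=%u\n", r[2], (r[2] >> 28) & 1);
    return remove_cpuid_mask();
}
```

Build with `cc -O2 cpuid_mask.c`. Three properties of this mechanism match the objections raised in the thread: ARCH_SET_CPUID is per thread (inherited by clone, reset by execve), so it only covers the whole process if it is set before the first cpuid runs, i.e. before ld.so's ifunc resolvers, which is a startup-time decision rather than something a running process can retrofit; it hides bits from every library's cpuid in this process but nothing outside it, whereas a kernel-side mask would be process- or system-wide; and clearing a cpuid bit does not disable the instructions or their XSAVE state, so code that assumes a feature without asking cpuid still executes it on the source host and still faults on a migration target that lacks it.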