From: Adhemerval Zanella Netto
Organization: Linaro
To: "H.J. Lu", libc-alpha@sourceware.org, Rich Felker
Subject: Re: [PATCH v2] x86-64: Check if mprotect works before rewriting PLT
Date: Tue, 16 Jan 2024 14:36:40 -0300
References: <20240112181941.3536012-1-hjl.tools@gmail.com>
In-Reply-To: <20240112181941.3536012-1-hjl.tools@gmail.com>

On 12/01/24 15:19, H.J. Lu wrote:
> Systemd execution environment configuration may prohibit changing a memory
> mapping to become executable:
>
> MemoryDenyWriteExecute=
> Takes a boolean argument. If set, attempts to create memory mappings
> that are writable and executable at the same time, or to change existing
> memory mappings to become executable, or mapping shared memory segments
> as executable, are prohibited.
>
> When it is set, systemd service stops working if PLT rewrite is enabled.
> Check if mprotect works before rewriting PLT. This fixes BZ #31230.
> This also works with SELinux when deny_execmem is on.

On the musl channel Rich has raised some points for this optimization that
made me curious. His main points are that this should not be faster than
-fno-plt, so the main advantage is for old binaries or environments where
PLT is required (either for audit or any other instrumentation).

Since this new tunable requires more resources (either for the probing,
plus the setup itself, and the extra VMA for the new PLT rewrite), with
recent Linux security modules that would most likely prevent it in a lot
of deployments; the question is how really useful this would be and
whether this is really more like an experiment to show a new x86 feature.