Date: Mon, 26 Aug 2013 04:15:00 -0000
Subject: [RFC] [PATCH] [Aarch64] : Stack guard support in glibc
From: Venkataramanan Kumar
To: libc-ports@sourceware.org, Marcus Shawcroft, Patch Tracking
Mailing-List: contact libc-ports-help@sourceware.org; run by ezmlm
X-SW-Source: 2013-08/txt/msg00044.txt.bz2

Hi Maintainers,

Attached is an RFC patch that adds stack guard support in glibc for Aarch64, for review.

The TCB is 16 bytes in Aarch64 and tp points to the dtvt. Before the TCB, the pthread structure is placed. This patch places the stack guard (SG) and pointer guard variable (PG) between the TCB and pthread structures.

We can access the thread pointer using the "mrs" instruction; the compiler will generate the following assembly to access the stack guard placed before the TCB:

        mrs x0, tpidr_el0
        ldr x1, [x0, #-8]

                               tp
      | pthread                v
      -----------------------------
      |            |PG|SG| dtvt|  |
      ------------------------------
                            TCB

I did a quick check by building eglibc and moving the built runtime linker ld-linux-aarch64.so.1 and libc "libc.so.2.17.90" to the V8 model running an open embedded image, and ran the following test case using "ld-linux-aarch64.so.1 --library ./libc.so test.out 1", where libc.so points to the newly built one.
---test.c---
#include <stdio.h>
#include <string.h>

void test_stack_smashing(int corrupt)
{
  long stack_val, tp;
  char arr[5];
  char *ptr = arr;

  if (!corrupt)
    {
      strcpy(ptr, "abcd");
      printf("copied string is %s\n", ptr);
    }
  else
    {
      printf("overflowing the buffer and hitting the canary now\n");
      memset(ptr, 0, 12);   /* deliberate overflow past arr[5] into the canary */
      printf("Overwritten the buffer\n");
      /* Read the stack guard from tp - 8, the slot the compiler checks.  */
      asm("mrs %1, tpidr_el0\n\t"
          "ldr %0, [%1, #-8]\n\t"
          : "=r" (stack_val), "=&r" (tp));
      printf(" Canary value is %lx\n", stack_val);
    }
}

int main(int argc, char *argv[])
{
  if (argc < 2)
    return 1;

  if (0 == strcmp(argv[1], "0"))
    {
      test_stack_smashing(0);
      printf("Passed Canary test\n");
    }
  else
    {
      test_stack_smashing(1);
      printf("Failed Canary test\n");
    }
  return 0;
}

And without the patch I got:

(Snip)
overflowing the buffer and hitting the canary now
Overwritten the buffer
 Canary value is 0
Failed Canary test
(Snip)

The canary value is zero, and this happens without my change because I believe there is already space between the TCB and pthread nodes due to alignment enforcement.

With the patch:

(Snip)
overflowing the buffer and hitting the canary now
Overwritten the buffer
 Canary value is 9900cf00
*** stack smashing detected ***: ./a.out terminated
Aborted
(Snip)

I also checked the canary value and it keeps changing from run to run.

regards,
Venkat.
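The layout the mail describes, with the guard words in the gap between struct pthread and the TCB, can be checked on any host without an AArch64 machine. The following is an added example, not code from the mail or from glibc: struct pthread, tcbhead_t and PTHREAD_STRUCT_END_PADDING are constructed stand-ins (the end_padding idiom is modelled on nptl but the field list is invented), tp is an ordinary pointer standing in for tpidr_el0 / __builtin_thread_pointer (), and the size and access macros follow the patch's expressions with tp passed explicitly; THREAD_GET_STACK_GUARD and OLD_THREAD_SELF are additions for the check.

```c
/* Host-side model of the proposed AArch64 TLS layout:
   [struct pthread][pad][PG][SG][tcbhead_t], with tp pointing at tcbhead_t.
   Added example; structures and PTHREAD_STRUCT_END_PADDING are stand-ins.  */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for nptl's struct pthread: a few fields plus the
   end_padding marker used to measure spare space at the tail.  */
struct pthread
{
  uint64_t tid;
  char flags[13];
  char end_padding[];
};
#define PTHREAD_STRUCT_END_PADDING \
  (sizeof (struct pthread) - offsetof (struct pthread, end_padding))

/* Constructed stand-in for the 16-byte AArch64 TCB (dtv + private).  */
typedef struct { void *dtv; void *private; } tcbhead_t;

/* Size and access macros as in the patch, with tp made an explicit argument.  */
#define TLS_TCB_SIZE sizeof (tcbhead_t)
#define TLS_PRE_TCB_SIZE \
  (sizeof (struct pthread) \
   + (PTHREAD_STRUCT_END_PADDING < 2 * sizeof (uintptr_t) \
      ? ((2 * sizeof (uintptr_t) + __alignof__ (struct pthread) - 1) \
         & ~(__alignof__ (struct pthread) - 1)) \
      : 0))
#define THREAD_SELF(tp) \
  ((struct pthread *) ((char *) (tp) - TLS_PRE_TCB_SIZE))
#define OLD_THREAD_SELF(tp) ((struct pthread *) (tp) - 1)  /* pre-patch form */
#define THREAD_SET_STACK_GUARD(tp, value)   (((uintptr_t *) (tp))[-1] = (value))
#define THREAD_GET_STACK_GUARD(tp)          (((uintptr_t *) (tp))[-1])
#define THREAD_SET_POINTER_GUARD(tp, value) (((uintptr_t *) (tp))[-2] = (value))
#define THREAD_GET_POINTER_GUARD(tp)        (((uintptr_t *) (tp))[-2])
#define THREAD_COPY_STACK_GUARD(tp, descr) \
  (((uintptr_t *) ((char *) (descr) + TLS_PRE_TCB_SIZE))[-1] \
   = THREAD_GET_STACK_GUARD (tp))
#define THREAD_COPY_POINTER_GUARD(tp, descr) \
  (((uintptr_t *) ((char *) (descr) + TLS_PRE_TCB_SIZE))[-2] \
   = THREAD_GET_POINTER_GUARD (tp))

/* One zeroed thread block; the descriptor is the block start and
   tp is descr + TLS_PRE_TCB_SIZE.  */
static struct pthread *alloc_descr (void)
{
  return (struct pthread *) calloc (1, TLS_PRE_TCB_SIZE + TLS_TCB_SIZE);
}
static void *tp_of (struct pthread *descr)
{
  return (char *) descr + TLS_PRE_TCB_SIZE;
}

/* Bytes reserved before the TCB under the patch's formula.  */
size_t pre_tcb_size (void) { return TLS_PRE_TCB_SIZE; }

/* Returns 1 when: the guard words lie after the descriptor's fields and
   before the TCB; writing them clobbers neither; THREAD_SELF recovers the
   descriptor while the pre-patch THREAD_SELF would not; and the COPY macros
   reproduce both guards in a second descriptor (as for a new thread).  */
int layout_is_sound (void)
{
  struct pthread *descr = alloc_descr ();
  struct pthread *child = alloc_descr ();
  void *tp = tp_of (descr);
  size_t sg_off = TLS_PRE_TCB_SIZE - sizeof (uintptr_t);
  size_t pg_off = TLS_PRE_TCB_SIZE - 2 * sizeof (uintptr_t);
  int ok = 1;

  ok &= pg_off >= sizeof (struct pthread) && sg_off + sizeof (uintptr_t) <= TLS_PRE_TCB_SIZE;
  ok &= TLS_PRE_TCB_SIZE % __alignof__ (struct pthread) == 0;

  descr->tid = 42;
  memset (descr->flags, 0x5a, sizeof descr->flags);
  THREAD_SET_STACK_GUARD (tp, (uintptr_t) 0x9900cf00u);   /* value seen in the mail's run */
  THREAD_SET_POINTER_GUARD (tp, (uintptr_t) 0x1234abcdu); /* constructed value */
  ok &= descr->tid == 42 && descr->flags[0] == 0x5a;      /* descriptor fields intact */
  tcbhead_t *tcb = tp;
  ok &= tcb->dtv == NULL && tcb->private == NULL;         /* TCB intact */

  ok &= THREAD_SELF (tp) == descr;
  ok &= OLD_THREAD_SELF (tp) != descr;   /* why the patch must change THREAD_SELF */

  THREAD_COPY_STACK_GUARD (tp, child);
  THREAD_COPY_POINTER_GUARD (tp, child);
  ok &= THREAD_GET_STACK_GUARD (tp_of (child)) == 0x9900cf00u;
  ok &= THREAD_GET_POINTER_GUARD (tp_of (child)) == 0x1234abcdu;

  free (descr);
  free (child);
  return ok;
}

int main (void)
{
  printf ("TLS_PRE_TCB_SIZE = %zu, layout %s\n", pre_tcb_size (),
          layout_is_sound () ? "sound" : "BROKEN");
  return layout_is_sound () ? 0 : 1;
}
```

With the stand-in descriptor (24 bytes, 3 bytes of end padding) the formula reserves 16 extra bytes, so TLS_PRE_TCB_SIZE is 40 and the two guard words occupy bytes 24..39, immediately below the TCB; the check that OLD_THREAD_SELF no longer matches is the reason the patch's second hunk rewrites THREAD_SELF in terms of TLS_PRE_TCB_SIZE.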
Attachment: glibc.tls.stack.guard.aarch64.diff

Index: tls.h
===================================================================
--- tls.h	(revision 23742)
+++ tls.h	(working copy)
@@ -68,10 +68,15 @@
 # define TLS_TCB_SIZE		sizeof (tcbhead_t)
 
 /* This is the size we need before TCB.  */
-# define TLS_PRE_TCB_SIZE	sizeof (struct pthread)
+# define TLS_PRE_TCB_SIZE \
+  (sizeof (struct pthread)                                               \
+   + (PTHREAD_STRUCT_END_PADDING < 2 * sizeof (uintptr_t)               \
+      ? ((2 * sizeof (uintptr_t) + __alignof__ (struct pthread) - 1)    \
+         & ~(__alignof__ (struct pthread) - 1))                         \
+      : 0))
 
 /* Alignment requirements for the TCB.  */
-# define TLS_TCB_ALIGN		__alignof__ (tcbhead_t)
+# define TLS_TCB_ALIGN __alignof__ (struct pthread)
 
 /* Install the dtv pointer.  The pointer passed is to the element with
    index -1 which contain the length.  */
@@ -98,12 +103,28 @@
 
 /* Return the thread descriptor for the current thread.  */
 # define THREAD_SELF \
- ((struct pthread *)__builtin_thread_pointer () - 1)
+ ((struct pthread *)((char *) __builtin_thread_pointer () - TLS_PRE_TCB_SIZE))
 
 /* Magic for libthread_db to know how to do THREAD_SELF.  */
 # define DB_THREAD_SELF \
-  CONST_THREAD_AREA (64, sizeof (struct pthread))
+  CONST_THREAD_AREA (64, TLS_PRE_TCB_SIZE)
 
+/* Set the stack guard field in TCB head.  */
+#define THREAD_SET_STACK_GUARD(value) \
+  (((uintptr_t *) __builtin_thread_pointer ())[-1] = (value))
+#define THREAD_COPY_STACK_GUARD(descr) \
+  (((uintptr_t *) ((char *) (descr) + TLS_PRE_TCB_SIZE))[-1] \
+   = ((uintptr_t *) __builtin_thread_pointer ())[-1])
+
+/* Set the pointer guard field in TCB head.  */
+#define THREAD_GET_POINTER_GUARD() \
+  (((uintptr_t *) __builtin_thread_pointer ())[-2])
+#define THREAD_SET_POINTER_GUARD(value) \
+  (((uintptr_t *) __builtin_thread_pointer ())[-2] = (value))
+#define THREAD_COPY_POINTER_GUARD(descr) \
+  (((uintptr_t *) ((char *) (descr) + TLS_PRE_TCB_SIZE))[-2] \
+   = THREAD_GET_POINTER_GUARD ())
+
 /* Access to data in the thread descriptor is easy.  */
 # define THREAD_GETMEM(descr, member) \
   descr->member
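Review bot: in the first hunk (@@ -68,10 +68,15 @@), the new TLS_PRE_TCB_SIZE reserves 2 * sizeof (uintptr_t) bytes rounded up to __alignof__ (struct pthread) whenever PTHREAD_STRUCT_END_PADDING is smaller than that, but the header never says what the two words are; only the mail explains that they are the pointer guard at tp[-2] and the stack guard at tp[-1], and that the compiler reads the stack guard from tp - 8, so the macro needs a comment recording that layout and that the offsets are fixed by the compiler and cannot move. The same hunk replaces `# define TLS_TCB_ALIGN __alignof__ (tcbhead_t)` with `__alignof__ (struct pthread)`, which silently drops the tcbhead_t requirement; since both structures share one allocation, taking the larger of the two alignments, or a comment stating why struct pthread alignment is always at least as strict, would be safer.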
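Review bot: in the second hunk (@@ -98,12 +103,28 @@), the comment `/* Set the pointer guard field in TCB head.  */` introduces THREAD_GET_POINTER_GUARD, which reads the field rather than setting it, and both new comments say the guards live "in TCB head" although the macros index [-1] and [-2] below the thread pointer, i.e. before the TCB; reword to something like `/* Stack and pointer guard words, kept just below the TCB at tp[-1] and tp[-2].  */`. THREAD_COPY_STACK_GUARD reads `((uintptr_t *) __builtin_thread_pointer ())[-1]` inline while THREAD_COPY_POINTER_GUARD goes through THREAD_GET_POINTER_GUARD (); a matching THREAD_GET_STACK_GUARD () would keep the two symmetrical. The new macros also use `#define` where the rest of the file uses `# define`. The THREAD_SELF and DB_THREAD_SELF changes are needed for the new layout and are consistent with each other, since the descriptor no longer sits exactly sizeof (struct pthread) below the thread pointer.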