[PATCH] Add support for PaX enable kernels (MPROTECT)

[PATCH] Add support for PaX enable kernels (MPROTECT)

[Magnus Granberg]

[-- Attachment #1: Type: text/plain, Size: 723 bytes --]

Hi

When we use the libffi on PaX enable kernels with MPROTECT enable we can't use 
PROT_EXEC for it get killed. We use the EMUTRAMP Option in PaX enable kernels 
to make it work and we need some code added to the src/closures.c to make it
work.The new configure option will turn the code of or on.
You can read more of the problem we have on 
https://bugs.gentoo.org/show_bug.cgi?id=329499

Gentoo Hardened Project
Magnus Granberg

Changelog

2012-09-22		Magnus Granberg <zorry@gentoo.org>
					Pavel Labushev <pavel.labushev@runbox.ru>

			* configure.ac		New options pax_emutramp
			* configure			Regenrated
			* fficonfig.h.in		Regenrated
		/src
			* closures.c			New function emutramp_enabled_check() and checks

----

[-- Attachment #2: libffi-pax-emutramp.patch --]
[-- Type: text/x-patch, Size: 1824 bytes --]

--- a/configure.ac	2012-09-17 16:51:53.188615663 +0200
+++ b/configure.ac	2012-09-19 23:20:49.321666120 +0200
@@ -347,6 +347,13 @@ if test x$TARGET = xX86_WIN64; then
     fi
 fi
 
+# On PaX enable kernels that have MPROTECT enable we can't use PROT_EXEC.
+AC_ARG_ENABLE(pax_emutramp,
+  [  --enable-pax_emutramp       enable pax emulated trampolines, for we can't use PROT_EXEC],
+  if test "$enable_pax_emutramp" = "yes"; then
+    AC_DEFINE(FFI_MMAP_EXEC_EMUTRAMP_PAX, 1,
+      [Define this if you want to enable pax emulated trampolines])
+  fi)
 
 FFI_EXEC_TRAMPOLINE_TABLE=0
 case "$target" in
--- a/src/closures.c	2012-09-19 23:37:09.648695333 +0200
+++ b/src/closures.c	2012-09-19 23:19:30.000000000 +0200
@@ -172,6 +172,27 @@ selinux_enabled_check (void)
 
 #endif /* !FFI_MMAP_EXEC_SELINUX */
 
+/* On PaX enable kernels that have MPROTECT enable we can't use PROT_EXEC. */
+#ifdef FFI_MMAP_EXEC_EMUTRAMP_PAX
+#include <stdlib.h>
+
+static int emutramp_enabled = -1;
+
+static int
+emutramp_enabled_check (void)
+{
+  if (getenv ("FFI_DISABLE_EMUTRAMP") == NULL)
+    return 1;
+  else
+    return 0;
+}
+
+#define is_emutramp_enabled() (emutramp_enabled >= 0 ? emutramp_enabled \
+                               : (emutramp_enabled = emutramp_enabled_check ()))
+#else
+#define is_emutramp_enabled() 0
+#endif /* FFI_MMAP_EXEC_EMUTRAMP_PAX */
+
 #elif defined (__CYGWIN__) || defined(__INTERIX)
 
 #include <sys/mman.h>
@@ -458,6 +479,12 @@ dlmmap (void *start, size_t length, int
   printf ("mapping in %zi\n", length);
 #endif
 
+  if (execfd == -1 && is_emutramp_enabled ())
+    {
+      ptr = mmap (start, length, prot & ~PROT_EXEC, flags, fd, offset);
+      return ptr;
+    }
+
   if (execfd == -1 && !is_selinux_enabled ())
     {
       ptr = mmap (start, length, prot | PROT_EXEC, flags, fd, offset);

Re: [PATCH] Add support for PaX enable kernels (MPROTECT)

[Magnus Granberg]

lördag 22 september 2012 16.08.18 skrev  Magnus Granberg:
> Hi
> 
> When we use the libffi on PaX enable kernels with MPROTECT enable we can't
> use PROT_EXEC for it get killed. We use the EMUTRAMP Option in PaX enable
> kernels to make it work and we need some code added to the src/closures.c
> to make it work.The new configure option will turn the code of or on.
> You can read more of the problem we have on
> https://bugs.gentoo.org/show_bug.cgi?id=329499
> 
......
Can the patch be included in next version of libffi?

Gentoo Hardened Project
Magnus Granberg

Re: [PATCH] Add support for PaX enable kernels (MPROTECT)

[Anthony Green]

Hi Magnus,

  I'm OK with this change.  Does the PaX kernel feature really
identify libffi trampolines, or do they look enough like the GCC
nested function trampolines that it just works?

  I would like an explanation for FFI_DISABLE_EMUTRAMP.   Why would I
want to disable this at runtime?  Please also send me a patch for the
README explaining its use.

Thanks!

Anthony Green


On Wed, Sep 26, 2012 at 7:47 PM, Magnus Granberg <zorry@gentoo.org> wrote:
> lördag 22 september 2012 16.08.18 skrev  Magnus Granberg:
>> Hi
>>
>> When we use the libffi on PaX enable kernels with MPROTECT enable we can't
>> use PROT_EXEC for it get killed. We use the EMUTRAMP Option in PaX enable
>> kernels to make it work and we need some code added to the src/closures.c
>> to make it work.The new configure option will turn the code of or on.
>> You can read more of the problem we have on
>> https://bugs.gentoo.org/show_bug.cgi?id=329499
>>
> ......
> Can the patch be included in next version of libffi?
>
> Gentoo Hardened Project
> Magnus Granberg

Re: [PATCH] Add support for PaX enable kernels (MPROTECT)

[Magnus Granberg]

[-- Attachment #1: Type: text/plain, Size: 1133 bytes --]

tisdag 30 oktober 2012 14.10.29 skrev  Anthony Green:
> Hi Magnus,
> 
>   I'm OK with this change.  Does the PaX kernel feature really
> identify libffi trampolines, or do they look enough like the GCC
> nested function trampolines that it just works?

Yes, it identify both libffi trampolines and GCC
nested function trampolines.
 
>   I would like an explanation for FFI_DISABLE_EMUTRAMP.   Why would I
> want to disable this at runtime?  

To increase performance in some use cases, because EMUTRAMP is slower than 
native code execution.

> Please also send me a patch for the
> README explaining its use.
> 
> Thanks!
> 
> Anthony Green
> 

Gentoo Hardened Project
Magnus Granberg

New Changelog

2012-11-07  Magnus Granberg  <zorry@gentoo.org>
                    Pavel Labushev  <pavel.labushev@runbox.no>

       * configure.ac: Add --enable-pax_emutramp for PaX enable kernels.
       * src/closures.c: Add emutramp_enabled_check. Don't mmap with PROT_EXEC
          on PaX enable Kernels.
       * README: Add description for --enable-pax_emutramp.
       * fficonfig.h.in: Rebuilt.
       * configure.ac: Rebuilt.

------

[-- Attachment #2: libffi-pax-emutramp.patch --]
[-- Type: text/x-patch, Size: 2589 bytes --]

--- a/configure.ac	2012-09-17 16:51:53.188615663 +0200
+++ b/configure.ac	2012-09-19 23:20:49.321666120 +0200
@@ -347,6 +347,13 @@ if test x$TARGET = xX86_WIN64; then
     fi
 fi
 
+# On PaX enable kernels that have MPROTECT enable we can't use PROT_EXEC.
+AC_ARG_ENABLE(pax_emutramp,
+  [  --enable-pax_emutramp       enable pax emulated trampolines, for we can't use PROT_EXEC],
+  if test "$enable_pax_emutramp" = "yes"; then
+    AC_DEFINE(FFI_MMAP_EXEC_EMUTRAMP_PAX, 1,
+      [Define this if you want to enable pax emulated trampolines])
+  fi)
 
 FFI_EXEC_TRAMPOLINE_TABLE=0
 case "$target" in
--- a/src/closures.c	2012-09-19 23:37:09.648695333 +0200
+++ b/src/closures.c	2012-09-19 23:19:30.000000000 +0200
@@ -172,6 +172,27 @@ selinux_enabled_check (void)
 
 #endif /* !FFI_MMAP_EXEC_SELINUX */
 
+/* On PaX enable kernels that have MPROTECT enable we can't use PROT_EXEC. */
+#ifdef FFI_MMAP_EXEC_EMUTRAMP_PAX
+#include <stdlib.h>
+
+static int emutramp_enabled = -1;
+
+static int
+emutramp_enabled_check (void)
+{
+  if (getenv ("FFI_DISABLE_EMUTRAMP") == NULL)
+    return 1;
+  else
+    return 0;
+}
+
+#define is_emutramp_enabled() (emutramp_enabled >= 0 ? emutramp_enabled \
+                               : (emutramp_enabled = emutramp_enabled_check ()))
+#else
+#define is_emutramp_enabled() 0
+#endif /* FFI_MMAP_EXEC_EMUTRAMP_PAX */
+
 #elif defined (__CYGWIN__) || defined(__INTERIX)
 
 #include <sys/mman.h>
@@ -458,6 +479,12 @@ dlmmap (void *start, size_t length, int
   printf ("mapping in %zi\n", length);
 #endif
 
+  if (execfd == -1 && is_emutramp_enabled ())
+    {
+      ptr = mmap (start, length, prot & ~PROT_EXEC, flags, fd, offset);
+      return ptr;
+    }
+
   if (execfd == -1 && !is_selinux_enabled ())
     {
       ptr = mmap (start, length, prot | PROT_EXEC, flags, fd, offset);
--- a/README	2012-09-17 16:51:53.172615663 +0200
+++ b/README	2012-11-07 00:21:24.446551682 +0100
@@ -118,6 +118,12 @@ will add some extra code which will supp
 are using Purify with libffi. Only use this switch when using 
 Purify, as it will slow down the library.
 
+If you want to enable support for emulated trampolines on PaX-enabled
+Linux kernels, use the --enable-pax-emutramp configure switch. It will also
+prevent libffi from allocating memory that is both writable and executable
+on the Linux target architectures for which libffi doesn't use executable
+trampolines at all.
+
 It's also possible to build libffi on Windows platforms with
 Microsoft's Visual C++ compiler.  In this case, use the msvcc.sh
 wrapper script during configuration like so:

[LIBFFI] Re: Re: [PATCH] Add support for PaX enable kernels (MPROTECT)

[Dave Korn]

[-- Attachment #1: Type: text/plain, Size: 2023 bytes --]

On 07/11/2012 00:14, Magnus Granberg wrote:

> 2012-11-07  Magnus Granberg  <zorry@gentoo...
>                     Pavel Labushev  <pavel.labushev@runbox...
> 
>        * configure.ac: Add --enable-pax_emutramp for PaX enable kernels.
>        * src/closures.c: Add emutramp_enabled_check. Don't mmap with PROT_EXEC
>           on PaX enable Kernels.
>        * README: Add description for --enable-pax_emutramp.
>        * fficonfig.h.in: Rebuilt.
>        * configure.ac: Rebuilt.

    Hi lists,

  There was a small problem with this (upstream relative to gcc) libffi
patch(*).  The entire #ifdef FFI_MMAP_EXEC_EMUTRAMP_PAX clause is contained
within an outer #if !defined(X86_WIN32) && !defined(X86_WIN64) clause.  That
means that Windows platforms don't get the default definition of
is_emutramp_enabled() supplied by the #else clause.  However,
is_emutramp_enabled() is unconditionally referenced in dlmmap(), and without
this default definition Windows targets fail to compile.

  The attached patch fixes this by moving the #else clause with the default
is_emutramp_enabled() definition to a standalone #ifndef clause outside any
enclosing conditional compilation test.  I couldn't think of a better way to
do it; the #if !(windows) clause is followed by a #elif (cygwin/interix)
clause, so I'd have had to put a default definition in there and also a second
one in a subsequent unconditional #else if I didn't move it out of the
enclosing #if scope altogether.

  Gcc-patches: Assuming AG approves, can we commit this without waiting for an
upstream libffi release and doing a full merge?  Currently GCC HEAD won't
build libffi (and hence libjava) without it.

2013-02-21  Dave Korn  <dave.korn.cygwin@gmail.com>

	* src/closures.c (is_emutramp_enabled [!FFI_MMAP_EXEC_EMUTRAMP_PAX]):
	Move default definition outside enclosing #if scope.

    cheers,
      DaveK
-- 
(*) - Patch: http://sourceware.org/ml/libffi-discuss/2012/msg00269.html
- Thread: http://sourceware.org/ml/libffi-discuss/2012/threads.html#00247

[-- Attachment #2: libffi-emutramp-fix.diff --]
[-- Type: text/x-c, Size: 850 bytes --]

Index: src/closures.c
===================================================================
--- src/closures.c	(revision 196167)
+++ src/closures.c	(working copy)
@@ -189,8 +189,6 @@ emutramp_enabled_check (void)
 
 #define is_emutramp_enabled() (emutramp_enabled >= 0 ? emutramp_enabled \
                                : (emutramp_enabled = emutramp_enabled_check ()))
-#else
-#define is_emutramp_enabled() 0
 #endif /* FFI_MMAP_EXEC_EMUTRAMP_PAX */
 
 #elif defined (__CYGWIN__) || defined(__INTERIX)
@@ -202,6 +200,10 @@ emutramp_enabled_check (void)
 
 #endif /* !defined(X86_WIN32) && !defined(X86_WIN64) */
 
+#ifndef FFI_MMAP_EXEC_EMUTRAMP_PAX
+#define is_emutramp_enabled() 0
+#endif /* FFI_MMAP_EXEC_EMUTRAMP_PAX */
+
 /* Declare all functions defined in dlmalloc.c as static.  */
 static void *dlmalloc(size_t);
 static void dlfree(void*);

Re: [LIBFFI] Re: Re: [PATCH] Add support for PaX enable kernels (MPROTECT)

[Anthony Green]

On Thu, Feb 21, 2013 at 2:22 PM, Dave Korn <dave.korn.cygwin@gmail.com> wrote:
>   Gcc-patches: Assuming AG approves, can we commit this without waiting for an
> upstream libffi release and doing a full merge?  Currently GCC HEAD won't
> build libffi (and hence libjava) without it.

This patch looks fine, thanks.  I don't plan to merge back into GCC
for at least a week or two, so I think you should commit it to the GCC
tree independently.

This means that 3.0.12 is broken for Cygwin.  Are you able to produce
test results once you apply this change?  I should probably issue a
quick 3.0.13 if the results are decent.

Thanks,

AG


>
> 2013-02-21  Dave Korn  <dave.korn.cygwin@gmail.com>
>
>         * src/closures.c (is_emutramp_enabled [!FFI_MMAP_EXEC_EMUTRAMP_PAX]):
>         Move default definition outside enclosing #if scope.
>
>     cheers,
>       DaveK
> --
> (*) - Patch: http://sourceware.org/ml/libffi-discuss/2012/msg00269.html
> - Thread: http://sourceware.org/ml/libffi-discuss/2012/threads.html#00247

Re: [LIBFFI] Re: Re: [PATCH] Add support for PaX enable kernels (MPROTECT)

[Dave Korn]

On 21/02/2013 19:35, Anthony Green wrote:
> On Thu, Feb 21, 2013 at 2:22 PM, Dave Korn wrote:
>>   Gcc-patches: Assuming AG approves, can we commit this without waiting for an
>> upstream libffi release and doing a full merge?  Currently GCC HEAD won't
>> build libffi (and hence libjava) without it.
> 
> This patch looks fine, thanks.  I don't plan to merge back into GCC
> for at least a week or two, so I think you should commit it to the GCC
> tree independently.
> 
> This means that 3.0.12 is broken for Cygwin.  Are you able to produce
> test results once you apply this change?  I should probably issue a
> quick 3.0.13 if the results are decent.

  Yes, the tests run fine (using libffi git HEAD from yesterday):

> Native configuration is i686-pc-cygwin
> 
>                 === libffi tests ===
> 
> 
> Running target unix
> FAIL: libffi.call/closure_thiscall.c (test for excess errors)
> WARNING: libffi.call/closure_thiscall.c compilation failed to produce executable
> 
> FAIL: libffi.call/closure_thiscall.c (test for excess errors)
> WARNING: libffi.call/closure_thiscall.c compilation failed to produce executable
> 
> FAIL: libffi.call/closure_thiscall.c (test for excess errors)
> WARNING: libffi.call/closure_thiscall.c compilation failed to produce executable
> 
> FAIL: libffi.call/closure_thiscall.c (test for excess errors)
> WARNING: libffi.call/closure_thiscall.c compilation failed to produce executable
> 
> FAIL: libffi.call/closure_thiscall.c (test for excess errors)
> WARNING: libffi.call/closure_thiscall.c compilation failed to produce executable
> 
> 
>                 === libffi Summary ===
> 
> # of expected passes            1924
> # of unexpected failures        5

  I was using gcc-4.5.3, which is from before thiscall support was added, so
those compile failures are unremarkable and expected.  Given that, we have a
clean sweep.

    cheers,
      DaveK

Re: [LIBFFI] Re: Re: [PATCH] Add support for PaX enable kernels (MPROTECT)

[Dave Korn]

On 21/02/2013 19:35, Anthony Green wrote:

> This patch looks fine, thanks.  I don't plan to merge back into GCC
> for at least a week or two, so I think you should commit it to the GCC
> tree independently.

  Committed to GCC revision 196527.  Thanks!

    cheers,
      DaveK