From patchwork Tue Jun 18 19:40:18 2024
X-Patchwork-Submitter: Adhemerval Zanella
X-Patchwork-Id: 805287
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: "H . J . Lu", Florian Weimer, Zack Weinberg
Subject: [PATCH v3 0/4] Improve executable stack handling
Date: Tue, 18 Jun 2024 16:40:18 -0300
Message-ID: <20240618194102.2059389-1-adhemerval.zanella@linaro.org>

If some shared library loaded with dlopen/dlmopen requires an executable stack, either implicitly because of a missing GNU_STACK ELF header (where the ABI default flags imply the executable bit) or explicitly because of the executable bit from GNU_STACK, the loader will try to set both the main thread and all thread stacks (from the pthread cache) as executable.
Besides the issue where any executable stack transition failure does not undo the previous transitions (meaning that if the library fails to load, there can be thread stacks with executable stacks), this behavior was used on a recent CVE [1] as a vector for RCE.

The second patch changes the behavior where if a shared library requires an executable stack, and the current stack is not executable, dlopen fails. The change is done only for dynamically loaded modules; if the program or any dependency requires an executable stack, the loader will still change the main thread before program execution and any thread created with default stack configuration.

The fourth patch also adds a tunable, glibc.rtld.execstack, which can be used to control whether executable stacks are allowed from either the main program or dependencies. The default is to allow executable stacks. The executable stacks default permission is checked against the one provided by the PT_GNU_STACK from program headers (if present). The tunable also disables the stack permission change if any dependency requires an executable stack at loading time.

* Changes from v2:
  - Removed the dlopen executable stack support.
  - Allow program and dependencies with executable stack as default.
  - Rename tunable from glibc.rtld.noexecstack to glibc.rtld.execstack.

* Changes from v1:
  - Fixed tests invocation without --enable-hardcoded-path-in-tests.
  - Added hurd, hppa, mips exceptions.

Adhemerval Zanella (4):
  elf: Consolidate stackinfo.h
  elf: Do not change stack permission on dlopen/dlmopen
  elf: Add tst-execstack-prog-static
  elf: Add glibc.rtld.execstack

 NEWS                                        |  12 ++
 elf/Makefile                                |  49 +++++++
 elf/dl-load.c                               |  13 +-
 elf/dl-support.c                            |   5 +
 elf/dl-tunables.list                        |   6 +
 elf/rtld.c                                  |   4 +
 elf/tst-execstack-prog-static.c             |   1 +
 elf/tst-execstack.c                         | 142 ++++++++------------
 elf/tst-rtld-list-tunables.exp              |   1 +
 manual/tunables.texi                        |  19 +++
 nptl/allocatestack.c                        |  19 ---
 sysdeps/aarch64/stackinfo.h                 |  33 -----
 sysdeps/arc/stackinfo.h                     |  33 -----
 sysdeps/csky/stackinfo.h                    |  29 ----
 sysdeps/generic/stackinfo.h                 |  15 ++-
 sysdeps/loongarch/stackinfo.h               |  33 -----
 sysdeps/nios2/stackinfo.h                   |  33 -----
 sysdeps/nptl/pthreadP.h                     |   6 -
 sysdeps/powerpc/{ => powerpc32}/stackinfo.h |   8 +-
 sysdeps/riscv/stackinfo.h                   |  33 -----
 sysdeps/unix/sysv/linux/Versions            |   3 -
 sysdeps/unix/sysv/linux/dl-execstack.c      |  67 +--------
 sysdeps/unix/sysv/linux/mips/Makefile       |   7 +
 23 files changed, 183 insertions(+), 388 deletions(-)
 create mode 100644 elf/tst-execstack-prog-static.c
 delete mode 100644 sysdeps/aarch64/stackinfo.h
 delete mode 100644 sysdeps/arc/stackinfo.h
 delete mode 100644 sysdeps/csky/stackinfo.h
 delete mode 100644 sysdeps/loongarch/stackinfo.h
 delete mode 100644 sysdeps/nios2/stackinfo.h
 rename sysdeps/powerpc/{ => powerpc32}/stackinfo.h (82%)
 delete mode 100644 sysdeps/riscv/stackinfo.h