From patchwork Thu Dec 26 17:57:41 2024
X-Patchwork-Submitter: Adhemerval Zanella Netto
X-Patchwork-Id: 853698
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: Florian Weimer, Adhemerval Zanella
Subject: [PATCH v7 0/4] Improve executable stack handling
Date: Thu, 26 Dec 2024 14:57:41 -0300
Message-ID: <20241226175834.2531046-1-adhemerval.zanella@linaro.org>

If some shared library loaded with dlopen/dlmopen requires an executable
stack, either implicitly because of a missing GNU_STACK ELF header (where
the ABI default flags imply the executable bit) or explicitly because of
the executable bit in GNU_STACK, the loader will try to set both the main
thread stack and all thread stacks (from the pthread cache) as executable.

Besides the issue where any executable stack transition failure does not
undo the previous transitions (meaning that if the library fails to load,
there can be thread stacks left with executable permission), this behavior
was used in a recent CVE [1] as a vector for RCE.

The patchset changes the behavior so that if a shared library requires an
executable stack, and the current stack is not executable, dlopen fails.
The change is done only for dynamically loaded modules; if the program or
any dependency requires an executable stack, the loader will still change
the main thread stack before program execution, and any thread created
with the default stack configuration.

The patchset also adds a tunable, glibc.rtld.execstack, which can control
whether executable stacks are allowed from either the main program or
dependencies.
The default is to enable executable stacks. The default executable stack
permission is checked against the one provided by PT_GNU_STACK from the
program headers (if present). The tunable also disables the stack
permission change if any dependency requires an executable stack at
loading time.

[1] https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt

---
Changes from v6:
- Split tst-execstack.c cleanup from required changes.
- Reword NEWS entry, improve comments on tests.
- Improve manual wording.

Changes from v5:
- Rebased against master.

Changes from v4:
- Rebased against master.
- Also adapt the new semantics for Hurd.
- Fixed the new tests to only run if make check is instructed to run the
  tests.

Changes from v3:
- Rebased against master.
- Improve the NEWS entry wording.

Changes from v2:
- Removed the dlopen executable stack support.
- Allow program and dependencies with executable stack as default.
- Rename tunable from glibc.rtld.noexecstack to glibc.rtld.execstack.

Changes from v1:
- Fixed tests invocation without --enable-hardcoded-path-in-tests.
- Added hurd, hppa, mips exceptions.
Adhemerval Zanella (4):
  elf: Consolidate stackinfo.h
  elf: Do not change stack permission on dlopen/dlmopen
  elf: Add tst-execstack-prog-static
  elf: Add glibc.rtld.execstack

Adhemerval Zanella (3):
  elf: Do not change stack permission on dlopen/dlmopen
  elf: Add tst-execstack-prog-static
  elf: Add glibc.rtld.execstack

Adhemerval Zanella (4):
  elf: Cleanup and improve tst-execstack
  elf: Do not change stack permission on dlopen/dlmopen
  elf: Add tst-execstack-prog-static
  elf: Add glibc.rtld.execstack

 NEWS                                   |  11 ++
 elf/Makefile                           |  51 +++++
 elf/dl-load.c                          |  15 +-
 elf/dl-support.c                       |   9 +-
 elf/dl-tunables.list                   |   6 +
 elf/rtld.c                             |  10 +-
 elf/tst-execstack-prog-static.c        |   1 +
 elf/tst-execstack.c                    | 258 ++++++++++++-------------
 elf/tst-rtld-list-tunables.exp         |   1 +
 manual/tunables.texi                   |  28 +++
 nptl/allocatestack.c                   |  19 --
 sysdeps/generic/ldsodefs.h             |  22 +--
 sysdeps/mach/hurd/Makefile             |   2 +
 sysdeps/mach/hurd/dl-execstack.c       |   1 -
 sysdeps/nptl/pthreadP.h                |   6 -
 sysdeps/unix/sysv/linux/Versions       |   3 -
 sysdeps/unix/sysv/linux/dl-execstack.c |  67 +------
 sysdeps/unix/sysv/linux/mips/Makefile  |   7 +
 18 files changed, 258 insertions(+), 259 deletions(-)
 create mode 100644 elf/tst-execstack-prog-static.c
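As an added example, not code from the glibc series: a Python check that reads a shared object's PT_GNU_STACK program header (assuming the ELF64 little-endian layout) and a model of the dlopen decision the cover letter describes, so a practitioner can tell in advance which objects would be refused by dlopen once this change lands. The architecture-specific ABI default for a missing header is passed in as a parameter rather than looked up, and the ELF images used as input are constructed inline.

```python
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551   # p_type of the GNU_STACK program header
PF_X = 0x1                  # execute bit in p_flags


def gnu_stack_status(elf: bytes) -> str:
    """Classify the PT_GNU_STACK entry of an ELF64 little-endian image:
    'exec' (PF_X set), 'noexec' (present, PF_X clear) or 'missing'."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not an ELF64 little-endian image")
    # Elf64_Ehdr: e_phoff at offset 32, e_phentsize at 54, e_phnum at 56.
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        # Each Elf64_Phdr starts with p_type (4 bytes) and p_flags (4 bytes).
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return "exec" if p_flags & PF_X else "noexec"
    return "missing"


def dlopen_allowed(status: str, current_stack_exec: bool,
                   abi_default_exec: bool = True) -> bool:
    """Model of the rule in the cover letter: a dlopen'ed object that needs
    an executable stack is accepted only if the process stack is already
    executable. A missing PT_GNU_STACK falls back to the ABI default, which
    is architecture-specific, so the caller passes it (assumed True)."""
    requires_exec = status == "exec" or (status == "missing" and abi_default_exec)
    return current_stack_exec or not requires_exec


def build_elf64(phdrs):
    """Constructed minimal ELF64 ET_DYN (x86-64) image whose program header
    table holds the given (p_type, p_flags) pairs; sample input only."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    phdrs_blob = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                          for t, f in phdrs)
    return ehdr + phdrs_blob


# Constructed samples: PT_LOAD r-x plus a GNU_STACK entry of rw-, rwx, or none.
LIB_NOEXEC = build_elf64([(PT_LOAD, 5), (PT_GNU_STACK, 6)])
LIB_EXEC = build_elf64([(PT_LOAD, 5), (PT_GNU_STACK, 7)])
LIB_MISSING = build_elf64([(PT_LOAD, 5)])
```

On a real file, `gnu_stack_status(open(path, "rb").read())` gives the same answer as the GNU_STACK line of `readelf -lW`.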