From patchwork Fri Jul 7 18:50:14 2023
X-Patchwork-Submitter: Florian Weimer
X-Patchwork-Id: 1805039
To: libc-alpha@sourceware.org
Subject: [PATCH v2 30/32] elf: Put critical _dl_find_object pointers into protected memory area
Date: Fri, 07 Jul 2023 20:50:14 +0200
X-Patchwork-Original-From: Florian Weimer via Libc-alpha From: Florian Weimer Reply-To: Florian Weimer Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org Sender: "Libc-alpha" With this change, all control data for _dl_find_object is either RELRO data, or in the protected area, or tightly constrained (the version counter is always masked using & 1 before array indexing). This commit can serve as an example how to extend the protected memory area. --- elf/dl-find_object.c | 39 +++++++++++++++++++------------------- sysdeps/generic/ldsodefs.h | 9 +++++++++ 2 files changed, 29 insertions(+), 19 deletions(-) diff --git a/elf/dl-find_object.c b/elf/dl-find_object.c index 82f493d817..baab80fdb7 100644 --- a/elf/dl-find_object.c +++ b/elf/dl-find_object.c @@ -120,13 +120,6 @@ struct dlfo_mappings_segment struct dl_find_object_internal objects[]; /* Read in the TM region. */ }; -/* To achieve async-signal-safety, two copies of the data structure - are used, so that a signal handler can still use this data even if - dlopen or dlclose modify the other copy. The the least significant - bit in _dlfo_loaded_mappings_version determines which array element - is the currently active region. */ -static struct dlfo_mappings_segment *_dlfo_loaded_mappings[2]; - /* Returns the number of actually used elements in all segments starting at SEG. */ static inline size_t 
@@ -192,10 +185,17 @@ _dlfo_mappings_segment_allocate (size_t size, } /* Monotonic counter for software transactional memory. The lowest - bit indicates which element of the _dlfo_loaded_mappings contains - up-to-date data. */ + bit indicates which element of the GLPM (dlfo_loaded_mappings) + contains up-to-date data. This achieves async-signal-safety for + _dl_find_object: a signal handler can still use the + GLPM (dlfo_loaded_mappings) data even if dlopen or dlclose + modify the other copy. */ static __atomic_wide_counter _dlfo_loaded_mappings_version; +#ifndef SHARED +struct dlfo_mappings_segment *_dlfo_loaded_mappings[2]; +#endif + /* TM version at the start of the read operation. */ static inline uint64_t _dlfo_read_start_version (void) @@ -263,7 +263,7 @@ _dlfo_read_success (uint64_t start_version) static struct dlfo_mappings_segment * _dlfo_mappings_active_segment (uint64_t start_version) { - return _dlfo_loaded_mappings[start_version & 1]; + return GLPM (dlfo_loaded_mappings)[start_version & 1]; } /* Searches PC among the address-sorted array [FIRST1, FIRST1 + @@ -472,10 +472,10 @@ _dlfo_process_initial (void) } else if (l->l_type == lt_loaded) { - if (_dlfo_loaded_mappings[0] != NULL) + if (GLPM (dlfo_loaded_mappings)[0] != NULL) /* Second pass only. */ _dl_find_object_from_map - (l, &_dlfo_loaded_mappings[0]->objects[loaded]); + (l, &GLPM (dlfo_loaded_mappings)[0]->objects[loaded]); ++loaded; } } 
@@ -535,10 +535,10 @@ _dl_find_object_init (void) = _dl_protmem_allocate (_dlfo_nodelete_mappings_size * sizeof (*_dlfo_nodelete_mappings)); if (loaded_size > 0) - _dlfo_loaded_mappings[0] + GLPM (dlfo_loaded_mappings)[0] = _dlfo_mappings_segment_allocate (loaded_size, NULL); if (_dlfo_nodelete_mappings == NULL - || (loaded_size > 0 && _dlfo_loaded_mappings[0] == NULL)) + || (loaded_size > 0 && GLPM (dlfo_loaded_mappings)[0] == NULL)) _dl_fatal_printf ("\ Fatal glibc error: cannot allocate memory for find-object data\n"); /* Fill in the data with the second call. */ @@ -554,8 +554,8 @@ Fatal glibc error: cannot allocate memory for find-object data\n"); _dlfo_nodelete_mappings_end = _dlfo_nodelete_mappings[last_idx].map_end; } if (loaded_size > 0) - _dlfo_sort_mappings (_dlfo_loaded_mappings[0]->objects, - _dlfo_loaded_mappings[0]->size); + _dlfo_sort_mappings (GLPM (dlfo_loaded_mappings)[0]->objects, + GLPM (dlfo_loaded_mappings)[0]->size); } static void @@ -609,11 +609,11 @@ _dl_find_object_update_1 (struct link_map_private **loaded, size_t count) int active_idx = _dlfo_read_version_locked () & 1; struct dlfo_mappings_segment *current_seg - = _dlfo_loaded_mappings[active_idx]; + = GLPM (dlfo_loaded_mappings)[active_idx]; size_t current_used = _dlfo_mappings_segment_count_used (current_seg); struct dlfo_mappings_segment *target_seg - = _dlfo_loaded_mappings[!active_idx]; + = GLPM (dlfo_loaded_mappings)[!active_idx]; size_t remaining_to_add = current_used + count; /* Ensure that the new segment chain has enough space. */ @@ -634,7 +634,8 @@ _dl_find_object_update_1 (struct link_map_private **loaded, size_t count) /* The barrier ensures that a concurrent TM read or fork does not see a partially initialized segment. */ - atomic_store_release (&_dlfo_loaded_mappings[!active_idx], target_seg); + atomic_store_release (&GLPM (dlfo_loaded_mappings)[!active_idx], + target_seg); } else /* Start update cycle without allocation. */ 
diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h index 7719e3af26..c13a686267 100644 --- a/sysdeps/generic/ldsodefs.h +++ b/sysdeps/generic/ldsodefs.h @@ -523,6 +523,8 @@ extern struct rtld_global _rtld_global __rtld_global_attribute__; # undef __rtld_global_attribute__ #endif +struct dlfo_mappings_segment; + #ifdef SHARED /* Implementation structure for the protected memory area. In static builds, the protected memory area is just regular (.data) memory, @@ -532,6 +534,13 @@ struct rtld_protmem { /* Structure describing the dynamic linker itself. */ EXTERN struct link_map_private _dl_rtld_map; +#endif /* SHARED */ + + /* Two copies of the data structures for _dl_find_object. See + _dlfo_loaded_mappings_version in dl-find_object.c. */ + EXTERN struct dlfo_mappings_segment *_dlfo_loaded_mappings[2]; + +#ifdef SHARED }; #endif /* SHARED */
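Review bot: the `#ifndef SHARED` definition of `_dlfo_loaded_mappings` added in the @@ -192,10 +185,17 hunk of elf/dl-find_object.c has no comment, and it drops the `static` that the removed definition carried, so in static builds the array now has external linkage. A short comment there should say that this is the static-build counterpart of the `EXTERN` declaration in sysdeps/generic/ldsodefs.h, and that in static builds the array is ordinary writable data. That matches the ldsodefs.h comment that the protected area is "just regular (.data) memory" in static builds, and it makes clear that the commit message's statement about all control data being RELRO or protected describes the SHARED case.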
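Review bot: the `atomic_store_release` in the @@ -634,7 +634,8 hunk of elf/dl-find_object.c now stores into `GLPM (dlfo_loaded_mappings)[!active_idx]`, which the commit message places in the protected area, but nothing in the visible context shows where that area is made writable before `_dl_find_object_update_1` reaches this store. The same question applies to the assignment to `GLPM (dlfo_loaded_mappings)[0]` in `_dl_find_object_init`. Please document the precondition in the comments of both functions (which caller unlocks the area, and that it is still unlocked at this point), so that a future call path that arrives with the area read-only is caught in review.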
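Review bot: in the @@ -532,6 +534,13 hunk of sysdeps/generic/ldsodefs.h, the new member is added by closing `#ifdef SHARED` in the middle of the `struct rtld_protmem` body and reopening it before the closing brace, and the reason for that is not documented. Since the commit message offers this change as the example for extending the protected memory area, the block comment above the struct should describe the pattern: members that exist in both static and dynamic builds go between the `#endif /* SHARED */` and `#ifdef SHARED` pair, use `EXTERN`, and need a matching `#ifndef SHARED` definition in the owning source file. Without that, the next addition is likely to land inside the SHARED-only part and break the static build, or to omit the static definition.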