From patchwork Thu Feb 13 17:02:38 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella Netto X-Patchwork-Id: 864833 Delivered-To: patch@linaro.org Received: by 2002:a5d:47a6:0:b0:38f:210b:807b with SMTP id 6csp540205wrb; Thu, 13 Feb 2025 09:06:21 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCVKKpT3Rzh3DAUT28y8+UwHhymCqORIX+T3eOEzb9VwOL9NBaT8YbpwXmz0f73AqF9ZV88/9g==@linaro.org X-Google-Smtp-Source: AGHT+IFjGfiOW9wlXq0hsSu0HnZVltWjFIQ12Yh0/bRWqN35wdt1aTpbQvEbIbf+iB2p+AiXFOPT X-Received: by 2002:a05:622a:189a:b0:46d:faa2:b6e0 with SMTP id d75a77b69052e-471bed5d5b3mr69683611cf.18.1739466381646; Thu, 13 Feb 2025 09:06:21 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1739466381; cv=pass; d=google.com; s=arc-20240605; b=LMUQih0vIaCDo47J1qHAEfrqe3zisIQPDXzFhttyL/vscoHfGY7CnUaew/sNhlYDmw IRsnEHjuSFLtc0/MVkhrsuFGvdv7Z2k+4vSdLLa5PA4yq3DVRdUn2u0AR4xk+qgYFzAt c4fInLXhgNHDlY08oiWdxDTJiHh1JNQ39v7hrPUJNuN2x2bpplK/J9dkyhHfhjzDjBsB 8OjPC5cAoEZu2bPVQQf54v4Q+W9TqB+KLBP06y+GBU6Z4vU3D/t7taTQrBuL5v5GWSWh 95K3zaalk2ATzUTkmosBy1D2powvf+mOroyRYuaooxmA4pkvsaTVEahoarHHx+oraDJG Z9BA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:message-id:date:subject:cc:to:from:dkim-signature :dkim-filter:arc-filter:dmarc-filter:delivered-to:dkim-filter; bh=c58adgvLHd9ERlwCNOHE+rBpn35q5OO6bsb9gdY3pQs=; fh=rCa3ppVe5iCiIg2hlr/ZWmuMjHCO35lkvmJd+GFan0o=; b=WuU4+xkGI4yHeKRBi8Hhwl2ESZ/XvUrBnHygHk3+/NXv5/GlJWyX6Ba6yTkPhhKVrs 6gpQ9J5XJ2fQfihIGobiGtkDKe6SL0uoKy5tLX/+ioDYbMACMG8+HNkisaqWI1UjHTrn iVdh2n2BHXv32tEsstjpFSoNnBRyAXsmz+HA7FINIOpI/Q6A9qtlVU/BbX3/4Om6I/8Q 9YYSeOtaOr5tmyCCF3YmSFSLW6dXyiJ0doPJrblIcJIjJE8RZlc6zLPo2VNSCuRxwRgb lYeP3UURPxr63AMfGQXfkuWLkuT6XG+feWtKc4rMXqnP5+6FYyyZAsVTF6ZJwSkhonax b+rg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=pPnhV9ZN; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces~patch=linaro.org@sourceware.org designates 8.43.85.97 as permitted sender) smtp.mailfrom="libc-alpha-bounces~patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from server2.sourceware.org (server2.sourceware.org. [8.43.85.97]) by mx.google.com with ESMTPS id d75a77b69052e-471c29f0203si16444981cf.23.2025.02.13.09.06.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Feb 2025 09:06:21 -0800 (PST) Received-SPF: pass (google.com: domain of libc-alpha-bounces~patch=linaro.org@sourceware.org designates 8.43.85.97 as permitted sender) client-ip=8.43.85.97; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=pPnhV9ZN; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces~patch=linaro.org@sourceware.org designates 8.43.85.97 as permitted sender) smtp.mailfrom="libc-alpha-bounces~patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 13E0E3858C35 for ; Thu, 13 Feb 2025 17:06:21 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 13E0E3858C35 Authentication-Results: sourceware.org; dkim=pass (2048-bit key, unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=pPnhV9ZN X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-oo1-xc32.google.com (mail-oo1-xc32.google.com [IPv6:2607:f8b0:4864:20::c32]) by sourceware.org (Postfix) with ESMTPS id 387423858C31 for ; Thu, 13 Feb 2025 17:03:49 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 387423858C31 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 387423858C31 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::c32 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1739466229; cv=none; b=KXckPC4AM1bqOnOrllP9i7laXo7b+ZXHpsgiP24ZLabWg/G51Kx25tGHAD3nGSXiQo6TW6ze/kXolcc5cC61byM7c322+4/zffCPCpcZhIunEuhs266JFFU9LyNAUxMBocSGrWBzL54px1iPtK8OdTcA18/ajUnJMmMDHhKmxBM= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1739466229; c=relaxed/simple; bh=4rc8EBj2XkxoxWGJnVwRZdszaQGkhJ2qGTO/2A5iLdc=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=ikPkUXrzKtf9rgGtMH2DNLhI5AQ5AdlgkJFoxReQ/GlmazYeF/dklmKgRd64yHTOoSSSLxrRh6pS6MVuVoWFJ7utKxcwiAKdKySlvdP3mKmXyB3c6IBCHyHr1rRkXC6P6B+j/milYSdkkgTfY60DGoY3WgNZcejHHNyXnKT4nZ8= ARC-Authentication-Results: i=1; server2.sourceware.org DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 387423858C31 Received: by mail-oo1-xc32.google.com with SMTP id 006d021491bc7-5fa8fa48ee5so369586eaf.2 for ; Thu, 13 Feb 2025 09:03:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1739466228; x=1740071028; darn=sourceware.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=c58adgvLHd9ERlwCNOHE+rBpn35q5OO6bsb9gdY3pQs=; b=pPnhV9ZNDYXGCBHl/LPl2OC9FxZVYAoU9oeSn0OYvx1EcX9Arng4OMaYYqeSgroxug 3XK07ahukxuHlOCarTXfbWAboBnmaBdICbHjTQSblDqKAKpjLa02MN/+64/UG0Yq0yEh TFQ7Az50LSVz6yJMJdClwdryrqpOgY5+cQmZ5/rzmJNX19EU4GLDxzAa+r1Ay2kmAWYY T1+iPzFeUiTGBbOErXLsQ8X++huc49H4W9gMBuA46TWxN2cUxKKr3QNWFOsa++y/hp6D 6FkyoAxDxSS2dSvitz9aKqT3m+GgfPV3AN9Q+bH28YiNzqmPVUhfuorctROkjGBH7/Bi kEXA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1739466228; x=1740071028; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=c58adgvLHd9ERlwCNOHE+rBpn35q5OO6bsb9gdY3pQs=; b=re09SEeAf+48mVG3lfUTDQQD8ovdAVgQt6rYwK1IA0O747UXUIl3nmtSLwGqFSX4r/ bJasrpQW4APQBk9V1GDWsJOovnSQRsy821APdLkZSEmfLBIIMFjScmDLg/cFYV69u3us OL0tlvaoylil2i+wMgsrDY0ameB6vqUV5F4OrGp4lMJUUAcpweOb4so41LXV6jkbv5ML lcpG8gi5D1lOzVN/Ft7UhGjCFG9CXcaTxueLjvVh4ELEAOaPdEHLDVV8c4OwmCFIhk9R eN0MQllyED7+kZ4F8W6QZSysdcvSegTzwJZYvh8ptL9WTPHfeyh21aaZXMxyTNmnlbr/ xgaw== X-Gm-Message-State: AOJu0YxZqG3epo+4x5ZlhanQNm+EOa+OxX64zozZm2HlvgRj4Gz8aNr+ 6BVaX70dg+1ePLd2XQeGEwaExexcpnNbLbHNQKvPHK0APrsTayLi7tv2XbqPODTw40do7cMTm0S k X-Gm-Gg: ASbGnctCuusg/WLITNGVuC+ofI9Lp9WPdikGRVdxoixyRgPIrwM1q3r1V6l4KTp5Aof r2zTlY2gi9/q6vZGCPFU3bw0y2SghhlAFDEKyFwKjkgDmz5o2adsQ7tkhp1WKRyc9rLQdXa5X1F Gq0zA8J3zAAsfBQ7fIdqidq0tsVrgwaE1ftOXCyAjjmMAhvugyvd7rgmKKI/qFxCUk0reo4IImm znAnP5HcXJtC0kVO7+7J9dnbp1DeCgK6sLlYuX2rIfqPobzaaPtouOLRadA46mDcf3j4MhrBQRg 4V/8snkq+WfcEA1ltDWIZ5imUfDR X-Received: by 2002:a05:6870:328a:b0:29d:c870:74 with SMTP id 586e51a60fabf-2b8f8e0801cmr2328201fac.27.1739466227885; Thu, 13 Feb 2025 09:03:47 -0800 (PST) Received: from ubuntu-vm.. ([191.17.238.217]) by smtp.gmail.com with ESMTPSA id 586e51a60fabf-2b954820712sm848362fac.5.2025.02.13.09.03.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Feb 2025 09:03:47 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org Cc: Sam James , Florian Weimer , Ethan Lee Subject: [PATCH v4] elf: Extend glibc.rtld.execstack tunable to force executable stack (BZ 32653) Date: Thu, 13 Feb 2025 14:02:38 -0300 Message-ID: <20250213170343.1265362-1-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces~patch=linaro.org@sourceware.org >From the bug report [1], multiple programs still require to dlopen shared libraries with either missing PT_GNU_STACK or with the executable bit set. Although, in some cases, it seems to be a hard-craft assembly source without the required .note.GNU-stack marking (so the static linker is forced to set the stack executable if the ABI requires it), other cases seem that the library uses trampolines [2]. Unfortunately, READ_IMPLIES_EXEC is not an option since on some ABIs (x86_64), the kernel clears the bit, making it unsupported. To avoid reinstating the broken code that changes stack permission on dlopen (0ca8785a28), this patch extends the glibc.rtld.execstack tunable to allow an option to force an executable stack at the program startup. The tunable is a security issue because it defeats the PT_GNU_STACK hardening. It has the slight advantage of making it explicit by the caller, and, as for other tunables, this is disabled for setuid binaries. A tunable also allows us to eventually remove it, but from previous experiences, it would require some time. Checked on aarch64-linux-gnu, x86_64-linux-gnu, and i686-linux-gnu. [1] https://sourceware.org/bugzilla/show_bug.cgi?id=32653 [2] https://github.com/conda-forge/ctng-compiler-activation-feedstock/issues/143 --- Changes from v3: * Fixed manual wording. * Add NEWS entry. Changes from v2: * Move exec stack handling earlier within the loader. * Make it generic and not Linux specific. --- NEWS | 4 ++- elf/Makefile | 13 +++++++- elf/dl-execstack-tunable.c | 40 +++++++++++++++++++++++++ elf/dl-support.c | 4 +-- elf/dl-tunables.list | 2 +- elf/rtld.c | 6 ++-- elf/tst-execstack-prog-static-tunable.c | 1 + elf/tst-execstack-tunable.c | 1 + elf/tst-rtld-list-tunables.exp | 2 +- manual/tunables.texi | 10 +++++-- sysdeps/generic/ldsodefs.h | 13 ++++++++ 11 files changed, 83 insertions(+), 13 deletions(-) create mode 100644 elf/dl-execstack-tunable.c create mode 100644 elf/tst-execstack-prog-static-tunable.c create mode 100644 elf/tst-execstack-tunable.c diff --git a/NEWS b/NEWS index e2e40e141c..dcd913d797 100644 --- a/NEWS +++ b/NEWS @@ -13,7 +13,9 @@ Major new features: Deprecated and removed features, and other changes affecting compatibility: - [Add deprecations, removals and changes affecting compatibility here] +* The glibc.rtld.execstack now supports a compatibility mode to allow + programs that require an executable stack through dynamic loaded + shared libraries. Changes to build and runtime requirements: diff --git a/elf/Makefile b/elf/Makefile index 5c833871d0..5c51f4cb2d 100644 --- a/elf/Makefile +++ b/elf/Makefile @@ -60,6 +60,7 @@ dl-routines = \ dl-deps \ dl-exception \ dl-execstack \ + dl-execstack-tunable \ dl-find_object \ dl-fini \ dl-init \ @@ -567,9 +568,11 @@ tests-execstack-yes = \ tst-execstack \ tst-execstack-needed \ tst-execstack-prog \ + tst-execstack-tunable \ # tests-execstack-yes tests-execstack-static-yes = \ - tst-execstack-prog-static + tst-execstack-prog-static \ + tst-execstack-prog-static-tunable \ # tests-execstack-static-yes ifeq (yes,$(run-built-tests)) tests-execstack-special-yes = \ @@ -1996,6 +1999,14 @@ LDFLAGS-tst-execstack-prog = -Wl,-z,execstack CFLAGS-tst-execstack-prog.c += -Wno-trampolines CFLAGS-tst-execstack-mod.c += -Wno-trampolines +# It expects loading a module with executable stack to work. +CFLAGS-tst-execstack-tunable.c += -DUSE_PTHREADS=0 -DDEFAULT_RWX_STACK=1 +$(objpfx)tst-execstack-tunable.out: $(objpfx)tst-execstack-mod.so +tst-execstack-tunable-ENV = GLIBC_TUNABLES=glibc.rtld.execstack=2 + +LDFLAGS-tst-execstack-prog-static-tunable = -Wl,-z,noexecstack +tst-execstack-prog-static-tunable-ENV = GLIBC_TUNABLES=glibc.rtld.execstack=2 + LDFLAGS-tst-execstack-prog-static = -Wl,-z,execstack CFLAGS-tst-execstack-prog-static.c += -Wno-trampolines diff --git a/elf/dl-execstack-tunable.c b/elf/dl-execstack-tunable.c new file mode 100644 index 0000000000..eeb0603abd --- /dev/null +++ b/elf/dl-execstack-tunable.c @@ -0,0 +1,40 @@ +/* Stack executability handling for GNU dynamic linker. + Copyright (C) 2025 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include + +void +_dl_handle_execstack_tunable (void) +{ + switch (TUNABLE_GET (glibc, rtld, execstack, int32_t, NULL)) + { + case stack_tunable_mode_disable: + if ((__glibc_unlikely (GL(dl_stack_flags)) & PF_X)) + _dl_fatal_printf ( +"Fatal glibc error: executable stack is not allowed\n"); + break; + + case stack_tunable_mode_force: + if (_dl_make_stack_executable (&__libc_stack_end) != 0) + _dl_fatal_printf ( +"Fatal glibc error: cannot enable executable stack as tunable requires"); + break; + } + +} diff --git a/elf/dl-support.c b/elf/dl-support.c index a7d5a5e8ab..0388e23448 100644 --- a/elf/dl-support.c +++ b/elf/dl-support.c @@ -332,9 +332,7 @@ _dl_non_dynamic_init (void) break; } - if ((__glibc_unlikely (GL(dl_stack_flags)) & PF_X) - && TUNABLE_GET (glibc, rtld, execstack, int32_t, NULL) == 0) - _dl_fatal_printf ("Fatal glibc error: executable stack is not allowed\n"); + _dl_handle_execstack_tunable (); call_function_static_weak (_dl_find_object_init); diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list index 0b6721bc51..c03c9967f0 100644 --- a/elf/dl-tunables.list +++ b/elf/dl-tunables.list @@ -138,7 +138,7 @@ glibc { execstack { type: INT_32 minval: 0 - maxval: 1 + maxval: 2 default: 1 } } diff --git a/elf/rtld.c b/elf/rtld.c index 115f1da37f..b9f69b007b 100644 --- a/elf/rtld.c +++ b/elf/rtld.c @@ -1622,9 +1622,9 @@ dl_main (const ElfW(Phdr) *phdr, bool has_interp = rtld_setup_main_map (main_map); - if ((__glibc_unlikely (GL(dl_stack_flags)) & PF_X) - && TUNABLE_GET (glibc, rtld, execstack, int32_t, NULL) == 0) - _dl_fatal_printf ("Fatal glibc error: executable stack is not allowed\n"); + /* Handle this after PT_GNU_STACK parse, because it updates dl_stack_flags + if required. */ + _dl_handle_execstack_tunable (); /* If the current libname is different from the SONAME, add the latter as well. */ diff --git a/elf/tst-execstack-prog-static-tunable.c b/elf/tst-execstack-prog-static-tunable.c new file mode 100644 index 0000000000..88b0ca1263 --- /dev/null +++ b/elf/tst-execstack-prog-static-tunable.c @@ -0,0 +1 @@ +#include diff --git a/elf/tst-execstack-tunable.c b/elf/tst-execstack-tunable.c new file mode 100644 index 0000000000..9f03b0f7ca --- /dev/null +++ b/elf/tst-execstack-tunable.c @@ -0,0 +1 @@ +#include diff --git a/elf/tst-rtld-list-tunables.exp b/elf/tst-rtld-list-tunables.exp index 9f5990f340..8df6f5906e 100644 --- a/elf/tst-rtld-list-tunables.exp +++ b/elf/tst-rtld-list-tunables.exp @@ -13,6 +13,6 @@ glibc.malloc.top_pad: 0x20000 (min: 0x0, max: 0x[f]+) glibc.malloc.trim_threshold: 0x0 (min: 0x0, max: 0x[f]+) glibc.rtld.dynamic_sort: 2 (min: 1, max: 2) glibc.rtld.enable_secure: 0 (min: 0, max: 1) -glibc.rtld.execstack: 1 (min: 0, max: 1) +glibc.rtld.execstack: 1 (min: 0, max: 2) glibc.rtld.nns: 0x4 (min: 0x1, max: 0x10) glibc.rtld.optional_static_tls: 0x200 (min: 0x0, max: 0x[f]+) diff --git a/manual/tunables.texi b/manual/tunables.texi index 7f0246c789..67064f595e 100644 --- a/manual/tunables.texi +++ b/manual/tunables.texi @@ -365,8 +365,11 @@ change the main stack permission if kernel starts with a non-executable stack. The @code{glibc.rtld.execstack} can be used to control whether an executable stack is allowed from the main program. Setting the value to @code{0} disables the ABI auto-negotiation (meaning no executable stacks even if the ABI or ELF -header requires it), while @code{1} enables auto-negotiation (although the -program might not need an executable stack). +header requires it), @code{1} enables auto-negotiation (although the program +might not need an executable stack), while @code{2} forces an executable +stack at process start. Tthis is provided for compatibility reasons, when +the program dynamically loads modules with @code{dlopen} which require +an executable stack. When executable stacks are not allowed, and if the main program requires it, the loader will fail with an error message. @@ -380,7 +383,8 @@ of hardware capabilities and kernel configuration. @strong{NB:} Trying to load a dynamic shared library with @code{dlopen} or @code{dlmopen} that requires an executable stack will always fail if the main program does not require an executable stack at loading time. This -is enforced regardless of the tunable value. +can be worked around by setting the tunable to @code{2}, where the stack is +always executable. @end deftp @node Elision Tunables diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h index 8465cbaa9b..182172ea24 100644 --- a/sysdeps/generic/ldsodefs.h +++ b/sysdeps/generic/ldsodefs.h @@ -707,6 +707,19 @@ extern const ElfW(Phdr) *_dl_phdr; extern size_t _dl_phnum; #endif +/* Possible values for the glibc.rtld.execstack tunable. */ +enum stack_tunable_mode + { + /* Do not allow executable stacks, even if program requires it. */ + stack_tunable_mode_disable = 0, + /* Follows either ABI requirement, or the PT_GNU_STACK value. */ + stack_tunable_mode_enable = 1, + /* Always enable an executable stack. */ + stack_tunable_mode_force = 2 + }; + +void _dl_handle_execstack_tunable (void) attribute_hidden; + /* This function changes the permission of the memory region pointed by STACK_ENDP to executable and update the internal memory protection flags for future thread stack creation. */