When CET is enabled, it is an error to dlopen a non CET enabled shared
library in CET enabled application. It may be desirable to make CET
permissive, that is disable CET when dlopening a non CET enabled shared
library. With the new --enable-cet=permissive configure option, CET is
disabled when dlopening a non CET enabled shared library.
Add DEFAULT_DL_X86_CET_CONTROL to config.h.in:
/* The default value of x86 CET control. */
#define DEFAULT_DL_X86_CET_CONTROL cet_elf_property
which enables CET features based on ELF property note.
--enable-cet=permissive it to
/* The default value of x86 CET control. */
#define DEFAULT_DL_X86_CET_CONTROL cet_permissive
which enables CET features permissively.
Update tst-cet-legacy-5a, tst-cet-legacy-5b, tst-cet-legacy-6a and
tst-cet-legacy-6b to check --enable-cet and --enable-cet=permissive.
This patch moves the vDSO setup from libc to loader code, just after
the vDSO link_map setup. For static case the initialization
is moved to _dl_non_dynamic_init instead.
Instead of using the mangled pointer, the vDSO data is set as
attribute_relro (on _rtld_global_ro for shared or _dl_vdso_* for
static). It is read-only even with partial relro.
It fixes BZ#24967 now that the vDSO pointer is setup earlier than
malloc interposition is called.
Also, vDSO calls should not be a problem for static dlopen as
indicated by BZ#20802. The vDSO pointer would be zero-initialized
and the syscall will be issued instead.
Checked on x86_64-linux-gnu, i686-linux-gnu, aarch64-linux-gnu,
arm-linux-gnueabihf, powerpc64le-linux-gnu, powerpc64-linux-gnu,
powerpc-linux-gnu, s390x-linux-gnu, sparc64-linux-gnu, and
sparcv9-linux-gnu. I also run some tests on mips.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Since RTM intrinsics are supported in GCC 4.9, we can use them in
pthread mutex lock elision.
* sysdeps/unix/sysv/linux/x86/Makefile (CFLAGS-elision-lock.c):
Add -mrtm.
(CFLAGS-elision-unlock.c): Likewise.
(CFLAGS-elision-timed.c): Likewise.
(CFLAGS-elision-trylock.c): Likewise.
* sysdeps/unix/sysv/linux/x86/hle.h: Rewritten.
GNU_PROPERTY_X86_FEATURE_1_AND may not be the first property item. We
need to check each property item until we reach the end of the property
or find GNU_PROPERTY_X86_FEATURE_1_AND.
This patch adds 2 tests. The first test checks if IBT is enabled and
the second test reads the output from the first test to check if IBT
is is enabled. The second second test fails if IBT isn't enabled
properly.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
[BZ #23467]
* sysdeps/unix/sysv/linux/x86/Makefile (tests): Add
tst-cet-property-1 and tst-cet-property-2 if CET is enabled.
(CFLAGS-tst-cet-property-1.o): New.
(ASFLAGS-tst-cet-property-dep-2.o): Likewise.
($(objpfx)tst-cet-property-2): Likewise.
($(objpfx)tst-cet-property-2.out): Likewise.
* sysdeps/unix/sysv/linux/x86/tst-cet-property-1.c: New file.
* sysdeps/unix/sysv/linux/x86/tst-cet-property-2.c: Likewise.
* sysdeps/unix/sysv/linux/x86/tst-cet-property-dep-2.S: Likewise.
* sysdeps/x86/dl-prop.h (_dl_process_cet_property_note): Parse
each property item until GNU_PROPERTY_X86_FEATURE_1_AND is found.
Verify that setcontext works with gaps above and below the newly
allocated shadow stack.
* sysdeps/unix/sysv/linux/x86/Makefile (tests): Add
tst-cet-setcontext-1 if CET is enabled.
(CFLAGS-tst-cet-setcontext-1.c): Add -mshstk.
* sysdeps/unix/sysv/linux/x86/tst-cet-setcontext-1.c: New file.
Save and restore shadow stack pointer in setjmp and longjmp to support
shadow stack in Intel CET. Use feature_1 in tcbhead_t to check if
shadow stack is enabled before saving and restoring shadow stack pointer.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* sysdeps/i386/__longjmp.S: Include <jmp_buf-ssp.h>.
(__longjmp): Restore shadow stack pointer if shadow stack is
enabled, SHADOW_STACK_POINTER_OFFSET is defined and __longjmp
isn't defined for __longjmp_cancel.
* sysdeps/i386/bsd-_setjmp.S: Include <jmp_buf-ssp.h>.
(_setjmp): Save shadow stack pointer if shadow stack is enabled
and SHADOW_STACK_POINTER_OFFSET is defined.
* sysdeps/i386/bsd-setjmp.S: Include <jmp_buf-ssp.h>.
(setjmp): Save shadow stack pointer if shadow stack is enabled
and SHADOW_STACK_POINTER_OFFSET is defined.
* sysdeps/i386/setjmp.S: Include <jmp_buf-ssp.h>.
(__sigsetjmp): Save shadow stack pointer if shadow stack is
enabled and SHADOW_STACK_POINTER_OFFSET is defined.
* sysdeps/unix/sysv/linux/i386/____longjmp_chk.S: Include
<jmp_buf-ssp.h>.
(____longjmp_chk): Restore shadow stack pointer if shadow stack
is enabled and SHADOW_STACK_POINTER_OFFSET is defined.
* sysdeps/unix/sysv/linux/x86/Makefile (gen-as-const-headers):
Remove jmp_buf-ssp.sym.
* sysdeps/unix/sysv/linux/x86_64/____longjmp_chk.S: Include
<jmp_buf-ssp.h>.
(____longjmp_chk): Restore shadow stack pointer if shadow stack
is enabled and SHADOW_STACK_POINTER_OFFSET is defined.
* sysdeps/x86/Makefile (gen-as-const-headers): Add
jmp_buf-ssp.sym.
* sysdeps/x86/jmp_buf-ssp.sym: New dummy file.
* sysdeps/x86_64/__longjmp.S: Include <jmp_buf-ssp.h>.
(__longjmp): Restore shadow stack pointer if shadow stack is
enabled, SHADOW_STACK_POINTER_OFFSET is defined and __longjmp
isn't defined for __longjmp_cancel.
* sysdeps/x86_64/setjmp.S: Include <jmp_buf-ssp.h>.
(__sigsetjmp): Save shadow stack pointer if shadow stack is
enabled and SHADOW_STACK_POINTER_OFFSET is defined.
To support Shadow Stack (SHSTK) in Intel Control-flow Enforcement
Technology (CET) in setjmp/longjmp, we need to save shadow stack
pointer in jmp_buf. The __saved_mask field in jmp_buf has type
of __sigset_t. On Linux, __sigset_t is defined as
#define _SIGSET_NWORDS (1024 / (8 * sizeof (unsigned long int)))
typedef struct
{
unsigned long int __val[_SIGSET_NWORDS];
} __sigset_t;
which is much bigger than expected by the __sigprocmask system call,
which has
typedef struct {
unsigned long sig[_NSIG_WORDS];
} sigset_t;
For Linux/x86, we can shrink __sigset_t used by __saved_mask in jmp_buf
to add paddings for shadow stack pointer. As long as the new __sigset_t
is not smaller than sigset_t expected by the __sigprocmask system call,
it should work correctly.
This patch adds an internal header file, <setjmpP.h>, to define
__jmp_buf_sigset_t for __saved_mask in jmp_buf for Linux/x86 with a
space to store shadow stack pointer. It verifies __jmp_buf_sigset_t has
the suitable size for the __sigprocmask system call. A run-time test,
tst-saved_mask-1.c, is added to verify that size of __jmp_buf_sigset_t
is sufficient. If its size is too small, the test fails with
rt_sigprocmask(SIG_SETMASK, strace: umoven: short read (4 < 8) @0x7fa8aa28effc
0x7fa8aa28effc, NULL, 8) = -1 EFAULT (Bad address)
rt_sigprocmask(SIG_SETMASK, strace: umoven: short read (4 < 8) @0x7fa8aa28effc
0x7fa8aa28effc, NULL, 8) = -1 EFAULT (Bad address)
rt_sigprocmask(SIG_SETMASK, NULL, 0x7fa8aa28effc, 8) = -1 EFAULT (Bad address)
exit_group(1) = ?
Tested with build-many-glibcs.py.
* debug/longjmp_chk.c: Include <setjmpP.h> instead of
<setjmp.h>.
* setjmp/longjmp.c: Include <setjmpP.h> instead of <setjmp.h>.
(__libc_siglongjmp): Cast &env[0].__saved_mask to "sigset_t *".
* setjmp/sigjmp.c: Include <setjmpP.h> instead of <setjmp.h>.
(__sigjmp_save): Cast &env[0].__saved_mask to "sigset_t *".
* sysdeps/generic/setjmpP.h: New file.
* sysdeps/unix/sysv/linux/x86/jmp_buf-ssp.sym: Likewise.
* sysdeps/unix/sysv/linux/x86/setjmpP.h: Likewise.
* sysdeps/unix/sysv/linux/x86/tst-saved_mask-1.c: Likewise.
* sysdeps/unix/sysv/linux/x86/Makefile (gen-as-const-headers):
Add jmp_buf-ssp.sym.
(tests): Add tst-saved_mask-1.
Linux 3.15 adds support for clock_gettime, gettimeofday, and time vDSO
(commit id 37c975545ec63320789962bf307f000f08fabd48). This patch adds
GLIBC supports to use such symbol when they are avaiable.
Along with x86 vDSO support, this patch cleanup x86_64 code by moving
all common code to x86 common folder. Only init-first.c is different
between implementations.
This patch eliminates the mixture of SONAME information in
shlib-versions files and SONAME information used to generate
gnu/lib-names.h in makefiles, with the information in the makefiles
being removed so all this information comes from the shlib-versions
files.
So that gnu/lib-names.h supports multiple ABIs, it is changed to be
generated on the same basis as gnu/stubs.h: when there are multiple
ABIs, gnu/lib-names.h is a wrapper header (the same header installed
whatever ABI is being built) and separate headers such as
gnu/lib-names-64.h contain the substantive contents (only one such
header being installed by any glibc build).
The rules for building gnu/lib-names.h were moved from Makeconfig to
Makerules because they need to come after sysdeps makefiles are
included (now that "ifndef abi-variants" is a toplevel conditional on
the rules rather than $(abi-variants) being evaluated later inside the
commands for a rule).
Tested for x86_64 and x86 that the installed shared libraries are
unchanged by this patch, and examined the installed gnu/lib-names*.h
headers by hand. Also tested the case of a single ABI (where there is
just a single header installed, again like stubs.h) by hacking
abi-variants to empty for x86_64.
[BZ #14171]
* Makeconfig [$(build-shared) = yes]
($(common-objpfx)soversions.mk): Don't handle SONAMEs specified in
makefiles.
[$(build-shared) = yes && $(soversions.mk-done) = t]
($(common-objpfx)gnu/lib-names.h): Remove rule.
[$(build-shared) = yes && $(soversions.mk-done) = t]
($(common-objpfx)gnu/lib-names.stmp): Likewise. Split and moved
to Makerules.
[$(build-shared) = yes && $(soversions.mk-done) = t]
(before-compile): Don't append $(common-objpfx)gnu/lib-names.h
here.
[$(build-shared) = yes && $(soversions.mk-done) = t]
(common-generated): Don't append gnu/lib-names.h and
gnu/lib-names.stmp here.
* Makerules [$(build-shared) = yes && $(soversions.mk-done) = t]
(lib-names-h-abi): New variable.
[$(build-shared) = yes && $(soversions.mk-done) = t]
(lib-names-stmp-abi): Likewise.
[$(build-shared) = yes && $(soversions.mk-done) = t &&
abi-variants] (before-compile): Append
$(common-objpfx)$(lib-names-h-abi).
[$(build-shared) = yes && $(soversions.mk-done) = t &&
abi-variants] (common-generated): Append gnu/lib-names.h.
[$(build-shared) = yes && $(soversions.mk-done) = t &&
abi-variants] (install-others-nosubdir): Depend on
$(inst_includedir)/$(lib-names-h-abi).
[$(build-shared) = yes && $(soversions.mk-done) = t &&
abi-variants] ($(common-objpfx)gnu/lib-names.h): New rule.
[$(build-shared) = yes && $(soversions.mk-done) = t]
($(common-objpfx)$(lib-names-h-abi)): New rule.
[$(build-shared) = yes && $(soversions.mk-done) = t]
($(common-objpfx)$(lib-names-stmp-abi)): Likewise.
[$(build-shared) = yes && $(soversions.mk-done) = t]
(common-generated): Append $(lib-names-h-abi) and
$(lib-names-stmp-abi).
* scripts/lib-names.awk: Do not handle multi being set.
* sysdeps/unix/sysv/linux/aarch64/Makefile (abi-lp64-ld-soname):
Remove variable.
(abi-lp64_be-ld-soname): Likewise.
* sysdeps/unix/sysv/linux/arm/Makefile (abi-soft-ld-soname):
Likewise.
(abi-hard-ld-soname): Likewise.
* sysdeps/unix/sysv/linux/i386/shlib-versions: New file.
* sysdeps/unix/sysv/linux/mips/Makefile (abi-o32_soft-ld-soname):
Remove variable.
(abi-o32_hard-ld-soname): Likewise.
(abi-o32_soft_2008-ld-soname): Likewise.
(abi-o32_hard_2008-ld-soname): Likewise.
(abi-n32_soft-ld-soname): Likewise.
(abi-n32_hard-ld-soname): Likewise.
(abi-n32_soft_2008-ld-soname): Likewise.
(abi-n32_hard_2008-ld-soname): Likewise.
(abi-n64_soft-ld-soname): Likewise.
(abi-n64_hard-ld-soname): Likewise.
(abi-n64_soft_2008-ld-soname): Likewise.
(abi-n64_hard_2008-ld-soname): Likewise.
* sysdeps/unix/sysv/linux/powerpc/Makefile (abi-64-v1-ld-soname):
Likewise.
(abi-64-v2-ld-soname): Likewise.
* sysdeps/unix/sysv/linux/powerpc/powerpc64/shlib-versions: Add
ld.so entries.
* sysdeps/unix/sysv/linux/s390/Makefile (abi-64-ld-soname): Remove
variable.
* sysdeps/unix/sysv/linux/s390/s390-64/shlib-versions: Add ld.so
entry.
* sysdeps/unix/sysv/linux/x86/Makefile (abi-32-ld-soname): Remove
variable.
(abi-64-ld-soname): Likewise.
(abi-x32-ld-soname): Likewise.
* sysdeps/unix/sysv/linux/x86_64/64/shlib-versions: Add ld.so
entry.
* sysdeps/unix/sysv/linux/x86_64/x32/shlib-versions: Likewise.