From patchwork Thu Jul 25 20:05:16 2024
X-Patchwork-Submitter: Adhemerval Zanella
X-Patchwork-Id: 814371
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Subject: [PATCH v4 0/4] Improve executable stack handling
Date: Thu, 25 Jul 2024 17:05:16 -0300
Message-ID: <20240725201159.3286231-1-adhemerval.zanella@linaro.org>

If some shared library loaded with dlopen/dlmopen requires an executable
stack, either implicitly because of a missing GNU_STACK ELF header (where
the ABI default flags imply the executable bit) or explicitly because of
the executable bit from GNU_STACK, the loader will try to set both the
main thread stack and all thread stacks (from the pthread cache) as
executable.
Besides the issue where any executable stack transition failure does not
undo the previous transitions (meaning that if the library fails to load,
there can be thread stacks that are left executable), this behavior was
used in a recent CVE [1] as a vector for RCE.

The second patch changes the behavior so that if a shared library
requires an executable stack and the current stack is not executable,
dlopen fails.  The change is done only for dynamically loaded modules; if
the program or any dependency requires an executable stack, the loader
will still change the main thread stack before program execution and any
thread created with the default stack configuration.

The fourth patch also adds a tunable, glibc.rtld.execstack, which can be
used to control whether executable stacks are allowed from either the
main program or dependencies.  The default is to allow executable stacks.
The default executable-stack permission is checked against the one
provided by PT_GNU_STACK from the program headers (if present).  The
tunable also disables the stack permission change if any dependency
requires an executable stack at loading time.

[1] https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt

---

Changes from v3:
- Rebased against master.
- Improved the NEWS entry wording.

Changes from v2:
- Removed the dlopen executable stack support.
- Allow program and dependencies with executable stack as default.
- Renamed tunable from glibc.rtld.noexecstack to glibc.rtld.execstack.

Changes from v1:
- Fixed tests invocation without --enable-hardcoded-path-in-tests.
- Added hurd, hppa, mips exceptions.
Adhemerval Zanella (4):
  elf: Consolidate stackinfo.h
  elf: Do not change stack permission on dlopen/dlmopen
  elf: Add tst-execstack-prog-static
  elf: Add glibc.rtld.execstack

 NEWS                                        |  10 +-
 elf/Makefile                                |  49 +++++++
 elf/dl-load.c                               |  13 +-
 elf/dl-support.c                            |   5 +
 elf/dl-tunables.list                        |   6 +
 elf/rtld.c                                  |   4 +
 elf/tst-execstack-prog-static.c             |   1 +
 elf/tst-execstack.c                         | 142 ++++++++------------
 elf/tst-rtld-list-tunables.exp              |   1 +
 manual/tunables.texi                        |  19 +++
 nptl/allocatestack.c                        |  19 ---
 sysdeps/aarch64/stackinfo.h                 |  33 -----
 sysdeps/arc/stackinfo.h                     |  33 -----
 sysdeps/csky/stackinfo.h                    |  29 ----
 sysdeps/generic/stackinfo.h                 |  15 ++-
 sysdeps/loongarch/stackinfo.h               |  33 -----
 sysdeps/nios2/stackinfo.h                   |  33 -----
 sysdeps/nptl/pthreadP.h                     |   6 -
 sysdeps/powerpc/{ => powerpc32}/stackinfo.h |   8 +-
 sysdeps/riscv/stackinfo.h                   |  33 -----
 sysdeps/unix/sysv/linux/Versions            |   3 -
 sysdeps/unix/sysv/linux/dl-execstack.c      |  67 +-------
 sysdeps/unix/sysv/linux/mips/Makefile       |   7 +
 23 files changed, 180 insertions(+), 389 deletions(-)
 create mode 100644 elf/tst-execstack-prog-static.c
 delete mode 100644 sysdeps/aarch64/stackinfo.h
 delete mode 100644 sysdeps/arc/stackinfo.h
 delete mode 100644 sysdeps/csky/stackinfo.h
 delete mode 100644 sysdeps/loongarch/stackinfo.h
 delete mode 100644 sysdeps/nios2/stackinfo.h
 rename sysdeps/powerpc/{ => powerpc32}/stackinfo.h (82%)
 delete mode 100644 sysdeps/riscv/stackinfo.h
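The PT_GNU_STACK check the cover letter describes (an explicit PF_X bit, or a missing header falling back to the ABI default) can be reproduced offline against any object before it is ever loaded; the following is an added example, not code from the patch set or from glibc, that reads a 64-bit ELF file's program headers and reports whether it requests an executable stack. The names read_phdrs and gnu_stack_requires_exec are the example's own, it handles ELFCLASS64 only, and the caller supplies the ABI default flags because those differ per target.

```c
/* Added example (not the patch set's code): ELFCLASS64 only.  */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if the program headers request an executable stack.  A missing
   PT_GNU_STACK means "ABI default"; the caller supplies those flags
   (PF_R|PF_W|PF_X on most targets, PF_R|PF_W on e.g. aarch64).  */
int gnu_stack_requires_exec(const Elf64_Phdr *phdr, size_t phnum,
                            Elf64_Word default_flags)
{
    for (size_t i = 0; i < phnum; i++)
        if (phdr[i].p_type == PT_GNU_STACK)
            return (phdr[i].p_flags & PF_X) != 0;
    return (default_flags & PF_X) != 0;
}

/* Read PATH's program header table (ELFCLASS64 only); caller frees.  */
Elf64_Phdr *read_phdrs(const char *path, size_t *phnum)
{
    Elf64_Ehdr eh;
    Elf64_Phdr *ph = NULL;
    FILE *f = fopen(path, "rb");
    if (f && fread(&eh, sizeof eh, 1, f) == 1
        && memcmp(eh.e_ident, ELFMAG, SELFMAG) == 0
        && eh.e_ident[EI_CLASS] == ELFCLASS64
        && eh.e_phentsize == sizeof (Elf64_Phdr)
        && fseek(f, (long) eh.e_phoff, SEEK_SET) == 0
        && (ph = calloc(eh.e_phnum, sizeof *ph)) != NULL
        && fread(ph, sizeof *ph, eh.e_phnum, f) == eh.e_phnum)
        *phnum = eh.e_phnum;
    else
        free(ph), ph = NULL;
    if (f) fclose(f);
    return ph;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    size_t n;
    Elf64_Phdr *ph = read_phdrs(path, &n);
    if (!ph)
        return fprintf(stderr, "%s: unreadable or not ELFCLASS64\n", path), 1;
    /* Assumes the common ABI default (PF_R|PF_W|PF_X) for a missing header.  */
    printf("%s: %s\n", path, gnu_stack_requires_exec(ph, n, PF_R | PF_W | PF_X)
           ? "requests executable stack" : "non-executable stack");
    free(ph);
    return 0;
}
```

Run it against a shared object (./a.out /path/to/lib.so) to see in advance whether a dlopen of that object would now fail under the second patch on a process whose stack is non-executable.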