Bug 26831

Summary: aarch64: seccomp filters may prevent mprotect(PROT_EXEC|PROT_BTI)
Product: glibc
Reporter: Szabolcs Nagy <nsz>
Component: dynamic-link
Assignee: Szabolcs Nagy <nsz>
Status: RESOLVED FIXED
Severity: normal
CC: carlos, fweimer
Priority: P2
Flags: fweimer: security-
Version: unspecified
Target Milestone: 2.33
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1888842
Host: aarch64
Target:
Build:
Last reconfirmed:

Description Szabolcs Nagy 2020-11-02 14:48:03 UTC
see also
https://bugzilla.redhat.com/show_bug.cgi?id=1888842

branch-protection support in ld.so uses mprotect to
turn PROT_BTI on on executable segments, but this may
be prevented by security policies such as the systemd
MemoryDenyWriteExecute sandboxing option that makes
mprotect with PROT_EXEC fail via a seccomp filter.

Comment 1 Sourceware Commits 2020-12-11 15:49:27 UTC
The master branch has been updated by Szabolcs Nagy <nsz@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cd543b5eb3642d76e365a131ce676f31fe3f1dd4

commit cd543b5eb3642d76e365a131ce676f31fe3f1dd4
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date:   Tue Dec 1 10:13:18 2020 +0000

    aarch64: Use mmap to add PROT_BTI instead of mprotect [BZ #26831]
    
    Re-mmap executable segments if possible instead of using mprotect
    to add PROT_BTI. This allows using BTI protection with security
    policies that prevent mprotect with PROT_EXEC.
    
    If the fd of the ELF module is not available because it was kernel
    mapped then mprotect is used and failures are ignored.  To protect
    the main executable even when mprotect is filtered the linux kernel
    will have to be changed to add PROT_BTI to it.
    
    The delayed failure reporting is mainly needed because currently
    _dl_process_gnu_properties does not propagate failures such that
    the required cleanups happen. Using the link_map_machine struct for
    error propagation is not ideal, but this seemed to be the least
    intrusive solution.
    
    Fixes bug 26831.
    
    Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>

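The following is an added example written for this page; it is neither glibc's dl-bti code nor anything from the bug or the commit above. It reproduces the situation the description and the commit message describe: a seccomp rule in the style of systemd's MemoryDenyWriteExecute that returns EPERM for any mprotect carrying PROT_EXEC, an executable file mapping standing in for a PT_LOAD segment, and the two ways of adding PROT_BTI to it, mprotect (old behaviour, fails under the rule) and a MAP_FIXED re-mmap from the ELF fd (the fix, passes because it requests no PROT_WRITE). The apply_bti helper mirrors the commit's policy of falling back to mprotect and ignoring its failure when no fd is available. Everything here is assumed for illustration: the function names, the bti_demo struct, the use of /proc/self/exe as the mapped file, and the filter itself (which only covers mprotect, not the pkey_mprotect, W+X mmap and SHM_EXEC shmat rules MDWE also installs, and does not check seccomp_data.arch). PROT_BTI is 0x10 in the arm64 uapi headers; on other architectures it is defined here as 0 so the syscall pattern still runs.

```c
/* Added illustration for BZ #26831 (not glibc's own dl-bti code): install the
 * piece of systemd's MemoryDenyWriteExecute seccomp policy that breaks ld.so
 * (mprotect with PROT_EXEC -> EPERM), then show that adding PROT_BTI with
 * mprotect fails while re-mapping the range from the ELF fd succeeds.
 * Assumes Linux with seccomp-bpf, a little-endian CPU and /proc mounted. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if !defined PROT_BTI && defined __aarch64__
#define PROT_BTI 0x10 /* arm64 <asm/mman.h> value */
#elif !defined PROT_BTI
#define PROT_BTI 0    /* no BTI bit on this arch; the syscall pattern is the same */
#endif

struct bti_demo {
    int filter_installed; /* 0 if the seccomp rule is active, else -1 */
    int mprotect_rc;      /* 0 or -errno from the old mprotect() path */
    int remap_rc;         /* 0 or -errno from the fixed mmap(MAP_FIXED) path */
    int fallback_rc;      /* "no fd" path: the failure is swallowed, so 0 */
    int content_ok;       /* 1 if the page still holds the file bytes */
};

/* Reject mprotect() whenever PROT_EXEC is requested, even on a range that is
 * already executable: that is exactly what trips ld.so under MDWE. */
static int install_mdwe_like_filter(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mprotect, 0, 3),
        /* low 32 bits of args[2], i.e. prot, on a little-endian host */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == 0 ? 0 : -1;
}

/* Old ld.so behaviour: flip PROT_BTI on with mprotect. */
static int add_bti_with_mprotect(void *addr, size_t len)
{
    return mprotect(addr, len, PROT_READ | PROT_EXEC | PROT_BTI) == 0 ? 0 : -errno;
}

/* Fixed behaviour: replace the mapping in place from the fd (MAP_FIXED swaps the
 * pages atomically); no PROT_WRITE is requested, so a W^X policy lets it through. */
static int add_bti_with_remap(void *addr, size_t len, int fd, off_t off)
{
    void *p = mmap(addr, len, PROT_READ | PROT_EXEC | PROT_BTI,
                   MAP_PRIVATE | MAP_FIXED, fd, off);
    return p == MAP_FAILED ? -errno : (p == addr ? 0 : -EINVAL);
}

/* Policy from the commit message: re-mmap when the ELF fd is at hand; for a
 * kernel-mapped main executable (no fd) try mprotect and ignore a failure. */
static int apply_bti(void *addr, size_t len, int fd, off_t off)
{
    if (fd >= 0)
        return add_bti_with_remap(addr, len, fd, off);
    (void) add_bti_with_mprotect(addr, len);
    return 0;
}

/* Map the first page of our own ELF image read+exec (a stand-in for an
 * executable PT_LOAD segment) and exercise every path under the filter. */
int run_bti_demo(struct bti_demo *r)
{
    size_t len = (size_t) sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/exe", O_RDONLY);
    if (fd < 0) return -1;
    void *seg = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    if (seg == MAP_FAILED) { close(fd); return -1; }
    r->filter_installed = install_mdwe_like_filter();
    r->mprotect_rc = add_bti_with_mprotect(seg, len);
    r->remap_rc = add_bti_with_remap(seg, len, fd, 0);
    r->fallback_rc = apply_bti(seg, len, -1, 0);
    r->content_ok = memcmp(seg, "\x7f" "ELF", 4) == 0;
    munmap(seg, len);
    close(fd);
    return 0;
}

int main(void)
{
    struct bti_demo r;
    if (run_bti_demo(&r) != 0) return 1;
    printf("filter %s, mprotect rc %d, remap rc %d, fallback rc %d, content ok %d\n",
           r.filter_installed ? "unavailable" : "active", r.mprotect_rc,
           r.remap_rc, r.fallback_rc, r.content_ok);
    return 0;
}
```

With the rule active, mprotect_rc is -EPERM although the page was already executable and nothing becomes writable, while remap_rc is 0 and the page still holds the ELF header. The fallback path returns 0 either way, which is the caveat the commit states: a kernel-mapped main executable loses PROT_BTI silently under such a policy until the kernel applies it itself. Run as root or not, the filter needs only PR_SET_NO_NEW_PRIVS; if seccomp-bpf is unavailable, filter_installed is -1 and mprotect simply succeeds.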
Comment 2 Sourceware Commits 2021-01-21 10:44:00 UTC
The release/2.32/master branch has been updated by Szabolcs Nagy <nsz@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=33dc30bc838b12183744746de102da8b76b9b1d0

commit 33dc30bc838b12183744746de102da8b76b9b1d0
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date:   Tue Dec 1 10:13:18 2020 +0000

    aarch64: Use mmap to add PROT_BTI instead of mprotect [BZ #26831]
    
    Re-mmap executable segments if possible instead of using mprotect
    to add PROT_BTI. This allows using BTI protection with security
    policies that prevent mprotect with PROT_EXEC.
    
    If the fd of the ELF module is not available because it was kernel
    mapped then mprotect is used and failures are ignored.  To protect
    the main executable even when mprotect is filtered the linux kernel
    will have to be changed to add PROT_BTI to it.
    
    The delayed failure reporting is mainly needed because currently
    _dl_process_gnu_properties does not propagate failures such that
    the required cleanups happen. Using the link_map_machine struct for
    error propagation is not ideal, but this seemed to be the least
    intrusive solution.
    
    Fixes bug 26831.
    
    Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit cd543b5eb3642d76e365a131ce676f31fe3f1dd4)

Comment 3 Szabolcs Nagy 2021-03-29 08:54:46 UTC
fixed for 2.33