[PATCH 2/4] elf: Move note processing after l_phdr is updated [BZ #26831]

Szabolcs Nagy szabolcs.nagy@arm.com
Fri Nov 20 14:35:57 GMT 2020


The 11/03/2020 04:36, H.J. Lu wrote:
> On Tue, Nov 3, 2020 at 2:38 AM Florian Weimer <fweimer@redhat.com> wrote:
> > Is this still compatible with the CET requirements?
> >
> > I hope it is because the CET magic happens in _dl_open_check, so after
> > the code in elf/dl-load.c has run.
> 
> _dl_process_pt_note and _dl_process_pt_gnu_property may call
> _dl_signal_error.  Are we prepared to clean more things up when it
> happens?  I am investigating:
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=26825
> 
> I don't think cleanup of _dl_process_pt_gnu_property failure is done
> properly.

(removed linux devs from cc)

indeed failures are not handled right, the call tree is

dl_open_worker
    _dl_map_object
        _dl_map_object_from_fd
            _dl_process_pt_gnu_property
                record bti/cet marking
    _dl_map_object_deps
        catch(_dl_map_object)
            ... record bti/cet marking
    // mapping is complete
    dl_open_check
        handle bti/cet
    _dl_relocate_object
    // point of no return
    activate_nodelete
    catch(dl_init)

dl_main
    parse phdr or _dl_map_object if ld.so mapped
        ... record bti/cet marking
    _dl_map_object_deps
        ... record bti/cet marking
    rtld_main_check
        handle bti/cet
    _dl_relocate_object

the issues:

- dl_open_check is only applied to the dlopened lib not to
  its dependencies. does cet check the deps? for bti this
  means protection is missed on deps, i opened bug 26926.

- _dl_map_object_from_fd has special failure handling (via
  "lose") because there are local clean-ups to be done (e.g.
  open fd, mallocs), so _dl_process_pt_gnu_property cannot
  use _dl_signal_error. however i need to do bti mmap there
  while the fd is available.

my plan for bti: do mmap in _dl_process_pt_gnu_property
and record failures in the linkmap, then in dl_open_check
walk dependencies and if any of them failed then signal
the error from there. (this fixes both issues on aarch64.)

if this works out i'll resend the patches and ask linux to
add bti protection to the main exe.
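As an added illustration of the "record the result, signal later" approach discussed above (example code written for this page, not glibc's _dl_process_pt_gnu_property): a parser for the PT_GNU_PROPERTY note contents that returns a status the caller can store in the link map instead of calling _dl_signal_error while the fd and local allocations are still live. The note/property constants are the public GNU ABI values; the sample note bytes, the prop_status enum and any_failed are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NT_GNU_PROPERTY_TYPE_0 5
#define GNU_PROPERTY_AARCH64_FEATURE_1_AND 0xc0000000u
#define GNU_PROPERTY_AARCH64_FEATURE_1_BTI 1u

/* Hypothetical per-object record: stored in the link map, never thrown. */
enum prop_status { PROP_NONE = 0, PROP_BTI = 1, PROP_MALFORMED = -1 };

/* Parse a PT_GNU_PROPERTY segment (ELF64 layout, 8-byte padded properties).
   Every length is checked before use; a bad note yields PROP_MALFORMED
   instead of an error being signalled from inside the mapping code. */
enum prop_status parse_gnu_property(const unsigned char *buf, size_t len)
{
    uint32_t namesz, descsz, type;
    if (len < 12) return PROP_MALFORMED;
    memcpy(&namesz, buf, 4); memcpy(&descsz, buf + 4, 4); memcpy(&type, buf + 8, 4);
    if (type != NT_GNU_PROPERTY_TYPE_0 || namesz != 4
        || len < (size_t)12 + 4 + descsz || memcmp(buf + 12, "GNU", 4) != 0)
        return PROP_MALFORMED;
    const unsigned char *p = buf + 16, *end = p + descsz;
    enum prop_status st = PROP_NONE;
    while (p < end) {
        uint32_t pr_type, pr_datasz;
        if ((size_t)(end - p) < 8) return PROP_MALFORMED;
        memcpy(&pr_type, p, 4); memcpy(&pr_datasz, p + 4, 4);
        p += 8;
        if ((size_t)(end - p) < pr_datasz) return PROP_MALFORMED;
        if (pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND) {
            uint32_t feat;
            if (pr_datasz != 4) return PROP_MALFORMED;
            memcpy(&feat, p, 4);
            if (feat & GNU_PROPERTY_AARCH64_FEATURE_1_BTI) st = PROP_BTI;
        }
        p += (pr_datasz + 7) & ~7u;   /* ELF64: properties are 8-byte aligned */
    }
    return st;
}

/* Mirrors the plan in the mail: once mapping is complete, walk the recorded
   status of the object and all its deps and report from one place. */
int any_failed(const enum prop_status *recorded, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (recorded[i] == PROP_MALFORMED) return 1;
    return 0;
}

/* Constructed sample (not from a real binary): one NT_GNU_PROPERTY_TYPE_0
   note whose AARCH64_FEATURE_1_AND property has the BTI bit set. */
static const unsigned char sample_bti_note[32] = {
    4,0,0,0,  16,0,0,0,  5,0,0,0,  'G','N','U',0,
    0x00,0x00,0x00,0xc0,  4,0,0,0,  1,0,0,0,  0,0,0,0 };
```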