[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RFC: Audit external function called indirectly via GOT

To: Florian Weimer <fweimer@redhat.com>
Subject: Re: RFC: Audit external function called indirectly via GOT
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Wed, 28 Mar 2018 11:41:38 -0700
Authentication-results: sourceware.org; auth=none
Cc: Generic System V Application Binary Interface <generic-abi@googlegroups.com>, gnu-gabi@sourceware.org
Delivered-to: listarch-gnu-gabi@sourceware.org
Delivered-to: mailing list gnu-gabi@sourceware.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=gzN++aNdsU9alilA/EVmmRfEaVRIierrk8t1pU+9PCw=; b=ant+HtSE+XPkWCAcCg1Kf5G0ZTjwTYKXUMVuLnTKeCEMuEzRWIgD+e3UO56Mu9ujhE gR7JDdG22PacLUFoIszlYNM7xmEFALTC/NWtTIZgoPeAUC0rFZfhX89TKLrOtES+PNB6 qBB1MT+nublFG2Ezz+ogTnvjN4xMgUzeA9Ol+PAoc4O9pa1w3dRcoS3/lKl+yU2bcfpI EfXDKWLXeu1FdnjZqalkjti9XJScx5V4AG7O0tqpXHjUbx9VI2rLMm/oDPUeiZzNZiNU ARWtD2GZVz0TmTDNeiYif27bRMY97ptLaaA1ruTKdMuNRqab4yxIo+nEVmDa8e4Y95Xp qetw==
In-reply-to: <e6935942-f8d6-3193-3e91-343715be5c5d@redhat.com>
List-help: <mailto:gnu-gabi-help@sourceware.org>
List-id: <gnu-gabi.sourceware.org>
List-post: <mailto:gnu-gabi@sourceware.org>
List-subscribe: <mailto:gnu-gabi-subscribe@sourceware.org>
Mailing-list: contact gnu-gabi-help@sourceware.org; run by ezmlm
References: <20180317133115.GA4681@gmail.com> <ba9013ec-7c77-9a3d-d474-3f5f4670d093@redhat.com> <CAMe9rOq3_U_T88+j8teyGRrrFoHWbvS=D+hHSBHZ01gQTWy=Hw@mail.gmail.com> <e6935942-f8d6-3193-3e91-343715be5c5d@redhat.com>
Sender: gnu-gabi-owner@sourceware.org

On Wed, Mar 28, 2018 at 11:37 AM, Florian Weimer <fweimer@redhat.com> wrote:
> On 03/20/2018 05:52 PM, H.J. Lu wrote:
>>
>> On Mon, Mar 19, 2018 at 1:21 AM, Florian Weimer <fweimer@redhat.com>
>> wrote:
>>>
>>> On 03/17/2018 02:31 PM, H.J. Lu wrote:
>>>>
>>>>
>>>> Auditing of external function calls and their return values relies on
>>>> lazy binding with PLT.  When external functions are called indirectly
>>>> via GOT without using PLT, auditing stops working.
>>>>
>>>> Here is a proposal to support auditing of external function called
>>>> indirectly via GOT:
>>>>
>>>> 1. Add optional dynamic tags:
>>>>
>>>>    #define DT_GNU_PLT     0x6ffffef4  /* Address of PLT section  */
>>>>    #define DT_GNU_PLTSZ   0x6ffffdf1  /* Size of PLT section  */
>>>>    #define DT_GNU_PLTENT  0x6ffffdf2  /* Size of one PLT entry  */
>>>>    #define DT_GNU_PLT0SZ  0x6ffffdf3  /* Size of the first PLT entry  */
>>>>    #define DT_GNU_PLTGOTSZ 0x6ffffdf4 /* Size of PLTGOT section  */
>>>>
>>>> and update DT_FLAGS_1 with:
>>>>
>>>>    #define DF_1_JMPRELIGN 0x10000000  /* DT_JMPREL can be ignored  */
>>>> 2. Linker creates PLT entries for auditing external function calls via
>>>> GOT and sets DT_GNU_PLT, DT_GNU_PLTSZ, DT_GNU_PLTENT, DT_GNU_PLT0SZ and
>>>> DT_GNU_PLTGOTSZ.  If PLT isn't required for lazy binding, set the
>>>> DF_1_JMPRELIGN bit in DT_FLAGS_1.
>>>
>>>
>>>
>>> Could we ship a template for the PLT entries in ld.so instead?  And if
>>> needed, map it from the file together with an address array, like this?
>>
>>
>> This won't work since linker needs to know exactly PLT layout to generate
>> JUMP_SLOT relocations for LD_AUDIT.
>
>
> I don't see why it would need JUMP_SLOT relocations if it simply
> auto-generates PLT stub equivalents and installs them in GLOB_DAT
> relocations.

My understanding is that LD_AUDIT is based on JUMP_SLOT relocations.

> Anyway, going back to the larger question what we need here.
>
> I used  this as a test case for audit support with BIND_NOW:
>
> latrace /bin/true --help
>
> Most of Fedora is compiled with BIND_NOW.  Fedora 26 does not print latrace
> messages (the problem I mentioned earlier), Fedora 27 works (yay), Fedora 28
> crashes (meh).
>
> So depending on which side Fedora 28+ falls, I think your approach might be
> viable.  I expect that a future binutils version would do this by default,
> and beyond the additional dynamic section tags, new PLT stubs would only be
> created for no-plt functions because current binutils is supposed to
> generate PLT entries again (after they went missing for -z now binaries for
> some time).
>

-fno-plt is a compiler option, not a linker option.  Linker generates PLT for
PLT32 relocations to external functions.


-- 
H.J.

Follow-Ups:
- Re: RFC: Audit external function called indirectly via GOT
  - From: Florian Weimer <fweimer@redhat.com>

References:
- RFC: Audit external function called indirectly via GOT
  - From: "H.J. Lu" <hjl.tools@gmail.com>
- Re: RFC: Audit external function called indirectly via GOT
  - From: Florian Weimer <fweimer@redhat.com>
- Re: RFC: Audit external function called indirectly via GOT
  - From: "H.J. Lu" <hjl.tools@gmail.com>
- Re: RFC: Audit external function called indirectly via GOT
  - From: Florian Weimer <fweimer@redhat.com>

Prev by Date: Re: RFC: Audit external function called indirectly via GOT
Next by Date: Re: RFC: Audit external function called indirectly via GOT
Previous by thread: Re: RFC: Audit external function called indirectly via GOT
Next by thread: Re: RFC: Audit external function called indirectly via GOT
Index(es):
- Date
- Thread