oss-sec mailing list archives
Re: Alternative CET ABI
From: Florian Weimer <fweimer () redhat com>
Date: Thu, 30 Jul 2020 18:54:50 +0200
* Jann Horn:
On Thu, Jul 30, 2020 at 6:02 PM Florian Weimer <fweimer () redhat com> wrote:Functions no longer start with the ENDBR64 prefix. Instead, the link editor produces a PLT entry with an ENDBR64 prefix if it detects any address-significant relocation for it. The PLT entry performs a NOTRACK jump to the target address. This assumes that the target address is subject to RELRO, of course, so that redirection is not possible. Without address-significant relocations, the link editor produces a PLT entry without the ENDBR64 prefix (but still with the NOTRACK jump), or perhaps no PLT entry at all.How would this interact with function pointer comparisons? As in, if library A exports a function func1 without referencing it, and libraries B and C both take references to func1, would they end up with different function pointers (pointing to their respective PLT entries)?
Same as today. ELF already deals with this by picking one canonical function address per process. Some targets already need PLTs for inter-DSO calls, so the problem is not new. It happens even on x86 because the main program can refer to its PLT stubs without run-time relocations, so those determine the canonical address of those functions, and not the actual implementation in a shared object.
Would this mean that the behavior of a program that compares function pointers obtained through different shared libraries might change?
Hopefully not, because that would break things quite horribly (as it's sometimes possible to observe if the RTLD_DEEPBIND flag is used). Both the canonicalization and the fact in order to observe the function pointer, you need to take its address should take care of this.
I guess you could maybe canonicalize function pointers somehow, but that'd probably at least break dlclose(), right?
Ahh, dlclose. I think in this case, my idea to generate a PLT stub locally in the address-generating DSO will not work because the canonical address must survive dlclose if it refers to another DSO. There are two ways to deal with this: do not unload the PLT stub until the target DSO is also unloaded (but make sure that the DSO can be reloaded at a different address; probably not worth the complexity), or use the dlsym hack I sketched for regular symbol binding as well. Even more room for experiments, I guess. Thanks, Florian
Current thread:
- Alternative CET ABI Florian Weimer (Jul 30)
- Re: Alternative CET ABI Jann Horn (Jul 30)
- Re: Alternative CET ABI Florian Weimer (Jul 30)
- Re: Alternative CET ABI H.J. Lu (Jul 30)
- Re: Alternative CET ABI Szabolcs Nagy (Jul 30)
- Re: Alternative CET ABI Florian Weimer (Jul 30)
- Re: Alternative CET ABI Jann Horn (Jul 30)