Page MenuHomeFreeBSD
Differential D14508

properly align etext and rodata to prevent overlappings in PTI case
Needs ReviewPublic
Actions

Authored by op on Feb 25 2018, 10:23 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Jan 12, 11:22 AM
Unknown Object (File)
Oct 28 2024, 9:18 PM
Unknown Object (File)
Sep 12 2024, 1:54 AM
Unknown Object (File)
Sep 8 2024, 4:36 PM
Unknown Object (File)
Sep 8 2024, 1:51 PM
Unknown Object (File)
Aug 17 2024, 2:07 AM
Unknown Object (File)
Jul 2 2024, 6:55 AM
Unknown Object (File)
Jul 1 2024, 5:43 AM
View All 27 Files
Subscribers
imp

Details

Reviewers
kib
emaste
alc
jhb
Group Reviewers
secteam
Summary

The pmap_pti_add_kva_locked function truncates the starting address and
rounds up to PAGE_SIZE the end address, thus passing etext is bogous,
since it overlaps with the start of rodata, see the example bellow.




objdump -d kernel before this patch:



...
 ffffffff808fff54:       41 5f                   pop    %r15
 ffffffff808fff56:       5d                      pop    %rbp
 ffffffff808fff57:       c3                      retq           <- etext
 Disassembly of section .rodata:

 ffffffff808fff60 <cam_status_table-0x570>:                     <-  rodata
 ffffffff808fff60:       43                      rex.XB
 ffffffff808fff61:       43                      rex.XB
...



and after:



...
 ffffffff808fff54:       41 5f                   pop    %r15
 ffffffff808fff56:       5d                      pop    %rbp
 ffffffff808fff57:       c3                      retq           <- etext
 Disassembly of section .rodata:

 ffffffff80900000 <cam_status_table-0x570>:                     <- rodata
 ffffffff80900000:       43                      rex.XB
 ffffffff80900001:       43                      rex.XB
...



Obtained from: opBSD
Diff Detail
Repository 
rS FreeBSD src repository - subversion 
Lint 
Lint Skipped
 
Unit 
Tests Skipped
 
Build Status 
Buildable 15264
 
Event Timeline
op created this revision.Feb 25 2018, 10:23 PM
Herald added a subscriber: imp.  ·  View Herald TranscriptFeb 25 2018, 10:23 PM
op added a reviewer: jhb.Feb 26 2018, 2:08 PM
emaste added a comment.Feb 26 2018, 2:50 PM
What is the desire here specifically with respect to PTI?



I think we do want a change along these lines; we should be able to map .rodata as NX. But the change would be a bit larger than this.
op added a comment.Feb 26 2018, 3:04 PM
You can see the problem here: https://github.com/freebsd/freebsd/blob/master/sys/amd64/amd64/pmap.c#L7921



static void
pmap_pti_add_kva_locked(vm_offset_t sva, vm_offset_t eva, bool exec)
     ...
     sva = trunc_page(sva);
     MPASS(sva > VM_MAXUSER_ADDRESS);
     eva = round_page(eva);
     MPASS(sva < eva);
     ...



The end address is rounded up to page size, and in this case the round_page(etext) overlaps with the rodata.



Probably the same problem occurs with all of the other places, where the pmap_pti_add_kva_locked used.
op added a comment.Feb 26 2018, 3:07 PM
Probably it would be nice to rethink the linker file layout for amd64, since there are lot of parts merged into text, what is not NX naturally.
Revision Contents
Changeset List
PathSize
sys/
conf/
5 lines
Diff 39720
View Options
sys/conf/ldscript.amd64
Loading...