[libc] fortify jmp buffer for x86-64 #112769
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
SchrodingerZhu
requested review from
petrhosek,
nickdesaulniers and
statham-arm
|
@llvm/pr-subscribers-libc Author: Schrodinger ZHU Yifan (SchrodingerZhu) Changessupersedes ##101110 Full diff: https://github.com/llvm/llvm-project/pull/112769.diff 10 Files Affected:
diff --git a/libc/config/config.json b/libc/config/config.json
index 2e4f878778e6e0..88110ab29152c3 100644
--- a/libc/config/config.json
+++ b/libc/config/config.json
@@ -99,6 +99,10 @@
"LIBC_CONF_SETJMP_AARCH64_RESTORE_PLATFORM_REGISTER": {
"value": true,
"doc": "Make setjmp save the value of x18, and longjmp restore it. The AArch64 ABI delegates this register to platform ABIs, which can choose whether to make it caller-saved."
+ },
+ "LIBC_CONF_SETJMP_ENABLE_FORTIFICATION": {
+ "value": true,
+ "doc": "Enable fortification for setjmp and longjmp."
}
},
"time": {
diff --git a/libc/docs/configure.rst b/libc/docs/configure.rst
index 867bb807d10ac9..2704b47f13cb36 100644
--- a/libc/docs/configure.rst
+++ b/libc/docs/configure.rst
@@ -54,6 +54,7 @@ to learn about the defaults for your platform and target.
- ``LIBC_CONF_SCANF_DISABLE_INDEX_MODE``: Disable index mode in the scanf format string.
* **"setjmp" options**
- ``LIBC_CONF_SETJMP_AARCH64_RESTORE_PLATFORM_REGISTER``: Make setjmp save the value of x18, and longjmp restore it. The AArch64 ABI delegates this register to platform ABIs, which can choose whether to make it caller-saved.
+ - ``LIBC_CONF_SETJMP_ENABLE_FORTIFICATION``: Enable fortification for setjmp and longjmp.
* **"string" options**
- ``LIBC_CONF_MEMSET_X86_USE_SOFTWARE_PREFETCHING``: Inserts prefetch for write instructions (PREFETCHW) for memset on x86 to recover performance when hardware prefetcher is disabled.
- ``LIBC_CONF_STRING_UNSAFE_WIDE_READ``: Read more than a byte at a time to perform byte-string operations like strlen.
diff --git a/libc/include/llvm-libc-types/jmp_buf.h b/libc/include/llvm-libc-types/jmp_buf.h
index 60e033c6c65a95..c89bfc5afcbd3b 100644
--- a/libc/include/llvm-libc-types/jmp_buf.h
+++ b/libc/include/llvm-libc-types/jmp_buf.h
@@ -43,6 +43,8 @@ typedef struct {
#else
#error "__jmp_buf not available for your target architecture."
#endif
+ // unused if checksum feature is not enabled.
+ __UINT64_TYPE__ __chksum;
} __jmp_buf;
typedef __jmp_buf jmp_buf[1];
diff --git a/libc/src/setjmp/CMakeLists.txt b/libc/src/setjmp/CMakeLists.txt
index d85c532e8636c8..a90c3e177fb739 100644
--- a/libc/src/setjmp/CMakeLists.txt
+++ b/libc/src/setjmp/CMakeLists.txt
@@ -2,6 +2,24 @@ if(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${LIBC_TARGET_ARCHITECTURE})
add_subdirectory(${CMAKE_CURRENT_SOURCE_DIR}/${LIBC_TARGET_ARCHITECTURE})
endif()
+if (LIBC_CONF_SETJMP_ENABLE_FORTIFICATION)
+ set(checksum_flags "-DLIBC_SETJMP_ENABLE_FORTIFICATION=1")
+else()
+ set(checksum_flags "-DLIBC_SETJMP_ENABLE_FORTIFICATION=0")
+endif()
+
+
+add_header_library(
+ checksum
+ HDRS
+ checksum.h
+ DEPENDS
+ libc.src.__support.common
+ libc.src.__support.OSUtil.osutil
+ COMPILE_OPTIONS
+ ${checksum_flags}
+)
+
add_entrypoint_object(
setjmp
ALIAS
diff --git a/libc/src/setjmp/checksum.h b/libc/src/setjmp/checksum.h
new file mode 100644
index 00000000000000..df6a12d185c3ee
--- /dev/null
+++ b/libc/src/setjmp/checksum.h
@@ -0,0 +1,46 @@
+//===-- Implementation header for jmpbuf checksum ---------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_LIBC_SRC_SETJMP_CHECKSUM_H
+#define LLVM_LIBC_SRC_SETJMP_CHECKSUM_H
+
+#ifndef LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
+#define LIBC_COPT_SETJMP_ENABLE_FORTIFICATION 1
+#endif
+
+#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
+#include "src/__support/OSUtil/syscall.h"
+#include "src/__support/macros/config.h"
+#include <sys/syscall.h>
+
+namespace LIBC_NAMESPACE_DECL {
+namespace jmpbuf {
+// random bytes from https://www.random.org/cgi-bin/randbyte?nbytes=8&format=h
+LIBC_INLINE __UINTPTR_TYPE__ value_mask = 0x3899'f0d3'5005'd953;
+LIBC_INLINE __UINT64_TYPE__ checksum_cookie = 0xc7d9'd341'6afc'33f2;
+// abitrary prime number
+LIBC_INLINE constexpr __UINT64_TYPE__ ROTATION = 13;
+// initialize the checksum state
+LIBC_INLINE void initialize() {
+ union {
+ struct {
+ __UINTPTR_TYPE__ entropy0;
+ __UINT64_TYPE__ entropy1;
+ };
+ char buffer[sizeof(__UINTPTR_TYPE__) + sizeof(__UINT64_TYPE__)];
+ };
+ syscall_impl<long>(SYS_getrandom, buffer, sizeof(buffer), 0);
+ // add in additional entropy
+ jmpbuf::value_mask ^= entropy0;
+ jmpbuf::checksum_cookie ^= entropy1;
+}
+} // namespace jmpbuf
+} // namespace LIBC_NAMESPACE_DECL
+#endif // LIBC_SETJMP_ENABLE_FORTIFICATION
+
+#endif // LLVM_LIBC_SRC_SETJMP_CHECKSUM_H
diff --git a/libc/src/setjmp/x86_64/CMakeLists.txt b/libc/src/setjmp/x86_64/CMakeLists.txt
index b5b0d9ba65599c..571f3681887106 100644
--- a/libc/src/setjmp/x86_64/CMakeLists.txt
+++ b/libc/src/setjmp/x86_64/CMakeLists.txt
@@ -6,6 +6,7 @@ add_entrypoint_object(
../setjmp_impl.h
DEPENDS
libc.hdr.types.jmp_buf
+ libc.src.setjmp.checksum
COMPILE_OPTIONS
-O3
)
@@ -18,6 +19,9 @@ add_entrypoint_object(
../longjmp.h
DEPENDS
libc.hdr.types.jmp_buf
+ libc.src.stdlib.abort
+ libc.src.__support.OSUtil.osutil
+ libc.src.setjmp.checksum
COMPILE_OPTIONS
-O3
-fomit-frame-pointer
diff --git a/libc/src/setjmp/x86_64/longjmp.cpp b/libc/src/setjmp/x86_64/longjmp.cpp
index c293c55a6f9fb2..09aa189f2b87bd 100644
--- a/libc/src/setjmp/x86_64/longjmp.cpp
+++ b/libc/src/setjmp/x86_64/longjmp.cpp
@@ -8,8 +8,11 @@
#include "src/setjmp/longjmp.h"
#include "include/llvm-libc-macros/offsetof-macro.h"
+#include "src/__support/OSUtil/io.h"
#include "src/__support/common.h"
#include "src/__support/macros/config.h"
+#include "src/setjmp/checksum.h"
+#include "src/stdlib/abort.h"
#if !defined(LIBC_TARGET_ARCH_IS_X86_64)
#error "Invalid file include"
@@ -17,26 +20,71 @@
namespace LIBC_NAMESPACE_DECL {
+#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
+extern "C" [[gnu::cold, noreturn]] void __libc_jmpbuf_corruption() {
+ write_to_stderr("invalid checksum detected in longjmp\n");
+ abort();
+}
+#define LOAD_CHKSUM_STATE_REGISTERS() \
+ asm("mov %0, %%rcx\n\t" ::"m"(jmpbuf::value_mask) : "rcx"); \
+ asm("mov %0, %%rdx\n\t" ::"m"(jmpbuf::checksum_cookie) : "rdx");
+
+#define RESTORE_REG(DST) \
+ "movq %c[" #DST "](%%rdi), %%rax\n\t" \
+ "movq %%rax, %%" #DST "\n\t" \
+ "xor %%rcx, %%" #DST "\n\t" \
+ "mul %%rdx\n\t" \
+ "xor %%rax, %%rdx\n\t" \
+ "rol $%c[rotation], %%rdx\n\t"
+
+#define RESTORE_RIP() \
+ "movq %c[rip](%%rdi), %%rax\n\t" \
+ "xor %%rax, %%rcx\n\t" \
+ "mul %%rdx\n\t" \
+ "xor %%rax, %%rdx\n\t" \
+ "rol $%c[rotation], %%rdx\n\t" \
+ "cmp %c[chksum](%%rdi), %%rdx\n\t" \
+ "jne __libc_jmpbuf_corruption\n\t" \
+ "cmpl $0x1, %%esi\n\t" \
+ "adcl $0x0, %%esi\n\t" \
+ "movq %%rsi, %%rax\n\t" \
+ "jmp *%%rcx\n\t"
+#else
+#define LOAD_CHKSUM_STATE_REGISTERS()
+#define RESTORE_REG(DST) "movq %c[" #DST "](%%rdi), %%" #DST "\n\t"
+#define RESTORE_RIP() \
+ "cmpl $0x1, %%esi\n\t" \
+ "adcl $0x0, %%esi\n\t" \
+ "movq %%rsi, %%rax\n\t" \
+ "jmpq *%c[rip](%%rdi)\n\t"
+#endif
+
[[gnu::naked]]
LLVM_LIBC_FUNCTION(void, longjmp, (jmp_buf, int)) {
- asm(R"(
- cmpl $0x1, %%esi
- adcl $0x0, %%esi
- movq %%rsi, %%rax
-
- movq %c[rbx](%%rdi), %%rbx
- movq %c[rbp](%%rdi), %%rbp
- movq %c[r12](%%rdi), %%r12
- movq %c[r13](%%rdi), %%r13
- movq %c[r14](%%rdi), %%r14
- movq %c[r15](%%rdi), %%r15
- movq %c[rsp](%%rdi), %%rsp
- jmpq *%c[rip](%%rdi)
- )" ::[rbx] "i"(offsetof(__jmp_buf, rbx)),
+ LOAD_CHKSUM_STATE_REGISTERS()
+ asm(
+ // clang-format off
+ RESTORE_REG(rbx)
+ RESTORE_REG(rbp)
+ RESTORE_REG(r12)
+ RESTORE_REG(r13)
+ RESTORE_REG(r14)
+ RESTORE_REG(r15)
+ RESTORE_REG(rsp)
+ RESTORE_RIP()
+ // clang-format on
+ ::[rbx] "i"(offsetof(__jmp_buf, rbx)),
[rbp] "i"(offsetof(__jmp_buf, rbp)), [r12] "i"(offsetof(__jmp_buf, r12)),
[r13] "i"(offsetof(__jmp_buf, r13)), [r14] "i"(offsetof(__jmp_buf, r14)),
[r15] "i"(offsetof(__jmp_buf, r15)), [rsp] "i"(offsetof(__jmp_buf, rsp)),
- [rip] "i"(offsetof(__jmp_buf, rip)));
+ [rip] "i"(offsetof(__jmp_buf, rip))
+#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
+ // clang-format off
+ ,[rotation] "i"(jmpbuf::ROTATION)
+ , [chksum] "i"(offsetof(__jmp_buf, __chksum))
+ // clang-format on
+#endif
+ : "rax", "rdx", "rcx", "rsi");
}
} // namespace LIBC_NAMESPACE_DECL
diff --git a/libc/src/setjmp/x86_64/setjmp.cpp b/libc/src/setjmp/x86_64/setjmp.cpp
index f6e82642edd7da..56e2f55cd3a9ff 100644
--- a/libc/src/setjmp/x86_64/setjmp.cpp
+++ b/libc/src/setjmp/x86_64/setjmp.cpp
@@ -9,37 +9,88 @@
#include "include/llvm-libc-macros/offsetof-macro.h"
#include "src/__support/common.h"
#include "src/__support/macros/config.h"
+#include "src/setjmp/checksum.h"
#include "src/setjmp/setjmp_impl.h"
#if !defined(LIBC_TARGET_ARCH_IS_X86_64)
#error "Invalid file include"
#endif
-namespace LIBC_NAMESPACE_DECL {
+#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
+#define LOAD_CHKSUM_STATE_REGISTERS() \
+ asm("mov %0, %%rcx\n\t" ::"m"(jmpbuf::value_mask) : "rcx"); \
+ asm("mov %0, %%rdx\n\t" ::"m"(jmpbuf::checksum_cookie) : "rdx");
-[[gnu::naked]]
-LLVM_LIBC_FUNCTION(int, setjmp, (jmp_buf buf)) {
- asm(R"(
- mov %%rbx, %c[rbx](%%rdi)
- mov %%rbp, %c[rbp](%%rdi)
- mov %%r12, %c[r12](%%rdi)
- mov %%r13, %c[r13](%%rdi)
- mov %%r14, %c[r14](%%rdi)
- mov %%r15, %c[r15](%%rdi)
+#define STORE_REG(SRC) \
+ "mov %%" #SRC ", %%rax\n\t" \
+ "xor %%rcx, %%rax\n\t" \
+ "mov %%rax, %c[" #SRC "](%%rdi)\n\t" \
+ "mul %%rdx\n\t" \
+ "xor %%rax, %%rdx\n\t" \
+ "rol $%c[rotation], %%rdx\n\t"
+
+#define STORE_RSP() \
+ "lea 8(%%rsp), %%rax\n\t" \
+ "xor %%rcx, %%rax\n\t" \
+ "mov %%rax, %c[rsp](%%rdi)\n\t" \
+ "mul %%rdx\n\t" \
+ "xor %%rax, %%rdx\n\t" \
+ "rolq $%c[rotation], %%rdx\n\t"
- lea 8(%%rsp), %%rax
- mov %%rax, %c[rsp](%%rdi)
+#define STORE_RIP() \
+ "mov (%%rsp), %%rax\n\t" \
+ "xor %%rcx, %%rax\n\t" \
+ "mov %%rax, %c[rip](%%rdi)\n\t" \
+ "mul %%rdx\n\t" \
+ "xor %%rax, %%rdx\n\t" \
+ "rolq $%c[rotation], %%rdx\n\t"
- mov (%%rsp), %%rax
- mov %%rax, %c[rip](%%rdi)
+#define STORE_CHECKSUM() "mov %%rdx, %c[chksum](%%rdi)\n\t"
+#else
+#define LOAD_CHKSUM_STATE_REGISTERS()
+#define STORE_REG(SRC) "mov %%" #SRC ", %c[" #SRC "](%%rdi)\n\t"
+#define STORE_RSP() \
+ "lea 8(%%rsp), %%rax\n\t" \
+ "mov %%rax, %c[rsp](%%rdi)\n\t"
+#define STORE_RIP() \
+ "mov (%%rsp), %%rax\n\t" \
+ "mov %%rax, %c[rip](%%rdi)\n\t"
+#define STORE_CHECKSUM()
+#endif
- xorl %%eax, %%eax
- retq)" ::[rbx] "i"(offsetof(__jmp_buf, rbx)),
+namespace LIBC_NAMESPACE_DECL {
+[[gnu::naked]]
+LLVM_LIBC_FUNCTION(int, setjmp, (jmp_buf buf)) {
+ LOAD_CHKSUM_STATE_REGISTERS()
+ asm(
+ // clang-format off
+ STORE_REG(rbx)
+ STORE_REG(rbp)
+ STORE_REG(r12)
+ STORE_REG(r13)
+ STORE_REG(r14)
+ STORE_REG(r15)
+ STORE_RSP()
+ STORE_RIP()
+ STORE_CHECKSUM()
+ // clang-format on
+ ::[rbx] "i"(offsetof(__jmp_buf, rbx)),
[rbp] "i"(offsetof(__jmp_buf, rbp)), [r12] "i"(offsetof(__jmp_buf, r12)),
[r13] "i"(offsetof(__jmp_buf, r13)), [r14] "i"(offsetof(__jmp_buf, r14)),
[r15] "i"(offsetof(__jmp_buf, r15)), [rsp] "i"(offsetof(__jmp_buf, rsp)),
[rip] "i"(offsetof(__jmp_buf, rip))
- : "rax");
+#if LIBC_COPT_SETJMP_ENABLE_FORTIFICATION
+ // clang-format off
+ ,[rotation] "i"(jmpbuf::ROTATION)
+ ,[chksum] "i"(offsetof(__jmp_buf, __chksum))
+ // clang-format on
+#endif
+ : "rax", "rdx");
+
+ asm(R"(
+ xorl %eax, %eax
+ retq
+ )");
}
} // namespace LIBC_NAMESPACE_DECL
diff --git a/libc/startup/linux/CMakeLists.txt b/libc/startup/linux/CMakeLists.txt
index eaa724e41f1685..34c870f98b1f1c 100644
--- a/libc/startup/linux/CMakeLists.txt
+++ b/libc/startup/linux/CMakeLists.txt
@@ -104,6 +104,7 @@ add_object_library(
libc.src.stdlib.exit
libc.src.stdlib.atexit
libc.src.unistd.environ
+ libc.src.setjmp.checksum
COMPILE_OPTIONS
-ffreestanding # To avoid compiler warnings about calling the main function.
-fno-builtin # avoid emit unexpected calls
diff --git a/libc/startup/linux/do_start.cpp b/libc/startup/linux/do_start.cpp
index ff104c7f0d1d2f..fc40ac0b1b1095 100644
--- a/libc/startup/linux/do_start.cpp
+++ b/libc/startup/linux/do_start.cpp
@@ -11,6 +11,7 @@
#include "src/__support/OSUtil/syscall.h"
#include "src/__support/macros/config.h"
#include "src/__support/threads/thread.h"
+#include "src/setjmp/checksum.h"
#include "src/stdlib/atexit.h"
#include "src/stdlib/exit.h"
#include "src/unistd/environ.h"
@@ -130,7 +131,7 @@ void teardown_main_tls() { cleanup_tls(tls.addr, tls.size); }
init_tls(tls);
if (tls.size != 0 && !set_thread_ptr(tls.tp))
syscall_impl<long>(SYS_exit, 1);
-
+ jmpbuf::initialize();
self.attrib = &main_thread_attrib;
main_thread_attrib.atexit_callback_mgr =
internal::get_thread_atexit_callback_mgr();
|
statham-arm
reviewed
Oct 18, 2024
statham-arm
reviewed
Oct 18, 2024
statham-arm
reviewed
Oct 18, 2024
|
Some performance data. Without fortification: |
|
Thanks for the updates. I'm happy with this now, but @nickdesaulniers has been looking at completely different aspects of the patch, so I think he needs to be happy too. (In another system like Gerrit I'd indicate this by setting +1 but not +2. Not sure what the corresponding Github etiquette is.) |
|
@nickdesaulniers a gentle ping~ |
SchrodingerZhu
force-pushed
the
longjmp-fortify
branch
from
95066ec to
ef9ccdb
Compare
SchrodingerZhu
force-pushed
the
longjmp-fortify
branch
from
6496060 to
35a1f08
Compare
There was a problem hiding this comment.
oh, boy, this is getting harder and harder to follow. This code has maximally factored any repetition via macro expansion. While I'm a big fan of DRY (don't repeat yourself), I don't think we want that for inline asm.
I think rather than having this pattern of:
#ifdef __i386
...lots of #defines
#else
...lots of #defines
#endif
#ifdef LIBC_COPT_SETJMP_FORTIFICATION
...
#else
...lots of #defines
#endif
asm (
MACRO_EXPANSION
MACRO_EXPANSION
MACRO_EXPANSION
...
it would be easier to maintain/read/understand if:
- we move i386 implementations to their own file. I split out i386 sources recently; I should have done that for jmp_buf.
- write checksum in C and call it from inline asm, so that the checksum routine is the same between architectures.
- perhaps have separate .cpp files selected via cmake depending on LIBC_COPT_SETJMP_FORTIFICATION. Then we can have longjump.cpp and longjump_fortified.cpp, setjump.cpp and setjump_fortified.cpp.
With inline asm, you really want to keep it straightforward what assembler you'll get. As is, I feel like I would need to preprocess setjmp.cpp and longjump.cpp just to fully review the sequence of instructions.
Please file an issue to track jmp_buf fortification for all architectures, then add a link to it in the PR description so that we can track implementing this for all other architectures.
|
Yet another try. PTAL. |
|
✅ With the latest revision this PR passed the C/C++ code formatter. |
|
fixed |
|
@nickdesaulniers PTAL. |
| DEPENDS | ||
| libc.hdr.types.jmp_buf | ||
| COMPILE_OPTIONS | ||
| -O3 |
There was a problem hiding this comment.
Do you want to make these -O3's libc_opt_high_flag after #117638?
Comment on lines
+27
to
+28
| LIBC_INLINE constexpr __UINTPTR_TYPE__ MULTIPLE = | ||
| static_cast<__UINTPTR_TYPE__>(6364136223846793005ull); |
There was a problem hiding this comment.
Suggested change
| LIBC_INLINE constexpr __UINTPTR_TYPE__ MULTIPLE = | |
| static_cast<__UINTPTR_TYPE__>(6364136223846793005ull); | |
| LIBC_INLINE constexpr auto MULTIPLE = | |
| static_cast<__UINTPTR_TYPE__>(6364136223846793005ull); |
https://llvm.org/docs/CodingStandards.html#use-auto-type-deduction-to-make-code-more-readable
Comment on lines
+18
to
+21
| __UINTPTR_TYPE__ value_mask = | ||
| static_cast<__UINTPTR_TYPE__>(0x3899'f0d3'5005'd953ull); | ||
| __UINTPTR_TYPE__ checksum_cookie = | ||
| static_cast<__UINTPTR_TYPE__>(0xc7d9'd341'6afc'33f2ull); |
There was a problem hiding this comment.
Suggested change
| __UINTPTR_TYPE__ value_mask = | |
| static_cast<__UINTPTR_TYPE__>(0x3899'f0d3'5005'd953ull); | |
| __UINTPTR_TYPE__ checksum_cookie = | |
| static_cast<__UINTPTR_TYPE__>(0xc7d9'd341'6afc'33f2ull); | |
| auto value_mask = | |
| static_cast<__UINTPTR_TYPE__>(0x3899'f0d3'5005'd953ull); | |
| auto checksum_cookie = | |
| static_cast<__UINTPTR_TYPE__>(0xc7d9'd341'6afc'33f2ull); |
Comment on lines
+28
to
+29
| jmpbuf::value_mask ^= entropy[0]; | ||
| jmpbuf::checksum_cookie ^= entropy[0]; |
There was a problem hiding this comment.
Did a previous version of this PR use entropy[1]? Otherwise why is entropy a 2 element array?
| asm(R"( | ||
| mov %c[rbx](%%rdi), %%rbx | ||
| xor %%rbx, %[cookie] | ||
| xor %[mask], %%rbx |
There was a problem hiding this comment.
This is going to modify mask, right? In that case, I'd make mask an output that's also read "+m", rather than an input. Same for setjmp.
| }, | ||
| "LIBC_CONF_SETJMP_FORTIFICATION": { | ||
| "value": false, | ||
| "doc": "Protect jmp_buf by masking its contents and storing a simple checksum, to make it harder for an attacker to read meaningful information from a jmp_buf or to modify it. This is only supported on x86-64 Linux." |
There was a problem hiding this comment.
We will eventually need to support shadow stacks (part of Intel's CET): https://libc-alpha.sourceware.narkive.com/KcCIyBg9/patch-linux-x86-support-shadow-stack-pointer-in-setjmp-longjmp. It's perhaps worth discussing if we'll want to have 2 or 3 configs for fortification.
For instance, I'd imaging we'd want full fortification or no fortification. But I wonder if shadow stacks make checksumming irrelevant? Hmm...I'll need to think about that more.
| "setjmp": { | ||
| "LIBC_CONF_SETJMP_FORTIFICATION": { | ||
| "value": true, | ||
| "doc": "Protect jmp_buf by masking its contents and storing a simple checksum, to make it harder for an attacker to read meaningful information from a jmp_buf or to modify it. This is only supported on x86-64 Linux." |
There was a problem hiding this comment.
Perhaps this should be one config. Otherwise, if the user flips one but not the other, then setjmp/longjmp will fail at runtime, right?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
supersedes ##101110