Support relro in delocator #2455
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
torben-hansen
commented
Jun 2, 2025
| @@ -722,7 +761,7 @@ func (d *delocation) processAarch64Instruction(statement, instruction *node32) ( | |||
| /* ppc64le | |||
|
|
|||
| [PABI]: “64-Bit ELF V2 ABI Specification. Power Architecture.” March 21st, | |||
| 2017 | |||
There was a problem hiding this comment.
These are because I converted space indentation to tab indentation.
torben-hansen
commented
Jun 2, 2025
torben-hansen
commented
Jun 2, 2025
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2455 +/- ##
==========================================
- Coverage 78.89% 78.88% -0.02%
==========================================
Files 621 621
Lines 108613 108675 +62
Branches 15414 15421 +7
==========================================
+ Hits 85685 85723 +38
- Misses 22258 22281 +23
- Partials 670 671 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
skmcgrail
previously approved these changes
Jun 3, 2025
dkostic
reviewed
Jun 3, 2025
util/fipstools/delocate/delocate.go
Outdated
| symbol = localTargetName(d.relroLocalLabelToFuncMap[symbol]) | ||
|
|
||
| // Transform the opcode and arguments | ||
| instructionName = "leaq" |
<
8000
div data-view-component="true" class="TimelineItem-badge">
skmcgrail
approved these changes
Jun 3, 2025
dkostic
approved these changes
Jun 3, 2025
This was referenced Jun 3, 2025
Merged
justsmth
added a commit
that referenced
this pull request
Jun 13, 2025
## What's Changed * Add build with hardened flag by @m271828 in #2396 * Openssl tool output ordered by options provided by @justsmth in #2452 * [SCRUTINICE] Remove redundant condition check by @nhatnghiho in #2450 * Support relro in delocator by @torben-hansen in #2455 * Explicitly don't allow buffers aliasing in ctr-drbg implementation by @torben-hansen in #2458 * Remove unused Wi 92BF ndows afunix.h by @justsmth in #2461 * Revert "Rework memory BIOs and implement BIO_seek (2nd try) (#2433)" by @justsmth in #2466 * Use max_cert_list for TLSv1.3 NewSessionTicket by @skmcgrail in #2453 * ML-KEM memory safety by @m271828 in #2263 * Simplify Compiler CI jobs by @justsmth in #2430 * Improve support for multilib-style distros in our test scripts by @justsmth in #2467 * Fix Ruby mainline and nginx CI by @samuel40791765 in #2460 * Add hardened build back in by @m271828 in #2474 * Fix OCSP integration test failures by @samuel40791765 in #2480 * Fix some theoretical missing earlyclobber markers in inline assembly by @torben-hansen in #2477 * Simplify sshkdf and kbkdf by @torben-hansen in #2478 * Run 3p module tests on python 3.13, add patch for 3.14 by @WillChilds-Klein in #2476 * [UPSTREAM] Fix BIO_eof for BIO pairs by @justsmth in #2440 * Fix service indicator in HKDF, more paranoid zeroization, and simplify logic by @torben-hansen in #2482 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues:
CryptoAlg-2491
Description of changes:
This PR adds support for relocation read-only (relro) sections
.data.rel.ro[.local]in the delocator. These type of sections are mapped as writable when the binary is loaded into memory. But after the relocation phase, permissions for the memory pages are re-configured to read-only. This doesn't work for the static FIPS build. In fact, all.datasections are fatal for the static FIPS build. relro section usage seems to have increased for newer compilers e.g. gcc14. I don't know why though. Looking at the assembly it looks related to vector optimisations and never happens for-O(strictly) below 2. I wasn't able to reverse engineer conditions fromgccthough.A relro section takes the form
The local symbol maps to another symbol (function symbol). For example,
.LC01maps tofoo, in the sense that during relocation, the address of the function implementationfoocan be referenced using the local symbol.LC01. The local symbol value (in this case the function address) is loaded using IP-addressing. This typically takes the form:The strategy to support relro is as follows:
lea.A transform example is as follows. Assume we have already located the mapping
.LC01 <-> foo. This is simply parsing related. Then assume we have the following load (the problematic part of the middle statement):The delocator already issues a local target for
foo, with the name.Lfoo_local_target, that we will use for the rewrite. For aleainstruction, we need to load the result into a non-vector register. We will use a caller-saved register, sayrax. Hence, the first rewrite is:Correctness should be maintained because
xmm0contains the same value as before. This almost works. But even thoughraxis caller-saved, we have no idea whether it's used anywhere else under the function scope. Hence, to maintain correctness, we must pushraxto the stack and restore it after the move instruction. Hence, the final rewrite is(This also handles clearing any red zones). The push-pop stack to mantain correctness under a
leare-write is a known technique in the delocator.Deleting relro sections is also just a game of identifying the correct patterns to remove. One fun little complexity to handle is the assembly macros
.setbecause they can alias local symbols that we have already mapped to a function symbol. These are also handled.Call-outs:
Pushing and popping from the stack cost a tiny number of CPU cycles. But luckily, the relro sections are only (until now at least) used to populate the
.bssallocated virtual function tables that is a once-only, lazy operation. So, I expect no performance impact at all. In fact, I measured and saw none in my little test.Testing:
Added unit tests for the new feature in the delocator to preserve functionality. Existing tests in the CI will cover correctness.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.