Age | Commit message | Author | Files | Lines |
|
Testcase for printing capabilities.
|
|
Off-by-one error found on morello with strict stack bounds.
|
|
This reverts commit 37cfa707b08a6d8c060d7fdebf2cc255e1de8908.
|
|
TODO: squash into
commit 392f32c841c9feefdc376129d2ac2215855decc4
aarch64: morello: add lazy binding entry code
|
|
This reverts commit 0c66b05c7f0b2ec5fdf7d37b4150ba517efa5df8.
|
|
This reverts commit 960401b6f740232d2b97bfe9ea4118b394112a5e.
|
|
This reverts commit 078ebf3e35bd0c50b58dc2ec796530054f69b9a9.
|
|
This reverts commit 347f7e2ac1f34f92bc382afe9e5fe32ebe7cf16c.
|
|
processing"
This reverts commit 93ab84cd80067744fb990d0f420dafc04a18d4cb.
|
|
prctl is a variadic function and on morello args that were not passed
cannot be accessed so the generic code does not work.
|
|
Only use as many varargs as accessible according to the bounds of c9.
TODO: squash into original syscall support
|
|
TODO: squash into
commit 0edbd4c6d389b9e2be5ff1d026b4d30ae70a4af9
aarch64: morello: fix DL_SYMBOL_ADDRESS
|
|
TODO: squash into
commit 418b9dac8999e5a64b69ee072321cd6eed8d8be1
aarch64: don't build wordcopy
|
|
TODO: squash into
commit f2f4f441fbda6080d0ff742f3bb535c09315ef98
cheri: elf: Turn l_addr back to ElfW(Addr)
|
|
TODO: not needed with full pcuabi
|
|
Ensure mmap returns pointers with RWX permission covering all segments.
These pointers later get restricted to RX and RW permission.
|
|
The arena allocator incrementally applies RW mprotect to a PROT_NONE
mapping. Use PROT_MAX to ensure the pointers derived from the original
mapping have RW capability permission.
|
|
Specifies the prot flags a mapping may gain via mprotect or MAP_FIXED.
On CHERI targets this is used to get a capability with more permissions
than the original mmap protection would imply.
|
|
TODO: squash into initial cheri_perms.h
|
|
Larger requirement because pointers are bigger.
|
|
This works around a gcc issue where it const folds inf/inf into nan,
preventing the invalid exception signal from being raised.
(x-x)/(x-x) is more robust against optimizations and works for x==nan
too.
The issue should be fixed in gcc-11.3.0 and gcc-12, but glibc supports
older compilers.
|
|
malloc/tst-malloc-backtrace tests heap corruption.
malloc/tst-dynarray uses malloc_debug wrappers that access internals.
|
|
Add more cap_ hooks to implement narrowing without depending on a
global capability covering the heap. Either recording every
narrowed capability in a lookup table or recording every mapping
used for the heap are supported. The morello implementation uses
a lookup table for now.
The lookup table adds memory overhead, failure paths and locks.
Recording and removing entries from the lookup table must be done
carefully in realloc so on failure the old pointer is usable and
on success the old pointer is immediately reusable concurrently.
The locks require fork hooks so malloc works in multi-threaded
fork child.
|
|
Public interfaces return pointers with narrow bounds; this internally
requires bumping the size and alignment requirement of allocations so
the bounds are representable.
When pointers with narrow bounds need to be turned back to have wide
bounds (free, realloc), the pointer is rederived from DDC. (So this
patch relies on DDC to cover all heap memory with RW permission.)
Allocations above the mmap threshold waste memory for alignment and
realloc often falls back to the inefficient alloc, copy, free sequence
instead of mremap or another in-place solution.
|
|
__libc_free must only be used for memory given out by __libc_malloc
and similar public apis, but tcache stores a cache of already freed
pointers and itself is allocated using internal malloc apis. Strong
double free detection in __libc_free breaks tcache_thread_shutdown,
so use a cut down version of free to reset tcache entries.
|
|
In dl_iterate_phdr phdr is the only capability passed to the callback
that may be used to derive pointers of the elf module, so ensure it
has wide bounds.
|
|
Used internally for r_debug tests, but with the assumption that
the return value can be dereferenced, so change the prototype
and return a valid capability.
Also used in pldd, where we only support purecap abi processes.
|
|
The dlpi_addr field is a capability that has value l_addr, but we can
only do this for libraries (ET_DYN) where l_addr == l_map_start,
otherwise we return l_addr which is normally 0 then (ET_EXEC) so the
caller can detect and special case it.
For now l_addr != 0 and l_addr != l_map_start case is not supported.
Note: this api may be used by the unwinder to find and read .eh_frame
data.
TODO: dlpi_addr could be address only, but requires unwinder update
and agreement about the abi.
|
|
l_addr is no longer a capability so this is not needed.
|
|
Pointers are no longer derived from l_addr, but l_map_start (RX) and
l_rw_start (RW) so it does not have to be a capability.
This also allows removing hacks where l_addr was derived from DDC.
|
|
Instead of
map->l_addr + offset
use
dl_rx_ptr (map, offset)
dl_rw_ptr (map, offset)
depending on RX or RW permission requirement.
|
|
There is no traditional TLS support in morello that would explicitly
call __tls_get_addr, but the libc uses it internally and the returned
pointer escapes to user code. So bound the pointers according to
the tls symbol size instead of doing so in each caller.
(Affects dlsym and dynamic TLSDESC.)
|
|
It has to return a pointer that can be dereferenced, so it must be
derived correctly from RX and RW capabilities.
Try to have tight object bounds and seal function symbols.
|
|
All symbol addresses can be derived from the RX capability of the
module (l_map_start). For RW object symbols the pointer will have to
be rederived from l_rw_start.
|
|
The dynamic section of an executable needs to be written to set the
DT_DEBUG entry for debuggers (unless the target has some other place
to store r_debug). For this reason we make l_ld writable whenever
the dynamic section is writable.
The ld.so l_ld is kept RX, since it does not have DT_DEBUG.
(Note: relocating the dynamic section is not allowed on cheri and
that's the only other reason glibc would write to it.)
|
|
Writable version of D_PTR, required for updating GOT[1] and GOT[2].
|
|
Use the reloc processing code from cheri-rel.h which already
supports separate RX and RW capabilities per module.
|
|
At least tls image access requires RX capability of the main link_map.
|
|
The l_map_start and l_rw_start of the ld.so and exe come from the auxv
since they are normally mapped by the kernel. Some generic code had to
be modified so l_map_start is propagated and not overwritten when it is
recomputed.
The l_rw_range should exclude the relro region, but in libc.so and
ld.so this does not work: symbols are accessed before relro is applied
and then the permission should be writable.
|
|
Use a new hook to do the rtld bootstrap map base address and root
capability setup on CHERI.
This will be needed to use separate per module RX and RW root caps.
|
|
To derive pointers within a module from the per module RX and RW caps.
|
|
For each module keep an RX and an RW root capability. Use the existing
l_map_start for RX (covering all load segments) and add l_rw_start for
RW (covering all writable load segments).
For relocation processing, we also need individual RW ranges to decide
which objects need to be derived from RW and RX capabilities. In
practice most modules have exactly one RW segment and it's unlikely
that any module needs more than four distinct ranges to tightly cover
the RW mappings.
Only added on CHERI targets so always has to be used behind ifdef.
|
|
The purecap ELF entry is special: it passes separate argc, argv, envp,
auxv in registers instead of on the stack.
The ldso internal _dl_start still expects continuous argc, argv, envp,
auxv, so that's emulated.
|
|
For each module there will be separate RW and RX capabilities that
cover the writable and all load segments respectively.
Prepare the relative reloc processing in static start code for such
separate capabilities.
|