Commit message | Author | Date | Files | Lines

* cheri: stdio-common: Add test for %#p printf modifier (arm/morello/v2) | Carlos Eduardo Seo | 2022-10-26 | 2 | -0/+101
    Testcase for printing capabilities.

* Fix elf/tst-tls20 stack OOB access | Szabolcs Nagy | 2022-10-26 | 1 | -2/+2
    Off-by-one error found on morello with strict stack bounds.

* Revert "Fix elf/tst-tls20 stack OOB access" | Szabolcs Nagy | 2022-10-26 | 1 | -1/+1
    This reverts commit 37cfa707b08a6d8c060d7fdebf2cc255e1de8908.

* TODO: fix _dl_runtime_profile entry after revert | Szabolcs Nagy | 2022-10-26 | 1 | -1/+1
    TODO: squash into commit 392f32c841c9feefdc376129d2ac2215855decc4 "aarch64: morello: add lazy binding entry code".

* Revert "TODO(audit): aarch64: morello: add _dl_runtime_profile entry" | Szabolcs Nagy | 2022-10-26 | 2 | -194/+4
    This reverts commit 0c66b05c7f0b2ec5fdf7d37b4150ba517efa5df8.

* Revert "TODO(gprof): aarch64: morello: add gprof profiling support to asm" | Szabolcs Nagy | 2022-10-26 | 1 | -38/+4
    This reverts commit 960401b6f740232d2b97bfe9ea4118b394112a5e.

* Revert "TODO(drop): aarch64: morello: CPU feature detection for Morello" | Szabolcs Nagy | 2022-10-26 | 3 | -12/+1
    This reverts commit 078ebf3e35bd0c50b58dc2ec796530054f69b9a9.

* Revert "TODO(relro): cheri: make __attribute_relro a nop" | Szabolcs Nagy | 2022-10-26 | 1 | -5/+1
    This reverts commit 347f7e2ac1f34f92bc382afe9e5fe32ebe7cf16c.

* Revert "TODO(l_addr): cheri: rtld: elfptr_t fix in rtld.c program header processing" | Szabolcs Nagy | 2022-10-26 | 1 | -1/+1
    This reverts commit 93ab84cd80067744fb990d0f420dafc04a18d4cb.

* aarch64: morello: add prctl with correct vararg handling | Szabolcs Nagy | 2022-10-26 | 1 | -0/+44
    prctl is a variadic function and on morello args that were not passed cannot be accessed, so the generic code does not work.

* TODO: fix variadic syscalls | Szabolcs Nagy | 2022-10-26 | 2 | -0/+18
    Only use as many varargs as accessible according to the bounds of c9.
    TODO: squash into original syscall support.

* TODO: use empty dl-symaddr.c | Szabolcs Nagy | 2022-10-26 | 1 | -17/+0
    TODO: squash into commit 0edbd4c6d389b9e2be5ff1d026b4d30ae70a4af9 "aarch64: morello: fix DL_SYMBOL_ADDRESS".

* TODO: use empty wordcopy.c | Szabolcs Nagy | 2022-10-26 | 1 | -17/+0
    TODO: squash into commit 418b9dac8999e5a64b69ee072321cd6eed8d8be1 "aarch64: don't build wordcopy".

* TODO: more l_addr cleanup | Szabolcs Nagy | 2022-10-26 | 1 | -1/+1
    TODO: squash into commit f2f4f441fbda6080d0ff742f3bb535c09315ef98 "cheri: elf: Turn l_addr back to ElfW(Addr)".

* TODO(uapi): cheri: start: restrict auxv capability permissions | Szabolcs Nagy | 2022-10-26 | 4 | -0/+8
    TODO: not needed with full pcuabi.

* cheri: Fix capability permissions of PROT_NONE maps in test code | Szabolcs Nagy | 2022-10-26 | 4 | -3/+11

* cheri: Fix capability permissions of PROT_NONE map in locarchive | Szabolcs Nagy | 2022-10-26 | 1 | -1/+9

* cheri: nptl: Fix thread stack capability permissions | Szabolcs Nagy | 2022-10-26 | 1 | -1/+9

* cheri: elf: Fix segment mapping permissions | Szabolcs Nagy | 2022-10-26 | 1 | -4/+13
    Ensure mmap returns pointers with RWX permission covering all segments. These pointers later get restricted to RX and RW permission.

* cheri: malloc: Ensure the mappings have RW permission | Szabolcs Nagy | 2022-10-26 | 1 | -1/+9
    The arena allocator incrementally applies RW mprotect to a PROT_NONE mapping. Use PROT_MAX to ensure the pointers derived from the original mapping have RW capability permission.

* aarch64: morello: define PROT_MAX | Szabolcs Nagy | 2022-10-26 | 1 | -0/+3
    Specifies the prot flags a mapping may gain via mprotect or MAP_FIXED. On CHERI targets this is used to get a capability with more permissions than the original mmap protection would imply.

* TODO(uapi): mmap perm emulation | Szabolcs Nagy | 2022-10-26 | 1 | -0/+17

* TODO: update cheri_perms.h | Szabolcs Nagy | 2022-10-26 | 1 | -3/+21
    TODO: squash into initial cheri_perms.h.

* cheri: Update the static tls requirement of the libc | Szabolcs Nagy | 2022-10-20 | 1 | -0/+8
    Larger requirement because pointers are bigger.

* math: Fix asin and acos invalid exception | Szabolcs Nagy | 2022-10-13 | 1 | -16/+2
    This works around a gcc issue where it const folds inf/inf into nan, preventing the invalid exception signal from being raised. (x-x)/(x-x) is more robust against optimizations and works for x==nan too. The issue should be fixed in gcc-11.3.0 and gcc-12, but glibc supports older compilers.

* cheri: malloc: disable capability narrowing on some tests | Szabolcs Nagy | 2022-10-12 | 1 | -0/+5
    malloc/tst-malloc-backtrace tests heap corruption. malloc/tst-dynarray uses malloc_debug wrappers that access internals.

* cheri: malloc: add tunable to turn narrowing off | Szabolcs Nagy | 2022-10-12 | 3 | -0/+19

* cheri: malloc: Capability narrowing using internal lookup table | Szabolcs Nagy | 2022-10-12 | 4 | -18/+470
    Add more cap_ hooks to implement narrowing without depending on a global capability covering the heap. Either recording every narrowed capability in a lookup table or recording every mapping used for the heap are supported. The morello implementation uses a lookup table for now.
    The lookup table adds memory overhead, failure paths and locks. Recording and removing entries from the lookup table must be done carefully in realloc so on failure the old pointer is usable and on success the old pointer is immediately reusable concurrently. The locks require fork hooks so malloc works in a multi-threaded fork child.

* cheri: malloc: Initial capability narrowing support | Szabolcs Nagy | 2022-10-12 | 3 | -8/+272
    Public interfaces return pointers with narrow bounds; this internally requires bumping the size and alignment requirement of allocations so the bounds are representable. When pointers with narrow bounds need to be turned back to have wide bounds (free, realloc), the pointer is rederived from DDC. (So this patch relies on DDC to cover all heap memory with RW permission.)
    Allocations above the mmap threshold waste memory for alignment and realloc often falls back to the inefficient alloc, copy, free sequence instead of mremap or other in-place solution.

* malloc: Don't use __libc_free for tcache cleanup | Szabolcs Nagy | 2022-10-12 | 1 | -2/+31
    __libc_free must only be used for memory given out by __libc_malloc and similar public APIs, but tcache stores a cache of already freed pointers and itself is allocated using internal malloc APIs. Strong double free detection in __libc_free breaks tcache_thread_shutdown, so use a cut down version of free to reset tcache entries.

* cheri: elf: make sure dlpi_phdr covers the load segments | Szabolcs Nagy | 2022-10-12 | 1 | -0/+5
    In dl_iterate_phdr phdr is the only capability passed to the callback that may be used to derive pointers of the elf module, so ensure it has wide bounds.

* aarch64: morello: add dl-r_debug.h | Szabolcs Nagy | 2022-10-12 | 1 | -0/+61
    Used internally for r_debug tests, but with the assumption that the return value can be dereferenced, so change the prototype and return a valid capability. Also used in pldd, where we only support purecap ABI processes.

* TODO(api): cheri: fix dl_iterate_phdr dlpi_addr | Szabolcs Nagy | 2022-10-12 | 1 | -0/+6
    The dlpi_addr field is a capability that has value l_addr, but we can only do this for libraries (ET_DYN) where l_addr == l_map_start; otherwise we return l_addr, which is normally 0 then (ET_EXEC), so the caller can detect and special-case it. For now the l_addr != 0 and l_addr != l_map_start case is not supported.
    Note: this api may be used by the unwinder to find and read .eh_frame data.
    TODO: dlpi_addr could be address only, but requires unwinder update and agreement about the abi.

* aarch64: morello: elf: drop unused load address computation | Szabolcs Nagy | 2022-10-12 | 1 | -41/+0
    l_addr is no longer a capability so this is not needed.

* cheri: elf: Turn l_addr back to ElfW(Addr) | Szabolcs Nagy | 2022-10-12 | 7 | -30/+9
    Pointers are no longer derived from l_addr, but from l_map_start (RX) and l_rw_start (RW), so it does not have to be a capability. This also allows removing hacks where l_addr was derived from DDC.

* cheri: elf: use RX, RW capabilities to derive pointers | Szabolcs Nagy | 2022-10-12 | 13 | -39/+37
    Instead of map->l_addr + offset use
        dl_rx_ptr (map, offset)
        dl_rw_ptr (map, offset)
    depending on RX or RW permission requirement.

* aarch64: morello: RX, RW fixes for relocation processing | Szabolcs Nagy | 2022-10-12 | 1 | -8/+14

* aarch64: morello: elf: Return bounded pointer in __tls_get_addr | Szabolcs Nagy | 2022-10-12 | 4 | -9/+69
    There is no traditional TLS support in morello that would explicitly call __tls_get_addr, but the libc uses it internally and the returned pointer escapes to user code. So bound the pointers according to the tls symbol size instead of doing so in each caller. (Affects dlsym and dynamic TLSDESC.)

* aarch64: morello: fix DL_SYMBOL_ADDRESS | Szabolcs Nagy | 2022-10-12 | 6 | -2/+84
    It has to return a pointer that can be dereferenced, so it must be derived correctly from RX and RW capabilities. Try to have tight object bounds and seal function symbols.

* cheri: fix SYMBOL_ADDRESS to return RX derived pointer | Szabolcs Nagy | 2022-10-12 | 1 | -2/+5
    All symbol addresses can be derived from the RX capability of the module (l_map_start). For RW object symbols the pointer will have to be rederived from l_rw_start.

* cheri: elf: Use RW permissions for l_ld when needed | Szabolcs Nagy | 2022-10-12 | 2 | -2/+6
    The dynamic section of an executable needs to be written to set the DT_DEBUG entry for debuggers (unless the target has some other place to store r_debug). For this reason we make l_ld writable whenever the dynamic section is writable. The ld.so l_ld is kept RX, since it does not have DT_DEBUG. (Note: relocating the dynamic section is not allowed on cheri and that's the only other reason glibc would write to it.)

* aarch64: morello: add D_PTR_RW | Szabolcs Nagy | 2022-10-12 | 2 | -1/+5
    Writable version of D_PTR, required for updating GOT[1] and GOT[2].

* aarch64: morello: fix relative relocs | Szabolcs Nagy | 2022-10-12 | 4 | -48/+34
    Use the reloc processing code from cheri-rel.h which already supports separate RX and RW capabilities per module.

* cheri: Setup RX, RW capabilities for static linking | Szabolcs Nagy | 2022-10-12 | 2 | -2/+12
    At least tls image access requires the RX capability of the main link_map.

* cheri: elf: Setup per module RX and RW capabilities | Szabolcs Nagy | 2022-10-12 | 2 | -0/+95
    The l_map_start and l_rw_start of the ld.so and exe come from the auxv since they are normally mapped by the kernel. Some generic code had to be modified so l_map_start is propagated and not overwritten when it is recomputed.
    The l_rw_range should exclude the relro region, but in libc.so and ld.so this does not work: symbols are accessed before relro is applied and then the permission should be writable.

* aarch64: morello: Add elf_machine_rtld_base_setup | Szabolcs Nagy | 2022-10-12 | 1 | -0/+72
    Use a new hook to do the rtld bootstrap map base address and root capability setup on CHERI. This will be needed to use separate per module RX and RW root caps.

* elf: add dl_{rx,rw}_ptr to derive addresses within a map | Szabolcs Nagy | 2022-10-12 | 1 | -0/+28
    To derive pointers within a module from the per module RX and RW caps.

* cheri: elf: add an RW capability to link_map | Szabolcs Nagy | 2022-10-12 | 1 | -0/+12
    For each module keep an RX and an RW root capability. Use the existing l_map_start for RX (covering all load segments) and add l_rw_start for RW (covering all writable load segments).
    For relocation processing, we also need individual RW ranges to decide which objects need to be derived from RW and RX capabilities. In practice most modules have exactly one RW segment and it's unlikely that any module needs more than four distinct ranges to tightly cover the RW mappings.
    Only added on CHERI targets so always has to be used behind ifdef.

* aarch64: morello: Use purecap ELF entry ABI in _start | Szabolcs Nagy | 2022-10-12 | 2 | -51/+85
    The purecap ELF entry is special: it passes separate argc, argv, envp, auxv in registers instead of on the stack. The ldso internal _dl_start still expects contiguous argc, argv, envp, auxv, so that's emulated.

* aarch64: morello: use RW and RX capabilities for static start code | Szabolcs Nagy | 2022-10-12 | 2 | -12/+13
    For each module there will be separate RW and RX capabilities that cover the writable and all load segments respectively. Prepare the relative reloc processing in static start code for such separate capabilities.