path: root/sysdeps
Commit message | Author | Age | Files | Lines
* cheri: malloc: exact capability check in free/realloc [arm/morello/main] | Szabolcs Nagy | 2023-04-05 | 2 | -26/+41
  Capability narrowing uses a lookup table from an address to the internally used wide capability. Keep the narrow capability in the table instead of just the address and check it. This allows free and realloc to check their input and only accept capabilities exactly matching what was returned by malloc. When a user adds restrictions on top of malloc returned capabilities (e.g. narrower bounds), realloc could bypass those restrictions when it simply looked up the internal wide capability for the address.
* TODO(vdso): aarch64: morello: disable VDSO loading | Szabolcs Nagy | 2023-02-21 | 1 | -0/+21
  Once the kernel starts providing a VDSO, old binaries should continue to work (without using the new VDSO). For this we set the vdso to 0 independently of auxv, otherwise glibc attempts to load it even if the target has no vdso symbols specified and the load can crash since the setup code is not purecap compatible.
* TODO(uapi): aarch64: morello: update HWCAP2_MORELLO | Szabolcs Nagy | 2023-02-02 | 1 | -1/+1
* cheri: malloc: Set fixed mmap_threshold for capability narrowing | Szabolcs Nagy | 2022-12-09 | 1 | -0/+4
  Capability narrowing requires extra alignment for large allocations, this can cause significant heap fragmentation so ensure large allocations use a single mmap and unmapped on free. The fragmentation is bug 14581. This patch disables dynamic mmap threshold when cap_narrowing is enabled and uses a threshold of 256 kbytes on morello (which means at most 64 byte alignment requirement on the heap). The dynamic threshold could quickly grow very big and stay there making the fragmentation issue common.
* aarch64: morello: malloc: better lookup table resize logic | Szabolcs Nagy | 2022-12-08 | 1 | -1/+1
  Capability narrowing uses a lookup table and the old logic could cause unnecessary resizes after deletes with the smallest lookup table size.
* cheri: malloc: Capability narrowing using internal lookup table | Szabolcs Nagy | 2022-11-22 | 2 | -3/+301
  Add more cap_ hooks to implement narrowing without depending on a global capability covering the heap. Either recording every narrowed capability in a lookup table or recording every mapping used for the heap are supported. The morello implementation uses a lookup table for now. The lookup table adds memory overhead, failure paths and locks. Recording and removing entries from the lookup table must be done carefully in realloc so on failure the old pointer is usable and on success the old pointer is immediately reusable concurrently. The locks require fork hooks so malloc works in multi-threaded fork child.
* cheri: malloc: Initial capability narrowing support | Szabolcs Nagy | 2022-11-22 | 2 | -0/+100
  Public interfaces return pointers with narrow bounds, this internally requires bumping the size and alignment requirement of allocations so the bounds are representable. When pointers with narrow bounds need to be turned back to have wide bounds (free, realloc), the pointer is rederived from DDC. (So this patch relies on DDC to cover all heap memory with RW permission.) Allocations above the mmap threshold waste memory for alignment and realloc often falls back to the inefficient alloc, copy, free sequence instead of mremap or other inplace solution.
* cheri: Update libc.abilist for getauxptr | Carlos Eduardo Seo | 2022-11-22 | 36 | -0/+72
  Updates libc.abilist files for getauxptr to version 2.37.
* cheri: stdio-common: Add test for %#p printf modifier | Carlos Eduardo Seo | 2022-11-22 | 2 | -0/+101
  Testcase for printing capabilities.
* cheri: Fix sigevent ABI | Szabolcs Nagy | 2022-11-22 | 1 | -1/+5
  Adjust padding to accommodate pointer size and alignment increase.
* cheri: fix posix timers | Szabolcs Nagy | 2022-11-22 | 1 | -0/+20
  We need to distinguish timerids that are small integers returned by the kernel and timerids that are pointers to struct timer. The existing pointer tagging does not work for CHERI because of the pointer shift. Simply use the top bit without shift to tag pointers. This still relies on the top byte ignore of aarch64 (the top byte does not affect the capability representation) and that pointers are not tagged for other reasons (like HWASAN). Note: this is morello specific and does not work for generic cheri.
* TODO(uapi): cheri: start: restrict auxv capability permissions | Szabolcs Nagy | 2022-11-22 | 2 | -0/+4
  TODO: not needed with full pcuabi
* aarch64: morello: fix DL_SYMBOL_ADDRESS | Szabolcs Nagy | 2022-11-22 | 6 | -2/+67
  It has to return a pointer that can be dereferenced, so it must be derived correctly from RX and RW capabilities. Try to have tight object bounds and seal function symbols.
* aarch64: morello: add D_PTR_RW | Szabolcs Nagy | 2022-11-22 | 2 | -1/+5
  Writable version of D_PTR, required for updating GOT[1] and GOT[2].
* aarch64: morello: Return bounded pointer in __tls_get_addr | Szabolcs Nagy | 2022-11-22 | 3 | -9/+65
  There is no traditional TLS support in morello that would explicitly call __tls_get_addr, but the libc uses it internally and the returned pointer escapes to user code. So bound the pointers according to the tls symbol size instead of doing so in each caller. (Affects dlsym and dynamic TLSDESC.)
* aarch64: morello: dynamic linking support | Szabolcs Nagy | 2022-11-22 | 8 | -2/+856
  Add morello specific dl-machine.h. Add morello dynamic relocation processing support for purecap ABI. Only support R_AARCH64_NONE, R_AARCH64_ABS64 and R_AARCH64_RELATIVE dynamic relocs from the lp64 ABI. RELATIVE and IRELATIVE relocs use a helper function from cheri-rel.h to construct a capability. Also fixed the IRELATIVE handling for static linking. Use new machine routines on morello for load address computation so it is a valid capability:
    void *elf_machine_runtime_dynamic (void)
    void elf_machine_rtld_base_setup (struct link_map *map, void *args)
  The ld.so load address and RX, RW capabilities are derived from auxv and the RW ranges are set up based on the ld.so program headers early. __tls_get_addr should return a bounded pointer instead of fixing it in _dl_make_tlsdesc_dynamic, this is done in a separate patch.
* aarch64: morello: add lazy binding entry code | Szabolcs Nagy | 2022-11-22 | 1 | -0/+136
* cheri: elf: fix SYMBOL_ADDRESS to return RX derived pointer | Szabolcs Nagy | 2022-11-22 | 1 | -2/+5
  All symbol addresses can be derived from the RX capability of the module (l_map_start). For RW object symbols pointer will have to be rederived from l_rw_start.
* cheri: elf: Use elfptr_t for function symbol fixup | Szabolcs Nagy | 2022-11-22 | 1 | -1/+1
  Propagate capabilities during lazy binding and IFUNC fixup in dlsym.
* aarch64: morello: add dl-r_debug.h | Szabolcs Nagy | 2022-11-22 | 1 | -0/+61
  Used internally for r_debug tests, but with the assumption that the return value can be dereferenced, so change the prototype and return a valid capability. Also used in pldd, where we only support purecap abi processes.
* aarch64: elf: avoid loading incompatible binaries | Szabolcs Nagy | 2022-11-22 | 1 | -1/+2
  Prevent lp64 ld.so loading purecap binaries.
* cheri: elf: use RX, RW capabilities to derive pointers | Szabolcs Nagy | 2022-11-22 | 1 | -1/+2
  Instead of
    map->l_addr + offset
  use
    dl_rx_ptr (map, offset)
    dl_rw_ptr (map, offset)
  depending on RX or RW permission requirement.
* cheri: elf: change l_entry to be elfptr_t | Szabolcs Nagy | 2022-11-22 | 2 | -5/+5
  It is simpler and more consistent to make l_entry a capability throughout instead of leaving it as an address and converting before use: The AT_ENTRY auxv entry is specified to be a capability and a number of internal l_entry usage is simpler if it is elfptr_t. Functions returning a pointer to the user entry are also changed to use elfptr_t.
* aarch64: morello: add purecap ld.so _start code | Szabolcs Nagy | 2022-11-22 | 1 | -0/+110
  The purecap version of aarch64 dl-start.S. Note: self relocation of ld.so is handled by the rtld bootstrap code. The ldso internal _dl_start still expects continuous argc, argv, envp, auxv, so that's emulated (since the purecap ELF entry passes them in separate registers).
* aarch64: morello: rtld: define DL_RO_DYN_SECTION | Szabolcs Nagy | 2022-11-22 | 1 | -0/+25
  The dynamic section cannot be relocated to hold pointers in place.
* aarch64: morello: fix ldconfig for purecap abi | Szabolcs Nagy | 2022-11-22 | 4 | -1/+20
  Add purecap ld cache flag. Add the purecap ld.so name to known names. Handle lib64c system library paths. And set the purecap abi flag on cache entries.
* aarch64: morello: disable the vpcs test | Szabolcs Nagy | 2022-11-22 | 1 | -1/+1
  The asm code of the test is for lp64 ABI only.
* aarch64: morello: add purecap ucontext support | Carlos Eduardo Seo | 2022-11-22 | 9 | -0/+493
  Adjust ucontext layout for purecap ABI and add make/get/set/swapcontext implementations accordingly. Note: mcontext layout follows the linux sigcontext struct, in userspace *context functions rely on the c registers stored in the extension area and ignore the mcontext fields for x registers.
* aarch64: morello: add purecap setjmp/longjmp | Carlos Eduardo Seo | 2022-11-22 | 3 | -1/+176
  Similar to lp64 setjmp/longjmp, but handles capability registers. Save q regs instead of d regs to simplify the offset computation.
* cheri: rseq: remove const to avoid readonly permission | Szabolcs Nagy | 2022-11-22 | 1 | -0/+14
  Using const on the definition does not work for a pure capability ABI: the capability permissions when accessing the object will be read only. Use a hack to hide the public declaration in the TU where the const objects are initialized. (This should work on non-capability targets too, but to err on the safe side only enable the hack on capability targets.)
* cheri: Fix capability permissions of PROT_NONE maps in test code | Szabolcs Nagy | 2022-11-22 | 1 | -1/+1
* aarch64: morello: nptl: fix thread pointer setup | Szabolcs Nagy | 2022-11-22 | 1 | -0/+5
* aarch64: morello: nptl: fix pthread types for 128 bit pointers | Szabolcs Nagy | 2022-11-22 | 1 | -1/+11
* cheri: nptl: fix pthread_attr_t alignment | Szabolcs Nagy | 2022-11-22 | 1 | -0/+1
  Alignment of the public definition did not match the internal layout. Ensure that the type is at least pointer aligned.
* cheri: nptl: fix thread ID types for capabilities | Szabolcs Nagy | 2022-11-22 | 2 | -0/+8
* cheri: Implement 128-bit atomics | Szabolcs Nagy | 2022-11-22 | 1 | -0/+21
  Arm Morello requires 128-bit atomics.
* cheri: Setup RX, RW capabilities for static linking | Szabolcs Nagy | 2022-11-22 | 1 | -2/+7
  At least tls image access requires RX capability of the main link_map.
* cheri: elf: add dl_{rx,rw}_ptr to derive addresses within a map | Szabolcs Nagy | 2022-11-22 | 1 | -0/+28
  To derive pointers within a module from the per module RX and RW caps.
* cheri: fix static linking early allocation | Szabolcs Nagy | 2022-11-22 | 1 | -1/+1
  Store mmap result to intptr_t instead of long.
* cheri: don't use dl_random for pointer mangling | Szabolcs Nagy | 2022-11-22 | 1 | -0/+5
  Pointer mangling cannot be supported on capability architectures. And there are not enough bytes in dl_random for 128 bit pointers. Stack guard is still loaded from dl_random: stack protection is unlikely to be useful on a capability architecture, but it works.
* aarch64: morello: add purecap start code | Szabolcs Nagy | 2022-11-22 | 2 | -0/+215
  Written in C so the self relocation code in crt1.o is easier to maintain. The purecap ELF entry is special: passes separate argc, argv, envp, auxv in registers instead of on the stack. For each module there will be separate RW and RX capabilities that cover the writable and all load segments respectively. The relative reloc processing code is prepared for such separate capabilities. The static link detection (for self relocation) is not ideal, it relies on relocations that don't work in PIC, so it is ifdefed out for Scrt1.o. (Currently adrp of undefined weak symbol is not fixed up by the linker to be 0 so we use movz to detect the presence of __rela_dyn_start.)
* cheri: change __libc_start_main prototype | Szabolcs Nagy | 2022-11-22 | 1 | -0/+32
  The prototype of __libc_start_main is changed to
    void __libc_start_main (int main (int, char **, char **, void *),
                            int argc, char **argv, char **envp, void *auxv,
                            void rtld_fini (void), void *sp);
  so envp is passed down separately and the unused init, fini args are dropped.
* aarch64: morello: purecap crti.S and crtn.S | Carlos Eduardo Seo | 2022-11-22 | 2 | -0/+141
  Purecap ABI versions of crti.S and crtn.S.
* cheri: aarch64: Add header for CHERI permissions | Carlos Eduardo Seo | 2022-11-22 | 1 | -0/+84
  New file containing the capability permission bits. The capability permission bits are defined in the Arm Architecture Reference Manual Supplement - Morello for A-Profile Architecture:
    https://developer.arm.com/documentation/ddi0606/latest
* cheri: elf: use elfptr_t for auxv parsing | Szabolcs Nagy | 2022-11-22 | 1 | -2/+2
* cheri: Fix pselect signal mask argument | Szabolcs Nagy | 2022-11-22 | 1 | -5/+12
  The signal mask argument is passed as a struct with a pointer and size in the linux syscall abi, but the types used in glibc were wrong for CHERI due to an x32 specific hack.
* TODO(uapi): narrow capability in mmap and mremap | Szabolcs Nagy | 2022-11-22 | 2 | -3/+40
  This is a temporary workaround. length is rounded up to pagesize and don't use exact bound (bounds will be larger if exact value is not representable). capability permissions are roughly emulated too. TODO: kernel should do this
* TODO(uapi): aarch64: morello: add HWCAP2_MORELLO | Szabolcs Nagy | 2022-11-22 | 1 | -0/+1
  TODO: this is the value in the 5.18 kernel, will change later.
* TODO(uapi): aarch64: morello: use non-ifunc gettimeofday | Szabolcs Nagy | 2022-11-22 | 1 | -1/+3
  TODO: Remove this once morello has vdso gettimeofday.
* TODO(uapi): aarch64: morello: make brk always fail | Szabolcs Nagy | 2022-11-22 | 1 | -0/+25
  TODO: drop this once linux brk always fails.