From: Kostik Belousov
To: arch@freebsd.org, amd64@freebsd.org
Date: Thu, 25 Nov 2010 17:48:52 +0200
Message-ID: <20101125154852.GR2392@deviant.kiev.zoral.com.ua>
Subject: Non-executable stacks
Hello,
at http://people.freebsd.org/~kib/misc/nxstacks.1.patch please find the patch that implements non-executable stack support for amd64 (and for FreeBSD/ia32 processes executed on an amd64 host). The implementation is done to take advantage of the GNU toolchain PT_GNU_STACK markers. The description of them I was able to find, other than the binutils and gcc source code, is at
http://www.redhat.com/archives/fedora-devel-list/2003-November/msg00838.html
http://www.gentoo.org/proj/en/hardened/gnu-stack.xml

Notes about the patch. It consists of the following pieces that are relatively independent from each other:

- Added a .note.GNU-stack section to all assembly sources for i386 and amd64 used to build rtld, libc, libm and libthr. The libraries do not need an executable stack, so they shall be marked as such. This is the biggest and most trivial part of the patch. I had to modify the contributed source for the compiler-rt library.

- Changed the gcc configuration to emit .note.GNU-stack as appropriate, for i386 and amd64.

- Moved signal trampolines off the main process stack. For this, I had to implement the global shared page for the n-th time. A simple allocator is provided to carve properly aligned chunks of the page space. It is used by image activators to allocate space for the trampolines.

- The ELF activator parses the PT_GNU_STACK phdr and sets the stack protection as specified in the image. If the phdr is missing, rwx is used, as before.

- rtld is supplied with the main stack protection mode by a new aux vector. If any dso is loaded that requires an executable stack and the current protection disables execution from the stack, __pthread_map_stacks_exec() is called.

- For a single-threaded process, libc provides the weak implementation of __pthread_map_stacks_exec() that calls mprotect() on the main process stack.

- For a multi-threaded process, libthr provides __pthread_map_stacks_exec() that changes the protection of all allocated stacks. The new rtld interface _rtld_get_stack_prot() is used to properly set the protection for created threads.

It is curious enough that HEAD allocates the main stack on amd64 as executable, but libthr marks all stacks for non-initial threads as not executable! This should already break some gcc features when used from a non-initial thread.
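The two decisions described above, the ELF activator deriving the main-stack protection from PT_GNU_STACK (with rwx as the fallback when the phdr is absent) and rtld deciding whether a newly loaded object forces the stacks to become executable, as an added standalone illustration. This is example code, not the patch's kernel or rtld code: the names elf_stack_prot(), stack_exec_upgrade_needed() and build_image() are hypothetical, the ELF structures and PF_*/PT_GNU_STACK values are copied from the ELF specification so the file builds without <sys/elf64.h>, and the VM_PROT_* bits follow FreeBSD's vm_prot_t values. The ELF images are constructed in memory for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF64 definitions mirroring the ELF specification (layout is
 * padding-free: sizeof(Elf64_Ehdr) == 64, sizeof(Elf64_Phdr) == 56). */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf64_Ehdr;

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Elf64_Phdr;

#define PT_LOAD      1
#define PT_GNU_STACK 0x6474e551   /* GNU toolchain stack marker */
#define PF_X 0x1
#define PF_W 0x2
#define PF_R 0x4

/* Protection bits, following FreeBSD's vm_prot_t values. */
#define VM_PROT_READ    0x01
#define VM_PROT_WRITE   0x02
#define VM_PROT_EXECUTE 0x04
#define VM_PROT_ALL     (VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE)

/* Image-activator side (hypothetical name): derive the main-stack protection
 * from PT_GNU_STACK. Returns VM_PROT_ALL (rwx, the historical behaviour) when
 * the phdr is missing, and -1 for an image that is not a usable ELF64 file. */
int elf_stack_prot(const void *image, size_t len)
{
    const Elf64_Ehdr *eh = image;
    if (len < sizeof(*eh) || memcmp(eh->e_ident, "\177ELF", 4) != 0)
        return -1;
    /* Bounds-check the program header table before walking it. */
    if (eh->e_phentsize != sizeof(Elf64_Phdr) || eh->e_phoff > len ||
        (size_t)eh->e_phnum * sizeof(Elf64_Phdr) > len - eh->e_phoff)
        return -1;
    const Elf64_Phdr *ph = (const Elf64_Phdr *)((const char *)image + eh->e_phoff);
    for (int i = 0; i < eh->e_phnum; i++) {
        if (ph[i].p_type != PT_GNU_STACK)
            continue;
        int prot = 0;
        if (ph[i].p_flags & PF_R) prot |= VM_PROT_READ;
        if (ph[i].p_flags & PF_W) prot |= VM_PROT_WRITE;
        if (ph[i].p_flags & PF_X) prot |= VM_PROT_EXECUTE;
        return prot;
    }
    return VM_PROT_ALL;   /* no marker: keep the old rwx default */
}

/* rtld side (hypothetical name): an object that asks for an executable stack
 * only matters when the stacks are currently non-executable; that is the case
 * in which __pthread_map_stacks_exec() would have to be called. */
int stack_exec_upgrade_needed(int current_prot, int dso_stack_prot)
{
    return (dso_stack_prot & VM_PROT_EXECUTE) && !(current_prot & VM_PROT_EXECUTE);
}

/* Constructed test image: one PT_LOAD plus an optional PT_GNU_STACK phdr. */
struct test_image {
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
};

void build_image(struct test_image *img, int with_gnu_stack, uint32_t stack_flags)
{
    memset(img, 0, sizeof(*img));
    memcpy(img->eh.e_ident, "\177ELF", 4);
    img->eh.e_phoff = sizeof(Elf64_Ehdr);
    img->eh.e_phentsize = sizeof(Elf64_Phdr);
    img->eh.e_phnum = with_gnu_stack ? 2 : 1;
    img->ph[0].p_type = PT_LOAD;
    img->ph[0].p_flags = PF_R | PF_X;
    if (with_gnu_stack) {
        img->ph[1].p_type = PT_GNU_STACK;
        img->ph[1].p_flags = stack_flags;
    }
}

/* Marked non-executable stack (what .note.GNU-stack in every object gives). */
int demo_prot_nx(void)
{
    struct test_image img;
    build_image(&img, 1, PF_R | PF_W);
    return elf_stack_prot(&img, sizeof(img));
}

/* Marked as requiring an executable stack. */
int demo_prot_exec(void)
{
    struct test_image img;
    build_image(&img, 1, PF_R | PF_W | PF_X);
    return elf_stack_prot(&img, sizeof(img));
}

/* Legacy image without PT_GNU_STACK: rwx, as before the patch. */
int demo_prot_legacy(void)
{
    struct test_image img;
    build_image(&img, 0, 0);
    return elf_stack_prot(&img, sizeof(img));
}

int main(void)
{
    printf("PT_GNU_STACK rw-: prot %d\n", demo_prot_nx());
    printf("PT_GNU_STACK rwx: prot %d\n", demo_prot_exec());
    printf("no PT_GNU_STACK : prot %d\n", demo_prot_legacy());
    printf("rw- stack meets rwx dso, remap needed: %d\n",
           stack_exec_upgrade_needed(demo_prot_nx(), demo_prot_exec()));
    return 0;
}
```

The linker only emits a non-executable PT_GNU_STACK when every input object carries the marker, which is why the first item of the patch touches every hand-written assembly file: in gcc-generated x86 assembly the marker is the directive `.section .note.GNU-stack,"",@progbits`, and a single object without it is enough to make the whole executable fall back to the rwx case shown by demo_prot_legacy().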