diff options
| author | Ben Gamari <ben@smart-cactus.org> | 2019-10-28 00:34:09 -0400 |
|---|---|---|
| committer | Marge Bot <ben+marge-bot@smart-cactus.org> | 2019-11-04 03:41:44 -0500 |
| commit | 120f2e5343d5ccd3ad117d530018b75302c6482b (patch) | |
| tree | 66b3e392325172021ef79518a0027de2962a2f84 /rts/LinkerInternals.h | |
| parent | 5d4f16eed151caddf4624ff0a1fc23d5a4475957 (diff) | |
| download | haskell-120f2e5343d5ccd3ad117d530018b75302c6482b.tar.gz | |
rts/linker: Ensure that code isn't writable
For many years the linker would simply map all of its memory with
PROT_READ|PROT_WRITE|PROT_EXEC. However operating systems have been
becoming increasingly reluctant to accept this practice (e.g. #17353
and #12657) and for good reason: writable code is ripe for exploitation.
Consequently mmapForLinker now maps its memory with
PROT_READ|PROT_WRITE. After the linker has finished filling/relocating
the mapping it must then call mmapForLinkerMarkExecutable on the
sections of the mapping which contain executable code.
Moreover, to make all of this possible it was necessary to redesign the
m32 allocator. First, we gave (in an earlier commit) each ObjectCode its
own m32_allocator. This was necessary since code loading and symbol
resolution/relocation are currently interleaved, meaning that it is not
possible to enforce W^X when symbols from different objects reside in
the same page.
We then redesigned the m32 allocator to take advantage of the fact that
all of the pages allocated with the allocator die at the same time
(namely, when the owning ObjectCode is unloaded). This makes a number of
things simpler (e.g. no more page reference counting; the interface
provided by the allocator for freeing is simpler). See
Note [M32 Allocator] for details.
Diffstat (limited to 'rts/LinkerInternals.h')
| -rw-r--r-- | rts/LinkerInternals.h | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/rts/LinkerInternals.h b/rts/LinkerInternals.h index 79fb46eb2b..5cd35f2e5b 100644 --- a/rts/LinkerInternals.h +++ b/rts/LinkerInternals.h @@ -130,7 +130,7 @@ typedef struct _Segment { SegmentProt prot; /* mem protection to set after all symbols were * resolved */ - int *sections_idx; /* an array of section indexes assigned to this segment */ + int *sections_idx; /* an array of section indexes assigned to this segment */ int n_sections; } Segment; @@ -246,9 +246,10 @@ typedef struct _ObjectCode { HashTable *extraInfos; #if RTS_LINKER_USE_MMAP == 1 - /* The m32 allocator used for allocating small sections - * and symbol extras during loading */ - m32_allocator *m32; + /* The m32 allocators used for allocating small sections and symbol extras + * during loading. We have two: one for (writeable) data and one for + * (read-only/executable) code. */ + m32_allocator *rw_m32, *rx_m32; #endif } ObjectCode; @@ -293,6 +294,7 @@ void freeObjectCode (ObjectCode *oc); SymbolAddr* loadSymbol(SymbolName *lbl, RtsSymbolInfo *pinfo); void *mmapForLinker (size_t bytes, uint32_t flags, int fd, int offset); +void mmapForLinkerMarkExecutable (void *start, size_t len); void addProddableBlock ( ObjectCode* oc, void* start, int size ); void checkProddableBlock (ObjectCode *oc, void *addr, size_t size ); |