
[safestack] Add runtime support for MPX-based hardening
Needs Review, Public

Authored by mlemay-intel on Feb 7 2017, 8:36 AM.

Details

Reviewers
zvi
eugenis
pcc
Summary

This patch adds support for the separate stack segment feature on 64-bit
platforms with Intel MPX support. It initializes MPX and allocates safe stacks
at high addresses so that BNDCU instructions inserted by the compiler can block
stray writes to safe stacks.

Event Timeline

mlemay-intel created this revision. Feb 7 2017, 8:36 AM
kcc added a subscriber: kcc. Feb 7 2017, 1:55 PM

Michael,
Please excuse me if I missed some email thread on llvm-dev describing at the high level what you are doing with MPX.
If there was no such thread I encourage you to start one.

I am personally extremely skeptical about anything related to MPX
(see https://github.com/google/sanitizers/wiki/AddressSanitizerIntelMemoryProtectionExtensions and the more recent and detailed intel-mpx.github.io).
Now, from a quick glance it looks like you are using the MPX instructions for something else,
but it deserves a discussion before we look at the patches.

In D29657#669919, @kcc wrote:

> Michael,
> Please excuse me if I missed some email thread on llvm-dev describing at the high level what you are doing with MPX.
> If there was no such thread I encourage you to start one.
>
> I am personally extremely skeptical about anything related to MPX
> (see https://github.com/google/sanitizers/wiki/AddressSanitizerIntelMemoryProtectionExtensions and the more recent and detailed intel-mpx.github.io).
> Now, from a quick glance it looks like you are using the MPX instructions for something else,
> but it deserves a discussion before we look at the patches.

Hi Kostya,

You haven't missed anything; I'm in the middle of writing the llvm-dev post now. :) Thanks for your feedback. Very briefly, I'm using MPX to enforce something analogous to a coarse-grained segment limit rather than fine-grained per-object bounds.

  • Reserve space during runtime library initialization for safe stacks to be allocated later. This helps to prevent ordinary data from being allocated at addresses that could lead to bound check violations.
  • Protect the variable that records the address of the most recent safe stack by moving it above the bound.
  • Add MprotectReadWrite to sanitizer_posix.cc.
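The coarse-grained "segment limit" idea from the summary and the reply above, as an added illustration that is not part of the patch or the compiler-rt runtime: MPX is emulated in software here (a `bnd_t` struct and a `bndcu_violates` function stand in for the bounds register and the BNDCU instruction; a real BNDCU would raise #BR instead of returning a flag), the address space is a constructed static array, and all names (`space`, `BOUND_OFF`, `alloc_safe_stack`, `guarded_store`, `overflow`, `demo_guarded`, `demo_unguarded`) are hypothetical. Ordinary data lives below the bound, safe stacks are carved from the region above it, the allocation cursor for safe stacks is itself stored above the bound, and a linear overflow from an unsafe buffer is cut off exactly at the bound when every store is preceded by the check, but corrupts the safe stack when it is not.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the process address space (hypothetical layout):
 * ordinary data occupies [0, BOUND_OFF), safe stacks are allocated above it. */
#define SPACE_SIZE 4096u
#define BOUND_OFF  2048u
static _Alignas(16) uint8_t space[SPACE_SIZE];

/* Emulated MPX bounds register; ub is the inclusive upper bound. */
typedef struct { uintptr_t lb, ub; } bnd_t;

/* Emulated BNDCU: returns 1 if a hardware BNDCU on addr would raise #BR. */
static int bndcu_violates(const bnd_t *b, uintptr_t addr) {
    return addr > b->ub;
}

/* Runtime initialization: the bound covers exactly the ordinary-data region. */
static bnd_t init_bound(void) {
    bnd_t b = { (uintptr_t)space, (uintptr_t)space + BOUND_OFF - 1 };
    return b;
}

/* The cursor recording the most recently allocated safe stack lives in the
 * top slot of the protected region, so a stray write below the bound cannot
 * retarget it. */
static uint8_t **safe_stack_cursor(void) {
    return (uint8_t **)(space + SPACE_SIZE - sizeof(uint8_t *));
}

/* Bump allocator for safe stacks, growing down from just below the cursor
 * slot toward the bound. Returns NULL when the reserved region is exhausted. */
static uint8_t *alloc_safe_stack(size_t sz) {
    uint8_t **cur = safe_stack_cursor();
    if (*cur == NULL) *cur = (uint8_t *)cur;      /* first allocation starts at the slot */
    if ((size_t)(*cur - (space + BOUND_OFF)) < sz) return NULL;
    *cur -= sz;
    return *cur;
}

/* A store through an ordinary pointer with the compiler-inserted check in
 * front of it. Returns 0 if the check would have faulted (store suppressed). */
static int guarded_store(const bnd_t *b, uint8_t *p, uint8_t v) {
    if (bndcu_violates(b, (uintptr_t)p)) return 0;
    *p = v;
    return 1;
}

/* Linear overflow of n bytes starting at offset off, with or without the
 * check before each store. Returns the number of stores that were blocked. */
static size_t overflow(const bnd_t *b, size_t off, size_t n, int guarded) {
    size_t blocked = 0;
    for (size_t i = 0; i < n && off + i < SPACE_SIZE; i++) {
        if (guarded) blocked += !guarded_store(b, space + off + i, 0x41);
        else         space[off + i] = 0x41;
    }
    return blocked;
}

/* Returns 1 if every byte of the safe stack still holds the fill pattern. */
static int safe_stack_intact(const uint8_t *stk, size_t sz, uint8_t fill) {
    for (size_t i = 0; i < sz; i++)
        if (stk[i] != fill) return 0;
    return 1;
}

/* Hardened run: an overflow that starts 64 bytes below the bound and runs to
 * the end of the space is stopped at the bound (every store at or above it is
 * blocked) and the safe stack survives. Returns 1 on that outcome. */
static int demo_guarded(void) {
    memset(space, 0, SPACE_SIZE);                 /* runtime's own trusted writes */
    bnd_t b = init_bound();
    uint8_t *stk = alloc_safe_stack(256);
    if (stk == NULL) return 0;
    memset(stk, 0xAA, 256);
    size_t start = BOUND_OFF - 64;
    size_t blocked = overflow(&b, start, SPACE_SIZE - start, 1);
    return blocked == SPACE_SIZE - BOUND_OFF && safe_stack_intact(stk, 256, 0xAA);
}

/* Unhardened run: the same overflow with no check reaches and corrupts the
 * safe stack. Returns 1 if the stack was corrupted. */
static int demo_unguarded(void) {
    memset(space, 0, SPACE_SIZE);
    bnd_t b = init_bound();
    uint8_t *stk = alloc_safe_stack(256);
    if (stk == NULL) return 0;
    memset(stk, 0xAA, 256);
    size_t start = BOUND_OFF - 64;
    overflow(&b, start, SPACE_SIZE - start, 0);
    return !safe_stack_intact(stk, 256, 0xAA);
}

int main(void) {
    printf("guarded: safe stack intact = %d\n", demo_guarded());
    printf("unguarded: safe stack corrupted = %d\n", demo_unguarded());
    return 0;
}
```

The check models only the upper bound, which is all this scheme needs: a single BNDCU against one global limit, not per-object bounds, which is the distinction the reply draws against the MPX criticisms linked above.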