This is an archive of the discontinued LLVM Phabricator instance.

Differential D45778

[COFF] Mark images with no exception handlers for /safeseh
ClosedPublic

Authored by rnk on Apr 18 2018, 10:39 AM.

Details

Reviewers
ruiu
mstorsjo
Commits
rG8f1a28f19028: [COFF] Mark images with no exception handlers for /safeseh
rLLD330300: [COFF] Mark images with no exception handlers for /safeseh
rL330300: [COFF] Mark images with no exception handlers for /safeseh
Summary

DLLs and executables with no exception handlers need to be marked with
IMAGE_DLL_CHARACTERISTICS_NO_SEH, even if they have a load config.

Discovered here when building Chromium with LLD on Windows:
https://crbug.com/833951

Diff Detail

Event Timeline

rnk created this revision.Apr 18 2018, 10:39 AM
Harbormaster completed remote builds in B17177: Diff 142963.Apr 18 2018, 10:39 AM
rnk added a comment.Apr 18 2018, 10:51 AM

@mstorsjo will this be a problem for mingw? Does the mingw CRT provide a load config for each image? This could be an undesirable behavior change if mingw does not provide a load config, and the user links in a 32-bit object file that has exception handlers that they don't actually need for program correctness, but now the DLL is marked as not using safe SEH.

mstorsjo added a comment.Apr 18 2018, 11:08 AM
In D45778#1071192, @rnk wrote:

@mstorsjo will this be a problem for mingw? Does the mingw CRT provide a load config for each image?

I have no idea what a load config is - what should I look for and where?

This could be an undesirable behavior change if mingw does not provide a load config, and the user links in a 32-bit object file that has exception handlers that they don't actually need for program correctness, but now the DLL is marked as not using safe SEH.

Fwiw, no mingw setups use SEH for exceptions on i386 so far - it's only used on x86_64. On i386, it's either dwarf or sjlj.

What effect does it have if a DLL is marked as not using safe SEH?

rnk updated this revision to Diff 142984.Apr 18 2018, 1:04 PM
  • Set the flag if there are handlers but no load config
rnk added a comment.Apr 18 2018, 1:05 PM
In D45778#1071211, @mstorsjo wrote:

What effect does it have if a DLL is marked as not using safe SEH?

If it also lacks a load config, it is more easily expoitable. If a DLL doesn't have a IMAGE_LOAD_CONFIG_DIRECTORY64 and it doesn't have the "no SEH" flag set, then any address in that DLL can be used as an exception handler. For 32-bit, exception handler function pointers are stored on the stack, so only a stack buffer overrun followed by an exception is needed to start an exploit chain.

After thinking that through, I think we should adjust the check to always add the "no SEH" flag if there is no load config. That's the safe thing to do.

rnk updated this revision to Diff 142986.Apr 18 2018, 1:06 PM
  • remove tab
Harbormaster completed remote builds in B17186: Diff 142986.Apr 18 2018, 1:06 PM
ruiu added inline comments.Apr 18 2018, 1:39 PM
lld/COFF/Writer.cpp
833–834

Maybe we should move these conditions to createSEHTable and make it a Config member (such as Config->SEH?)

rnk added inline comments.Apr 18 2018, 2:42 PM
lld/COFF/Writer.cpp
833–834

That makes sense, but I wouldn't want to put mutable state on Config. We can just put it on Writer.

rnk updated this revision to Diff 143002.Apr 18 2018, 2:44 PM
  • move logic to createSEHTable
ruiu accepted this revision.Apr 18 2018, 2:47 PM

LGTM

lld/COFF/Writer.cpp
830–834

Maybe you should move I386 to createSEHTable as well?

This revision is now accepted and ready to land.Apr 18 2018, 2:47 PM
rnk updated this revision to Diff 143004.Apr 18 2018, 2:54 PM
  • fix hello32.test: default to marking image as "no seh", then remove it if we record handlers
Harbormaster completed remote builds in B17195: Diff 143004.Apr 18 2018, 2:54 PM
rnk updated this revision to Diff 143006.Apr 18 2018, 2:56 PM
  • fix boolean logic thinko
rnk added inline comments.Apr 18 2018, 3:40 PM
lld/COFF/Writer.cpp
830–834

I found a way to do this that I like.

Closed by commit rL330300: [COFF] Mark images with no exception handlers for /safeseh (authored by rnk). · Explain WhyApr 18 2018, 3:40 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lld/
COFF/
12 lines
test/
COFF/
43 lines
12 lines

Diff 142986

lld/COFF/Writer.cpp

Show First 20 LinesShow All 179 Lines▼ Show 20 Linesprivate:
std::unique_ptr<FileOutputBuffer> &Buffer; std::unique_ptr<FileOutputBuffer> &Buffer;
std::vector<OutputSection *> OutputSections; std::vector<OutputSection *> OutputSections;
std::vector<char> Strtab; std::vector<char> Strtab;
std::vector<llvm::object::coff_symbol16> OutputSymtab; std::vector<llvm::object::coff_symbol16> OutputSymtab;
IdataContents Idata; IdataContents Idata;
DelayLoadContents DelayIdata; DelayLoadContents DelayIdata;
EdataContents Edata; EdataContents Edata;
RVATableChunk *GuardFidsTable = nullptr; bool HasSafeExceptionHandlers = false;
RVATableChunk *SEHTable = nullptr;
DebugDirectoryChunk *DebugDirectory = nullptr; DebugDirectoryChunk *DebugDirectory = nullptr;
std::vector<Chunk *> DebugRecords; std::vector<Chunk *> DebugRecords;
CVDebugRecordChunk *BuildId = nullptr; CVDebugRecordChunk *BuildId = nullptr;
Optional<codeview::DebugInfo> PreviousBuildId; Optional<codeview::DebugInfo> PreviousBuildId;
ArrayRef<uint8_t> SectionTable; ArrayRef<uint8_t> SectionTable;
uint64_t FileSize; uint64_t FileSize;
▲ Show 20 LinesShow All 625 Lines▼ Show 20 Linestemplate <typename PEHeaderTy> void Writer::writeHeader() {
if (!Config->AllowBind) if (!Config->AllowBind)
PE->DLLCharacteristics |= IMAGE_DLL_CHARACTERISTICS_NO_BIND; PE->DLLCharacteristics |= IMAGE_DLL_CHARACTERISTICS_NO_BIND;
if (Config->NxCompat) if (Config->NxCompat)
PE->DLLCharacteristics |= IMAGE_DLL_CHARACTERISTICS_NX_COMPAT; PE->DLLCharacteristics |= IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
if (!Config->AllowIsolation) if (!Config->AllowIsolation)
PE->DLLCharacteristics |= IMAGE_DLL_CHARACTERISTICS_NO_ISOLATION; PE->DLLCharacteristics |= IMAGE_DLL_CHARACTERISTICS_NO_ISOLATION;
if (Config->GuardCF != GuardCFLevel::Off) if (Config->GuardCF != GuardCFLevel::Off)
PE->DLLCharacteristics |= IMAGE_DLL_CHARACTERISTICS_GUARD_CF; PE->DLLCharacteristics |= IMAGE_DLL_CHARACTERISTICS_GUARD_CF;
if (Config->Machine == I386 && !SEHTable && // Set the NO_SEH flag if we saw no exception handlers in .sxdata. Also set
!Symtab->findUnderscore("_load_config_used")) // the flag if the load config is missing, because the loader will not be
// able to find the safe exception handler table.
if (Config->Machine == I386 && (!HasSafeExceptionHandlers ||
!Symtab->findUnderscore("_load_config_used")))
ruiuUnsubmitted
Not Done
ReplyInline Actions

Maybe we should move these conditions to createSEHTable and make it a Config member (such as Config->SEH?)

ruiu: Maybe we should move these conditions to createSEHTable and make it a Config member (such as…
rnkAuthorUnsubmitted
Not Done
ReplyInline Actions

That makes sense, but I wouldn't want to put mutable state on Config. We can just put it on Writer.

rnk: That makes sense, but I wouldn't want to put mutable state on Config. We can just put it on…
ruiuUnsubmitted
Not Done
ReplyInline Actions

Maybe you should move I386 to createSEHTable as well?

ruiu: Maybe you should move I386 to createSEHTable as well?
rnkAuthorUnsubmitted
Not Done
ReplyInline Actions

I found a way to do this that I like.

rnk: I found a way to do this that I like.
PE->DLLCharacteristics |= IMAGE_DLL_CHARACTERISTICS_NO_SEH; PE->DLLCharacteristics |= IMAGE_DLL_CHARACTERISTICS_NO_SEH;
if (Config->TerminalServerAware) if (Config->TerminalServerAware)
PE->DLLCharacteristics |= IMAGE_DLL_CHARACTERISTICS_TERMINAL_SERVER_AWARE; PE->DLLCharacteristics |= IMAGE_DLL_CHARACTERISTICS_TERMINAL_SERVER_AWARE;
PE->NumberOfRvaAndSize = NumberfOfDataDirectory; PE->NumberOfRvaAndSize = NumberfOfDataDirectory;
if (TextSec->getVirtualSize()) { if (TextSec->getVirtualSize()) {
PE->BaseOfCode = TextSec->getRVA(); PE->BaseOfCode = TextSec->getRVA();
PE->SizeOfCode = TextSec->getRawSize(); PE->SizeOfCode = TextSec->getRawSize();
} }
▲ Show 20 LinesShow All 98 Lines▼ Show 20 Lines for (ObjFile *File : ObjFile::Instances) {
// FIXME: We should error here instead of earlier unless /safeseh:no was // FIXME: We should error here instead of earlier unless /safeseh:no was
// passed. // passed.
if (!File->hasSafeSEH()) if (!File->hasSafeSEH())
return; return;
markSymbolsForRVATable(File, File->getSXDataChunks(), Handlers); markSymbolsForRVATable(File, File->getSXDataChunks(), Handlers);
} }
HasSafeExceptionHandlers = !Handlers.empty();
maybeAddRVATable(std::move(Handlers), "__safe_se_handler_table", maybeAddRVATable(std::move(Handlers), "__safe_se_handler_table",
"__safe_se_handler_count"); "__safe_se_handler_count");
} }
// Add a symbol to an RVA set. Two symbols may have the same RVA, but an RVA set // Add a symbol to an RVA set. Two symbols may have the same RVA, but an RVA set
// cannot contain duplicates. Therefore, the set is uniqued by Chunk and the // cannot contain duplicates. Therefore, the set is uniqued by Chunk and the
// symbol's offset into that Chunk. // symbol's offset into that Chunk.
static void addSymbolToRVASet(SymbolRVASet &RVASet, Defined *S) { static void addSymbolToRVASet(SymbolRVASet &RVASet, Defined *S) {
▲ Show 20 LinesShow All 287 LinesShow Last 20 Lines

lld/test/COFF/safeseh-notable.s

  • This file was added.
# RUN: llvm-mc -triple i686-windows-msvc %s -filetype=obj -o %t.obj
# RUN: lld-link %t.obj -safeseh -out:%t.exe -entry:main
# RUN: llvm-readobj -file-headers %t.exe | FileCheck %s
# This object lacks a _load_config_used global, so we set
# IMAGE_DLL_CHARACTERISTICS_NO_SEH even though there is an exception handler.
# This is a more secure default. If someone wants to use a CRT without a load
# config and they want to use 32-bit SEH, they will need to provide a
# safeseh-compatible load config.
# CHECK-LABEL: Characteristics [
# CHECK: IMAGE_DLL_CHARACTERISTICS_NO_SEH
# CHECK: ]
# CHECK-LABEL: DataDirectory {
# CHECK: LoadConfigTableRVA: 0x0
# CHECK: LoadConfigTableSize: 0x0
# CHECK: }
# CHECK-NOT: LoadConfig
# CHECK-NOT: SEHTable
.def @feat.00;
.scl 3;
.type 0;
.endef
.globl @feat.00
@feat.00 = 1
.text
.def _main; .scl 2; .type 32; .endef
.globl _main
_main:
pushl $_my_handler
movl $42, %eax
popl %ecx
ret
.def _my_handler; .scl 3; .type 32; .endef
_my_handler:
ret
.safeseh _my_handler

lld/test/COFF/safeseh.s

# RUN: llvm-mc -triple i686-windows-msvc %s -filetype=obj -o %t.obj # RUN: llvm-mc -triple i686-windows-msvc %s -filetype=obj -o %t.obj
# RUN: lld-link %t.obj -safeseh -out:%t.exe -opt:noref -entry:main # RUN: lld-link %t.obj -safeseh -out:%t.exe -opt:noref -entry:main
# RUN: llvm-readobj -coff-basereloc -coff-load-config -file-headers %t.exe | FileCheck %s --check-prefix=CHECK-NOGC # RUN: llvm-readobj -coff-basereloc -coff-load-config -file-headers %t.exe | FileCheck %s --check-prefix=CHECK-NOGC
# RUN: lld-link %t.obj -safeseh -out:%t.exe -opt:ref -entry:main # RUN: lld-link %t.obj -safeseh -out:%t.exe -opt:ref -entry:main
# RUN: llvm-readobj -coff-basereloc -coff-load-config -file-headers %t.exe | FileCheck %s --check-prefix=CHECK-GC # RUN: llvm-readobj -coff-basereloc -coff-load-config -file-headers %t.exe | FileCheck %s --check-prefix=CHECK-GC
# __safe_se_handler_table needs to be relocated against ImageBase. # __safe_se_handler_table needs to be relocated against ImageBase.
# check that the relocation is present. # check that the relocation is present.
#
# CHECK-NOGC-NOT: IMAGE_DLL_CHARACTERISTICS_NO_SEH # CHECK-NOGC-NOT: IMAGE_DLL_CHARACTERISTICS_NO_SEH
# CHECK-NOGC: BaseReloc [ # CHECK-NOGC: BaseReloc [
# CHECK-NOGC: Entry { # CHECK-NOGC: Entry {
# CHECK-NOGC: Type: HIGHLOW # CHECK-NOGC: Type: HIGHLOW
# CHECK-NOGC: LoadConfig [ # CHECK-NOGC: LoadConfig [
# CHECK-NOGC: Size: 0x48 # CHECK-NOGC: Size: 0x48
# CHECK-NOGC: SEHandlerTable: 0x402048 # CHECK-NOGC: SEHandlerTable: 0x402048
# CHECK-NOGC: SEHandlerCount: 1 # CHECK-NOGC: SEHandlerCount: 1
# CHECK-NOGC: ] # CHECK-NOGC: ]
# CHECK-NOGC: SEHTable [ # CHECK-NOGC: SEHTable [
# CHECK-NOGC-NEXT: 0x401006 # CHECK-NOGC-NEXT: 0x401006
# CHECK-NOGC-NEXT: ] # CHECK-NOGC-NEXT: ]
# Without the SEH table, the address is absolute, so check that we do # If we enable GC, the exception handler should be removed, and we should add
# not have a relocation for it. # the DLL characteristic flag that indicates that there are no exception
# CHECK-GC-NOT: IMAGE_DLL_CHARACTERISTICS_NO_SEH # handlers in this DLL. The exception handler table in the load config should
# be empty and there should be no relocations for it.
#
# CHECK-GC: Characteristics [
# CHECK-GC: IMAGE_DLL_CHARACTERISTICS_NO_SEH
# CHECK-GC: ]
# CHECK-GC: BaseReloc [ # CHECK-GC: BaseReloc [
# CHECK-GC-NEXT: ] # CHECK-GC-NEXT: ]
# CHECK-GC: LoadConfig [ # CHECK-GC: LoadConfig [
# CHECK-GC: Size: 0x48 # CHECK-GC: Size: 0x48
# CHECK-GC: SEHandlerTable: 0x0 # CHECK-GC: SEHandlerTable: 0x0
# CHECK-GC: SEHandlerCount: 0 # CHECK-GC: SEHandlerCount: 0
# CHECK-GC: ] # CHECK-GC: ]
# CHECK-GC-NOT: SEHTable # CHECK-GC-NOT: SEHTable
Show All 39 Lines