Page MenuHomePhabricator

[LLD] [COFF] Make sections with runtime pseudo relocations writable
AbandonedPublic

Authored by mstorsjo on Aug 29 2018, 12:48 PM.

Details

Reviewers
rnk
ruiu
pcc
Summary

If there are runtime pseudo relocations in a section that isn't writable, the relocation code will try to make the section writable first by calling VirtualProtect, and restore it to read only mode afterwards, before giving the control over to user code.

In Windows Store apps, the VirtualProtect function isn't allowed (and can be stubbed out with a dummy that just returns an error).

To avoid having to use this function, the linker can move all section chunks that require runtime relocations to a writable section. When moving data from .rdata to .data, this works ideally. If there are runtime pseudo relocs in the .text section though, we create a separate writable text section .wtext. As long as the compiler produces .refptr stubs from all variables that might be imported from another dll, we shouldn't ever need to make the text section writable.

Diff Detail

Event Timeline

mstorsjo created this revision.Aug 29 2018, 12:48 PM
rnk added a comment.Aug 29 2018, 1:57 PM

Won't this effectively move Itanium vtables into .data? That seems... dangerous.

In D51454#1218266, @rnk wrote:

Won't this effectively move Itanium vtables into .data? That seems... dangerous.

I'm not fluent enough in the itanium ABI to off-hand say what pointers there actually are there. For RTTI data, with the libc++ in a separate DLL, it'll at least need to make them writable for the type info vtable pointer (see D43184 for old discussion on that). And probably also for other cases if things are autoimported.

As long as nothing is autoimported and needs pseudo relocs, nothing is made writable.

If you feel this is generally something that one generally would want to avoid, we perhaps should make it an option instead. Then someone linking things for Windows Store/UWP configurations (where VirtualProtect is unusable) can enable it. For other cases, making things writable only for a short time on load while fixing relocations probably is better.

rnk added a comment.Aug 29 2018, 3:00 PM

I think the extra option is worth it. I expect regular old desktop apps are the common case for most users, and they'd rather have the improved security.

You can still use VirtualProtectFromApp with UWP; you just can't do W+X.

You can still use VirtualProtectFromApp with UWP; you just can't do W+X.

Oh, I'll look into that. As long as all references from code use refptr, that should be fine then, and we could drop this patch.

mstorsjo abandoned this revision.Aug 30 2018, 12:21 AM

You can still use VirtualProtectFromApp with UWP; you just can't do W+X.

Oh, I'll look into that. As long as all references from code use refptr, that should be fine then, and we could drop this patch.

Let's skip this patch, at least for now. VirtualProtectFromApp isn't available for Win8.x Store Apps though, but I don't know if that really is an issue for anybody.

What we could add, though, is a warning if there are runtime pseudo relocs in executable sections.