[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200923014616.GA1216401@rani.riverdale.lan>
Date: Tue, 22 Sep 2020 21:46:16 -0400
From: Arvind Sankar <nivedita@...m.mit.edu>
To: "Madhavan T. Venkataraman" <madvenka@...ux.microsoft.com>
Cc: Florian Weimer <fw@...eb.enyo.de>,
kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org,
linux-fsdevel@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, oleg@...hat.com,
x86@...nel.org, libffi-discuss@...rceware.org, luto@...nel.org,
David.Laight@...LAB.COM, mark.rutland@....com, mic@...ikod.net,
pavel@....cz
Subject: Re: [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor
On Thu, Sep 17, 2020 at 10:36:02AM -0500, Madhavan T. Venkataraman wrote:
>
>
> On 9/16/20 8:04 PM, Florian Weimer wrote:
> > * madvenka:
> >
> >> Examples of trampolines
> >> =======================
> >>
> >> libffi (A Portable Foreign Function Interface Library):
> >>
> >> libffi allows a user to define functions with an arbitrary list of
> >> arguments and return value through a feature called "Closures".
> >> Closures use trampolines to jump to ABI handlers that handle calling
> >> conventions and call a target function. libffi is used by a lot
> >> of different applications. To name a few:
> >>
> >> - Python
> >> - Java
> >> - Javascript
> >> - Ruby FFI
> >> - Lisp
> >> - Objective C
> >
> > libffi does not actually need this. It currently collocates
> > trampolines and the data they need on the same page, but that's
> > actually unecessary. It's possible to avoid doing this just by
> > changing libffi, without any kernel changes.
> >
> > I think this has already been done for the iOS port.
> >
>
> The trampoline table that has been implemented for the iOS port (MACH)
> is based on PC-relative data referencing. That is, the code and data
> are placed in adjacent pages so that the code can access the data using
> an address relative to the current PC.
>
> This is an ISA feature that is not supported on all architectures.
>
> Now, if it is a performance feature, we can include some architectures
> and exclude others. But this is a security feature. IMO, we cannot
> exclude any architecture even if it is a legacy one as long as Linux
> is running on the architecture. So, we need a solution that does
> not assume any specific ISA feature.
Which ISA does not support PIC objects? You mentioned i386 below, but
i386 does support them, it just needs to copy the PC into a GPR first
(see below).
>
> >> The code for trampoline X in the trampoline table is:
> >>
> >> load &code_table[X], code_reg
> >> load (code_reg), code_reg
> >> load &data_table[X], data_reg
> >> load (data_reg), data_reg
> >> jump code_reg
> >>
> >> The addresses &code_table[X] and &data_table[X] are baked into the
> >> trampoline code. So, PC-relative data references are not needed. The user
> >> can modify code_table[X] and data_table[X] dynamically.
> >
> > You can put this code into the libffi shared object and map it from
> > there, just like the rest of the libffi code. To get more
> > trampolines, you can map the page containing the trampolines multiple
> > times, each instance preceded by a separate data page with the control
> > information.
> >
>
> If you put the code in the libffi shared object, how do you pass data to
> the code at runtime? If the code we are talking about is a function, then
> there is an ABI defined way to pass data to the function. But if the
> code we are talking about is some arbitrary code such as a trampoline,
> there is no ABI defined way to pass data to it except in a couple of
> platforms such as HP PA-RISC that have support for function descriptors
> in the ABI itself.
>
> As mentioned before, if the ISA supports PC-relative data references
> (e.g., X86 64-bit platforms support RIP-relative data references)
> then we can pass data to that code by placing the code and data in
> adjacent pages. So, you can implement the trampoline table for X64.
> i386 does not support it.
>
i386 just needs a tiny bit of code to copy the PC into a GPR first, i.e.
the trampoline would be:
call 1f
1: pop %data_reg
movl (code_table + X - 1b)(%data_reg), %code_reg
movl (data_table + X - 1b)(%data_reg), %data_reg
jmp *(%code_reg)
I do not understand the point about passing data at runtime. This
trampoline is to achieve exactly that, no?
Thanks.
Powered by blists - more mailing lists