[GHC] #14069: RTS linker maps code as writable

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
14 messages Options
Reply | Threaded
Open this post in threaded view
|

[GHC] #14069: RTS linker maps code as writable

GHC - devs mailing list
#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
           Reporter:  bgamari        |             Owner:  (none)
               Type:  bug            |            Status:  new
           Priority:  high           |         Milestone:  8.4.1
          Component:  Runtime        |           Version:  8.0.1
  System (Linker)                    |
           Keywords:                 |  Operating System:  Unknown/Multiple
       Architecture:                 |   Type of failure:  None/Unknown
  Unknown/Multiple                   |
          Test Case:                 |        Blocked By:
           Blocking:                 |   Related Tickets:
Differential Rev(s):                 |         Wiki Page:
-------------------------------------+-------------------------------------
 GHC's RTS linker maps executable code in writable pages, representing a
 significant potential exploit point for arbitrary code execution. OpenBSD
 disallows running program that do this by default.

 Fix this.

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/14069>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

_______________________________________________
ghc-tickets mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-tickets
Reply | Threaded
Open this post in threaded view
|

Re: [GHC] #14069: RTS linker maps code as writable

GHC - devs mailing list
#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
        Reporter:  bgamari           |                Owner:  (none)
            Type:  bug               |               Status:  new
        Priority:  high              |            Milestone:  8.4.1
       Component:  Runtime System    |              Version:  8.0.1
  (Linker)                           |
      Resolution:                    |             Keywords:
Operating System:  Unknown/Multiple  |         Architecture:
                                     |  Unknown/Multiple
 Type of failure:  None/Unknown      |            Test Case:
      Blocked By:                    |             Blocking:
 Related Tickets:                    |  Differential Rev(s):
       Wiki Page:                    |
-------------------------------------+-------------------------------------
Description changed by bgamari:

Old description:

> GHC's RTS linker maps executable code in writable pages, representing a
> significant potential exploit point for arbitrary code execution. OpenBSD
> disallows running program that do this by default.
>
> Fix this.

New description:

 GHC's RTS linker maps executable code in writable pages, representing a
 significant potential exploit point for arbitrary code execution. OpenBSD
 disallows running program that do this by default.


 Instead we should first map pages as `PROT_READ | PROT_WRITE`, perform any
 necessary relocations (which requires writing), and then `mprotect` it to
 `PROT_READ | PROT_EXEC`.

 To find the relevant code grep for `PROT_EXEC` in the `rts/` directory.

--

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/14069#comment:1>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

_______________________________________________
ghc-tickets mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-tickets
Reply | Threaded
Open this post in threaded view
|

Re: [GHC] #14069: RTS linker maps code as writable

GHC - devs mailing list
In reply to this post by GHC - devs mailing list
#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
        Reporter:  bgamari           |                Owner:  (none)
            Type:  bug               |               Status:  new
        Priority:  high              |            Milestone:  8.4.1
       Component:  Runtime System    |              Version:  8.0.1
  (Linker)                           |
      Resolution:                    |             Keywords:
Operating System:  Unknown/Multiple  |         Architecture:
                                     |  Unknown/Multiple
 Type of failure:  None/Unknown      |            Test Case:
      Blocked By:                    |             Blocking:
 Related Tickets:                    |  Differential Rev(s):
       Wiki Page:                    |
-------------------------------------+-------------------------------------
Changes (by bgamari):

 * cc: romanzolotarev (added)


Comment:

 CCing romanzolotarev who expressed interest in this on Twitter.

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/14069#comment:2>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

_______________________________________________
ghc-tickets mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-tickets
Reply | Threaded
Open this post in threaded view
|

Re: [GHC] #14069: RTS linker maps code as writable

GHC - devs mailing list
In reply to this post by GHC - devs mailing list
#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
        Reporter:  bgamari           |                Owner:  (none)
            Type:  bug               |               Status:  new
        Priority:  high              |            Milestone:  8.4.1
       Component:  Runtime System    |              Version:  8.0.1
  (Linker)                           |
      Resolution:                    |             Keywords:
Operating System:  Unknown/Multiple  |         Architecture:
                                     |  Unknown/Multiple
 Type of failure:  None/Unknown      |            Test Case:
      Blocked By:                    |             Blocking:
 Related Tickets:                    |  Differential Rev(s):
       Wiki Page:                    |
-------------------------------------+-------------------------------------
Changes (by angerman):

 * cc: angerman (added)


Comment:

 This is already in the aarch64/mach-o linker. And I believe the
 aarch64/elf linker could possibly be doing this already as well.

 Feel free to query me on IRC:angerman, or twitter:angerman_io.

 Otherwise if no one picks this up, I'll try to get around to it.

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/14069#comment:3>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

_______________________________________________
ghc-tickets mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-tickets
Reply | Threaded
Open this post in threaded view
|

Re: [GHC] #14069: RTS linker maps code as writable

GHC - devs mailing list
In reply to this post by GHC - devs mailing list
#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
        Reporter:  bgamari           |                Owner:  (none)
            Type:  bug               |               Status:  new
        Priority:  high              |            Milestone:  8.4.1
       Component:  Runtime System    |              Version:  8.0.1
  (Linker)                           |
      Resolution:                    |             Keywords:
Operating System:  Unknown/Multiple  |         Architecture:
                                     |  Unknown/Multiple
 Type of failure:  None/Unknown      |            Test Case:
      Blocked By:                    |             Blocking:
 Related Tickets:                    |  Differential Rev(s):
       Wiki Page:                    |
-------------------------------------+-------------------------------------

Comment (by romanzolotarev):

 Ben, thank you for adding me to the loop.

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/14069#comment:4>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

_______________________________________________
ghc-tickets mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-tickets
Reply | Threaded
Open this post in threaded view
|

Re: [GHC] #14069: RTS linker maps code as writable

GHC - devs mailing list
In reply to this post by GHC - devs mailing list
#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
        Reporter:  bgamari           |                Owner:  (none)
            Type:  bug               |               Status:  new
        Priority:  high              |            Milestone:  8.4.1
       Component:  Runtime System    |              Version:  8.0.1
  (Linker)                           |
      Resolution:                    |             Keywords:
Operating System:  Unknown/Multiple  |         Architecture:
                                     |  Unknown/Multiple
 Type of failure:  None/Unknown      |            Test Case:
      Blocked By:                    |             Blocking:
 Related Tickets:                    |  Differential Rev(s):
       Wiki Page:                    |
-------------------------------------+-------------------------------------
Changes (by lelf):

 * cc: lelf (added)


--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/14069#comment:5>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

_______________________________________________
ghc-tickets mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-tickets
Reply | Threaded
Open this post in threaded view
|

Re: [GHC] #14069: RTS linker maps code as writable

GHC - devs mailing list
In reply to this post by GHC - devs mailing list
#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
        Reporter:  bgamari           |                Owner:  (none)
            Type:  bug               |               Status:  new
        Priority:  high              |            Milestone:  8.6.1
       Component:  Runtime System    |              Version:  8.0.1
  (Linker)                           |
      Resolution:                    |             Keywords:  newcomer
Operating System:  Unknown/Multiple  |         Architecture:
                                     |  Unknown/Multiple
 Type of failure:  None/Unknown      |            Test Case:
      Blocked By:                    |             Blocking:
 Related Tickets:                    |  Differential Rev(s):
       Wiki Page:                    |
-------------------------------------+-------------------------------------
Changes (by bgamari):

 * keywords:   => newcomer
 * milestone:  8.4.1 => 8.6.1


Comment:

 This won't be fixed for 8.4, although I do hope someone picks it up for
 8.6. This strikes me as a rather serious yet easy-to-fix security issue.

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/14069#comment:6>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

_______________________________________________
ghc-tickets mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-tickets
Reply | Threaded
Open this post in threaded view
|

Re: [GHC] #14069: RTS linker maps code as writable

GHC - devs mailing list
In reply to this post by GHC - devs mailing list
#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
        Reporter:  bgamari           |                Owner:  (none)
            Type:  bug               |               Status:  new
        Priority:  high              |            Milestone:  8.6.1
       Component:  Runtime System    |              Version:  8.0.1
  (Linker)                           |
      Resolution:                    |             Keywords:  newcomer
Operating System:  Unknown/Multiple  |         Architecture:
                                     |  Unknown/Multiple
 Type of failure:  None/Unknown      |            Test Case:
      Blocked By:                    |             Blocking:
 Related Tickets:                    |  Differential Rev(s):
       Wiki Page:                    |
-------------------------------------+-------------------------------------
Changes (by sjakobi):

 * cc: sjakobi (added)


--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/14069#comment:7>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

_______________________________________________
ghc-tickets mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-tickets
Reply | Threaded
Open this post in threaded view
|

Re: [GHC] #14069: RTS linker maps code as writable

GHC - devs mailing list
In reply to this post by GHC - devs mailing list
#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
        Reporter:  bgamari           |                Owner:  (none)
            Type:  bug               |               Status:  new
        Priority:  high              |            Milestone:  8.6.1
       Component:  Runtime System    |              Version:  8.0.1
  (Linker)                           |
      Resolution:                    |             Keywords:  newcomer
Operating System:  Unknown/Multiple  |         Architecture:
                                     |  Unknown/Multiple
 Type of failure:  None/Unknown      |            Test Case:
      Blocked By:                    |             Blocking:
 Related Tickets:                    |  Differential Rev(s):
       Wiki Page:                    |
-------------------------------------+-------------------------------------

Comment (by mcandre):

 Same goes for HardenedBSD; a handful of Haskell programs can run, but
 common things like HLint, aeson, and shake fail to compile or operate in
 W^X environments.

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/14069#comment:8>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

_______________________________________________
ghc-tickets mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-tickets
Reply | Threaded
Open this post in threaded view
|

Re: [GHC] #14069: RTS linker maps code as writable

GHC - devs mailing list
In reply to this post by GHC - devs mailing list
#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
        Reporter:  bgamari           |                Owner:  SantiM
            Type:  bug               |               Status:  new
        Priority:  high              |            Milestone:  8.6.1
       Component:  Runtime System    |              Version:  8.0.1
  (Linker)                           |
      Resolution:                    |             Keywords:  newcomer
Operating System:  Unknown/Multiple  |         Architecture:
                                     |  Unknown/Multiple
 Type of failure:  None/Unknown      |            Test Case:
      Blocked By:                    |             Blocking:
 Related Tickets:                    |  Differential Rev(s):
       Wiki Page:                    |
-------------------------------------+-------------------------------------
Changes (by SantiM):

 * owner:  (none) => SantiM


Comment:

 I'm working with a friend on this bug as part of ZuriHac, we'll be sending
 changes for different files affected.

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/14069#comment:9>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

_______________________________________________
ghc-tickets mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-tickets
Reply | Threaded
Open this post in threaded view
|

Re: [GHC] #14069: RTS linker maps code as writable

GHC - devs mailing list
In reply to this post by GHC - devs mailing list
#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
        Reporter:  bgamari           |                Owner:  SantiM
            Type:  bug               |               Status:  new
        Priority:  high              |            Milestone:  8.6.1
       Component:  Runtime System    |              Version:  8.0.1
  (Linker)                           |
      Resolution:                    |             Keywords:  newcomer
Operating System:  Unknown/Multiple  |         Architecture:
                                     |  Unknown/Multiple
 Type of failure:  None/Unknown      |            Test Case:
      Blocked By:                    |             Blocking:
 Related Tickets:                    |  Differential Rev(s):  Phab:D4817
       Wiki Page:                    |
-------------------------------------+-------------------------------------
Changes (by SantiM):

 * differential:   => Phab:D4817


--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/14069#comment:10>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

_______________________________________________
ghc-tickets mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-tickets
Reply | Threaded
Open this post in threaded view
|

Re: [GHC] #14069: RTS linker maps code as writable

GHC - devs mailing list
In reply to this post by GHC - devs mailing list
#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
        Reporter:  bgamari           |                Owner:  SantiM
            Type:  bug               |               Status:  new
        Priority:  high              |            Milestone:  8.8.1
       Component:  Runtime System    |              Version:  8.0.1
  (Linker)                           |
      Resolution:                    |             Keywords:  newcomer
Operating System:  Unknown/Multiple  |         Architecture:
                                     |  Unknown/Multiple
 Type of failure:  None/Unknown      |            Test Case:
      Blocked By:                    |             Blocking:
 Related Tickets:                    |  Differential Rev(s):  Phab:D4817
       Wiki Page:                    |
-------------------------------------+-------------------------------------

Comment (by Ben Gamari <ben@…>):

 In [changeset:"67c422ca0e7b94e021430e3dfc9b19f3de21ed16/ghc" 67c422c/ghc]:
 {{{
 #!CommitTicketReference repository="ghc"
 revision="67c422ca0e7b94e021430e3dfc9b19f3de21ed16"
 rts/linker/{SymbolExtras,elf_got}.c: map code as read-only

 protect mmaped addresses from writes after being initially manipulated

 Test Plan: ./validate

 Reviewers: bgamari, erikd, simonmar

 Reviewed By: bgamari

 Subscribers: angerman, carlostome, rwbarton, thomie, carter

 GHC Trac Issues: #14069

 Differential Revision: https://phabricator.haskell.org/D4817
 }}}

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/14069#comment:12>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

_______________________________________________
ghc-tickets mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-tickets
Reply | Threaded
Open this post in threaded view
|

Re: [GHC] #14069: RTS linker maps code as writable

GHC - devs mailing list
In reply to this post by GHC - devs mailing list
#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
        Reporter:  bgamari           |                Owner:  SantiM
            Type:  bug               |               Status:  closed
        Priority:  high              |            Milestone:  8.8.1
       Component:  Runtime System    |              Version:  8.0.1
  (Linker)                           |
      Resolution:  fixed             |             Keywords:  newcomer
Operating System:  Unknown/Multiple  |         Architecture:
                                     |  Unknown/Multiple
 Type of failure:  None/Unknown      |            Test Case:
      Blocked By:                    |             Blocking:
 Related Tickets:                    |  Differential Rev(s):  Phab:D4817
       Wiki Page:                    |
-------------------------------------+-------------------------------------
Changes (by bgamari):

 * status:  new => closed
 * resolution:   => fixed


--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/14069#comment:13>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

_______________________________________________
ghc-tickets mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-tickets
Reply | Threaded
Open this post in threaded view
|

Re: [GHC] #14069: RTS linker maps code as writable

GHC - devs mailing list
In reply to this post by GHC - devs mailing list
#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
        Reporter:  bgamari           |                Owner:  (none)
            Type:  bug               |               Status:  new
        Priority:  high              |            Milestone:  8.8.1
       Component:  Runtime System    |              Version:  8.0.1
  (Linker)                           |
      Resolution:                    |             Keywords:  newcomer
Operating System:  Unknown/Multiple  |         Architecture:
                                     |  Unknown/Multiple
 Type of failure:  None/Unknown      |            Test Case:
      Blocked By:                    |             Blocking:
 Related Tickets:                    |  Differential Rev(s):  Phab:D4817
       Wiki Page:                    |
-------------------------------------+-------------------------------------
Changes (by SantiM):

 * owner:  SantiM => (none)
 * status:  closed => new
 * resolution:  fixed =>


Comment:

 Let's leave this open, there's more occurrences of mmap that were not
 protected in Phab:D4817

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/14069#comment:14>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

_______________________________________________
ghc-tickets mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-tickets