[PATCH v8 0/4] arm64: Enable BTI for the executable as well as the interpreter

Szabolcs Nagy szabolcs.nagy at arm.com
Wed Feb 16 08:49:54 PST 2022 

The 02/16/2022 13:34, Catalin Marinas via Libc-alpha wrote:
> On Tue, Feb 15, 2022 at 06:34:56PM +0000, Will Deacon wrote:
> > This appears to be a user-visible change which cannot be detected or
> > disabled from userspace. If there is code out there which does not work
> > when BTI is enabled, won't that now explode when the kernel enables it?
> > How are we supposed to handle such a regression?
> 
> If this ever happens, the only workaround is to disable BTI on the
> kernel command line. If we need a knob closer to user, we could add a
> sysctl option (as we did for the tagged address ABI, though I doubt
> people are even aware that exists). The dynamic loader doesn't do
> anything smart when deciding to map objects with PROT_BTI (like env
> variables), it simply relies on the ELF information.
> 
> I think that's very unlikely and feedback from Szabolcs in the past and
> additional testing by Mark and Jeremy was that it should be fine. The
> architecture allows interworking between BTI and non-BTI objects and on
> distros with both BTI and MDWE enabled, this is already the case: the
> main executable is mapped without PROT_BTI while the libraries will be
> mapped with PROT_BTI. The new behaviour allows both to be mapped with
> PROT_BTI, just as if MDWE was disabled.
> 
> I think the only difference would be with a BTI-unware dynamic loader
> (e.g. older distro). Here the main executable, if compiled with BTI,
> would be mapped as executable while the rest of the libraries are
> non-BTI. The interworking should be fine but we can't test everything
> since such BTI binaries would not normally be part of the distro.

note: a bti marked exe has to be built against a bti enabled
runtime (so crt files etc are bti compatible) and any system
that executes such an exe must be newer and thus bti aware
(according to glibc abi compatibility rules).

so while it's possible that ld.so is not bti marked when an
exe is, the ld.so will be at least bti aware, which means it
will map all bti binaries (including the exe) with PROT_BTI.

so this doesn't really affect glibc based systems. and there
are not many other systems that can produce bti marked exes.
(i don't think this can cause problems on android either)

if we ever wanted to map bti marked binaries without PROT_BTI
and introduced a knob to do that in ld.so, then this change
would be problematic (we cannot easily remove PROT_BTI from
the exe), but we don't have such plans.

> 
> If there are dodgy libraries out there that do tricks and branch into
> the middle of a function in the main executable, they will fail with
> this series but also fail if MDWE is disabled and the dynamic linker is
> BTI-aware. So this hardly counts as a use-case.
> 
> For consistency, I think whoever does the initial mapping should also
> set the correct attributes as we do for static binaries. If you think
> another knob is needed other than the cmdline, I'm fine with it.
> 
> -- 
> Catalin

More information about the linux-arm-kernel mailing list