Reland^2 "[MTE] remap stacks with PROT_MTE when requested by dlopened library"
Also enable stack MTE if main binary links in a library that needs it.
Otherwise the following is possible:
1. a binary doesn't require stack MTE, but links in libraries that use
stg on the stack
2. that binary later dlopens a library that requires stack MTE, and our
logic in dlopen remaps the stacks with MTE
3. the libraries from step 1 now have tagged pointers with missing tags
in memory, so things go wrong
This reverts commit f53e91cc810be2a36377f3b7765f50c89f1f0046.
Reason for revert: Fixed problem detected in b/324568991
Test: atest memtag_stack_dlopen_test with MTE enabled
Test: check crash is gone on fullmte build
Change-Id: I4a93f6814a19683c3ea5fe1e6d455df5459d31e1
diff --git a/libc/bionic/heap_tagging.cpp b/libc/bionic/heap_tagging.cpp
index 48ec955..0c1e506 100644
--- a/libc/bionic/heap_tagging.cpp
+++ b/libc/bionic/heap_tagging.cpp
@@ -57,6 +57,7 @@
break;
case M_HEAP_TAGGING_LEVEL_SYNC:
case M_HEAP_TAGGING_LEVEL_ASYNC:
+ atomic_store(&globals->memtag, true);
atomic_store(&globals->memtag_stack, __libc_shared_globals()->initial_memtag_stack);
break;
default:
@@ -113,6 +114,7 @@
globals->heap_pointer_tag = static_cast<uintptr_t>(0xffull << UNTAG_SHIFT);
}
atomic_store(&globals->memtag_stack, false);
+ atomic_store(&globals->memtag, false);
});
if (heap_tagging_level != M_HEAP_TAGGING_LEVEL_TBI) {
diff --git a/libc/bionic/libc_init_dynamic.cpp b/libc/bionic/libc_init_dynamic.cpp
index c61810e..1180a51 100644
--- a/libc/bionic/libc_init_dynamic.cpp
+++ b/libc/bionic/libc_init_dynamic.cpp
@@ -39,11 +39,12 @@
* all dynamic linking has been performed.
*/
+#include <elf.h>
#include <stddef.h>
+#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
-#include <stdint.h>
-#include <elf.h>
+#include "bionic/pthread_internal.h"
#include "libc_init_common.h"
#include "private/bionic_defs.h"
@@ -59,6 +60,11 @@
extern int __cxa_atexit(void (*)(void *), void *, void *);
};
+void memtag_stack_dlopen_callback() {
+ async_safe_format_log(ANDROID_LOG_INFO, "libc", "remapping stacks as PROT_MTE");
+ __pthread_internal_remap_stack_with_mte();
+}
+
// Use an initializer so __libc_sysinfo will have a fallback implementation
// while .preinit_array constructors run.
#if defined(__i386__)
@@ -156,6 +162,10 @@
__libc_init_mte_late();
+ // This roundabout way is needed so we don't use the static libc linked into the linker, which
+ // will not affect the process.
+ __libc_shared_globals()->memtag_stack_dlopen_callback = memtag_stack_dlopen_callback;
+
exit(slingshot(args.argc - __libc_shared_globals()->initial_linker_arg_count,
args.argv + __libc_shared_globals()->initial_linker_arg_count,
args.envp));
diff --git a/libc/bionic/libc_init_static.cpp b/libc/bionic/libc_init_static.cpp
index 00faa5b..f091ff8 100644
--- a/libc/bionic/libc_init_static.cpp
+++ b/libc/bionic/libc_init_static.cpp
@@ -305,6 +305,14 @@
bool memtag_stack = false;
HeapTaggingLevel level =
__get_tagging_level(memtag_dynamic_entries, phdr_start, phdr_ct, load_bias, &memtag_stack);
+ // This is used by the linker (in linker.cpp) to communicate than any library linked by this
+ // executable enables memtag-stack.
+ if (__libc_shared_globals()->initial_memtag_stack) {
+ if (!memtag_stack) {
+ async_safe_format_log(ANDROID_LOG_INFO, "libc", "enabling PROT_MTE as requested by linker");
+ }
+ memtag_stack = true;
+ }
char* env = getenv("BIONIC_MEMTAG_UPGRADE_SECS");
static const char kAppProcessName[] = "app_process64";
const char* progname = __libc_shared_globals()->init_progname;
@@ -373,6 +381,8 @@
}
// We did not enable MTE, so we do not need to arm the upgrade timer.
__libc_shared_globals()->heap_tagging_upgrade_timer_sec = 0;
+ // We also didn't enable memtag_stack.
+ __libc_shared_globals()->initial_memtag_stack = false;
}
#else // __aarch64__
void __libc_init_mte(const memtag_dynamic_entries_t*, const void*, size_t, uintptr_t, void*) {}
diff --git a/libc/bionic/pthread_attr.cpp b/libc/bionic/pthread_attr.cpp
index de4cc9e..f6c0401 100644
--- a/libc/bionic/pthread_attr.cpp
+++ b/libc/bionic/pthread_attr.cpp
@@ -155,36 +155,6 @@
return 0;
}
-static uintptr_t __get_main_stack_startstack() {
- FILE* fp = fopen("/proc/self/stat", "re");
- if (fp == nullptr) {
- async_safe_fatal("couldn't open /proc/self/stat: %m");
- }
-
- char line[BUFSIZ];
- if (fgets(line, sizeof(line), fp) == nullptr) {
- async_safe_fatal("couldn't read /proc/self/stat: %m");
- }
-
- fclose(fp);
-
- // See man 5 proc. There's no reason comm can't contain ' ' or ')',
- // so we search backwards for the end of it. We're looking for this field:
- //
- // startstack %lu (28) The address of the start (i.e., bottom) of the stack.
- uintptr_t startstack = 0;
- const char* end_of_comm = strrchr(line, ')');
- if (sscanf(end_of_comm + 1, " %*c "
- "%*d %*d %*d %*d %*d "
- "%*u %*u %*u %*u %*u %*u %*u "
- "%*d %*d %*d %*d %*d %*d "
- "%*u %*u %*d %*u %*u %*u %" SCNuPTR, &startstack) != 1) {
- async_safe_fatal("couldn't parse /proc/self/stat");
- }
-
- return startstack;
-}
-
static int __pthread_attr_getstack_main_thread(void** stack_base, size_t* stack_size) {
ErrnoRestorer errno_restorer;
@@ -198,28 +168,11 @@
if (stack_limit.rlim_cur == RLIM_INFINITY) {
stack_limit.rlim_cur = 8 * 1024 * 1024;
}
-
- // Ask the kernel where our main thread's stack started.
- uintptr_t startstack = __get_main_stack_startstack();
-
- // Hunt for the region that contains that address.
- FILE* fp = fopen("/proc/self/maps", "re");
- if (fp == nullptr) {
- async_safe_fatal("couldn't open /proc/self/maps: %m");
- }
- char line[BUFSIZ];
- while (fgets(line, sizeof(line), fp) != nullptr) {
- uintptr_t lo, hi;
- if (sscanf(line, "%" SCNxPTR "-%" SCNxPTR, &lo, &hi) == 2) {
- if (lo <= startstack && startstack <= hi) {
- *stack_size = stack_limit.rlim_cur;
- *stack_base = reinterpret_cast<void*>(hi - *stack_size);
- fclose(fp);
- return 0;
- }
- }
- }
- async_safe_fatal("stack not found in /proc/self/maps");
+ uintptr_t lo, hi;
+ __find_main_stack_limits(&lo, &hi);
+ *stack_size = stack_limit.rlim_cur;
+ *stack_base = reinterpret_cast<void*>(hi - *stack_size);
+ return 0;
}
__BIONIC_WEAK_FOR_NATIVE_BRIDGE
diff --git a/libc/bionic/pthread_internal.cpp b/libc/bionic/pthread_internal.cpp
index 6a7ee2f..bfe2f98 100644
--- a/libc/bionic/pthread_internal.cpp
+++ b/libc/bionic/pthread_internal.cpp
@@ -40,6 +40,7 @@
#include "private/ErrnoRestorer.h"
#include "private/ScopedRWLock.h"
#include "private/bionic_futex.h"
+#include "private/bionic_globals.h"
#include "private/bionic_tls.h"
static pthread_internal_t* g_thread_list = nullptr;
@@ -119,6 +120,89 @@
return nullptr;
}
+static uintptr_t __get_main_stack_startstack() {
+ FILE* fp = fopen("/proc/self/stat", "re");
+ if (fp == nullptr) {
+ async_safe_fatal("couldn't open /proc/self/stat: %m");
+ }
+
+ char line[BUFSIZ];
+ if (fgets(line, sizeof(line), fp) == nullptr) {
+ async_safe_fatal("couldn't read /proc/self/stat: %m");
+ }
+
+ fclose(fp);
+
+ // See man 5 proc. There's no reason comm can't contain ' ' or ')',
+ // so we search backwards for the end of it. We're looking for this field:
+ //
+ // startstack %lu (28) The address of the start (i.e., bottom) of the stack.
+ uintptr_t startstack = 0;
+ const char* end_of_comm = strrchr(line, ')');
+ if (sscanf(end_of_comm + 1,
+ " %*c "
+ "%*d %*d %*d %*d %*d "
+ "%*u %*u %*u %*u %*u %*u %*u "
+ "%*d %*d %*d %*d %*d %*d "
+ "%*u %*u %*d %*u %*u %*u %" SCNuPTR,
+ &startstack) != 1) {
+ async_safe_fatal("couldn't parse /proc/self/stat");
+ }
+
+ return startstack;
+}
+
+void __find_main_stack_limits(uintptr_t* low, uintptr_t* high) {
+ // Ask the kernel where our main thread's stack started.
+ uintptr_t startstack = __get_main_stack_startstack();
+
+ // Hunt for the region that contains that address.
+ FILE* fp = fopen("/proc/self/maps", "re");
+ if (fp == nullptr) {
+ async_safe_fatal("couldn't open /proc/self/maps: %m");
+ }
+ char line[BUFSIZ];
+ while (fgets(line, sizeof(line), fp) != nullptr) {
+ uintptr_t lo, hi;
+ if (sscanf(line, "%" SCNxPTR "-%" SCNxPTR, &lo, &hi) == 2) {
+ if (lo <= startstack && startstack <= hi) {
+ *low = lo;
+ *high = hi;
+ fclose(fp);
+ return;
+ }
+ }
+ }
+ async_safe_fatal("stack not found in /proc/self/maps");
+}
+
+void __pthread_internal_remap_stack_with_mte() {
+#if defined(__aarch64__)
+ // If process doesn't have MTE enabled, we don't need to do anything.
+ if (!__libc_globals->memtag) return;
+ bool prev = true;
+ __libc_globals.mutate(
+ [&prev](libc_globals* globals) { prev = atomic_exchange(&globals->memtag_stack, true); });
+ if (prev) return;
+ uintptr_t lo, hi;
+ __find_main_stack_limits(&lo, &hi);
+
+ if (mprotect(reinterpret_cast<void*>(lo), hi - lo,
+ PROT_READ | PROT_WRITE | PROT_MTE | PROT_GROWSDOWN)) {
+ async_safe_fatal("error: failed to set PROT_MTE on main thread");
+ }
+ ScopedWriteLock creation_locker(&g_thread_creation_lock);
+ ScopedReadLock list_locker(&g_thread_list_lock);
+ for (pthread_internal_t* t = g_thread_list; t != nullptr; t = t->next) {
+ if (t->terminating || t->is_main()) continue;
+ if (mprotect(t->mmap_base_unguarded, t->mmap_size_unguarded,
+ PROT_READ | PROT_WRITE | PROT_MTE)) {
+ async_safe_fatal("error: failed to set PROT_MTE on thread: %d", t->tid);
+ }
+ }
+#endif
+}
+
bool android_run_on_all_threads(bool (*func)(void*), void* arg) {
// Take the locks in this order to avoid inversion (pthread_create ->
// __pthread_internal_add).
diff --git a/libc/bionic/pthread_internal.h b/libc/bionic/pthread_internal.h
index 3b9e6a4..091f711 100644
--- a/libc/bionic/pthread_internal.h
+++ b/libc/bionic/pthread_internal.h
@@ -178,6 +178,7 @@
bionic_tls* bionic_tls;
int errno_value;
+ bool is_main() { return start_routine == nullptr; }
};
struct ThreadMapping {
@@ -207,6 +208,7 @@
__LIBC_HIDDEN__ pid_t __pthread_internal_gettid(pthread_t pthread_id, const char* caller);
__LIBC_HIDDEN__ void __pthread_internal_remove(pthread_internal_t* thread);
__LIBC_HIDDEN__ void __pthread_internal_remove_and_free(pthread_internal_t* thread);
+__LIBC_HIDDEN__ void __find_main_stack_limits(uintptr_t* low, uintptr_t* high);
static inline __always_inline bionic_tcb* __get_bionic_tcb() {
return reinterpret_cast<bionic_tcb*>(&__get_tls()[MIN_TLS_SLOT]);
@@ -266,6 +268,9 @@
__LIBC_HIDDEN__ extern void __bionic_atfork_run_child();
__LIBC_HIDDEN__ extern void __bionic_atfork_run_parent();
+// Re-map all threads and successively launched threads with PROT_MTE.
+__LIBC_HIDDEN__ void __pthread_internal_remap_stack_with_mte();
+
extern "C" bool android_run_on_all_threads(bool (*func)(void*), void* arg);
extern pthread_rwlock_t g_thread_creation_lock;