[all-commits] [llvm/llvm-project] 62e6c1: [lld/mac] Allow -segprot having stricter initprot ...

Nico Weber via All-commits all-commits at lists.llvm.org
Thu Sep 5 09:30:07 PDT 2024 

  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: 62e6c1ead7aedfbf973fb667537ff5cee4988da1
      https://github.com/llvm/llvm-project/commit/62e6c1ead7aedfbf973fb667537ff5cee4988da1
  Author: Nico Weber <thakis at chromium.org>
  Date:   2024-09-05 (Thu, 05 Sep 2024)

  Changed paths:
    M lld/MachO/Driver.cpp
    M lld/MachO/OutputSegment.cpp
    M lld/test/MachO/segprot.s

  Log Message:
  -----------
  [lld/mac] Allow -segprot having stricter initprot than maxprot on mac (#107269)

...including for catalyst.

The usecase for this is to put certain security-critical variables into
a special segment/section that's mapped as read-only most of the time,
and that temporary gets remapped as writeable when these variables are
written to be the program. This protects against them being written to
by heap spraying attacks. This special section should be mapped as
read-only at program start, so using

`-segprot MY_PROTECTED_MEMORY_THINGER rw r`

to mark that segment as rw maxprot and r initprot is exactly what we
want.

lld has so far rejected mismatching initprot and maxprot.

ld64 doesn't reject this, but silently writes initprot into both fields
(!) It looks like this might not be fully intentional, see
https://crbug.com/41495919#comment5 and
http://crbug.com/41495919#comment8.

In any case, when postprocessing ld64's output to have different values
for initprot and maxprot, the dynamic loader seems to do the right thing
(see also the previous two links).

The same technique also works on Windows, using both link.exe and
lld-link.exe using `/SECTION:myprotsect,R`.

So, since this is useful, allow it when targeting macOS, and make it do
what you'd expect.

Since loader support for this on iOS is less clear, keep disallowing it
there for now.

See the PR for the program I used to check that this seems to work. (I
only checked on arm64 macOS 14.5 so far; will run this on many more
systems on bots once this is merged and rolled in.)



To unsubscribe from these emails, change your notification settings at https://github.com/llvm/llvm-project/settings/notifications

More information about the All-commits mailing list