[GHC] #14069: RTS linker maps code as writable

#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
Reporter: bgamari | Owner: (none)
Type: bug | Status: new
Priority: high | Milestone: 8.4.1
Component: Runtime System (Linker) | Version: 8.0.1
Keywords: | Operating System: Unknown/Multiple
Architecture: Unknown/Multiple | Type of failure: None/Unknown
Test Case: | Blocked By:
Blocking: | Related Tickets:
Differential Rev(s): | Wiki Page:
-------------------------------------+-------------------------------------
GHC's RTS linker maps executable code in writable pages, representing a significant potential exploit point for arbitrary code execution. OpenBSD disallows running programs that do this by default.

Fix this.

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069
GHC http://www.haskell.org/ghc/
The Glasgow Haskell Compiler

#14069: RTS linker maps code as writable

Description changed by bgamari:

Old description:

GHC's RTS linker maps executable code in writable pages, representing a significant potential exploit point for arbitrary code execution. OpenBSD disallows running programs that do this by default.

Fix this.

New description:

GHC's RTS linker maps executable code in writable pages, representing a significant potential exploit point for arbitrary code execution. OpenBSD disallows running programs that do this by default.

Instead we should first map pages as `PROT_READ | PROT_WRITE`, perform any necessary relocations (which requires writing), and then `mprotect` it to `PROT_READ | PROT_EXEC`.

To find the relevant code grep for `PROT_EXEC` in the `rts/` directory.

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:1
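The map, relocate, then `mprotect` sequence proposed in the new description above, as an added example that is not part of the ticket and is not GHC's RTS code. `struct reloc`, `load_sealed` and `mapping_perms` are hypothetical names, the relocation format is a simplified stand-in, and the permission check assumes Linux's `/proc/self/maps`.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical relocation record (not GHC's): store value at offset. */
struct reloc { size_t offset; uint64_t value; };

/* Map RW, copy the image, apply relocations, then seal as R+X.
 * Returns the mapping (size in *maplen) or NULL on failure. */
void *load_sealed(const uint8_t *img, size_t len,
                  const struct reloc *rel, size_t nrel, size_t *maplen)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t sz = (len + page - 1) / page * page;   /* round up to pages */
    if (len == 0) return NULL;
    uint8_t *p = mmap(NULL, sz, PROT_READ | PROT_WRITE, /* never W+X */
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, img, len);
    for (size_t i = 0; i < nrel; i++) {
        /* Reject relocations that would write outside the image. */
        if (rel[i].offset > len || len - rel[i].offset < sizeof rel[i].value) {
            munmap(p, sz);
            return NULL;
        }
        memcpy(p + rel[i].offset, &rel[i].value, sizeof rel[i].value);
    }
    /* All writes are done: drop PROT_WRITE as PROT_EXEC is granted. */
    if (mprotect(p, sz, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, sz);
        return NULL;
    }
    *maplen = sz;
    return p;
}

/* Linux-only check: copy the permission field ("r-xp") of the mapping
 * containing addr from /proc/self/maps. Returns 0, or -1 if not found. */
int mapping_perms(const void *addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    unsigned long lo, hi, a = (unsigned long)(uintptr_t)addr;
    char line[512];
    int rc = -1;
    if (!f) return -1;
    while (rc != 0 && fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 && a >= lo && a < hi)
            rc = 0;
    fclose(f);
    return rc;
}
```

A failed `mprotect` is treated as a load failure here, so the mapping is released rather than left writable or made writable and executable as a fallback.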

#14069: RTS linker maps code as writable

Changes (by bgamari):

 * cc: romanzolotarev (added)

Comment:

CCing romanzolotarev who expressed interest in this on Twitter.

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:2

#14069: RTS linker maps code as writable

Changes (by angerman):

 * cc: angerman (added)

Comment:

This is already in the aarch64/mach-o linker. And I believe the aarch64/elf linker could possibly be doing this already as well.

Feel free to query me on IRC:angerman, or twitter:angerman_io. Otherwise if no one picks this up, I'll try to get around to it.

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:3

#14069: RTS linker maps code as writable

Comment (by romanzolotarev):

Ben, thank you for adding me to the loop.

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:4

#14069: RTS linker maps code as writable

Changes (by lelf):

 * cc: lelf (added)

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:5

#14069: RTS linker maps code as writable

Changes (by bgamari):

 * keywords: => newcomer
 * milestone: 8.4.1 => 8.6.1

Comment:

This won't be fixed for 8.4, although I do hope someone picks it up for 8.6. This strikes me as a rather serious yet easy-to-fix security issue.

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:6

#14069: RTS linker maps code as writable

Changes (by sjakobi):

 * cc: sjakobi (added)

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:7

#14069: RTS linker maps code as writable

Comment (by mcandre):

Same goes for HardenedBSD; a handful of Haskell programs can run, but common things like HLint, aeson, and shake fail to compile or operate in W^X environments.

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:8

#14069: RTS linker maps code as writable

Changes (by SantiM):

 * owner: (none) => SantiM

Comment:

I'm working with a friend on this bug as part of ZuriHac, we'll be sending changes for different files affected.

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:9

#14069: RTS linker maps code as writable

Changes (by SantiM):

 * differential: => Phab:D4817

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:10

#14069: RTS linker maps code as writable
-------------------------------------+-------------------------------------
Reporter: bgamari | Owner: SantiM
Type: bug | Status: new
Priority: high | Milestone: 8.8.1
Component: Runtime System | Version: 8.0.1
(Linker) |
Resolution: | Keywords: newcomer
Operating System: Unknown/Multiple | Architecture:
| Unknown/Multiple
Type of failure: None/Unknown | Test Case:
Blocked By: | Blocking:
Related Tickets: | Differential Rev(s): Phab:D4817
Wiki Page: |
-------------------------------------+-------------------------------------
Comment (by Ben Gamari

#14069: RTS linker maps code as writable

Changes (by bgamari):

 * status: new => closed
 * resolution: => fixed

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:13

#14069: RTS linker maps code as writable

Changes (by SantiM):

 * owner: SantiM => (none)
 * status: closed => new
 * resolution: fixed =>

Comment:

Let's leave this open, there's more occurrences of mmap that were not protected in Phab:D4817

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:14

#14069: RTS linker maps code as writable

Changes (by kgardas):

 * cc: kgardas (added)

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:15

#14069: RTS linker maps code as writable

Changes (by neosimsim):

 * cc: neosimsim (added)

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:16

#14069: RTS linker maps code as writable

Changes (by qnikst):

 * cc: qnikst (added)

Comment:

List of files that have `mmap`, but do not have `mprotect` around:

 rts/Linker/LoadArchive.c
 rts/Linker/Elf.c
 rts/Linker/M32Alloc.c

Should all of them be worked on in one pass or should we do some preparatory work before?

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:17

#14069: RTS linker maps code as writable

Comment (by sgraf):

qnikst: That's up to you, really. If you think it makes sense to do it all in one patch, just do it. I suspect that it will be a rather small change, so I'd do it all in one.

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:18

#14069: RTS linker maps code as writable

Comment (by rockbmb):

I'm preparing a patch to address the remaining changes here, do you mind if I go ahead @qnikst? I'd like to avoid duplicating work you may have already done.

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:19

#14069: RTS linker maps code as writable

Comment (by qnikst):

@rockbmb, feel free to do that I'm currently stuck on this ticket.

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:20

#14069: RTS linker maps code as writable

Changes (by watashi):

 * cc: watashi (added)

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:21

#14069: RTS linker maps code as writable

Changes (by rockbmb):

 * owner: (none) => rockbmb

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/14069#comment:22