Fix Intel CET / SHSTK support in fibers #14027

Open
wants to merge 4 commits into
base: PHP-8.3

Conversation

arnaud-lb
Member

@arnaud-lb arnaud-lb commented Apr 21, 2024

This fixes SHSTK support in fibers:

  • The syscall number for map_shadow_stack has changed since initial support was added. I update the syscall number and use the SYS_map_shadow_stack macro instead of the hard-coded number when possible. Note: when the configure check is broken, SHSTK is not disabled. Instead, SHSTK handling is not added, causing fibers to crash. So there is no risk of disabling a security feature by breaking this check.
  • make_fcontext/jump_fcontext was broken due to accidental duplication of shadow stack handling
  • Set the shadow stack to the same size as the normal stack, as in the worst case the shadow stack needs as much space. This matches what the kernel does for the main stack. This size is excluding the guard page the kernel adds.
  • Enable SHSTK in CI. For now this should only check that we can build with -fcf-protection, and that the linker adds the SHSTK flag on the binary (cet-report=error). The glibc version used in CI will not enable SHSTK at runtime, but I believe it will in Ubuntu 24.

This can be tested with a kernel >= 6.6 and glibc >= 2.39, when compiling with CFLAGS=-fcf-protection=full LDFLAGS=-Wl,-z,cet-report=error, and running with GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK.

Check that the binary was compiled with SHSTK:

readelf -n sapi/cli/php | grep -a SHSTK

Check CPU and kernel support:

grep user_shstk /proc/cpuinfo

Check that ld enables SHSTK:

GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK strace sapi/cli/php -r '' 2>&1 | grep ARCH_SHSTK

See https://docs.kernel.org/next/x86/shstk.html
See https://www.phoronix.com/news/Glibc-Intel-CET-Shadow-Stack
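The three checks above (binary property note, CPU/kernel flag, loader actually enabling SHSTK) collapsed into one script, as an added example that is not part of the PR or of php-src. The text matching is separated from the commands so each check can be run against captured output; the readelf, /proc/cpuinfo and strace samples below are constructed, and the strace check assumes strace decodes the arch_prctl constant symbolically (as the grep in the description does).

```shell
#!/bin/sh
# Added example (not PR or php-src code): verify the three SHSTK prerequisites
# named in the PR description. All sample outputs below are constructed.

# Constructed sample: `readelf -n` output for a binary built with -fcf-protection.
SAMPLE_READELF_CET='Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000020       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK'

# Constructed sample: the same note for a binary built without -fcf-protection.
SAMPLE_READELF_PLAIN='Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
      Properties: x86 ISA needed: x86-64-baseline'

# Constructed sample: /proc/cpuinfo flags lines with and without user_shstk.
SAMPLE_CPUINFO_SHSTK='flags           : fpu vme de pse tsc msr pae sse sse2 ibt user_shstk'
SAMPLE_CPUINFO_NONE='flags           : fpu vme de pse tsc msr pae sse sse2'

# Constructed sample: strace output. A loader that enables SHSTK issues an
# arch_prctl(ARCH_SHSTK_ENABLE, ...) call; one that does not never does.
SAMPLE_STRACE_ENABLED='arch_prctl(ARCH_SET_FS, 0x7f0000001740) = 0
arch_prctl(ARCH_SHSTK_ENABLE, ARCH_SHSTK_SHSTK) = 0'
SAMPLE_STRACE_DISABLED='arch_prctl(ARCH_SET_FS, 0x7f0000001740) = 0'

# 1. Was the binary built with SHSTK? Input: output of `readelf -n <binary>`.
binary_has_shstk() {
    printf '%s\n' "$1" | grep -q 'SHSTK'
}

# 2. Do CPU and kernel support user shadow stacks? Input: /proc/cpuinfo text.
cpu_has_user_shstk() {
    printf '%s\n' "$1" | grep -qw 'user_shstk'
}

# 3. Did the dynamic loader turn SHSTK on for this process? Input: strace
#    output of the binary run with GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK.
loader_enabled_shstk() {
    printf '%s\n' "$1" | grep -q 'ARCH_SHSTK_ENABLE'
}

# Run all three against the live system. Returns 0 only when every layer is
# in place; if any one is missing, the rstorssp in the fiber asm will fault
# (the SIGILL seen in CI) even though the binary carries the SHSTK flag.
check_live() {
    bin=${1:-sapi/cli/php}
    binary_has_shstk "$(readelf -n "$bin" 2>/dev/null)" \
        || { echo "binary: no SHSTK property (build with CFLAGS=-fcf-protection=full)"; return 1; }
    cpu_has_user_shstk "$(cat /proc/cpuinfo 2>/dev/null)" \
        || { echo "cpu/kernel: user_shstk not advertised (kernel >= 6.6 needed)"; return 1; }
    loader_enabled_shstk "$(GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK strace "$bin" -r '' 2>&1)" \
        || { echo "runtime: loader did not enable SHSTK (glibc >= 2.39 plus the tunable needed)"; return 1; }
    echo "SHSTK: binary, cpu/kernel and runtime checks all pass"
}

# Usage: sh shstk-check.sh --live [path/to/php]
if [ "${1:-}" = "--live" ]; then
    check_live "${2:-sapi/cli/php}"
fi
```

Running it with `--live` reports the first missing layer, which is exactly the distinction that matters for the CI failure discussed below: a binary can pass the readelf check and still crash when the loader on an older glibc never enables SHSTK.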

@arnaud-lb arnaud-lb changed the base branch from master to PHP-8.3 April 21, 2024 18:29
@arnaud-lb arnaud-lb marked this pull request as ready for review April 23, 2024 10:00
@arnaud-lb arnaud-lb requested a review from devnexen April 23, 2024 10:01
@devnexen
Member

make_fcontext/jump_fcontext was broken due to accidental duplication of shadow stack handling

If that's the case, you should definitively upstream your bug fix.

@arnaud-lb
Member Author

I planned to do so, but do you confirm the duplication in boostorg/context#248 was a mistake?

@devnexen
Member

yes :)

Sync Zend/asm/*_x86_64_sysv_elf_gas.S with upstream
* Syscall number for map_shadow_stack has changed since initial support was
  added.
* Use SYS_map_shadow_stack instead of hard-coded number when possible
The shadow stack may need as much space as the fiber stack in the worst case, so
allocate a shadow stack the same size as the fiber stack. This matches what the
kernel does for the main stack.
@devnexen
Member

devnexen commented Oct 7, 2024

Can't reproduce the issues on CI locally, any luck? nvm, I actually can with my other laptop.

@arnaud-lb
Member Author

Oh, I didn't notice this. I will check

@arnaud-lb
Member Author

The LINUX_X64_RELEASE_NTS job is the last one running Ubuntu 22.04 I believe, and in this version the Glibc loader doesn't enable SHSTK. The program crashes on the rstorssp instruction because SHSTK is not enabled, if I understand correctly. This is not ideal, as it means we can not build with -fcf-protection in case the runtime may not enable SHSTK. Maybe the asm should skip the SSP setup/restore when SHSTK is not enabled.

@devnexen
Member

devnexen commented Oct 8, 2024

The LINUX_X64_RELEASE_NTS job is the last one running Ubuntu 22.04 I believe, and in this version the Glibc loader doesn't enable SHSTK. The program crashes on the rstorssp instruction because SHSTK is not enabled, if I understand correctly. This is not ideal, as it means we can not build with -fcf-protection in case the runtime may not enable SHSTK. Maybe the asm should skip the SSP setup/restore when SHSTK is not enabled.

I think you're right, I get a SIGILL for those instructions on one Intel machine but not the other (more modern distro).
