Commit f5d025d

[AAELF64] Document structure protection relocations (ARM-software#340)
The structure protection extension [1] introduces two new relocations:

R_AARCH64_PATCHINST replaces an instruction with the result of the relocation if the referenced symbol is defined. The relocation is intended to implement deactivation symbols [2], which can be used to "undo" structure protection when it isn't safe to apply.

R_AARCH64_FUNCINIT64 generates a R_AARCH64_IRELATIVE relocation at the place. This is similar to R_AARCH64_ABS64 referencing a symbol of binding STB_GNU_UNIQUE, with the main difference being that R_AARCH64_FUNCINIT64 references non-STB_GNU_UNIQUE symbols. The relocation is used to initialize function pointers in static structs at load time by calling the equivalent of an ifunc resolver function that returns the signed address.

[1] https://discourse.llvm.org/t/rfc-structure-protection-a-family-of-uaf-mitigation-techniques/85555
[2] https://discourse.llvm.org/t/rfc-deactivation-symbols/85556
1 parent 39e3257 commit f5d025d

File tree

1 file changed

+92
-25
lines changed
aaelf64/aaelf64.rst

Lines changed: 92 additions & 25 deletions
@@ -18,6 +18,7 @@
1818
.. _SYM-VER: http://www.akkadia.org/drepper/symbol-versioning
1919
.. _TLSDESC: http://www.fsfla.org/~lxoliva/writeups/TLS/paper-lk2006.pdf
2020
.. _MTEEXTENSIONS: https://www.kernel.org/doc/html/latest/arm64/memory-tagging-extension.html#core-dump-support
21+
.. _STRUCTPROT: https://discourse.llvm.org/t/rfc-structure-protection-a-family-of-uaf-mitigation-techniques/85555
2122
.. _SYSVABI64: https://github.com/ARM-software/abi-aa/releases
2223
.. _VFABI64: https://github.com/ARM-software/abi-aa/releases
2324

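Review bot: the new ``STRUCTPROT`` link target points at a Discourse RFC thread, which has no document identifier or fixed revision, unlike the ``IHI 0055`` / ``IHI 0045`` style references used for the other ABI documents. Since the thread can be edited after this document is published, consider recording the date or revision of the RFC that the relocation definitions were taken from, either in the target's title text or in the References table row that uses it.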
@@ -291,6 +292,8 @@ changes to the content of the document for that release.
291292
| 2025Q2 | 9\ :sup:`th` | - In `Call and Jump relocations`_ added |
292293
| | April 2025 | static linker requirements on veneers |
293294
| | | when BTI guarded pages are used. |
295+
| | | - Added section for structure protection|
296+
| | | extension relocations. |
294297
+---------------+--------------------+-----------------------------------------+
295298

296299
References
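Review bot: the changelog entry only says "Added section for structure protection extension relocations"; the ABI-visible part of this change is the allocation of relocation codes 316 (``R_AARCH64_PATCHINST``) and 317 (``R_AARCH64_FUNCINIT64``) and the new ``FUNCINIT`` operator, which readers scanning the change history for code allocations will want to see. Suggest extending the row to name the two relocations, e.g. "- Added structure protection extension relocations R_AARCH64_PATCHINST (316) and R_AARCH64_FUNCINIT64 (317)."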
@@ -300,31 +303,33 @@ This document refers to, or is referred to by, the following documents.
300303

301304
.. table::
302305

303-
+------------------------------+----------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
304-
| Ref | External reference or URL | Title |
305-
+==============================+==============================================================================================+=============================================================================+
306-
| AAELF64 | Source for this document | ELF for the Arm 64-bit Architecture (AArch64). |
307-
+------------------------------+----------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
308-
| AAPCS64_ | IHI 0055 | Procedure Call Standard for the Arm 64-bit Architecture |
309-
+------------------------------+----------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
310-
| Addenda32_ | IHI 0045 | Addenda to, and Errata in, the ABI for the Arm Architecture |
311-
+------------------------------+----------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
312-
| PAuthABIELF64_ | pauthabielf64 | PAuth Extension to ELF for the Arm 64-bit Architecture |
313-
+------------------------------+----------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
314-
| LSB_ | http://www.linuxbase.org/ | Linux Standards Base |
315-
+------------------------------+----------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
316-
| SCO-ELF_ | http://www.sco.com/developers/gabi/ | System V Application Binary Interface – DRAFT |
317-
+------------------------------+----------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
318-
| LINUX_ABI_ | https://github.com/hjl-tools/linux-abi/wiki | Linux Extensions to gABI |
319-
+------------------------------+----------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
320-
| SYM-VER_ | http://people.redhat.com/drepper/symbol-versioning | GNU Symbol Versioning |
321-
+------------------------------+----------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
322-
| TLSDESC_ | http://www.fsfla.org/~lxoliva/writeups/TLS/paper-lk2006.pdf | TLS Descriptors for Arm. Original proposal document |
323-
+------------------------------+----------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
324-
| MTEEXTENSIONS_ | https://www.kernel.org/doc/html/latest/arm64/memory-tagging-extension.html#core-dump-support | Linux Kernel MTE core dump format |
325-
+------------------------------+----------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
326-
| SYSVABI64_ | sysvabi64 | System V Application Binary Interface (ABI) for the Arm 64-bit Architecture |
327-
+------------------------------+----------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
306+
+----------------+---------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
307+
| Ref | External reference or URL | Title |
308+
+================+===================================================================================================+=============================================================================+
309+
| AAELF64 | Source for this document | ELF for the Arm 64-bit Architecture (AArch64). |
310+
+----------------+---------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
311+
| AAPCS64_ | IHI 0055 | Procedure Call Standard for the Arm 64-bit Architecture |
312+
+----------------+---------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
313+
| Addenda32_ | IHI 0045 | Addenda to, and Errata in, the ABI for the Arm Architecture |
314+
+----------------+---------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
315+
| PAuthABIELF64_ | pauthabielf64 | PAuth Extension to ELF for the Arm 64-bit Architecture |
316+
+----------------+---------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
317+
| LSB_ | http://www.linuxbase.org/ | Linux Standards Base |
318+
+----------------+---------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
319+
| SCO-ELF_ | http://www.sco.com/developers/gabi/ | System V Application Binary Interface – DRAFT |
320+
+----------------+---------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
321+
| LINUX_ABI_ | https://github.com/hjl-tools/linux-abi/wiki | Linux Extensions to gABI |
322+
+----------------+---------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
323+
| STRUCTPROT_ | https://discourse.llvm.org/t/rfc-structure-protection-a-family-of-uaf-mitigation-techniques/85555 | Structure Field Protection |
324+
+----------------+---------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
325+
| SYM-VER_ | http://people.redhat.com/drepper/symbol-versioning | GNU Symbol Versioning |
326+
+----------------+---------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
327+
| TLSDESC_ | http://www.fsfla.org/~lxoliva/writeups/TLS/paper-lk2006.pdf | TLS Descriptors for Arm. Original proposal document |
328+
+----------------+---------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
329+
| MTEEXTENSIONS_ | https://www.kernel.org/doc/html/latest/arm64/memory-tagging-extension.html#core-dump-support | Linux Kernel MTE core dump format |
330+
+----------------+---------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
331+
| SYSVABI64_ | sysvabi64 | System V Application Binary Interface (ABI) for the Arm 64-bit Architecture |
332+
+----------------+---------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+
328333

329334
Terms and abbreviations
330335
-----------------------
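Review bot: the title in the new row, "Structure Field Protection", does not match the name used in the new section heading and body, "Structure Protection Extension", which will make the reference harder to find; pick one form and use it in both places. Separately, widening the ``Ref`` column rewrites every existing row of the table to add a single entry, so the diff carries 25 whitespace-only line changes; if the table were regenerated with the original column widths (``STRUCTPROT_`` fits in the existing 30-character column) the change would reduce to the one added row plus its separator line, which is much easier to review and to bisect later.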
@@ -1778,6 +1783,68 @@ The ``PAUTH`` and ``ENCD`` operators are defined in `PAUTHABIELF64`_.
17781783
| 597 | \- | R\_AARCH64\_AUTH\_TLSDESC\_ADD\_LO12 | G(ENCD(GTLSDESC(S))) | See `PAUTHABIELF64`_ |
17791784
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
17801785

1786+
Relocations for Structure Protection Extension
1787+
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1788+
1789+
The Structure Protection Extension defines a number of static
1790+
relocations. The Structure Protection Extension is described in
1791+
[STRUCTPROT_]. The Structure Protection Extension is in Alpha state.
1792+
1793+
The structure protection relocations use the following additional operator:
1794+
1795+
- ``FUNCINIT(S + A)`` The place is relocated at run-time with a ``R_AARCH64_IRELATIVE`` relocation with no referenced symbol and the value of S + A in the addend field.
1796+
1797+
.. class:: structure-protection-instruction-relocations
1798+
1799+
.. table:: Structure Protection Instruction Relocations
1800+
1801+
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
1802+
| ELF64 Code | ELF32 Code | Name | Operation | Comment |
1803+
+============+============+========================================+======================================+======================+
1804+
| 316 | \- | R\_AARCH64\_PATCHINST | S + A | See below |
1805+
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
1806+
1807+
The referenced symbol for ``R_AARCH64_PATCHINST`` must either be
1808+
undefined, or have section index ``SHN_ABS``. If the referenced symbol
1809+
is undefined the relocation has no effect, otherwise write bits [31:0]
1810+
of X at 4 byte-aligned place P. Check that 0 <= X < 2\ :sup:`32`.
1811+
1812+
``R_AARCH64_PATCHINST`` may occur at the same offset as another
1813+
relocation, for example when patching a branch and link instruction
1814+
with its associated ``R_AARCH64_CALL26`` relocation. The object
1815+
producer is responsible for ordering ``R_AARCH64_PATCHINST`` after all
1816+
other non ``R_AARCH64_PATCHINST`` relocations at the same
1817+
``r_offset``. The ``R_AARCH64_PATCHINST`` relocation always starts a
1818+
new relocation composition sequence.
1819+
1820+
The requirements for a static linker that supports
1821+
``R_AARCH64_PATCHINST`` are limited to resolving the relocation. All
1822+
other static linker processing of relocations such as `Call and jump
1823+
relocations`_, `Program Linkage Table (PLT) Sequences and Usage
1824+
Models`_ and `Relocation optimization`_ may ignore
1825+
``R_AARCH64_PATCHINST``.
1826+
1827+
The intended use case for ``R_AARCH64_PATCHINST`` is to replace
1828+
an instruction with a ``NOP``. Uses of the relocation for
1829+
other instructions is limited to what can be constructed with ``S +
1830+
A``. Responsibility for using ``R_AARCH64_PATCHINST`` outside of the
1831+
Structure Protection Extension is out of scope of the ABI.
1832+
1833+
.. class:: structure-protection-data-relocations
1834+
1835+
.. table:: Structure Protection Data Relocations
1836+
1837+
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
1838+
| ELF64 Code | ELF32 Code | Name | Operation | Comment |
1839+
+============+============+========================================+======================================+======================+
1840+
| 317 | \- | R\_AARCH64\_FUNCINIT64 | FUNCINIT(S + A) | See below |
1841+
+------------+------------+----------------------------------------+--------------------------------------+----------------------+
1842+
1843+
The ``R_AARCH64_FUNCINIT64`` referenced symbol must be a function that
1844+
does not have a type of ``STT_GNU_IFUNC``. The referenced symbol must
1845+
be non-pre-emptible and have an address that is known at static link
1846+
time.
1847+
17811848
Dynamic relocations
17821849
^^^^^^^^^^^^^^^^^^^
17831850

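Review bot: the ``R_AARCH64_PATCHINST`` text says the referenced symbol "must either be undefined, or have section index ``SHN_ABS``" and that an undefined symbol makes the relocation a no-op, but it does not say what binding an undefined reference must have; for a ``STB_GLOBAL`` undefined symbol a static linker would normally report an unresolved symbol, so the text should state explicitly either that the reference must be ``STB_WEAK`` or that an undefined non-weak reference from ``R_AARCH64_PATCHINST`` must not be reported as an error. Related points in the same hunk: (1) when ``R_AARCH64_PATCHINST`` shares an ``r_offset`` with another relocation such as ``R_AARCH64_CALL26``, the paragraph on ordering implies that the earlier result is overwritten, but it would help to say so directly, and to say that any PLT entry or veneer created for the earlier relocation is still permitted (it just becomes unreachable); (2) "Uses of the relocation for other instructions is limited" should read "are limited"; (3) the ``R_AARCH64_FUNCINIT64`` paragraph gives constraints on the symbol but not on the place: the other 64-bit data relocations in this document specify the size written and the alignment of P, and since the ``R_AARCH64_IRELATIVE`` is resolved by the loader the place must also be in a writable (or RELRO) section, which is worth stating; (4) the ``FUNCINIT`` operator describes the dynamic case only, so please add a sentence on the expected behaviour for a fully static executable with no dynamic section, where ``R_AARCH64_IRELATIVE`` entries are processed by the C runtime startup rather than by ``ld.so``.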