From: Mark Kettenis <mark.kettenis@xs4all.nl>
To: yao@codesourcery.com
Cc: gdb-patches@sourceware.org
Subject: Re: [PATCH 0/7 V2] Trust readonly sections if target has memory protection
Date: Thu, 12 Sep 2013 09:49:00 -0000 [thread overview]
Message-ID: <201309120949.r8C9nFsJ016506@glazunov.sibelius.xs4all.nl> (raw)
In-Reply-To: <52317B66.3020602@codesourcery.com> (message from Yao Qi on Thu, 12 Sep 2013 16:29:26 +0800)
> Date: Thu, 12 Sep 2013 16:29:26 +0800
> From: Yao Qi <yao@codesourcery.com>
>
> On 09/10/2013 12:05 PM, Yao Qi wrote:
> >> Even on systems that have an MMU that can mark pages read-only, system
> >> >calls like mprotect(2) can be used to make read-only pages
> >> >(temporarily) writable. This is done by the OpenBSD dynamic linker
> >> >during relocation processing. I expect other systems implementing
> >> >strict W^X to do the same. Enabling trust-readonly-sections on such
> >> >systems would be a bad idea.
> > If GDB can monitor mprotect syscall, it can still trust readonly
> > sections if their pages are not changed to writable by mprotect.
> >
> > GDB is able to 'catch syscall mprotect', only on linux-nat
> > unfortunately. It doesn't work on remote target
> >
> > "catch syscall" support in the remote protocol
> > https://sourceware.org/bugzilla/show_bug.cgi?id=13585
> >
> > Similarly, GDB can monitor function VirtualProtect on Windows target
> > too.
>
> Do we have a concrete criteria to reject or accept this patch series?
> I need this to plan for my next step. Here are some possibilities in
> my brain,
>
> 1. This series is rejected because GDB is incorrect when program uses
> mprotect and change some readonly pages, unless....
I'm certainly not outright rejecting it. But you'll certainly need to
rethink in which contexts it is safe/acceptable that "auto" actually
turns on the trust-readonly-sections feature. That decision should
probably be done on a per-architecture, per-OS basis, and only for
remote debugging.
> 2. ... GDB is able to monitor syscall mprotect, and trust readonly
> sections if they are still readonly in the process's space.
Of course monitoring syscalls comes with a performance penalty as
well. Worse, it will affect the timing of the program you're
debugging, so turning it on by default would probably be a seriously
bad idea unless you can intercept "just" the mprotect syscalls.
> 3. This series can be accepted. I am wondering how popular that user
> program modifies readonly sections in process space by mprotect. Do we
> really sacrifice the performance of GDB in some common cases, like
> remote debugging, for this corner case? I'd like to add doc for the
> case using mprotect and remind user to turn trust-readonly-sections off
> by him/her self.
It will happen for *any* dynamically linked binary on OpenBSD. I
expect the same to be true for many security-enhanced Linux variants.
But running strace on a randomly chosen binary from Ubuntu 10.4
suggests its not common there. There are a couple of mprotect calls,
but none that add PROT_WRITE permission.
Personally, I think trust-readonly-sections remains a dangerous
feature that should only be enabled by people who know what they're
doing. Having GDB print values for variables that are different from
what the program itself is actually seeing would be very frustrating
and potentially waste a lot of my time. But I only really care about
native debugging.
next prev parent reply other threads:[~2013-09-12 9:49 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-06 2:03 [PATCH 0/3] " Yao Qi
2013-09-06 2:03 ` [PATCH 1/3] set trust-readonly-sections off in test cases Yao Qi
2013-09-06 5:56 ` Eli Zaretskii
2013-09-06 17:23 ` Pedro Alves
2013-09-06 2:03 ` [PATCH 2/3] Trust readonly sections if target has memory protection Yao Qi
2013-09-06 6:05 ` Eli Zaretskii
2013-09-06 9:07 ` Yao Qi
2013-09-06 9:24 ` Eli Zaretskii
2013-09-06 2:03 ` [PATCH 3/3] Linux " Yao Qi
2013-09-06 5:57 ` [PATCH 0/3] Trust readonly sections if target " Eli Zaretskii
2013-09-06 8:24 ` Yao Qi
2013-09-06 8:45 ` Eli Zaretskii
2013-09-06 13:03 ` Joel Brobecker
2013-09-06 13:27 ` Yao Qi
2013-09-06 13:32 ` Eli Zaretskii
2013-09-06 14:17 ` Pierre Muller
[not found] ` <"000d01ceab0b$d53ae600$7fb0b200$@muller"@ics-cnrs.unistra.fr>
2013-09-06 14:38 ` Eli Zaretskii
2013-09-06 14:52 ` Joel Brobecker
2013-09-06 15:56 ` Eli Zaretskii
2013-09-06 18:10 ` Joel Brobecker
2013-09-06 18:36 ` Eli Zaretskii
2013-09-06 13:00 ` Joel Brobecker
2013-09-08 12:04 ` [PATCH 0/7 V2] " Yao Qi
2013-09-08 12:04 ` [PATCH 1/7] Emit a warning when writing to a readonly section and trust_readonly is true Yao Qi
2013-09-08 15:10 ` Eli Zaretskii
2013-09-08 12:05 ` [PATCH 5/7] DOC and NEWS Yao Qi
2013-09-08 12:05 ` [PATCH 6/7] Linux has memory protection Yao Qi
2013-09-08 12:05 ` [PATCH 4/7] Trust readonly sections if target " Yao Qi
2013-09-08 15:13 ` Eli Zaretskii
2013-09-09 7:49 ` Yao Qi
2013-09-09 16:25 ` Eli Zaretskii
2013-09-08 12:05 ` [PATCH 3/7] New function windows_init_abi Yao Qi
2013-09-08 12:05 ` [PATCH 7/7] Windows has memory protection Yao Qi
2013-09-08 12:05 ` [PATCH 2/7] set trust-readonly-sections off in test cases Yao Qi
2013-09-09 19:16 ` [PATCH 0/7 V2] Trust readonly sections if target has memory protection Mark Kettenis
2013-09-10 4:06 ` Yao Qi
2013-09-12 8:30 ` Yao Qi
2013-09-12 9:49 ` Mark Kettenis [this message]
2013-09-13 8:17 ` Yao Qi
2013-09-30 17:50 ` Pedro Alves
2013-09-30 18:08 ` Pedro Alves
2013-10-07 22:29 ` Stan Shebs
2013-10-08 12:18 ` Pedro Alves
2013-10-08 12:47 ` Abid, Hafiz
2013-10-08 13:36 ` tmirza
2013-10-09 2:24 ` Doug Evans
2013-10-23 10:16 ` Yao Qi
2013-10-15 0:44 ` Yao Qi
2013-09-20 2:47 ` [PATCH 0/7 V3] " Yao Qi
2013-09-20 2:47 ` [PATCH 3/7] New function windows_init_abi Yao Qi
2013-09-30 18:23 ` Pedro Alves
2013-10-01 6:47 ` Yao Qi
2013-10-01 9:35 ` Pedro Alves
2013-10-01 13:23 ` Yao Qi
2013-09-20 2:47 ` [PATCH 5/7] DOC and NEWS Yao Qi
2013-09-20 8:21 ` Eli Zaretskii
2013-09-20 2:47 ` [PATCH 2/7] set trust-readonly-sections off in test cases Yao Qi
2013-09-20 2:47 ` [PATCH 6/7] Linux has memory protection Yao Qi
2013-09-20 2:47 ` [PATCH 4/7] Trust readonly sections if target has memory protection and in remote debugging Yao Qi
2013-09-20 2:47 ` [PATCH 7/7] Windows has memory protection Yao Qi
2013-09-20 2:47 ` [PATCH 1/7] Emit a query when writing to a readonly section and trust_readonly is true Yao Qi
2013-09-29 13:51 ` [PATCH 0/7 V3] Trust readonly sections if target has memory protection Yao Qi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201309120949.r8C9nFsJ016506@glazunov.sibelius.xs4all.nl \
--to=mark.kettenis@xs4all.nl \
--cc=gdb-patches@sourceware.org \
--cc=yao@codesourcery.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox