Remove fdelt_chk back-compat code and sanity check

fanquake commented at 8:43 am on May 4, 2020: member

https://github.com/bitcoin/bitcoin/commit/ae30d40e50e9d63d875d29d54d22147b09fc420c The return type of fdelt_chk changed from unsigned long int to long int in glibc 2.16. See this commit. Now that we require glibc >=2.17 we can remove our back-compat code.

https://github.com/bitcoin/bitcoin/commit/ab7bce584ae02bf25e2e91aa54f9b0249427127d While looking at the above changes, I noticed that our glibc fdelt sanity check doesn’t seem to be checking anything. fdelt_warn() also isn’t something we’d want to actually “trigger” at runtime, as doing so would cause bitcoind to abort.

The comments:

// trigger: Call FD_SET to trigger __fdelt_chk. FORTIFY_SOURCE must be defined // as >0 and optimizations must be set to at least -O2.

suggest calling FD_SET to check the invocation of fdelt_chk (this is aliased with fdelt_warn in glibc). However just calling FD_SET() will not necessarily cause the compiler to insert a call to fd_warn().

Whether or not GCC (recent Clang should work, but may use different heuristics) inserts a call to fdelt_warn() depends on if the compiler can determine if the value passed in is a compile time constant (using __builtin_constant_p) and whether the value is < 0 or >= FD_SETSIZE. The glibc implementation is here. This means our check should never cause a call to be inserted.

Compiling master without --glibc-back-compat (if you do pass --glibc-back-compat the outcome is still the same; however the abort will only happen with >=FD_SETSIZE as that is what our fdelt_warn() checks for), there are no calls to fdelt_warn() inserted by the compiler:

 0objdump -dC bitcoind | grep sanity_fdelt
 1...
 20000000000399d20 <sanity_test_fdelt()>:
 3  399d20:       48 81 ec 98 00 00 00    sub    $0x98,%rsp
 4  399d27:       b9 10 00 00 00          mov    $0x10,%ecx
 5  399d2c:       64 48 8b 04 25 28 00    mov    %fs:0x28,%rax
 6  399d33:       00 00
 7  399d35:       48 89 84 24 88 00 00    mov    %rax,0x88(%rsp)
 8  399d3c:       00
 9  399d3d:       31 c0                   xor    %eax,%eax
10  399d3f:       48 89 e7                mov    %rsp,%rdi
11  399d42:       fc                      cld
12  399d43:       f3 48 ab                rep stos %rax,%es:(%rdi)
13  399d46:       48 8b 84 24 88 00 00    mov    0x88(%rsp),%rax
14  399d4d:       00
15  399d4e:       64 48 33 04 25 28 00    xor    %fs:0x28,%rax
16  399d55:       00 00
17  399d57:       75 0d                   jne    399d66 <sanity_test_fdelt()+0x46>
18  399d59:       b8 01 00 00 00          mov    $0x1,%eax
19  399d5e:       48 81 c4 98 00 00 00    add    $0x98,%rsp
20  399d65:       c3                      retq
21  399d66:       e8 85 df c8 ff          callq  27cf0 <__stack_chk_fail@plt>
22  399d6b:       0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)

If you modify the sanity test to pass -1 or FD_SETSIZE to FD_SET, you’ll see calls to fdelt_warn inserted, and the runtime behaviour is an abort as expected.

 0diff --git a/src/compat/glibc_sanity_fdelt.cpp b/src/compat/glibc_sanity_fdelt.cpp
 1index 87140d0c7..16974bfa0 100644
 2--- a/src/compat/glibc_sanity_fdelt.cpp
 3+++ b/src/compat/glibc_sanity_fdelt.cpp
 4@@ -20,7 +20,7 @@ bool sanity_test_fdelt()
 5 {
 6     fd_set fds;
 7     FD_ZERO(&fds);
 8-    FD_SET(0, &fds);
 9+    FD_SET(FD_SETSIZE, &fds);
10     return FD_ISSET(0, &fds);
11 }
12 #endif

 00000000000399d20 <sanity_test_fdelt()>:
 1  399d20:	48 81 ec 98 00 00 00 	sub    $0x98,%rsp
 2  399d27:	b9 10 00 00 00       	mov    $0x10,%ecx
 3  399d2c:	64 48 8b 04 25 28 00 	mov    %fs:0x28,%rax
 4  399d33:	00 00 
 5  399d35:	48 89 84 24 88 00 00 	mov    %rax,0x88(%rsp)
 6  399d3c:	00 
 7  399d3d:	31 c0                	xor    %eax,%eax
 8  399d3f:	48 89 e7             	mov    %rsp,%rdi
 9  399d42:	fc                   	cld    
10  399d43:	f3 48 ab             	rep stos %rax,%es:(%rdi)
11  399d46:	48 c7 c7 ff ff ff ff 	mov    $0xffffffffffffffff,%rdi
12  399d4d:	e8 3e ff ff ff       	callq  399c90 <__fdelt_warn>
13  399d52:	0f b6 04 24          	movzbl (%rsp),%eax
14  399d56:	83 e0 01             	and    $0x1,%eax
15  399d59:	48 8b 94 24 88 00 00 	mov    0x88(%rsp),%rdx
16  399d60:	00 
17  399d61:	64 48 33 14 25 28 00 	xor    %fs:0x28,%rdx
18  399d68:	00 00 
19  399d6a:	75 08                	jne    399d74 <sanity_test_fdelt()+0x54>
20  399d6c:	48 81 c4 98 00 00 00 	add    $0x98,%rsp
21  399d73:	c3                   	retq   
22  399d74:	e8 77 df c8 ff       	callq  27cf0 <__stack_chk_fail@plt>
23  399d79:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)

0src/bitcoind
1*** buffer overflow detected ***: src/bitcoind terminated
2Aborted

I think the test should should be removed and replaced (if possible) with additional checks in security-check.py. I was thinking about adding a version of this script as part of the output, but that needs more thought. I’ll address this in a follow up.

fanquake added the label Build system on May 4, 2020

fanquake added the label Needs gitian build on May 4, 2020

fanquake added the label Needs Guix build on May 4, 2020

laanwj commented at 2:35 pm on May 4, 2020: member

ACK if this passes the gitian build. This was a backward compatibility function for compatibility with old libc, it (including its sanity check) might no longer be needed.

DrahtBot commented at 4:53 pm on May 4, 2020: member

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

No conflicts as of last run.

DrahtBot commented at 1:29 pm on May 6, 2020: member

Gitian builds

File	commit fbd522721cb89ef0efea0c1bc912c00b268d1c2a(master)	commit a8f87e2400c23dc862c5f1a7417a9c9a9200acc3(master and this pull)
bitcoin-core-linux-0.21-res.yml	`d8ca613a4fe8256a...`	`66b1e92f64772166...`
bitcoin-core-osx-0.21-res.yml	`d8e9784290b7e11a...`	`2f2807a25eaf1e26...`
bitcoin-core-win-0.21-res.yml	`9fbe5a1f58d3ebbc...`	`6b437ebf7c2ebb93...`
*-aarch64-linux-gnu-debug.tar.gz	`68a9a39ec36cbed2...`	`f0f5a39378eeb454...`
*-aarch64-linux-gnu.tar.gz	`c4c9d98c18ac8d69...`	`69dd0f00253925c2...`
*-arm-linux-gnueabihf-debug.tar.gz	`040c0a4971178429...`	`86cf4f82c0906a46...`
*-arm-linux-gnueabihf.tar.gz	`9a9b2af69edf6221...`	`2832611bc2f79a95...`
*-osx-unsigned.dmg	`5aa18c88ffc0c32c...`	`c0af112da3ddf808...`
*-osx64.tar.gz	`2c777921c43fd9b4...`	`1500443cda24e6cd...`
*-riscv64-linux-gnu-debug.tar.gz	`0ebf3ca4d2b52400...`	`9b9860f10c54832a...`
*-riscv64-linux-gnu.tar.gz	`22dfb6bf774fd577...`	`045401d434f89ec8...`
*-win64-debug.zip	`657e164c6335053a...`	`2e6edcd25d2690d5...`
*-win64-setup-unsigned.exe	`316100ef42f12b7a...`	`85f72f620fd94bdb...`
*-win64.zip	`f91651bea4685766...`	`bcefa86df0e9d7d2...`
*-x86_64-linux-gnu-debug.tar.gz	`617fd73aed93ec87...`	`65081f23d8331ef5...`
*-x86_64-linux-gnu.tar.gz	`a995ec2a7729141c...`	`768513cf891cf4bb...`
*.tar.gz	`c52ade0f24a7225e...`	`1a1432caac80b3d1...`
linux-build.log	`b0ce0d32e6daf419...`	`f057d1172be548e4...`
osx-build.log	`af7f743adb7be8ea...`	`cbeaeca97cef3c6f...`
win-build.log	`b421925d0046eb64...`	`f62ef987fabbf2f8...`
bitcoin-core-linux-0.21-res.yml.diff		`24ec6963e24f3e1c...`
bitcoin-core-osx-0.21-res.yml.diff		`15f7bed2cdc2efb4...`
bitcoin-core-win-0.21-res.yml.diff		`80190b52cb0d6656...`
linux-build.log.diff		`9e7b4dba9347053a...`
osx-build.log.diff		`6535c50b65f84929...`
win-build.log.diff		`9c6269796e068ef4...`

DrahtBot removed the label Needs gitian build on May 6, 2020

DrahtBot commented at 1:48 pm on May 6, 2020: member

🐙 This pull request conflicts with the target branch and needs rebase.

DrahtBot added the label Needs rebase on May 6, 2020

build: remove fdelt_chk backwards compatibility code

Now that we require glibc 2.17 or later, we no longer need to check for
different return types in fdelt_chk. It was changed from unsigned long
int to long int in glibc 2.16 . See this commit:
https://sourceware.org/git/?p=glibc.git;a=commit;h=ceb9e56b3d1f8c1922e0526c2e841373843460e2
and related issue:
https://sourceware.org/bugzilla/show_bug.cgi?id=14210.

8bf1540cc2

test: remove glibc fdelt sanity check

As is, this sanity check doesn't seem to be testing fdelt_chk, because
passing a value of "0" to FD_SET wont cause the compiler to insert any
calls to fdelt_chk().

The documentation is a little misleading. If we actually triggered fdelt_chk
at runtime, bitcoind would abort. I think this check would be better replaced
(if possible) by additional checks in security-check.py.

The compiler may insert a call to fdelt_warn() (aliased with fdelt_chk
in glibc) at compile time if it can determine that an invalid value is
being passed to FD_SET.

These checks are essentially; value < 0 or value >= FD_SETSIZE along
with a check for wether the value is a compile time constant.

If the compiler can determine an invalid value is being passed, a call
to fdelt_warn will be inserted. Passing 0 should never cause a call to
be inserted.

You can check this after compiling:
```bash
objdump -dC bitcoind | grep sanity_fdelt
...
0000000000399d20 <sanity_test_fdelt()>:
  399d20:	48 81 ec 98 00 00 00 	sub    $0x98,%rsp
  399d27:	b9 10 00 00 00       	mov    $0x10,%ecx
  399d2c:	64 48 8b 04 25 28 00 	mov    %fs:0x28,%rax
  399d33:	00 00
  399d35:	48 89 84 24 88 00 00 	mov    %rax,0x88(%rsp)
  399d3c:	00
  399d3d:	31 c0                	xor    %eax,%eax
  399d3f:	48 89 e7             	mov    %rsp,%rdi
  399d42:	fc                   	cld
  399d43:	f3 48 ab             	rep stos %rax,%es:(%rdi)
  399d46:	48 8b 84 24 88 00 00 	mov    0x88(%rsp),%rax
  399d4d:	00
  399d4e:	64 48 33 04 25 28 00 	xor    %fs:0x28,%rax
  399d55:	00 00
  399d57:	75 0d                	jne    399d66 <sanity_test_fdelt()+0x46>
  399d59:	b8 01 00 00 00       	mov    $0x1,%eax
  399d5e:	48 81 c4 98 00 00 00 	add    $0x98,%rsp
  399d65:	c3                   	retq
  399d66:	e8 85 df c8 ff       	callq  27cf0 <__stack_chk_fail@plt>
  399d6b:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)

```

To test, you could modify this test to pass -1 to FD_SET, and check
that a call to fdelt_warn() is inserted, and that running bitcoind
fails. i.e:

```bash
0000000000399d20 <sanity_test_fdelt()>:
  399d20:	48 81 ec 98 00 00 00 	sub    $0x98,%rsp
  399d27:	b9 10 00 00 00       	mov    $0x10,%ecx
  399d2c:	64 48 8b 04 25 28 00 	mov    %fs:0x28,%rax
  399d33:	00 00
  399d35:	48 89 84 24 88 00 00 	mov    %rax,0x88(%rsp)
  399d3c:	00
  399d3d:	31 c0                	xor    %eax,%eax
  399d3f:	48 89 e7             	mov    %rsp,%rdi
  399d42:	fc                   	cld
  399d43:	f3 48 ab             	rep stos %rax,%es:(%rdi)
  399d46:	48 c7 c7 ff ff ff ff 	mov    $0xffffffffffffffff,%rdi
  399d4d:	e8 3e ff ff ff       	callq  399c90 <__fdelt_warn>
  399d52:	0f b6 04 24          	movzbl (%rsp),%eax
  399d56:	83 e0 01             	and    $0x1,%eax
  399d59:	48 8b 94 24 88 00 00 	mov    0x88(%rsp),%rdx
  399d60:	00
  399d61:	64 48 33 14 25 28 00 	xor    %fs:0x28,%rdx
  399d68:	00 00
  399d6a:	75 08                	jne    399d74 <sanity_test_fdelt()+0x54>
  399d6c:	48 81 c4 98 00 00 00 	add    $0x98,%rsp
  399d73:	c3                   	retq
  399d74:	e8 77 df c8 ff       	callq  27cf0 <__stack_chk_fail@plt>
  399d79:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)

```

```bash
./src/bitcoind
*** buffer overflow detected ***: src/bitcoind terminated
Aborted
```

df6bde031b

fanquake force-pushed on May 7, 2020

fanquake removed the label Needs rebase on May 7, 2020

DrahtBot commented at 7:40 pm on May 9, 2020: member

Guix builds

File	commit f54753293fe7355e4280944d766f22054b560ba1(master)	commit fc2dcbad222723476dbe951480005f519e7b0d9b(master and this pull)
*-aarch64-linux-gnu-debug.tar.gz	`d5006db2694bec1b...`	`d05e1c4eaef07582...`
*-aarch64-linux-gnu.tar.gz	`0afefe2db48f05dc...`	`dfdc8f189bc78d3a...`
*-arm-linux-gnueabihf-debug.tar.gz	`04a8d59114298233...`	`2dfca6cdefe4b983...`
*-arm-linux-gnueabihf.tar.gz	`211f51d96261451c...`	`c295944554e5c51f...`
*-riscv64-linux-gnu-debug.tar.gz	`445f037907a24424...`	`4aa26c98c23fe03d...`
*-riscv64-linux-gnu.tar.gz	`b2015050299c1a4b...`	`1a822e3d4db0ce92...`
*-win-unsigned.tar.gz	`9438cf09ce3d4397...`	`b1051f8980380dea...`
*-win64-debug.zip	`dce64611fca35d1b...`	`08b0bedf15bc0c22...`
*-win64-setup-unsigned.exe	`6e0d3c918efc06dd...`	`25d0d2961875d974...`
*-win64.zip	`1a26dc815a5e2126...`	`40cb6263b002b3ed...`
*-x86_64-linux-gnu-debug.tar.gz	`d0b621fb9a721aba...`	`61a077170d2c8ea2...`
*-x86_64-linux-gnu.tar.gz	`2c527d43a27c956e...`	`ede902a3966fe95e...`
*.tar.gz	`cc9ae34886e9e8d1...`	`7aca3aefd2b4495b...`
guix_build.log	`7af6197133c336db...`	`46b70ee92ab25d34...`
guix_build.log.diff		`cf71d876f8eb7dc2...`

DrahtBot removed the label Needs Guix build on May 9, 2020

laanwj commented at 2:11 pm on May 13, 2020: member

ACK df6bde031b24112abf3a94337a2c096698acde6e

laanwj merged this on May 13, 2020

laanwj closed this on May 13, 2020

fanquake deleted the branch on May 13, 2020

sidhujag referenced this in commit f2791f758f on May 14, 2020

deadalnix referenced this in commit 5c0e43d97c on Jun 4, 2020

DrahtBot locked this on Feb 15, 2022

Remove fdelt_chk back-compat code and sanity check #18862

Conflicts

Gitian builds

Guix builds