Remove fdelt_chk back-compat code and sanity check #18862

pull fanquake wants to merge 2 commits into bitcoin:master from fanquake:remove_fdelt_chk_back_compat changing 6 files +2 −100
  1. fanquake commented at 8:43 am on May 4, 2020: member

    https://github.com/bitcoin/bitcoin/commit/ae30d40e50e9d63d875d29d54d22147b09fc420c The return type of fdelt_chk changed from unsigned long int to long int in glibc 2.16. See this commit. Now that we require glibc >=2.17 we can remove our back-compat code.

    https://github.com/bitcoin/bitcoin/commit/ab7bce584ae02bf25e2e91aa54f9b0249427127d While looking at the above changes, I noticed that our glibc fdelt sanity check doesn’t seem to be checking anything. fdelt_warn() also isn’t something we’d want to actually “trigger” at runtime, as doing so would cause bitcoind to abort.

    The comments:

    // trigger: Call FD_SET to trigger __fdelt_chk. FORTIFY_SOURCE must be defined // as >0 and optimizations must be set to at least -O2.

    suggest calling FD_SET to check the invocation of fdelt_chk (this is aliased with fdelt_warn in glibc). However just calling FD_SET() will not necessarily cause the compiler to insert a call to fd_warn().

    Whether or not GCC (recent Clang should work, but may use different heuristics) inserts a call to fdelt_warn() depends on if the compiler can determine if the value passed in is a compile time constant (using __builtin_constant_p) and whether the value is < 0 or >= FD_SETSIZE. The glibc implementation is here. This means our check should never cause a call to be inserted.

    Compiling master without --glibc-back-compat (if you do pass --glibc-back-compat the outcome is still the same; however the abort will only happen with >=FD_SETSIZE as that is what our fdelt_warn() checks for), there are no calls to fdelt_warn() inserted by the compiler:

     0objdump -dC bitcoind | grep sanity_fdelt
     1...
     20000000000399d20 <sanity_test_fdelt()>:
     3  399d20:       48 81 ec 98 00 00 00    sub    $0x98,%rsp
     4  399d27:       b9 10 00 00 00          mov    $0x10,%ecx
     5  399d2c:       64 48 8b 04 25 28 00    mov    %fs:0x28,%rax
     6  399d33:       00 00
     7  399d35:       48 89 84 24 88 00 00    mov    %rax,0x88(%rsp)
     8  399d3c:       00
     9  399d3d:       31 c0                   xor    %eax,%eax
    10  399d3f:       48 89 e7                mov    %rsp,%rdi
    11  399d42:       fc                      cld
    12  399d43:       f3 48 ab                rep stos %rax,%es:(%rdi)
    13  399d46:       48 8b 84 24 88 00 00    mov    0x88(%rsp),%rax
    14  399d4d:       00
    15  399d4e:       64 48 33 04 25 28 00    xor    %fs:0x28,%rax
    16  399d55:       00 00
    17  399d57:       75 0d                   jne    399d66 <sanity_test_fdelt()+0x46>
    18  399d59:       b8 01 00 00 00          mov    $0x1,%eax
    19  399d5e:       48 81 c4 98 00 00 00    add    $0x98,%rsp
    20  399d65:       c3                      retq
    21  399d66:       e8 85 df c8 ff          callq  27cf0 <__stack_chk_fail@plt>
    22  399d6b:       0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
    

    If you modify the sanity test to pass -1 or FD_SETSIZE to FD_SET, you’ll see calls to fdelt_warn inserted, and the runtime behaviour is an abort as expected.

     0diff --git a/src/compat/glibc_sanity_fdelt.cpp b/src/compat/glibc_sanity_fdelt.cpp
     1index 87140d0c7..16974bfa0 100644
     2--- a/src/compat/glibc_sanity_fdelt.cpp
     3+++ b/src/compat/glibc_sanity_fdelt.cpp
     4@@ -20,7 +20,7 @@ bool sanity_test_fdelt()
     5 {
     6     fd_set fds;
     7     FD_ZERO(&fds);
     8-    FD_SET(0, &fds);
     9+    FD_SET(FD_SETSIZE, &fds);
    10     return FD_ISSET(0, &fds);
    11 }
    12 #endif
    
     00000000000399d20 <sanity_test_fdelt()>:
     1  399d20:	48 81 ec 98 00 00 00 	sub    $0x98,%rsp
     2  399d27:	b9 10 00 00 00       	mov    $0x10,%ecx
     3  399d2c:	64 48 8b 04 25 28 00 	mov    %fs:0x28,%rax
     4  399d33:	00 00 
     5  399d35:	48 89 84 24 88 00 00 	mov    %rax,0x88(%rsp)
     6  399d3c:	00 
     7  399d3d:	31 c0                	xor    %eax,%eax
     8  399d3f:	48 89 e7             	mov    %rsp,%rdi
     9  399d42:	fc                   	cld    
    10  399d43:	f3 48 ab             	rep stos %rax,%es:(%rdi)
    11  399d46:	48 c7 c7 ff ff ff ff 	mov    $0xffffffffffffffff,%rdi
    12  399d4d:	e8 3e ff ff ff       	callq  399c90 <__fdelt_warn>
    13  399d52:	0f b6 04 24          	movzbl (%rsp),%eax
    14  399d56:	83 e0 01             	and    $0x1,%eax
    15  399d59:	48 8b 94 24 88 00 00 	mov    0x88(%rsp),%rdx
    16  399d60:	00 
    17  399d61:	64 48 33 14 25 28 00 	xor    %fs:0x28,%rdx
    18  399d68:	00 00 
    19  399d6a:	75 08                	jne    399d74 <sanity_test_fdelt()+0x54>
    20  399d6c:	48 81 c4 98 00 00 00 	add    $0x98,%rsp
    21  399d73:	c3                   	retq   
    22  399d74:	e8 77 df c8 ff       	callq  27cf0 <__stack_chk_fail@plt>
    23  399d79:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
    
    0src/bitcoind
    1*** buffer overflow detected ***: src/bitcoind terminated
    2Aborted
    

    I think the test should should be removed and replaced (if possible) with additional checks in security-check.py. I was thinking about adding a version of this script as part of the output, but that needs more thought. I’ll address this in a follow up.

  2. fanquake added the label Build system on May 4, 2020
  3. fanquake added the label Needs gitian build on May 4, 2020
  4. fanquake added the label Needs Guix build on May 4, 2020
  5. laanwj commented at 2:35 pm on May 4, 2020: member
    ACK if this passes the gitian build. This was a backward compatibility function for compatibility with old libc, it (including its sanity check) might no longer be needed.
  6. DrahtBot commented at 4:53 pm on May 4, 2020: member

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Conflicts

    No conflicts as of last run.

  7. DrahtBot commented at 1:29 pm on May 6, 2020: member

    Gitian builds

    File commit fbd522721cb89ef0efea0c1bc912c00b268d1c2a(master) commit a8f87e2400c23dc862c5f1a7417a9c9a9200acc3(master and this pull)
    bitcoin-core-linux-0.21-res.yml d8ca613a4fe8256a... 66b1e92f64772166...
    bitcoin-core-osx-0.21-res.yml d8e9784290b7e11a... 2f2807a25eaf1e26...
    bitcoin-core-win-0.21-res.yml 9fbe5a1f58d3ebbc... 6b437ebf7c2ebb93...
    *-aarch64-linux-gnu-debug.tar.gz 68a9a39ec36cbed2... f0f5a39378eeb454...
    *-aarch64-linux-gnu.tar.gz c4c9d98c18ac8d69... 69dd0f00253925c2...
    *-arm-linux-gnueabihf-debug.tar.gz 040c0a4971178429... 86cf4f82c0906a46...
    *-arm-linux-gnueabihf.tar.gz 9a9b2af69edf6221... 2832611bc2f79a95...
    *-osx-unsigned.dmg 5aa18c88ffc0c32c... c0af112da3ddf808...
    *-osx64.tar.gz 2c777921c43fd9b4... 1500443cda24e6cd...
    *-riscv64-linux-gnu-debug.tar.gz 0ebf3ca4d2b52400... 9b9860f10c54832a...
    *-riscv64-linux-gnu.tar.gz 22dfb6bf774fd577... 045401d434f89ec8...
    *-win64-debug.zip 657e164c6335053a... 2e6edcd25d2690d5...
    *-win64-setup-unsigned.exe 316100ef42f12b7a... 85f72f620fd94bdb...
    *-win64.zip f91651bea4685766... bcefa86df0e9d7d2...
    *-x86_64-linux-gnu-debug.tar.gz 617fd73aed93ec87... 65081f23d8331ef5...
    *-x86_64-linux-gnu.tar.gz a995ec2a7729141c... 768513cf891cf4bb...
    *.tar.gz c52ade0f24a7225e... 1a1432caac80b3d1...
    linux-build.log b0ce0d32e6daf419... f057d1172be548e4...
    osx-build.log af7f743adb7be8ea... cbeaeca97cef3c6f...
    win-build.log b421925d0046eb64... f62ef987fabbf2f8...
    bitcoin-core-linux-0.21-res.yml.diff 24ec6963e24f3e1c...
    bitcoin-core-osx-0.21-res.yml.diff 15f7bed2cdc2efb4...
    bitcoin-core-win-0.21-res.yml.diff 80190b52cb0d6656...
    linux-build.log.diff 9e7b4dba9347053a...
    osx-build.log.diff 6535c50b65f84929...
    win-build.log.diff 9c6269796e068ef4...
  8. DrahtBot removed the label Needs gitian build on May 6, 2020
  9. DrahtBot commented at 1:48 pm on May 6, 2020: member

    🐙 This pull request conflicts with the target branch and needs rebase.

  10. DrahtBot added the label Needs rebase on May 6, 2020
  11. build: remove fdelt_chk backwards compatibility code
    Now that we require glibc 2.17 or later, we no longer need to check for
    different return types in fdelt_chk. It was changed from unsigned long
    int to long int in glibc 2.16 . See this commit:
    https://sourceware.org/git/?p=glibc.git;a=commit;h=ceb9e56b3d1f8c1922e0526c2e841373843460e2
    and related issue:
    https://sourceware.org/bugzilla/show_bug.cgi?id=14210.
    8bf1540cc2
  12. test: remove glibc fdelt sanity check
    As is, this sanity check doesn't seem to be testing fdelt_chk, because
    passing a value of "0" to FD_SET wont cause the compiler to insert any
    calls to fdelt_chk().
    
    The documentation is a little misleading. If we actually triggered fdelt_chk
    at runtime, bitcoind would abort. I think this check would be better replaced
    (if possible) by additional checks in security-check.py.
    
    The compiler may insert a call to fdelt_warn() (aliased with fdelt_chk
    in glibc) at compile time if it can determine that an invalid value is
    being passed to FD_SET.
    
    These checks are essentially; value < 0 or value >= FD_SETSIZE along
    with a check for wether the value is a compile time constant.
    
    If the compiler can determine an invalid value is being passed, a call
    to fdelt_warn will be inserted. Passing 0 should never cause a call to
    be inserted.
    
    You can check this after compiling:
    ```bash
    objdump -dC bitcoind | grep sanity_fdelt
    ...
    0000000000399d20 <sanity_test_fdelt()>:
      399d20:	48 81 ec 98 00 00 00 	sub    $0x98,%rsp
      399d27:	b9 10 00 00 00       	mov    $0x10,%ecx
      399d2c:	64 48 8b 04 25 28 00 	mov    %fs:0x28,%rax
      399d33:	00 00
      399d35:	48 89 84 24 88 00 00 	mov    %rax,0x88(%rsp)
      399d3c:	00
      399d3d:	31 c0                	xor    %eax,%eax
      399d3f:	48 89 e7             	mov    %rsp,%rdi
      399d42:	fc                   	cld
      399d43:	f3 48 ab             	rep stos %rax,%es:(%rdi)
      399d46:	48 8b 84 24 88 00 00 	mov    0x88(%rsp),%rax
      399d4d:	00
      399d4e:	64 48 33 04 25 28 00 	xor    %fs:0x28,%rax
      399d55:	00 00
      399d57:	75 0d                	jne    399d66 <sanity_test_fdelt()+0x46>
      399d59:	b8 01 00 00 00       	mov    $0x1,%eax
      399d5e:	48 81 c4 98 00 00 00 	add    $0x98,%rsp
      399d65:	c3                   	retq
      399d66:	e8 85 df c8 ff       	callq  27cf0 <__stack_chk_fail@plt>
      399d6b:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
    
    ```
    
    To test, you could modify this test to pass -1 to FD_SET, and check
    that a call to fdelt_warn() is inserted, and that running bitcoind
    fails. i.e:
    
    ```bash
    0000000000399d20 <sanity_test_fdelt()>:
      399d20:	48 81 ec 98 00 00 00 	sub    $0x98,%rsp
      399d27:	b9 10 00 00 00       	mov    $0x10,%ecx
      399d2c:	64 48 8b 04 25 28 00 	mov    %fs:0x28,%rax
      399d33:	00 00
      399d35:	48 89 84 24 88 00 00 	mov    %rax,0x88(%rsp)
      399d3c:	00
      399d3d:	31 c0                	xor    %eax,%eax
      399d3f:	48 89 e7             	mov    %rsp,%rdi
      399d42:	fc                   	cld
      399d43:	f3 48 ab             	rep stos %rax,%es:(%rdi)
      399d46:	48 c7 c7 ff ff ff ff 	mov    $0xffffffffffffffff,%rdi
      399d4d:	e8 3e ff ff ff       	callq  399c90 <__fdelt_warn>
      399d52:	0f b6 04 24          	movzbl (%rsp),%eax
      399d56:	83 e0 01             	and    $0x1,%eax
      399d59:	48 8b 94 24 88 00 00 	mov    0x88(%rsp),%rdx
      399d60:	00
      399d61:	64 48 33 14 25 28 00 	xor    %fs:0x28,%rdx
      399d68:	00 00
      399d6a:	75 08                	jne    399d74 <sanity_test_fdelt()+0x54>
      399d6c:	48 81 c4 98 00 00 00 	add    $0x98,%rsp
      399d73:	c3                   	retq
      399d74:	e8 77 df c8 ff       	callq  27cf0 <__stack_chk_fail@plt>
      399d79:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
    
    ```
    
    ```bash
    ./src/bitcoind
    *** buffer overflow detected ***: src/bitcoind terminated
    Aborted
    ```
    df6bde031b
  13. fanquake force-pushed on May 7, 2020
  14. fanquake removed the label Needs rebase on May 7, 2020
  15. DrahtBot commented at 7:40 pm on May 9, 2020: member

    Guix builds

    File commit f54753293fe7355e4280944d766f22054b560ba1(master) commit fc2dcbad222723476dbe951480005f519e7b0d9b(master and this pull)
    *-aarch64-linux-gnu-debug.tar.gz d5006db2694bec1b... d05e1c4eaef07582...
    *-aarch64-linux-gnu.tar.gz 0afefe2db48f05dc... dfdc8f189bc78d3a...
    *-arm-linux-gnueabihf-debug.tar.gz 04a8d59114298233... 2dfca6cdefe4b983...
    *-arm-linux-gnueabihf.tar.gz 211f51d96261451c... c295944554e5c51f...
    *-riscv64-linux-gnu-debug.tar.gz 445f037907a24424... 4aa26c98c23fe03d...
    *-riscv64-linux-gnu.tar.gz b2015050299c1a4b... 1a822e3d4db0ce92...
    *-win-unsigned.tar.gz 9438cf09ce3d4397... b1051f8980380dea...
    *-win64-debug.zip dce64611fca35d1b... 08b0bedf15bc0c22...
    *-win64-setup-unsigned.exe 6e0d3c918efc06dd... 25d0d2961875d974...
    *-win64.zip 1a26dc815a5e2126... 40cb6263b002b3ed...
    *-x86_64-linux-gnu-debug.tar.gz d0b621fb9a721aba... 61a077170d2c8ea2...
    *-x86_64-linux-gnu.tar.gz 2c527d43a27c956e... ede902a3966fe95e...
    *.tar.gz cc9ae34886e9e8d1... 7aca3aefd2b4495b...
    guix_build.log 7af6197133c336db... 46b70ee92ab25d34...
    guix_build.log.diff cf71d876f8eb7dc2...
  16. DrahtBot removed the label Needs Guix build on May 9, 2020
  17. laanwj commented at 2:11 pm on May 13, 2020: member
    ACK df6bde031b24112abf3a94337a2c096698acde6e
  18. laanwj merged this on May 13, 2020
  19. laanwj closed this on May 13, 2020

  20. fanquake deleted the branch on May 13, 2020
  21. sidhujag referenced this in commit f2791f758f on May 14, 2020
  22. deadalnix referenced this in commit 5c0e43d97c on Jun 4, 2020
  23. DrahtBot locked this on Feb 15, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-19 03:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me