From: Bastian Balthazar Bux Date: June 29 2005 10:36am Subject: [Patch]es x86 Assembler and text relocations List-Archive: http://lists.mysql.com/internals/26516 Message-Id: <42C27998.2030402@pnpitalia.it> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="------------060106010607080306020702" --------------060106010607080306020702 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Assembler code contained in some of the assembler string functions (used if "configure --enable-assembler") contains text relocations. This prevents the enforcement of some security policies when the MySQL database is used. Full reference at "http://bugs.gentoo.org/42968" The patches attached cover MySQL versions 4.0, 4.1, 5.0. 035_x86_asm-pic-fixes-r0.patch ==> mysql-4.0 strings/longlong2str-x86.s strings/strings-x86.s 035_x86_asm-pic-fixes-r1.patch ==> mysql-4.1, mysql-5.0 strings/longlong2str-x86.s strings/my_strtoll10-x86.s strings/strings-x86.s Tests done: The environment described in the attached file mysqlbug_hardened_mysql-5.0.6_beta.txt is running a slave database of a production system (and passes the whole test suite). On another x86 box it has run in many /not/ hardened environments, ranging from gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1 to gcc-4.0.1-beta20050507, glibc-2.3.5.20050421 without problems related to these patches. Benchmarking: Performance seems unchanged, or shows no measurable difference (after a few quick tests). 
regards Francesco Riosa vivo at gentoo.org --------------060106010607080306020702 Content-Type: text/plain; name="mysqlbug_hardened_mysql-5.0.6_beta.txt" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="mysqlbug_hardened_mysql-5.0.6_beta.txt" Environment: System: Linux aps 2.6.11-hardened-r13 #1 Tue Jun 14 07:17:35 CEST 2005 i686 GNU/Linux Architecture: i686 Some paths: /usr/bin/perl /usr/bin/make /usr/bin/gmake /usr/bin/gcc /usr/bin/cc GCC: Reading specs from /usr/lib/gcc/i686-pc-linux-gnu/3.4.4/specs Configured with: /var/tmp/portage/gcc-3.4.4/work/gcc-3.4.4/configure --enable-version-specific-runtime-libs --prefix=/usr --bindir=/usr/i686-p c-linux-gnu/gcc-bin/3.4.4 --includedir=/usr/lib/gcc/i686-pc-linux-gnu/3.4.4/include --datadir=/usr/share/gcc-data/i686-pc-linux-gnu/3.4.4 --ma ndir=/usr/share/gcc-data/i686-pc-linux-gnu/3.4.4/man --infodir=/usr/share/gcc-data/i686-pc-linux-gnu/3.4.4/info --with-gxx-include-dir=/usr/li b/gcc/i686-pc-linux-gnu/3.4.4/include/g++-v3 --host=i686-pc-linux-gnu --disable-altivec --enable-nls --without-included-gettext --with-system- zlib --disable-checking --disable-werror --disable-libunwind-exceptions --disable-multilib --disable-libgcj --enable-languages=c,c++ --enable- shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu Thread model: posix gcc version 3.4.4 (Gentoo Hardened 3.4.4, ssp-3.4.4-1.0, pie-8.7.8) Compilation info: CC='i686-pc-linux-gnu-gcc' CFLAGS='-O2 -march=athlon-xp -fomit-frame-pointer -fforce-addr -fstack-protector -DHAVE_ERRNO_AS _DEFINE=1' CXX='i686-pc-linux-gnu-g++' CXXFLAGS='-O2 -march=athlon-xp -fomit-frame-pointer -fforce-addr -fstack-protector -DHAVE_ERRNO_AS_DE FINE=1 -fno-implicit-templates -felide-constructors -fno-exceptions -fno-rtti' LDFLAGS='' ASFLAGS='' LIBC: lrwxrwxrwx 1 root root 13 Jun 14 14:01 /lib/libc.so.6 -> libc-2.3.5.so -rwxr-xr-x 1 root root 1307808 Jun 14 05:09 /lib/libc-2.3.5.so -rw-r--r-- 1 root root 3162920 Jun 14 05:09 /usr/lib/libc.a 
-rwxr-xr-x 1 root root 204 Jun 14 05:09 /usr/lib/libc.so Configure command: ./configure '--prefix=/usr' '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/us r/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--libexecdir=/usr/sbin' '--sysconfdir=/etc/mysql' '--localstatedir=/var/lib/mysql' '- -with-low-memory' '--enable-assembler' '--enable-local-infile' '--with-mysqld-user=mysql' '--with-client-ldflags=-lstdc++' '--enable-thread-sa fe-client' '--with-comment=Gentoo Linux mysql-5.0.6_beta-r1' '--with-unix-socket-path=/var/run/mysqld/mysqld.sock' '--with-zlib-dir=/usr' '--w ith-lib-ccflags=-fPIC' '--without-embedded-server' '--without-readline' '--enable-shared' '--enable-static' '--with-libwrap' '--with-openssl' '--without-debug' '--with-bench' '--with-server' '--with-embedded-server' '--with-extra-tools' '--with-innodb' '--with-raid' '--with-extra-cha rsets=all' '--with-berkeley-db=./bdb' '--with-geometry' '--without-ndbcluster' '--with-big-tables' '--without-docs' '--with-archive-storage-en gine' '--with-csv-storage-engine' '--with-federated-storage-engine' '--with-blackhole-storage-engine' 'CFLAGS=-O2 -march=athlon-xp -fomit-fram e-pointer -fforce-addr -fstack-protector -DHAVE_ERRNO_AS_DEFINE=1' 'CXXFLAGS=-O2 -march=athlon-xp -fomit-frame-pointer -fforce-addr -fstack-pr otector -DHAVE_ERRNO_AS_DEFINE=1 -fno-implicit-templates -felide-constructors -fno-exceptions -fno-rtti' 'host_alias=i686-pc-linux-gnu' --------------060106010607080306020702 Content-Type: text/x-patch; name="035_x86_asm-pic-fixes-r1.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="035_x86_asm-pic-fixes-r1.patch" ###MY_VER_RANGE [4.1,5.1_alpha) diff -Nurp mysql/strings/longlong2str-x86.s mysql-fixed/strings/longlong2str-x86.s --- mysql/strings/longlong2str-x86.s 2005-05-13 12:32:11.000000000 +0100 +++ mysql-fixed/strings/longlong2str-x86.s 2005-05-25 01:19:32.000000000 +0100 
@@ -19,6 +19,13 @@ .file "longlong2str.s" .version "1.01" + .section .rodata + .align 32 + .type _dig_vec_upper, @object + .size _dig_vec_upper, 37 +_dig_vec_upper: + .string "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" + .text .align 4 @@ -31,11 +38,14 @@ longlong2str: pushl %esi pushl %edi pushl %ebx + + call __i686.get_pc_thunk.bx + addl $_GLOBAL_OFFSET_TABLE_,%ebx + movl 100(%esp),%esi # Lower part of val movl 104(%esp),%ebp # Higher part of val movl 108(%esp),%edi # get dst - movl 112(%esp),%ebx # Radix - movl %ebx,%eax + movl 112(%esp),%eax # Radix testl %eax,%eax jge .L144 @@ -50,7 +60,7 @@ longlong2str: adcl $0,%ebp negl %ebp .L146: - negl %ebx # Change radix to positive + negl 112(%esp) # Change radix to positive jmp .L148 .align 4 .L144: @@ -77,13 +87,13 @@ longlong2str: movl %ebp,%eax # High part of value xorl %edx,%edx - divl %ebx + divl 112(%esp) movl %eax,%ebp movl %esi,%eax - divl %ebx + divl 112(%esp) decl %ecx movl %eax,%esi # quotent in ebp:esi - movb _dig_vec_upper(%edx),%al # al is faster than dl + movb _dig_vec_upper@GOTOFF(%ebx,%edx),%al # al is faster than dl movb %al,(%ecx) # store value in buff .align 4 .L155: @@ -93,14 +103,13 @@ longlong2str: jl .L153 je .L10_mov # Ready movl %esi,%eax - movl $_dig_vec_upper,%ebp .align 4 .L154: # Do rest with integer precision cltd - divl %ebx + divl 112(%esp) decl %ecx - movb (%edx,%ebp),%dl # bh is always zero as ebx=radix < 36 + movb _dig_vec_upper@GOTOFF(%ebx,%edx),%dl testl %eax,%eax movb %dl,(%ecx) jne .L154 @@ -137,9 +146,6 @@ longlong2str: # .align 4 -.Ltmp: - .long 0xcccccccd - .align 4 .globl longlong10_to_str .type longlong10_to_str,@function @@ -202,7 +208,7 @@ longlong10_to_str: # The following code uses some tricks to change division by 10 to # multiplication and shifts - movl .Ltmp,%esi # set %esi to 0xcccccccd + movl $0xcccccccd,%esi # set %esi to 0xcccccccd .L10_40: movl %ebx,%eax 
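Review bot: The `_dig_vec_upper` defined in the new `.rodata` block is a private copy of a table this file previously resolved externally (the old `movb _dig_vec_upper(%edx),%al` had no definition in this file), and nothing records that fact or that the copy must stay identical to the exported table. Because the label carries no `.globl` it will not collide at link time, but a reader of `_dig_vec_upper@GOTOFF(%ebx,%edx)` in the later hunks will assume the shared table is in use. Either give the copy a visibly file-local name such as `.L_dig_vec_upper` (updating the `@GOTOFF` references) or add, above the `.string`, the comment `# private copy of _dig_vec_upper: @GOTOFF needs a symbol defined in this object; keep in sync with the exported table`. The `.size _dig_vec_upper, 37` matches the 36 characters plus the terminating NUL, and the remainder used as index stays inside the table only as long as callers keep the radix at or below 36, as the removed comment ("radix < 36") assumed. The same applies to `_dig_vec` in the 4.0 patch further down.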
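Review bot: The inserted `call __i686.get_pc_thunk.bx` / `addl $_GLOBAL_OFFSET_TABLE_,%ebx` pair in longlong2str has no comment, and it also moves the radix out of %ebx into its argument slot for the rest of the function, which every later `negl 112(%esp)` and `divl 112(%esp)` silently depends on. Suggest `# PIC: ebx = GOT base (caller's ebx saved by the pushl above); radix now lives in its arg slot 112(%esp)` on the `addl` line, so anyone adding a push to the prologue knows the stack offsets and the GOT base are coupled. `negl 112(%esp)` writes into the caller's argument area, which cdecl permits, but a one-word comment such as `# arg slot is ours to scribble on` would save the next reader a check. longlong2str continues past the hunk, so the matching `popl %ebx` in the epilogue is not visible here and is assumed to be the pre-existing one.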
@@ -221,3 +227,13 @@ longlong10_to_str: .L10end: .size longlong10_to_str,.L10end-longlong10_to_str + + .section .gnu.linkonce.t.__i686.get_pc_thunk.bx,"ax",@progbits +.globl __i686.get_pc_thunk.bx + .hidden __i686.get_pc_thunk.bx + .type __i686.get_pc_thunk.bx, @function +__i686.get_pc_thunk.bx: + movl (%esp), %ebx + ret + + .section .note.GNU-stack,"",@progbits diff -Nurp mysql/strings/my_strtoll10-x86.s mysql-fixed/strings/my_strtoll10-x86.s --- mysql/strings/my_strtoll10-x86.s 2005-05-13 12:32:22.000000000 +0100 +++ mysql-fixed/strings/my_strtoll10-x86.s 2005-05-25 01:13:23.000000000 +0100 @@ -18,7 +18,7 @@ .file "my_strtoll10-x86.s" .version "01.01" -.data +.section .rodata .align 32 .type lfactor,@object .size lfactor,36 @@ -315,7 +315,11 @@ my_strtoll10: .Lend_i_and_j: movl %esi,%ecx subl -12(%ebp),%ecx # ecx= number of digits in second part - movl lfactor(,%ecx,4),%eax + + call __i686.get_pc_thunk.bx + addl $_GLOBAL_OFFSET_TABLE_,%ebx + + movl lfactor@GOTOFF(%ebx,%ecx,4),%eax jmp .L523 # Return -8(%ebp) * $1000000000 + edi @@ -400,3 +404,13 @@ my_strtoll10: .comm end_ptr,120,32 .comm error,120,32 .ident "Monty" + + .section .gnu.linkonce.t.__i686.get_pc_thunk.bx,"ax",@progbits +.globl __i686.get_pc_thunk.bx + .hidden __i686.get_pc_thunk.bx + .type __i686.get_pc_thunk.bx, @function +__i686.get_pc_thunk.bx: + movl (%esp), %ebx + ret + + .section .note.GNU-stack,"",@progbits diff -Nurp mysql/strings/strings-x86.s mysql-fixed/strings/strings-x86.s --- mysql/strings/strings-x86.s 2005-05-13 12:32:40.000000000 +0100 +++ mysql-fixed/strings/strings-x86.s 2005-05-23 23:19:13.000000000 +0100 
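Review bot: The `call __i686.get_pc_thunk.bx` / `addl $_GLOBAL_OFFSET_TABLE_,%ebx` pair added at `.Lend_i_and_j` in my_strtoll10 overwrites %ebx in the middle of the function; %ebx is callee-saved in the i386 SysV ABI, and neither a save of it in the prologue nor its liveness at this point is visible in the hunk (my_strtoll10 starts and ends outside it). If the prologue does not push %ebx the caller's value is destroyed on this path, and if %ebx carries a live value into `.L523` that code now reads the GOT base instead. Unless the prologue is confirmed to save it, either establish the GOT base once in the prologue right after a `pushl %ebx`, or, since this looks like the only PIC access in the function, bracket the three lines with `pushl %ebx` before the `call` and `popl %ebx` after the `movl lfactor@GOTOFF(%ebx,%ecx,4),%eax` (the `-12(%ebp)` frame access is unaffected by the extra push). Moving `lfactor` from `.data` to `.section .rodata` is a welcome hardening on its own, since the table is never written.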
@@ -415,3 +415,5 @@ next_str: ret .strxmov_end: .size strxmov,.strxmov_end-strxmov + + .section .note.GNU-stack,"",@progbits --------------060106010607080306020702 Content-Type: text/x-patch; name="035_x86_asm-pic-fixes-r0.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="035_x86_asm-pic-fixes-r0.patch" ###MY_VER_RANGE [4.0.24,4.1_alpha) --- mysql-4.0.24/strings/longlong2str-x86.s 2005-03-05 00:38:14.000000000 +0000 +++ mysql-4.0.24-fixed/strings/longlong2str-x86.s 2005-05-17 01:37:52.000000000 +0100 @@ -19,6 +19,13 @@ .file "longlong2str.s" .version "1.01" + .section .rodata + .align 32 + .type _dig_vec, @object + .size _dig_vec, 37 +_dig_vec: + .string "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" + .text .align 4 @@ -31,11 +38,14 @@ longlong2str: pushl %esi pushl %edi pushl %ebx + + call __i686.get_pc_thunk.bx + addl $_GLOBAL_OFFSET_TABLE_,%ebx + movl 100(%esp),%esi # Lower part of val movl 104(%esp),%ebp # Higher part of val movl 108(%esp),%edi # get dst - movl 112(%esp),%ebx # Radix - movl %ebx,%eax + movl 112(%esp),%eax # Radix testl %eax,%eax jge .L144 @@ -50,7 +60,7 @@ longlong2str: adcl $0,%ebp negl %ebp .L146: - negl %ebx # Change radix to positive + negl 112(%esp) # Change radix to positive jmp .L148 .align 4 .L144: @@ -77,12 +87,12 @@ longlong2str: movl %ebp,%eax # High part of value xorl %edx,%edx - divl %ebx + divl 112(%esp) movl %eax,%ebp movl %esi,%eax - divl %ebx + divl 112(%esp) movl %eax,%esi # quotent in ebp:esi - movb _dig_vec(%edx),%al # al is faster than dl + movb _dig_vec@GOTOFF(%ebx,%edx),%al # al is faster than dl decl %ecx movb %al,(%ecx) # store value in buff .align 4 @@ -93,14 +103,13 @@ longlong2str: jl .L153 je .L160 # Ready movl %esi,%eax - movl $_dig_vec,%ebp .align 4 .L154: # Do rest with integer precision cltd - divl %ebx + divl 112(%esp) decl %ecx - movb (%edx,%ebp),%dl # bh is always zero as ebx=radix < 36 + movb _dig_vec@GOTOFF(%ebx,%edx),%dl testl %eax,%eax movb %dl,(%ecx) jne .L154 
@@ -138,3 +147,13 @@ longlong10_to_str: .L10end: .size longlong10_to_str,.L10end-longlong10_to_str + + .section .gnu.linkonce.t.__i686.get_pc_thunk.bx,"ax",@progbits +.globl __i686.get_pc_thunk.bx + .hidden __i686.get_pc_thunk.bx + .type __i686.get_pc_thunk.bx, @function +__i686.get_pc_thunk.bx: + movl (%esp), %ebx + ret + + .section .note.GNU-stack,"",@progbits diff -Nurp mysql-4.0.24/strings/strings-x86.s mysql-4.0.24-fixed/strings/strings-x86.s --- mysql-4.0.24/strings/strings-x86.s 2005-03-05 00:38:15.000000000 +0000 +++ mysql-4.0.24-fixed/strings/strings-x86.s 2005-05-17 01:37:47.000000000 +0100 @@ -403,3 +403,5 @@ next_str: ret .strxmov_end: .size strxmov,.strxmov_end-strxmov + + .section .note.GNU-stack,"",@progbits --------------060106010607080306020702--