Opened 19 months ago

Last modified 6 days ago

#14069 new bug

RTS linker maps code as writable

Reported by: bgamari Owned by:
Priority: high Milestone: 8.8.1
Component: Runtime System (Linker) Version: 8.0.1
Keywords: newcomer Cc: romanzolotarev, angerman, lelf, sjakobi, kgardas, neosimsim, qnikst
Operating System: Unknown/Multiple Architecture: Unknown/Multiple
Type of failure: None/Unknown Test Case:
Blocked By: Blocking:
Related Tickets: Differential Rev(s): Phab:D4817
Wiki Page:

Description (last modified by bgamari)

GHC's RTS linker maps executable code in writable pages, representing a significant potential exploit point for arbitrary code execution. OpenBSD disallows running programs that do this by default.

Instead we should first map pages as PROT_READ | PROT_WRITE, perform any necessary relocations (which requires writing), and then mprotect it to PROT_READ | PROT_EXEC.

To find the relevant code grep for PROT_EXEC in the rts/ directory.
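The sequence the description asks for, shown as an added standalone example (this is not code from the GHC RTS or from Phab:D4817; the `code_segment` loader, the placeholder object bytes with a 4-byte relocation slot, and the `/dev/zero` write probe are all constructed for illustration). It maps a page `PROT_READ | PROT_WRITE`, copies bytes in and patches a relocation while the page is writable, then `mprotect`s it to `PROT_READ | PROT_EXEC`. It never executes the loaded bytes; instead it checks the permission transition by asking the kernel to store into the page via `read(2)` from `/dev/zero`, which fails with `EFAULT` on an unwritable page rather than faulting the process. `legacy_rwx_writable` reproduces the reported single-RWX-mapping behaviour for comparison.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical minimal loader for this illustration only: not the GHC RTS
 * linker, and it does not execute the bytes it loads. */
struct code_segment {
    uint8_t *base;   /* page-aligned mapping */
    size_t   len;    /* length rounded up to whole pages */
};

/* Step 1: fresh mapping that is writable but NOT executable. */
static int seg_map(struct code_segment *s, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    size_t rounded = (len + (size_t)page - 1) & ~((size_t)page - 1);
    void *p = mmap(NULL, rounded, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    s->base = p;
    s->len = rounded;
    return 0;
}

/* Step 2: copy object bytes in and apply a relocation.  This is the part
 * that genuinely needs write access: a 32-bit value is patched into the
 * slot at reloc_off (host byte order, via memcpy). */
static int seg_load(struct code_segment *s, const uint8_t *obj, size_t len,
                    size_t reloc_off, uint32_t target)
{
    if (len > s->len || reloc_off + sizeof target > len) return -1;
    memcpy(s->base, obj, len);
    memcpy(s->base + reloc_off, &target, sizeof target);
    return 0;
}

/* Step 3: relocations done, drop write permission before anything may run. */
static int seg_seal(struct code_segment *s)
{
    return mprotect(s->base, s->len, PROT_READ | PROT_EXEC);
}

/* Probe whether the kernel will still write into the segment: read(2) from
 * /dev/zero makes the kernel attempt the store, which fails with EFAULT on
 * an unwritable page instead of raising SIGSEGV.  Returns 1 (writable),
 * 0 (write refused) or -1 (probe error).  It clobbers one byte when the
 * page IS writable, so call it only before loading or after sealing. */
static int seg_is_writable(const struct code_segment *s)
{
    int fd = open("/dev/zero", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, s->base, 1);
    int err = errno;
    close(fd);
    if (n == 1) return 1;
    if (n < 0 && err == EFAULT) return 0;
    return -1;
}

/* Constructed placeholder "object code": opaque bytes plus a 4-byte
 * relocation slot at RELOC_OFF.  Not a real object format. */
static const uint8_t k_obj[] = { 0xAA, 0xBB, 0xCC, 0xDD,
                                 0x00, 0x00, 0x00, 0x00,   /* relocation slot */
                                 0xEE };
#define RELOC_OFF   4
#define RELOC_VALUE 0x12345678u

/* The pattern the ticket asks for: RW -> relocate -> RX.  Returns 0 when
 * every stage behaved as expected, else the number of the failing stage. */
int load_sealed(void)
{
    struct code_segment s;
    int rc = 1;
    if (seg_map(&s, sizeof k_obj) != 0) return rc;
    rc = 2; if (seg_is_writable(&s) != 1) goto out;   /* RW stage: writable */
    rc = 3; if (seg_load(&s, k_obj, sizeof k_obj, RELOC_OFF, RELOC_VALUE) != 0) goto out;
    rc = 4; if (seg_seal(&s) != 0) goto out;
    rc = 5; if (seg_is_writable(&s) != 0) goto out;   /* RX stage: refused */
    uint32_t got;
    memcpy(&got, s.base + RELOC_OFF, sizeof got);
    rc = (memcmp(s.base, k_obj, RELOC_OFF) == 0 && got == RELOC_VALUE
          && s.base[RELOC_OFF + 4] == k_obj[RELOC_OFF + 4]) ? 0 : 6;
out:
    munmap(s.base, s.len);
    return rc;
}

/* The reported behaviour: one RWX mapping for the code's whole lifetime.
 * Returns 1 if the kernel handed out a writable+executable page, or -1 if it
 * refused the mapping (W^X-enforcing kernels such as OpenBSD do). */
int legacy_rwx_writable(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    struct code_segment s = { p, (size_t)page };
    int w = seg_is_writable(&s);
    munmap(p, (size_t)page);
    return w;
}

int main(void)
{
    printf("legacy RWX mapping writable: %d\n", legacy_rwx_writable());
    printf("RW -> relocate -> RX: %s\n", load_sealed() == 0 ? "ok" : "failed");
    return 0;
}
```

On a Linux host `legacy_rwx_writable` returns 1, which is exactly the condition the ticket objects to; on a W^X-enforcing kernel the RWX `mmap` itself is refused and it returns -1. `load_sealed` returns 0 on either kind of kernel, since the RX page is only ever written while it is RW.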

Change History (20)

comment:1 Changed 19 months ago by bgamari

Description: modified

comment:2 Changed 19 months ago by bgamari

Cc: romanzolotarev added

CCing romanzolotarev who expressed interest in this on Twitter.

comment:3 Changed 19 months ago by angerman

Cc: angerman added

This is already in the aarch64/mach-o linker. And I believe the aarch64/elf linker could possibly be doing this already as well.

Feel free to query me on IRC:angerman, or twitter:angerman_io.

Otherwise if no one picks this up, I'll try to get around to it.

comment:4 Changed 19 months ago by romanzolotarev

Ben, thank you for keeping me in the loop.

Last edited 19 months ago by romanzolotarev

comment:5 Changed 13 months ago by lelf

Cc: lelf added

comment:6 Changed 13 months ago by bgamari

Keywords: newcomer added

This won't be fixed for 8.4, although I do hope someone picks it up for 8.6. This strikes me as a rather serious yet easy-to-fix security issue.

comment:7 Changed 12 months ago by sjakobi

Cc: sjakobi added

comment:8 Changed 11 months ago by mcandre

Same goes for HardenedBSD; a handful of Haskell programs can run, but common things like HLint, aeson, and shake fail to compile or operate in WX environments.

comment:9 Changed 8 months ago by SantiM

Owner: set to SantiM

I'm working with a friend on this bug as part of ZuriHac, we'll be sending changes for different files affected.

comment:10 Changed 8 months ago by SantiM

Differential Rev(s): Phab:D4817

comment:11 Changed 8 months ago by bgamari
This won't be fixed in 8.6. Bumping to 8.8.

comment:12 Changed 8 months ago by Ben Gamari <ben@…>

In 67c422c/ghc:

rts/linker/{SymbolExtras,elf_got}.c: map code as read-only

protect mmaped addresses from writes after being initially manipulated

Test Plan: ./validate

Reviewers: bgamari, erikd, simonmar

Reviewed By: bgamari

Subscribers: angerman, carlostome, rwbarton, thomie, carter

GHC Trac Issues: #14069

Differential Revision:

comment:13 Changed 8 months ago by bgamari

Resolution: fixed
Status: new → closed

comment:14 Changed 8 months ago by SantiM

Owner: SantiM deleted
Resolution: fixed
Status: closed → new

Let's leave this open; there are more occurrences of mmap that were not protected in Phab:D4817.

comment:15 Changed 3 months ago by kgardas

Cc: kgardas added

comment:16 Changed 3 months ago by neosimsim

Cc: neosimsim added

comment:17 Changed 3 months ago by qnikst

Cc: qnikst added

List of files that have mmap, but do not have mprotect around it:

- rts/Linker/LoadArchive.c
- rts/Linker/Elf.c
- rts/Linker/M32Alloc.c

Should all of them be worked on in one pass or should we do some preparatory work before?

comment:18 Changed 3 months ago by sgraf

qnikst: That's up to you, really. If you think it makes sense to do it all in one patch, just do it. I suspect that it will be a rather small change, so I'd do it all in one.

comment:19 Changed 7 days ago by rockbmb

I'm preparing a patch to address the remaining changes here, do you mind if I go ahead @qnikst? I'd like to avoid duplicating work you may have already done.

comment:20 Changed 6 days ago by qnikst

@rockbmb, feel free to do that; I'm currently stuck on this ticket.