Opened 15 months ago

Last modified 4 months ago

#14069 new bug

RTS linker maps code as writable

Reported by: bgamari Owned by:
Priority: high Milestone: 8.8.1
Component: Runtime System (Linker) Version: 8.0.1
Keywords: newcomer Cc: romanzolotarev, angerman, lelf, sjakobi
Operating System: Unknown/Multiple Architecture: Unknown/Multiple
Type of failure: None/Unknown Test Case:
Blocked By: Blocking:
Related Tickets: Differential Rev(s): Phab:D4817
Wiki Page:

Description (last modified by bgamari)

GHC's RTS linker maps executable code in writable pages, representing a significant potential exploit point for arbitrary code execution. OpenBSD disallows running programs that do this by default.

Instead we should first map pages as PROT_READ | PROT_WRITE, perform any necessary relocations (which requires writing), and then mprotect it to PROT_READ | PROT_EXEC.

To find the relevant code grep for PROT_EXEC in the rts/ directory.
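The map-then-mprotect sequence described above, as an added example that is not GHC's code: a constructed byte buffer stands in for object code, it is mapped PROT_READ | PROT_WRITE, one relocation slot is patched, the pages are flipped to PROT_READ | PROT_EXEC, and a probe confirms that a store to the page now faults. STUB, RELOC_OFF, load_code, write_faults and check_wx are names chosen here, not from the RTS.

```c
#define _DEFAULT_SOURCE 1
#include <signal.h>
#include <setjmp.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Constructed stand-in for object code: a 4-byte relocation slot at offset 4.
 * It is only mapped and patched, never executed. */
static const uint8_t STUB[] = {1, 2, 3, 4, 0, 0, 0, 0, 5, 6, 7, 8, 9};
static const size_t RELOC_OFF = 4;

/* Map code RW, apply one relocation, then flip the pages to RX.
 * Returns the mapping (NULL on failure); *map_len gets its page-rounded size. */
static void *load_code(const uint8_t *code, size_t len, uint32_t reloc_val, size_t *map_len) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    *map_len = (len + page - 1) & ~(page - 1);
    uint8_t *m = mmap(NULL, *map_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return NULL;
    memcpy(m, code, len);                   /* 1: copy while still writable */
    memcpy(m + RELOC_OFF, &reloc_val, 4);   /* 2: relocation = a write      */
    /* 3: drop W before the code can ever run */
    if (mprotect(m, *map_len, PROT_READ | PROT_EXEC) != 0) { munmap(m, *map_len); return NULL; }
    return m;
}

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }
/* Probe: 1 if a one-byte store to p faults (page not writable), else 0. */
static int write_faults(volatile uint8_t *p) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault; sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);       /* some platforms raise SIGBUS here */
    volatile int faulted = 1;
    if (sigsetjmp(fault_env, 1) == 0) { *p = 0x90; faulted = 0; }
    sigaction(SIGSEGV, &old_segv, NULL); sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* End to end: 1 if the relocation landed and the page is no longer writable. */
static int check_wx(void) {
    size_t map_len;
    uint8_t *m = load_code(STUB, sizeof STUB, 0xDEADBEEFu, &map_len);
    if (!m) return 0;
    uint32_t slot; memcpy(&slot, m + RELOC_OFF, 4);   /* reading RX memory is fine */
    int ok = slot == 0xDEADBEEFu && write_faults(m + RELOC_OFF);
    munmap(m, map_len);
    return ok;
}
```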

Change History (14)

comment:1 Changed 15 months ago by bgamari

Description: modified (diff)

comment:2 Changed 15 months ago by bgamari

Cc: romanzolotarev added

CCing romanzolotarev who expressed interest in this on Twitter.

comment:3 Changed 15 months ago by angerman

Cc: angerman added

This is already in the aarch64/mach-o linker. And I believe the aarch64/elf linker could possibly be doing this already as well.

Feel free to query me on IRC:angerman, or twitter:angerman_io.

Otherwise if no one picks this up, I'll try to get around to it.

comment:4 Changed 15 months ago by romanzolotarev

Ben, thank you for keeping me in the loop.


comment:5 Changed 9 months ago by lelf

Cc: lelf added

comment:6 Changed 9 months ago by bgamari

Keywords: newcomer added
Milestone: 8.4.1 → 8.6.1

This won't be fixed for 8.4, although I do hope someone picks it up for 8.6. This strikes me as a rather serious yet easy-to-fix security issue.

comment:7 Changed 8 months ago by sjakobi

Cc: sjakobi added

comment:8 Changed 6 months ago by mcandre

Same goes for HardenedBSD; a handful of Haskell programs can run, but common things like HLint, aeson, and shake fail to compile or operate in WX environments.

comment:9 Changed 4 months ago by SantiM

Owner: set to SantiM

I'm working with a friend on this bug as part of ZuriHac, we'll be sending changes for different files affected.

comment:10 Changed 4 months ago by SantiM

Differential Rev(s): Phab:D4817

comment:11 Changed 4 months ago by bgamari

Milestone: 8.6.1 → 8.8.1

This won't be fixed in 8.6. Bumping to 8.8.

comment:12 Changed 4 months ago by Ben Gamari <ben@…>

In 67c422c/ghc:

rts/linker/{SymbolExtras,elf_got}.c: map code as read-only

protect mmaped addresses from writes after being initially manipulated

Test Plan: ./validate

Reviewers: bgamari, erikd, simonmar

Reviewed By: bgamari

Subscribers: angerman, carlostome, rwbarton, thomie, carter

GHC Trac Issues: #14069

Differential Revision: https://phabricator.haskell.org/D4817

comment:13 Changed 4 months ago by bgamari

Resolution: fixed
Status: new → closed

comment:14 Changed 4 months ago by SantiM

Owner: SantiM deleted
Resolution: fixed
Status: closed → new

Let's leave this open; there are more occurrences of mmap that were not protected in Phab:D4817.
