Opened 2 years ago

Last modified 7 months ago

#14069 new bug

RTS linker maps code as writable

Reported by: bgamari Owned by: rockbmb
Priority: high Milestone: 8.8.1
Component: Runtime System (Linker) Version: 8.0.1
Keywords: newcomer Cc: romanzolotarev, angerman, lelf, sjakobi, kgardas, neosimsim, qnikst, watashi
Operating System: Unknown/Multiple Architecture: Unknown/Multiple
Type of failure: None/Unknown Test Case:
Blocked By: Blocking:
Related Tickets: Differential Rev(s): Phab:D4817
Wiki Page:

Description (last modified by bgamari)

GHC's RTS linker maps executable code in writable pages, representing a significant potential exploit point for arbitrary code execution. OpenBSD disallows running programs that do this by default.

Instead we should first map pages as PROT_READ | PROT_WRITE, perform any necessary relocations (which requires writing), and then mprotect it to PROT_READ | PROT_EXEC.

To find the relevant code grep for PROT_EXEC in the rts/ directory.
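The sequence the description asks for, as an added example that is not GHC's RTS linker code: the region is mapped PROT_READ | PROT_WRITE, a constructed architecture-specific stub is copied in and its immediate is patched in place of a real relocation, and the page is then mprotect'ed to PROT_READ | PROT_EXEC before anything in it is called. The stub encodings and the helpers page_round, code_map_rw, code_seal_rx and run_stub are assumptions of this example, not names from the GHC tree.

```c
#define _DEFAULT_SOURCE 1   /* MAP_ANONYMOUS on glibc under strict -std= modes */
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stub that returns a 32-bit immediate; patching that immediate
 * while the page is still RW stands in for the linker's relocations. */
#if defined(__x86_64__)
#define STUB_SUPPORTED 1
static const unsigned char stub[] = { 0xb8, 0, 0, 0, 0, 0xc3 };   /* mov eax, imm32; ret */
static void patch_imm(unsigned char *c, int v) { memcpy(c + 1, &v, 4); }
#elif defined(__aarch64__)
#define STUB_SUPPORTED 1
static const unsigned char stub[] = { 0, 0, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* movz w0, #imm16; ret */
static void patch_imm(unsigned char *c, int v) {
    uint32_t ins = 0x52800000u | (((uint32_t)v & 0xffffu) << 5);  /* imm16 sits in bits 5..20 */
    memcpy(c, &ins, 4);
}
#else
#define STUB_SUPPORTED 0   /* other architectures: only the mapping steps are exercised */
static const unsigned char stub[] = { 0 };
static void patch_imm(unsigned char *c, int v) { (void)c; (void)v; }
#endif
static size_t page_round(size_t n) { size_t pg = (size_t)sysconf(_SC_PAGESIZE); return (n + pg - 1) & ~(pg - 1); }
/* Step 1: map the region read/write. It is never read/write/execute at any point. */
void *code_map_rw(size_t len) {
    void *p = mmap(NULL, page_round(len), PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}
/* Step 3: take write permission away before anything in the page is executed. */
int code_seal_rx(void *p, size_t len) {
    __builtin___clear_cache((char *)p, (char *)p + len);   /* required on aarch64, harmless on x86 */
    return mprotect(p, page_round(len), PROT_READ | PROT_EXEC);
}
/* Map (1), patch the immediate as a stand-in relocation (2), seal (3), then run.
 * Returns v on success, -1 if any step fails or the architecture is not supported. */
int run_stub(int v) {
    if (!STUB_SUPPORTED) return -1;
    unsigned char *p = code_map_rw(sizeof stub);
    if (!p) return -1;
    memcpy(p, stub, sizeof stub);
    patch_imm(p, v);
    if (code_seal_rx(p, sizeof stub) != 0) { munmap(p, page_round(sizeof stub)); return -1; }
    int (*fn)(void);
    memcpy(&fn, &p, sizeof fn);   /* object-to-function pointer conversion without a cast */
    int r = fn();
    munmap(p, page_round(sizeof stub));
    return r;
}
```

Reordering the calls so that the stub runs before code_seal_rx is exactly the W^X state the ticket describes; on an OpenBSD or HardenedBSD kernel that is the point at which the process is killed.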

Change History (22)

comment:1 Changed 2 years ago by bgamari

Description: modified (diff)

This was previously mentioned on #13624.


comment:2 Changed 2 years ago by bgamari

Cc: romanzolotarev added

CCing romanzolotarev who expressed interest in this on Twitter.

comment:3 Changed 2 years ago by angerman

Cc: angerman added

This is already in the aarch64/mach-o linker. And I believe the aarch64/elf linker could possibly be doing this already as well.

Feel free to query me on IRC:angerman, or twitter:angerman_io.

Otherwise if no one picks this up, I'll try to get around to it.

comment:4 Changed 2 years ago by romanzolotarev

Ben, thank you for adding me to the loop.


comment:5 Changed 21 months ago by lelf

Cc: lelf added

comment:6 Changed 20 months ago by bgamari

Keywords: newcomer added

This won't be fixed for 8.4, although I do hope someone picks it up for 8.6. This strikes me as a rather serious yet easy-to-fix security issue.

comment:7 Changed 19 months ago by sjakobi

Cc: sjakobi added

comment:8 Changed 18 months ago by mcandre

Same goes for HardenedBSD; a handful of Haskell programs can run, but common things like HLint, aeson, and shake fail to compile or operate in WX environments.

comment:9 Changed 16 months ago by SantiM

Owner: set to SantiM

I'm working with a friend on this bug as part of ZuriHac, we'll be sending changes for different files affected.

comment:10 Changed 16 months ago by SantiM

Differential Rev(s): Phab:D4817

comment:11 Changed 15 months ago by bgamari


This won't be fixed in 8.6. Bumping to 8.8.

comment:12 Changed 15 months ago by Ben Gamari <ben@…>

In 67c422c/ghc:

rts/linker/{SymbolExtras,elf_got}.c: map code as read-only

protect mmaped addresses from writes after being initially manipulated

Test Plan: ./validate

Reviewers: bgamari, erikd, simonmar

Reviewed By: bgamari

Subscribers: angerman, carlostome, rwbarton, thomie, carter

GHC Trac Issues: #14069

Differential Revision:

comment:13 Changed 15 months ago by bgamari

Resolution: fixed
Status: new → closed

comment:14 Changed 15 months ago by SantiM

Owner: SantiM deleted
Resolution: fixed
Status: closed → new

Let's leave this open; there are more occurrences of mmap that were not protected in Phab:D4817.

comment:15 Changed 10 months ago by kgardas

Cc: kgardas added

comment:16 Changed 10 months ago by neosimsim

Cc: neosimsim added

comment:17 Changed 10 months ago by qnikst

Cc: qnikst added

List of files that have mmap, but do not have mprotect around: rts/Linker/LoadArchive.c rts/Linker/Elf.c rts/Linker/M32Alloc.c

Should all of them be worked on in one pass or should we do some preparatory work before?

comment:18 Changed 10 months ago by sgraf

qnikst: That's up to you, really. If you think it makes sense to do it all in one patch, just do it. I suspect that it will be a rather small change, so I'd do it all in one.

comment:19 Changed 7 months ago by rockbmb

I'm preparing a patch to address the remaining changes here, do you mind if I go ahead @qnikst? I'd like to avoid duplicating work you may have already done.

comment:20 Changed 7 months ago by qnikst

@rockbmb, feel free to do that; I'm currently stuck on this ticket.

comment:21 Changed 7 months ago by watashi

Cc: watashi added

comment:22 Changed 7 months ago by rockbmb

Owner: set to rockbmb