From dbc9636d86d0ef8b25fc2e64e7f1372f605a4ddb Mon Sep 17 00:00:00 2001 From: dbuck Date: Tue, 16 Jan 2018 04:20:19 -0500 Subject: [PATCH] 8187045: [linux] Not all libraries in the VM are linked with -z,noexecstack Reviewed-by: dholmes, erikj --- agent/src/os/linux/Makefile | 5 +- make/linux/makefiles/gcc.make | 4 +- make/linux/makefiles/jsig.make | 4 +- src/share/vm/prims/whitebox.cpp | 22 +++++- test/runtime/execstack/TestCheckJDK.java | 67 +++++++++++++++++++ .../whitebox/sun/hotspot/WhiteBox.java | 5 +- 6 files changed, 101 insertions(+), 6 deletions(-) create mode 100644 test/runtime/execstack/TestCheckJDK.java diff --git a/agent/src/os/linux/Makefile b/agent/src/os/linux/Makefile index dfbb0b9eb..dc4850e20 100644 --- a/agent/src/os/linux/Makefile +++ b/agent/src/os/linux/Makefile @@ -1,5 +1,5 @@ # -# Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it @@ -76,6 +76,9 @@ ifneq ($(_HAS_HASH_STYLE_GNU),) endif LFLAGS_LIBSA += $(LDFLAGS_HASH_STYLE) +LDFLAGS_NO_EXEC_STACK="-Wl,-z,noexecstack" +LFLAGS_LIBSA += $(LDFLAGS_NO_EXEC_STACK) + $(LIBSA): $(ARCH) $(OBJS) mapfile $(GCC) -shared $(LFLAGS_LIBSA) -o $(LIBSA) $(OBJS) $(LIBS) diff --git a/make/linux/makefiles/gcc.make b/make/linux/makefiles/gcc.make index 272afceae..c4375cc01 100644 --- a/make/linux/makefiles/gcc.make +++ b/make/linux/makefiles/gcc.make @@ -1,5 +1,5 @@ # -# Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it @@ -303,6 +303,8 @@ endif LFLAGS += $(LDFLAGS_HASH_STYLE) +LDFLAGS_NO_EXEC_STACK="-Wl,-z,noexecstack" + # Use $(MAPFLAG:FILENAME=real_file_name) to specify a map file. MAPFLAG = -Xlinker --version-script=FILENAME diff --git a/make/linux/makefiles/jsig.make b/make/linux/makefiles/jsig.make index 6e1395948..5831bbc7f 100644 --- a/make/linux/makefiles/jsig.make +++ b/make/linux/makefiles/jsig.make @@ -1,5 +1,5 @@ # -# Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it @@ -44,7 +44,7 @@ LIBJSIG_MAPFILE = $(MAKEFILES_DIR)/mapfile-vers-jsig # cause problems with interposing. See CR: 6466665 # LFLAGS_JSIG += $(MAPFLAG:FILENAME=$(LIBJSIG_MAPFILE)) -LFLAGS_JSIG += -D_GNU_SOURCE -D_REENTRANT $(LDFLAGS_HASH_STYLE) +LFLAGS_JSIG += -D_GNU_SOURCE -D_REENTRANT $(LDFLAGS_HASH_STYLE) $(LDFLAGS_NO_EXEC_STACK) # DEBUG_BINARIES overrides everything, use full -g debug information ifeq ($(DEBUG_BINARIES), true) diff --git a/src/share/vm/prims/whitebox.cpp b/src/share/vm/prims/whitebox.cpp index c3e0688ab..3495b8dfb 100644 --- a/src/share/vm/prims/whitebox.cpp +++ b/src/share/vm/prims/whitebox.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -158,6 +158,9 @@ WB_ENTRY(void, WB_AddToSystemClassLoaderSearch(JNIEnv* env, jobject o, jstring s } WB_END +#ifdef LINUX +#include "utilities/elfFile.hpp" +#endif WB_ENTRY(jlong, WB_GetCompressedOopsMaxHeapSize(JNIEnv* env, jobject o)) { return (jlong)Arguments::max_heap_for_compressed_oops(); @@ -1010,6 +1013,21 @@ void WhiteBox::register_methods(JNIEnv* env, jclass wbclass, JavaThread* thread, } } +// Checks that the library libfile has the noexecstack bit set. +WB_ENTRY(jboolean, WB_CheckLibSpecifiesNoexecstack(JNIEnv* env, jobject o, jstring libfile)) + jboolean ret = false; +#ifdef LINUX + // Can't be in VM when we call JNI. + ThreadToNativeFromVM ttnfv(thread); + const char* lf = env->GetStringUTFChars(libfile, NULL); + CHECK_JNI_EXCEPTION_(env, 0); + ElfFile ef(lf); + ret = (jboolean) ef.specifies_noexecstack(); + env->ReleaseStringUTFChars(libfile, lf); +#endif + return ret; +WB_END + #define CC (char*) static JNINativeMethod methods[] = { @@ -1121,6 +1139,8 @@ static JNINativeMethod methods[] = { (void*)&WB_GetNMethod }, {CC"isMonitorInflated", CC"(Ljava/lang/Object;)Z", (void*)&WB_IsMonitorInflated }, {CC"forceSafepoint", CC"()V", (void*)&WB_ForceSafepoint }, + {CC"checkLibSpecifiesNoexecstack", CC"(Ljava/lang/String;)Z", + (void*)&WB_CheckLibSpecifiesNoexecstack}, }; #undef CC diff --git a/test/runtime/execstack/TestCheckJDK.java b/test/runtime/execstack/TestCheckJDK.java new file mode 100644 index 000000000..e22d60390 --- /dev/null +++ b/test/runtime/execstack/TestCheckJDK.java @@ -0,0 +1,67 @@ +/* + * Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/** + * @test Testexecstack.java + * @summary Searches for all libraries in test VM and checks that they + * have the noexecstack bit set. + * @requires (os.family == "linux") + * @library /testlibrary /testlibrary/whitebox + * @build sun.hotspot.WhiteBox + * @run driver ClassFileInstaller sun.hotspot.WhiteBox + * sun.hotspot.WhiteBox$WhiteBoxPermission + * @run main/othervm -Xbootclasspath/a:. -XX:+UnlockDiagnosticVMOptions -XX:+WhiteBoxAPI + * TestCheckJDK + */ + +import com.oracle.java.testlibrary.Asserts; +import sun.hotspot.WhiteBox; + +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; + +public class TestCheckJDK { + static boolean testPassed = true; + private static final WhiteBox WB = WhiteBox.getWhiteBox(); + + static void checkExecStack(Path file) { + String filename = file.toString(); + if (filename.endsWith(".so")) { + if (!WB.checkLibSpecifiesNoexecstack(filename)) { + System.out.println("Library does not have the noexecstack bit set: " + filename); + testPassed = false; + } + } + } + + public static void main(String[] args) throws Throwable { + String vmInstallDir = System.getProperty("java.home"); + + Files.walk(Paths.get(vmInstallDir)).filter(Files::isRegularFile).forEach(TestCheckJDK::checkExecStack); + + Asserts.assertTrue(testPassed, + "The tested VM contains libs that don't have the noexecstack " + + "bit set. They must be linked with -z,noexecstack."); + } +} diff --git a/test/testlibrary/whitebox/sun/hotspot/WhiteBox.java b/test/testlibrary/whitebox/sun/hotspot/WhiteBox.java index 6b3d3e348..69d38a512 100644 --- a/test/testlibrary/whitebox/sun/hotspot/WhiteBox.java +++ b/test/testlibrary/whitebox/sun/hotspot/WhiteBox.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -235,4 +235,7 @@ public class WhiteBox { // Class Data Sharing public native boolean isSharedClass(Class c); + + // Returns true on linux if library has the noexecstack flag set. + public native boolean checkLibSpecifiesNoexecstack(String libfilename); } -- GitLab