Auth handler and restorer #8
Previously, the restorer was only stripped, while the handler was left untouched. Without authenticating, the kernel would receive a signed address and use it, as is, to call the signal handler, which would result in an invalid memory access.
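A toy C model of the three behaviours this description contrasts (pointer left untouched, stripped, authenticated), added here as an illustration and not taken from the PR or from musl. The address layout, key, MAC function and every function name are constructed assumptions; real pointer authentication is performed by hardware instructions.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model, all constants constructed: 48-bit addresses, PAC in bits 48..62. */
#define VA_MASK  0x0000FFFFFFFFFFFFull
#define PAC_MASK 0x7FFF000000000000ull
#define TOY_KEY  0x5EEDC0DE12345678ull

enum mode { UNTOUCHED, STRIP, AUTH };

/* Stand-in for the hardware MAC; bit 48 is forced on so a signed pointer
   always differs from the raw address in this model. */
static uint64_t toy_sign(uint64_t addr) {
	uint64_t mac = ((addr ^ TOY_KEY) * 0x9E3779B97F4A7C15ull) >> 16;
	return addr | ((mac << 48) & PAC_MASK) | (1ull << 48);
}

/* Strip drops the PAC bits without checking them. */
static uint64_t toy_strip(uint64_t ptr) { return ptr & VA_MASK; }

/* Auth returns 0 and the raw address only if the PAC matches; -1 otherwise. */
static int toy_auth(uint64_t ptr, uint64_t *raw) {
	if (toy_sign(toy_strip(ptr)) != ptr) return -1;
	*raw = toy_strip(ptr);
	return 0;
}

/* What a hypothetical sigaction wrapper would hand to the kernel. */
static int prepare_for_kernel(uint64_t user_ptr, enum mode m, uint64_t *out) {
	switch (m) {
	case UNTOUCHED: *out = user_ptr; return 0;
	case STRIP:     *out = toy_strip(user_ptr); return 0;
	case AUTH:      return toy_auth(user_ptr, out);
	}
	return -1;
}

/* The kernel holds no user key: it can only jump to a plain address. */
static int kernel_can_call(uint64_t addr) { return (addr & ~VA_MASK) == 0; }

int main(void) {
	uint64_t handler = 0x0000AAAAB0001234ull; /* constructed address */
	uint64_t good = toy_sign(handler), tampered = good ^ (1ull << 49), out;
	const char *names[] = { "untouched", "strip", "auth" };
	for (int m = UNTOUCHED; m <= AUTH; m++) {
		int ok = prepare_for_kernel(good, (enum mode)m, &out) == 0 && kernel_can_call(out);
		int bad = prepare_for_kernel(tampered, (enum mode)m, &out) == 0 && kernel_can_call(out);
		printf("%-9s valid callable=%d tampered callable=%d\n", names[m], ok, bad);
	}
	return 0;
}
```

In this model only the authenticating path both yields an address the kernel can use and rejects a pointer whose signature bits were altered; stripping accepts either.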
Yeap, https://github.com/rust-lang/rust/blob/main/tests/ui/abi/stack-probes.rs#L1 - the original failing test that uncovered this for us - is passing with this patch.

@kovdan01 I wonder if we have to account for

We do, but our current musl implementation does not support it anyway (there are other similar places). So trying to account for it here would be pretending that we support that everywhere, while this is simply not true. I'll file an issue on this. @jchlanda Could you please add a has_feature check against fn type discr, and if it's present, just fall to a preprocessor error?

See #9

@jchlanda Thanks! Just double-checking: the remaining tests are also passing, right? :) I mean, when experimenting with this yesterday and when switching from strip to auth, I had many other new failures. These are probably guarded now with your checks against
Yeap, that would be my guess, trying to auth those two will obviously fail. All the rust tests are passing with this patch.
Aye, done.
atrosinenko left a comment
Looks like this patch unintentionally "rendered" TABs as 8 spaces (accidentally spotted this as my GitHub interface preference is set to 4 spaces), though I'm not sure we care about this here.

@atrosinenko apologies, that’s from my clang-format. I can't see a formatting config in the repo; how do you usually handle code style here?

I use this repo in a read-only manner most of the time :) Maybe @kovdan01 has something to suggest, but I guess we don't care for code style here as much as in the LLVM repo (where code style was semi-automatically enforced for a long time and thus it is much easier for the new patches to adhere to the rules). I'm not sure, maybe there is something similar in Musl upstream, but I'm not sure we are contributing there actively. To my understanding, this fork of Musl is kind of proof-of-concept for testing, @kovdan01 please correct me if I'm wrong.

I've done something similar-looking to what we already have in the files. Also tabs, instead of spaces.

@jchlanda Oh, I forgot to say that you can ask me to merge this PR on your behalf if no more changes are planned and no reviews are waited for :)

That would be great, thank you.

FYI In https://github.com/access-softek/pauth-toolchain-build-scripts the particular hashes of