[RFC PATCH liburing v1 0/3] Introduce '--use-libc' option

[RFC PATCH liburing v1 0/3] Introduce '--use-libc' option

[Ammar Faizi]

Hi Jens,
Hi Stefan and Guillem,

This is an RFC patch series to introduce the '--use-libc' option to the
configure script.

Currently, when compiling liburing on x86, x86-64, and aarch64
architectures, the resulting binary lacks the linkage with the standard
C library (libc).

To address the concerns raised by Linux distribution package maintainers
regarding security, it is necessary to enable the linkage of libc to
liburing. Especially right now, when the security of io_uring is being
scrutinized. By incorporating the '--use-libc' option, developers can
now enhance the overall hardening of liburing by utilizing compiler
features such as the stack protector and address sanitizer.

See the following links for viewing the discussion:
Link: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
Link: https://lore.kernel.org/io-uring/20230621100447.GD2667602@fedora
Link: https://lore.kernel.org/io-uring/ZJLkXC7QffsoCnpu@thunder.hadrons.org

There are three patches in this series.

  - The first patch removes the '--nolibc' option from the configure
    script as it is no longer needed. The default build on x86, x86-64,
    and aarch64 architectures is still not using libc.

  - The second patch introduces the '--use-libc' option to the configure
    script. This option enables the linkage of libc to liburing.

  - The third patch allows the use of the stack protector when building
    liburing with libc.

Please review. Thank you.

Signed-off-by: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
---

Ammar Faizi (3):
  configure: Remove --nolibc option
  configure: Introduce '--use-libc' option
  src/Makefile: Allow using stack protector with libc

 configure    | 40 +++++++++++++++-------------------------
 src/Makefile |  7 +++----
 2 files changed, 18 insertions(+), 29 deletions(-)


base-commit: 49fa118c58422bad38cb96fea0f10af60691baa9
-- 
Ammar Faizi

[RFC PATCH liburing v1 1/3] configure: Remove --nolibc option

[Ammar Faizi]

This option was deprecated and planned to be removed. Now remove it.

Co-authored-by: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Signed-off-by: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
---
 configure | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/configure b/configure
index 28f3eb0aee24f9ea..a16ffca83d678364 100755
--- a/configure
+++ b/configure
@@ -5,22 +5,6 @@ set -e
 cc=${CC:-gcc}
 cxx=${CXX:-g++}
 
-#
-# TODO(ammarfaizi2): Remove this notice and `--nolibc` option.
-#
-nolibc_deprecated() {
-  echo "";
-  echo "=================================================================";
-  echo "";
-  echo "  --nolibc option is deprecated and has no effect.";
-  echo "  It will be removed in a future liburing release.";
-  echo "";
-  echo "  liburing on x86-64, x86 (32-bit) and aarch64 always use CONFIG_NOLIBC.";
-  echo "";
-  echo "=================================================================";
-  echo "";
-}
-
 for opt do
   optarg=$(expr "x$opt" : 'x[^=]*=\(.*\)' || true)
   case "$opt" in
@@ -42,8 +26,6 @@ for opt do
   ;;
   --cxx=*) cxx="$optarg"
   ;;
-  --nolibc) nolibc_deprecated
-  ;;
   *)
     echo "ERROR: unknown option $opt"
     echo "Try '$0 --help' for more information"
@@ -91,7 +73,6 @@ Options: [defaults in brackets after descriptions]
   --datadir=PATH           install shared data in PATH [$datadir]
   --cc=CMD                 use CMD as the C compiler
   --cxx=CMD                use CMD as the C++ compiler
-  --nolibc                 build liburing without libc
 EOF
 exit 0
 fi
-- 
Ammar Faizi

[RFC PATCH liburing v1 2/3] configure: Introduce '--use-libc' option

[Ammar Faizi]

Currently, when compiling liburing on x86, x86-64, and aarch64
architectures, the resulting binary lacks the linkage with the standard
C library (libc).

To address the concerns raised by Linux distribution package maintainers
regarding security, it is necessary to enable the linkage of libc to
liburing. Especially right now, when the security of io_uring is being
scrutinized. By incorporating the '--use-libc' option, developers can
now enhance the overall hardening of liburing by utilizing compiler
features such as the stack protector and address sanitizer.

Link: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
Link: https://lore.kernel.org/io-uring/20230621100447.GD2667602@fedora
Link: https://lore.kernel.org/io-uring/ZJLkXC7QffsoCnpu@thunder.hadrons.org
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Guillem Jover <guillem@hadrons.org>
Co-authored-by: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Signed-off-by: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
---
 configure | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/configure b/configure
index a16ffca83d678364..46afb7285a1ea8d0 100755
--- a/configure
+++ b/configure
@@ -26,6 +26,8 @@ for opt do
   ;;
   --cxx=*) cxx="$optarg"
   ;;
+  --use-libc) use_libc=yes
+  ;;
   *)
     echo "ERROR: unknown option $opt"
     echo "Try '$0 --help' for more information"
@@ -73,6 +75,7 @@ Options: [defaults in brackets after descriptions]
   --datadir=PATH           install shared data in PATH [$datadir]
   --cc=CMD                 use CMD as the C compiler
   --cxx=CMD                use CMD as the C++ compiler
+  --use-libc               use libc for liburing (useful for hardening)
 EOF
 exit 0
 fi
@@ -382,10 +385,13 @@ fi
 print_config "NVMe uring command support" "$nvme_uring_cmd"
 
 #############################################################################
-#
-# Currently, CONFIG_NOLIBC is only enabled on x86-64, x86 (32-bit) and aarch64.
-#
-cat > $TMPC << EOF
+liburing_nolibc="no"
+if test "$use_libc" != "yes"; then
+
+  #
+  # Currently, CONFIG_NOLIBC only supports x86-64, x86 (32-bit) and aarch64.
+  #
+  cat > $TMPC << EOF
 int main(void){
 #if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__)
   return 0;
@@ -394,10 +400,13 @@ int main(void){
 #endif
 }
 EOF
-if compile_prog "" "" "nolibc support"; then
-  liburing_nolibc="yes"
+
+  if compile_prog "" "" "nolibc"; then
+    liburing_nolibc="yes"
+  fi
 fi
-print_config "nolibc support" "$liburing_nolibc";
+
+print_config "nolibc" "$liburing_nolibc";
 #############################################################################
 
 ####################################################
-- 
Ammar Faizi

[RFC PATCH liburing v1 3/3] src/Makefile: Allow using stack protector with libc

[Ammar Faizi]

Currently, the stack protector is forcefully disabled. Let's allow using
the stack protector feature only if libc is used.

The stack protector will remain disabled by default if no custom CFLAGS
are provided. This ensures the default behavior doesn't change while
still offering the option to enable the stack protector.

Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Guillem Jover <guillem@hadrons.org>
Co-authored-by: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Signed-off-by: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
---
 src/Makefile | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/Makefile b/src/Makefile
index 951c48fc6797be75..c4c28cbe87c7a8de 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -10,9 +10,8 @@ CPPFLAGS ?=
 override CPPFLAGS += -D_GNU_SOURCE \
 	-Iinclude/ -include ../config-host.h \
 	-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
-CFLAGS ?= -g -O3 -Wall -Wextra
+CFLAGS ?= -g -O3 -Wall -Wextra -fno-stack-protector
 override CFLAGS += -Wno-unused-parameter \
-	-fno-stack-protector \
 	-DLIBURING_INTERNAL \
 	$(LIBURING_CFLAGS)
 SO_CFLAGS=-fPIC $(CFLAGS)
@@ -46,8 +45,8 @@ liburing_srcs := setup.c queue.c register.c syscall.c version.c
 
 ifeq ($(CONFIG_NOLIBC),y)
 	liburing_srcs += nolibc.c
-	override CFLAGS += -nostdlib -nodefaultlibs -ffreestanding -fno-builtin
-	override CPPFLAGS += -nostdlib -nodefaultlibs -ffreestanding -fno-builtin
+	override CFLAGS += -nostdlib -nodefaultlibs -ffreestanding -fno-builtin -fno-stack-protector
+	override CPPFLAGS += -nostdlib -nodefaultlibs -ffreestanding -fno-builtin -fno-stack-protector
 	override LINK_FLAGS += -nostdlib -nodefaultlibs
 endif
 
-- 
Ammar Faizi

Re: [RFC PATCH liburing v1 3/3] src/Makefile: Allow using stack protector with libc

[Thomas Weißschuh]

On 2023-06-23 00:20:29+0700, Ammar Faizi wrote:
> Currently, the stack protector is forcefully disabled. Let's allow using
> the stack protector feature only if libc is used.
> 
> The stack protector will remain disabled by default if no custom CFLAGS
> are provided. This ensures the default behavior doesn't change while
> still offering the option to enable the stack protector.

FYI

There are patches in the pipeline that enable stackprotector support for
nolibc [0]. They should land in 6.5.

It only supports "global" mode and not per-thread-data.
But as nolibc does not support threads anyways that should not matter.
A compiler flag has to be passed though, but that can be automated [1].

So the -fno-stack-protector can probably be removed completely.

[0] https://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu.git/tree/tools/include/nolibc/stackprotector.h?h=dev.2023.06.16a
[1] https://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu.git/tree/tools/testing/selftests/nolibc/Makefile?h=dev.2023.06.16a#n81

> Cc: Stefan Hajnoczi <stefanha@redhat.com>
> Cc: Guillem Jover <guillem@hadrons.org>
> Co-authored-by: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
> Signed-off-by: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
> Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
> ---
>  src/Makefile | 7 +++----
>  1 file changed, 3 insertions(+), 4 deletions(-)
> 
> diff --git a/src/Makefile b/src/Makefile
> index 951c48fc6797be75..c4c28cbe87c7a8de 100644
> --- a/src/Makefile
> +++ b/src/Makefile
> @@ -10,9 +10,8 @@ CPPFLAGS ?=
>  override CPPFLAGS += -D_GNU_SOURCE \
>  	-Iinclude/ -include ../config-host.h \
>  	-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
> -CFLAGS ?= -g -O3 -Wall -Wextra
> +CFLAGS ?= -g -O3 -Wall -Wextra -fno-stack-protector
>  override CFLAGS += -Wno-unused-parameter \
> -	-fno-stack-protector \
>  	-DLIBURING_INTERNAL \
>  	$(LIBURING_CFLAGS)
>  SO_CFLAGS=-fPIC $(CFLAGS)
> @@ -46,8 +45,8 @@ liburing_srcs := setup.c queue.c register.c syscall.c version.c
>  
>  ifeq ($(CONFIG_NOLIBC),y)
>  	liburing_srcs += nolibc.c
> -	override CFLAGS += -nostdlib -nodefaultlibs -ffreestanding -fno-builtin
> -	override CPPFLAGS += -nostdlib -nodefaultlibs -ffreestanding -fno-builtin
> +	override CFLAGS += -nostdlib -nodefaultlibs -ffreestanding -fno-builtin -fno-stack-protector
> +	override CPPFLAGS += -nostdlib -nodefaultlibs -ffreestanding -fno-builtin -fno-stack-protector
>  	override LINK_FLAGS += -nostdlib -nodefaultlibs
>  endif
>  
> -- 
> Ammar Faizi
> 

Re: [RFC PATCH liburing v1 3/3] src/Makefile: Allow using stack protector with libc

[Ammar Faizi]

On Thu, Jun 22, 2023 at 07:57:38PM +0200, Thomas Weißschuh wrote:
> There are patches in the pipeline that enable stackprotector support for
> nolibc [0]. They should land in 6.5.

That's interesting. I haven't been following Willy's tree for a while.
Hope 6.4 stable goes well by the end of this week.

> It only supports "global" mode and not per-thread-data.
> But as nolibc does not support threads anyways that should not matter.
> A compiler flag has to be passed though, but that can be automated [1].
> 
> So the -fno-stack-protector can probably be removed completely.
> 
> [0] https://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu.git/tree/tools/include/nolibc/stackprotector.h?h=dev.2023.06.16a
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu.git/tree/tools/testing/selftests/nolibc/Makefile?h=dev.2023.06.16a#n81

This is a bit problematic because liburing.so and liburing.a must also
be compatible with apps that use libc. Note that liburing nolibc is also
used by apps that use libc.

The problem when an app uses libc.so and liburing.a:

Stack-protector functions from liburing nolibc will override the
stack-protector functions from libc because statically linked functions
will take precedence. The end result, the app will always use the
"global" mode stack protector even if it's multithreaded. There may be a
way to make those functions private to liburing only, but I don't know.

We had a similar problem with memset() in liburing:

https://git.kernel.org/pub/scm/linux/kernel/git/axboe/liburing.git/commit/?id=db5403e58083bef48d72656d7dea53a9f7affef4

Also, the app has to be compiled with those specific flags, which is out
of our control. Plus, I wonder if there is a chance to call
__stack_chk_init() from a static library point of view where we don't
control the entry point (__start).

Therefore, I won't implement the stack protector for liburing under
CONFIG_NOLIBC enabled. So far, I see that using the stack protector for
liburing nolibc is more trouble than it's worth.

But anyway, it's nice to see your stack protector work.

Regards,
-- 
Ammar Faizi

Re: [RFC PATCH liburing v1 0/3] Introduce '--use-libc' option

[Jens Axboe]

On Fri, 23 Jun 2023 00:20:26 +0700, Ammar Faizi wrote:
> Hi Stefan and Guillem,
> 
> This is an RFC patch series to introduce the '--use-libc' option to the
> configure script.
> 
> Currently, when compiling liburing on x86, x86-64, and aarch64
> architectures, the resulting binary lacks the linkage with the standard
> C library (libc).
> 
> [...]

Applied, thanks!

[1/3] configure: Remove --nolibc option
      commit: 7eba81f6eb2d62d7835622267b483b95bdf0bcd5
[2/3] configure: Introduce '--use-libc' option
      commit: 151f80504d8cba262f0950b76953dd7441342163
[3/3] src/Makefile: Allow using stack protector with libc
      commit: 449ebc5a425f3a8b14c78357cbe9ab1011a797eb

Best regards,
-- 
Jens Axboe