[Bug 2006739] Re: [FFe] Include Memory Tagging Extension support in the arm64 glibc build
Launchpad Bug Tracker
2006739 at bugs.launchpad.net
Mon Mar 27 09:30:18 UTC 2023
This bug was fixed in the package glibc - 2.37-0ubuntu2
---------------
glibc (2.37-0ubuntu2) lunar; urgency=medium

  * d/p/u/lp2007599*.patch: add tunables for s390x (LP: #2007599)
  * d/p/any/local-ldso-disable-hwcap: fix compilation error (LP: #2006485)
  * d/sysdeps/arm64.mk: enable Memory Tagging Extension (MTE) checking on arm64
    (LP: #2006739)
  * d/control: declare a Breaks on older cyrus-imapd (LP: #2011326)
  * d/control: Fix missing version bumps that could cause issues on upgrades
  * Cherry-pick patches from upstream maintenance branch:
    - 0001-cdefs-Limit-definition-of-fortification-macros.patch
    - 0002-LoongArch-Add-new-relocation-types.patch
    - 0003-Use-64-bit-time_t-interfaces-in-strftime-and-strptim.patch
    - 0004-Account-for-grouping-in-printf-width-bug-30068.patch
    - 0005-NEWS-Document-CVE-2023-25139.patch
    - 0006-elf-Smoke-test-ldconfig-p-against-system-etc-ld.so.c.patch
    - 0007-stdlib-Undo-post-review-change-to-16adc58e73f3-BZ-27.patch
    - 0008-elf-Restore-ldconfig-libc6-implicit-soname-logic-BZ-.patch

 -- Simon Chopin <schopin at ubuntu.com>  Thu, 16 Mar 2023 09:44:01 +0100
** Changed in: glibc (Ubuntu)
Status: Triaged => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-25139
--
https://bugs.launchpad.net/bugs/2006739
Title:
[FFe] Include Memory Tagging Extension support in the arm64 glibc
build
Status in glibc package in Ubuntu:
Fix Released
Bug description:
[Proposed changes]
Enable memory tagging support in the arm64 build of glibc. Memory
tagging is a security feature in some ARM64 CPUs to detect memory
safety issues by adding tags to small memory regions, allowing runtime
checking of pointer provenance.
Even when included in the build, this feature is disabled by default and can be enabled using tunables:
https://www.gnu.org/software/libc/manual/html_node/Memory-Related-Tunables.html
This has been enabled in Debian unstable since December 2011.
The actual code change can be seen there:
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/glibc/commit/?id=3e6f5fb8e0bc4094a4d73159bf5865130f019290
[Rationale]
I believe this change falls under the HWE umbrella. Additionally, I
believe the risks are minimal due to the feature being disabled by
default, and having been deployed in Debian for a while.
[Original report]
Hello,
For Debian Bookworm, Memory Tagging Extension (MTE) support is enabled in glibc:
https://sources.debian.org/src/glibc/2.35-3/debian/sysdeps/arm64.mk/
Would it be possible to please do a similar thing for the Ubuntu
package?
For more information, please see:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995269
===
glibc 2.33 onwards has support for 'Memory Tagging Extension' on
arm64. Could you please enable this feature (by setting
--enable-memory-tagging in the config).
The effect is to add colouring bits into heap pointers so that typical
illegal accesses (either temporally or spatially) can be detected and
faulted. Glibc just has the userspace heap tagging - there is also
corresponding kernel support.
The functionality operates on arm ISA 8.5 or later, which has extra
instructions to manipulate the tag bits in pointers.
The details are explained in
https://developer.arm.com/-/media/Arm%20Developer%20Community/PDF/Arm_Memory_Tagging_Extension_Whitepaper.pdf
The implementation has been designed so that it is safe to enable in
distros (which makes a change!). ifunc and HWCAP are used to link
MTE-ready versions of relevant functions on hardware supporting
ARMv8.5 instruction set or later. On earlier hardware things will work
just as they do now.
Here is the (trivial) patch:
diff -u debian/sysdeps/arm64.mk~ debian/sysdeps/arm64.mk
--- debian/sysdeps/arm64.mk~ 2021-08-24 14:31:06.000000000 +0000
+++ debian/sysdeps/arm64.mk 2021-09-28 19:43:58.782118977 +0000
@@ -1,2 +1,2 @@
# configuration options for all flavours
-extra_config_options = --enable-multi-arch --enable-static-pie
+extra_config_options = --enable-multi-arch --enable-static-pie --enable-memory-tagging
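Review bot: the comment above the changed extra_config_options line still reads only "# configuration options for all flavours" and gives no hint that --enable-memory-tagging merely builds the support in, with the feature staying off unless it is switched on through tunables. A one-line comment next to the assignment saying so, with a pointer to the tunables documentation, would stop a later maintainer from reading this as a change in default runtime behaviour. Since the option is appended to the line shared by all flavours, it is also worth stating in the commit message that this is intended for every arm64 flavour built from this file.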
--
Wookey
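As an added example (not code from glibc, Ubuntu or the bug report), the C program below checks the two runtime conditions the description relies on: the kernel advertising MTE through HWCAP, and the tagging tunable being set in GLIBC_TUNABLES. The helper names are hypothetical, the bit meanings of glibc.mem.tagging follow the glibc manual page linked in the description, and the result only matters on a glibc built with --enable-memory-tagging.

```c
/* Added example, not part of glibc or the bug report. Helper names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#ifndef HWCAP2_MTE
#define HWCAP2_MTE (1UL << 18)  /* arm64 AT_HWCAP2 bit for MTE in the Linux uapi */
#endif

/* Value of glibc.mem.tagging in a GLIBC_TUNABLES string ("a=1:b=2").
   Returns 0 when absent (the default, tagging off), -1 when malformed or
   outside 0..255. Taking the last occurrence is this helper's choice. */
long parse_mem_tagging(const char *tunables)
{
    static const char key[] = "glibc.mem.tagging=";
    const size_t klen = sizeof key - 1;
    long result = 0;
    for (const char *p = tunables; p != NULL && *p != '\0'; ) {
        size_t len = strcspn(p, ":");           /* one name=value entry */
        if (len >= klen && strncmp(p, key, klen) == 0) {
            char *end;
            unsigned long v = strtoul(p + klen, &end, 0);
            result = (end == p + klen || end != p + len || v > 255) ? -1 : (long)v;
        }
        p += len + (p[len] == ':');             /* step over the separator */
    }
    return result;
}

/* Bit 0 of the tunable makes malloc hand out tagged memory, but only when
   the CPU and kernel advertise MTE; otherwise the untagged paths run. */
int heap_tagging_active(unsigned long hwcap2, long tagging)
{
    return (hwcap2 & HWCAP2_MTE) != 0 && tagging > 0 && (tagging & 1) != 0;
}

int main(void)
{
    long t = parse_mem_tagging(getenv("GLIBC_TUNABLES"));
#ifdef __aarch64__
    unsigned long hwcap2 = getauxval(AT_HWCAP2);
#else
    unsigned long hwcap2 = 0;   /* bit 18 means something else off arm64 */
#endif
    printf("MTE advertised: %s\n", (hwcap2 & HWCAP2_MTE) ? "yes" : "no");
    printf("glibc.mem.tagging=%ld%s\n", t, t < 0 ? " (malformed)" : "");
    printf("heap tagging active: %s\n", heap_tagging_active(hwcap2, t) ? "yes" : "no");
    return 0;
}
```

Run it with the same environment as the service being checked, since GLIBC_TUNABLES is read per process.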