#383 libmpg123 is not compatible with SHSTK (Intel CET)

1.32.x
open
nobody
None
5
3 days ago
4 days ago
No

Hello!

SHSTK is an x64 security feature included in Intel CET. To enable SHSTK, every object file in a library must contain a .note.gnu.property section with the SHSTK bit set. However, the assembly files in libmpg123 do not generate this section, and as a result libmpg123.so is not recognized as SHSTK-compatible, which prevents SHSTK from being enabled in applications that link against libmpg123.

You can verify that with:

$ readelf -n /usr/lib/x86_64-linux-gnu/libmpg123.so.0 | grep SHSTK

Which gives no output.

To fix that, you could introduce an x86_64_defs.h based on src/libmpg123/aarch64_defs.h and modify it to set GNU_PROPERTY_X86_FEATURE_1_SHSTK instead, and then update all assembly files to include the new x86_64_defs.h.

Cheers!

Discussion

  • Thomas Orgis

    Thomas Orgis - 3 days ago

    Hm. You got a working example that does this in custom assembly files? Is the layout exactly the same on x86-64 as on ARM? What replaces __ARM_FEATURE_BTI_DEFAULT and __ARM_FEATURE_PAC_DEFAULT?

    I wonder how many of these annoying busywork items will crop up, making it more and more cumbersome to carry stand-alone assembly files.

    Maybe we need to go to inline asm, after all, at least for active architectures. We'd keep the files for 32 bit archs unchanged, I presume. But for now it is reasonable to get up to the same standard as arm64 on x86-64.

     
    • manx

      manx - 3 days ago

      > Maybe we need to go to inline asm, after all, at least for active architectures.

      I would suggest also considering changing to intrinsics instead of inline asm. Intrinsics for SSE and AVX on amd64 (or NEON on arm64) are widely supported and compatible between all major compilers, while inline asm requires compiler-specific syntax.

      > We'd keep the files for 32 bit archs unchanged, I presume.

      Changing all the x86 32bit asm implementations is very likely not worth the effort, totally agreed.

       
    • sunbeachbeforesunset

      GCC and Clang have a cet.h that you can include that defines the section, e.g. look at /usr/lib/gcc/x86_64-linux-gnu/13/include/cet.h, you could simply use:

      /* Nested so a preprocessor without __has_include never parses the operator */
      #if defined(__has_include)
      #if __has_include(<cet.h>)
      #include <cet.h>
      #endif
      #endif
      

      Or, if you don't want an include, you can copy the contents of cet.h into an mpg123 header.

      Note that cet.h defines support for both SHSTK and IBT, but Linux only supports SHSTK right now, so you may not want to advertise IBT support as there is no way to test it currently...
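
An added example (not from the ticket or the mpg123 project) of why a single assembly object without the note clears SHSTK for the whole library: it parses raw `.note.gnu.property` bytes and ANDs the x86 feature word across objects, as the linker does for its output. It assumes ELF64 little-endian notes; `make_note` and the sample objects are constructed for the demonstration.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_1_IBT = 0x1
FEATURE_1_SHSTK = 0x2

def x86_feature_1(note: bytes) -> int:
    """Feature word from raw .note.gnu.property bytes; 0 if the property is absent."""
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        off += 12
        name = note[off:off + namesz]
        off += (namesz + 3) & ~3            # name is padded to 4 bytes
        desc = note[off:off + descsz]
        off += (descsz + 7) & ~7            # descriptor is padded to 8 bytes (ELF64)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        p = 0
        while p + 8 <= len(desc):           # walk the (pr_type, pr_datasz, data) records
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            data = desc[p + 8:p + 8 + pr_datasz]
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and len(data) == 4:
                return struct.unpack("<I", data)[0]
            p += (8 + pr_datasz + 7) & ~7
    return 0

def merged_features(object_notes) -> int:
    """AND the feature word over every input object; a missing note counts as 0."""
    merged = FEATURE_1_IBT | FEATURE_1_SHSTK
    for note in object_notes:
        merged &= x86_feature_1(note)
    return merged

def make_note(features: int) -> bytes:
    """Constructed sample: the note an object carries when it advertises `features`."""
    desc = struct.pack("<III4x", GNU_PROPERTY_X86_FEATURE_1_AND, 4, features)
    return struct.pack("<III4s", 4, len(desc), NT_GNU_PROPERTY_TYPE_0, b"GNU\0") + desc

if __name__ == "__main__":
    c_obj = make_note(FEATURE_1_IBT | FEATURE_1_SHSTK)   # compiler-generated object
    asm_without_note = b""                               # assembly object, no note section
    asm_shstk_only = make_note(FEATURE_1_SHSTK)          # assembly advertising SHSTK only
    for label, objs in (("unpatched", [c_obj, c_obj, asm_without_note]),
                        ("patched", [c_obj, c_obj, asm_shstk_only])):
        word = merged_features(objs)
        print(label, "SHSTK" if word & FEATURE_1_SHSTK else "no SHSTK",
              "IBT" if word & FEATURE_1_IBT else "no IBT")
```

The bytes for `x86_feature_1` can come from `objcopy -O binary --only-section=.note.gnu.property` run on each object file.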

       
