Audit imprecise cheri_setbounds() use:

[brooksdavis]

• [ ] libc
  • [ ] libthr
  • [ ] rtld
  • [ ] kernel - execve
  • [ ] kernel - overall

[arichardson]

One thing I noticed in RTLD is that PCC (and in the MIPS PLT ABI CGP) allow accesses past the end of the captable due to representability.

The captable needs to be covered by PCC, but it has to be part of the data segment since we need to dynamically initialize it. The range [start of rodata/text -> end of captable] is unlikely to be precisely representable, but LLD makes this a lot worse by aligning all segments to multiples of 0x10000. We should probably reduce that alignment to pack the segments closer together. For some reason the .captable section also ends up near the end of the data segment, so we always cover .data... I'll open some LLD issues and try to improve the situation shortly.

[jrtc27]

It aligns to 0x10000 because that's what the MIPS ABI requires due to page sizes. RISC-V stays at 0x1000. Specifically, many architectures allow for a variety of page sizes to be used as the base granularity (independent from superpages), and so without further information the linker needs to choose the maximum in order to guarantee page alignment. This is also true on AArch64, Hexagon, PPC, PPC64 and SPARCV9. If we want to change CHERI to mandate 4K pages on MIPS then we can (and set the right default in lld), and certainly all our implementations have that, but that's currently not strictly guaranteed by our specification.

If you want to experiment with whether that helps, you can add -z max-page-size=4096 to your linker flags to override it.

EDIT: Discussion of this should be on the corresponding LLVM issue