How to disable Execute-only Memory globally with gradle and cmake?

How to disable Execute-only Memory globally with gradle and cmake?

zhang kai
Hi, with API level 29 or higher, Execute-only Memory is enabled by default for all 64-bit binaries in the build system. Unfortunately, our project uses a lot of third-party libraries that don't support this. So we need to disable Execute-only Memory (XOM) globally for our project. The document says we can disable it by:

make -j ENABLE_XOM=false

How can we do this with gradle and cmake?

--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/android-ndk/a1545612-b8e6-47e4-828a-b23f51198265o%40googlegroups.com.

Re: How to disable Execute-only Memory globally with gradle and cmake?

Dan Albert
I'm a little confused by the history here. It seems that that support got removed in https://android-review.googlesource.com/c/platform/build/soong/+/1232532 (I filed a doc bug for that). Is this actually required in 29?

+enh might know the requirements.

On Thu, Jun 25, 2020 at 8:43 AM zhang kai <[hidden email]> wrote:
> Hi, with API level 29 or higher, Execute-only Memory is enabled by default for all 64-bit binaries in the build system. Unfortunately, our project uses a lot of third-party libraries that don't support this. So we need to disable Execute-only Memory (XOM) globally for our project. The document says we can disable it by:
>
> make -j ENABLE_XOM=false
>
> How can we do this with gradle and cmake?

--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/android-ndk/a1545612-b8e6-47e4-828a-b23f51198265o%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/android-ndk/CAFVaGhu636an1fk3qHOT%2Be1RV%2B6Dd%3DE31D%3DDiLRQiJd%2BgjviBQ%40mail.gmail.com.
enh
Reply | Threaded
Open this post in threaded view
|

Re: How to disable Execute-only Memory globally with gradle and cmake?

enh
yeah, XOM conflicts with ("breaks") PAN, which is the more important
mitigation, so was removed.

On Thu, Jun 25, 2020 at 12:38 PM Dan Albert <[hidden email]> wrote:

>
> I'm a little confused by the history here. It seems that that support got removed in https://android-review.googlesource.com/c/platform/build/soong/+/1232532 (I filed a doc bug for that). Is this actually required in 29?
>
> +enh might know the requirements.

Re: How to disable Execute-only Memory globally with gradle and cmake?

Dan Albert
Thanks for confirming. I couldn't really pick apart the timeline. Was it removed in 30, but required in 29? Does this affect apps, or just system components? I suspect it doesn't affect apps since I really should have heard something if it did...

On Thu, Jun 25, 2020 at 12:40 PM enh <[hidden email]> wrote:
> yeah, XOM conflicts with ("breaks") PAN, which is the more important
> mitigation, so was removed.


Re: How to disable Execute-only Memory globally with gradle and cmake?

enh
http://b/147300048 was the internal bug. they did say "we'll probably
need to update the documentation at
https://source.android.com/devices/tech/debug/execute-only-memory to
reflect that this was only a Q feature", but apparently never did :-(

i've reopened the bug to get the docs fixed.

On Thu, Jun 25, 2020 at 12:54 PM Dan Albert <[hidden email]> wrote:

>
> Thanks for confirming. I couldn't really pick apart the timeline. Was it removed in 30, but required in 29? Does this affect apps, or just system components? I suspect it doesn't affect apps since I really should have heard something if it did...

Re: How to disable Execute-only Memory globally with gradle and cmake?

Glenn Kasten
FYI there's a good public article here that defines XOM, PAN, and explains the interaction problem:
  https://www.vdoo.com/blog/pan-and-xom-when-security-features-collide

On Thursday, June 25, 2020 at 1:00:03 PM UTC-7, enh wrote:
> http://b/147300048 was the internal bug. they did say "we'll probably
> need to update the documentation at
> https://source.android.com/devices/tech/debug/execute-only-memory to
> reflect that this was only a Q feature", but apparently never did :-(
>
> i've reopened the bug to get the docs fixed.


Re: How to disable Execute-only Memory globally with gradle and cmake?

zhang kai
In reply to this post by Dan Albert
When our app builds with target API level 30, the app randomly crashes with the message: "Cause: execute-only (no-read) memory access error; likely due to data in .text.". When we change the API level to 28 the app runs fine. Do we need to update something, like the NDK version?


On Friday, June 26, 2020 at 3:54:49 AM UTC+8, Dan Albert wrote:
> Thanks for confirming. I couldn't really pick apart the timeline. Was it removed in 30, but required in 29? Does this affect apps, or just system components? I suspect it doesn't affect apps since I really should have heard something if it did...
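
One way to find out which bundled libraries carry execute-only code, as an added example that is not part of the thread or of the NDK tooling: it parses ELF64 program headers and reports PT_LOAD segments that are executable but not readable (PF_X without PF_R), the kind of mapping the "execute-only (no-read)" crash message refers to. The function names are assumptions, and the two images produced by `build_sample` are constructed for illustration.

```python
import struct

PT_LOAD, PF_X, PF_W, PF_R = 1, 0x1, 0x2, 0x4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header


def load_segments(data):
    """Return (vaddr, memsz, flags) for every PT_LOAD segment of an ELF64 LE image."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled")
    fields = EHDR.unpack_from(data)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    if phentsize < PHDR.size or phoff + phentsize * phnum > len(data):
        raise ValueError("truncated or malformed program header table")
    segs = []
    for i in range(phnum):
        p_type, flags, _, vaddr, _, _, memsz, _ = PHDR.unpack_from(data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            segs.append((vaddr, memsz, flags))
    return segs


def execute_only_segments(data):
    """PT_LOAD segments that are executable but not readable (PF_X without PF_R)."""
    return [s for s in load_segments(data) if s[2] & PF_X and not s[2] & PF_R]


def build_sample(text_flags):
    """Constructed minimal AArch64 shared-object image: headers only, two PT_LOADs."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, 3, 183, 1, 0, EHDR.size, 0, 0, EHDR.size, PHDR.size, 2, 0, 0, 0)
    text = PHDR.pack(PT_LOAD, text_flags, 0x1000, 0x1000, 0x1000, 0x200, 0x200, 0x1000)
    data = PHDR.pack(PT_LOAD, PF_R | PF_W, 0x2000, 0x2000, 0x2000, 0x100, 0x100, 0x1000)
    return ehdr + text + data


if __name__ == "__main__":
    for name, flags in (("xom.so", PF_X), ("normal.so", PF_R | PF_X)):
        hits = execute_only_segments(build_sample(flags))
        print(name, [(hex(v), hex(m)) for v, m, _ in hits] or "no execute-only segments")
```

To audit a real build, pass the bytes of each `.so` extracted from the APK to `execute_only_segments`; a non-empty result identifies a library whose code segment was linked without read permission.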
