[v3,08/16] elf: Enable relro for static build

Message ID 20191217214728.2886-8-adhemerval.zanella@linaro.org
State New
Headers show
Series
  • [v2,01/16] linux: Fix vDSO macros build with time64 interfaces
Related show

Commit Message

Adhemerval Zanella Dec. 17, 2019, 9:47 p.m.
Changes from previous version:

  - The tests were removed and instead I will use the ones proposed
    by Florian's patch 'elf: Add tests for working RELRO protection'
    [1].  I also plan to send additional coverage for '.data.rel.ro'
    which trigger failures for the static case on both partial and
    full relro which is fixed by this patch once the patch is
    upstream.

--

The code is similar to the one at elf/dl-reloc.c, where it checks for
the l_relro_size from the link_map (obtained from PT_GNU_RELRO header
from program headers) and calls_dl_protected_relro.

Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc64le-linux-gnu,
aarch64-linux-gnu, s390x-linux-gnu, and sparc64-linux-gnu.  I also
check with --enable-static pie on x86_64-linux-gnu, i686-linux-gnu,
and aarch64-linux-gnu which seems the only architectures where
static PIE is actually working (as per 9d7a3741c9e, on
arm-linux-gnueabihf, powerpc64{le}-linux-gnu, and s390x-linux-gnu
I am seeing runtime issues not related to my patch).

[1] https://sourceware.org/ml/libc-alpha/2019-10/msg00059.html
---
 elf/dl-support.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

-- 
2.17.1

Comments

Siddhesh Poyarekar Jan. 2, 2020, 12:07 p.m. | #1
On 18/12/19 3:17 am, Adhemerval Zanella wrote:
> Changes from previous version:

> 

>   - The tests were removed and instead I will use the ones proposed

>     by Florian's patch 'elf: Add tests for working RELRO protection'

>     [1].  I also plan to send additional coverage for '.data.rel.ro'

>     which trigger failures for the static case on both partial and

>     full relro which is fixed by this patch once the patch is

>     upstream.

> 

> --

> 

> The code is similar to the one at elf/dl-reloc.c, where it checks for

> the l_relro_size from the link_map (obtained from PT_GNU_RELRO header

> from program headers) and calls_dl_protected_relro.

> 

> Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc64le-linux-gnu,

> aarch64-linux-gnu, s390x-linux-gnu, and sparc64-linux-gnu.  I also

> check with --enable-static pie on x86_64-linux-gnu, i686-linux-gnu,

> and aarch64-linux-gnu which seems the only architectures where

> static PIE is actually working (as per 9d7a3741c9e, on

> arm-linux-gnueabihf, powerpc64{le}-linux-gnu, and s390x-linux-gnu

> I am seeing runtime issues not related to my patch).

> 

> [1] https://sourceware.org/ml/libc-alpha/2019-10/msg00059.html

> ---

>  elf/dl-support.c | 18 ++++++++++++++----

>  1 file changed, 14 insertions(+), 4 deletions(-)

> 


OK.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

Patch

diff --git a/elf/dl-support.c b/elf/dl-support.c
index 5526d5ee6e..b2b1b12f6f 100644
--- a/elf/dl-support.c
+++ b/elf/dl-support.c
@@ -367,14 +367,24 @@  _dl_non_dynamic_init (void)
   if (_dl_platform != NULL)
     _dl_platformlen = strlen (_dl_platform);
 
-  /* Scan for a program header telling us the stack is nonexecutable.  */
   if (_dl_phdr != NULL)
-    for (uint_fast16_t i = 0; i < _dl_phnum; ++i)
-      if (_dl_phdr[i].p_type == PT_GNU_STACK)
+    for (const ElfW(Phdr) *ph = _dl_phdr; ph < &_dl_phdr[_dl_phnum]; ++ph)
+      switch (ph->p_type)
 	{
-	  _dl_stack_flags = _dl_phdr[i].p_flags;
+	/* Check if the stack is nonexecutable.  */
+	case PT_GNU_STACK:
+	  _dl_stack_flags = ph->p_flags;
+	  break;
+
+	case PT_GNU_RELRO:
+	  _dl_main_map.l_relro_addr = ph->p_vaddr;
+	  _dl_main_map.l_relro_size = ph->p_memsz;
 	  break;
 	}
+
+  /* Setup relro on the binary itself.  */
+  if (_dl_main_map.l_relro_size != 0)
+    _dl_protect_relro (&_dl_main_map);
 }
 
 #ifdef DL_SYSINFO_IMPLEMENTATION