lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Jun 2020 09:20:31 -0700 From: Kees Cook <keescook@...omium.org> To: Ard Biesheuvel <ardb@...nel.org> Cc: Arvind Sankar <nivedita@...m.mit.edu>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, "H. Peter Anvin" <hpa@...or.com>, X86 ML <x86@...nel.org>, Nick Desaulniers <ndesaulniers@...gle.com>, Fangrui Song <maskray@...gle.com>, Dmitry Golovin <dima@...ovin.in>, clang-built-linux <clang-built-linux@...glegroups.com>, Masahiro Yamada <masahiroy@...nel.org>, Daniel Kiper <daniel.kiper@...cle.com>, Sedat Dilek <sedat.dilek@...il.com>, Nathan Chancellor <natechancellor@...il.com>, Arnd Bergmann <arnd@...db.de>, "H . J . Lu" <hjl@...rceware.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: Re: [PATCH v3 7/7] x86/boot: Check that there are no runtime relocations On Mon, Jun 29, 2020 at 06:11:59PM +0200, Ard Biesheuvel wrote: > On Mon, 29 Jun 2020 at 18:09, Kees Cook <keescook@...omium.org> wrote: > > > > On Mon, Jun 29, 2020 at 10:09:28AM -0400, Arvind Sankar wrote: > > > Add a linker script check that there are no runtime relocations, and > > > remove the old one that tries to check via looking for specially-named > > > sections in the object files. > > > > > > Drop the tests for -fPIE compiler option and -pie linker option, as they > > > are available in all supported gcc and binutils versions (as well as > > > clang and lld). > > > > > > Signed-off-by: Arvind Sankar <nivedita@...m.mit.edu> > > > Reviewed-by: Ard Biesheuvel <ardb@...nel.org> > > > Reviewed-by: Fangrui Song <maskray@...gle.com> > > > --- > > > arch/x86/boot/compressed/Makefile | 28 +++----------------------- > > > arch/x86/boot/compressed/vmlinux.lds.S | 8 ++++++++ > > > 2 files changed, 11 insertions(+), 25 deletions(-) > > > > Reviewed-by: Kees Cook <keescook@...omium.org> > > > > question below ... > > > > > diff --git a/arch/x86/boot/compressed/vmlinux.lds.S b/arch/x86/boot/compressed/vmlinux.lds.S > > > index a4a4a59a2628..a78510046eec 100644 > > > --- a/arch/x86/boot/compressed/vmlinux.lds.S > > > +++ b/arch/x86/boot/compressed/vmlinux.lds.S > > > @@ -42,6 +42,12 @@ SECTIONS > > > *(.rodata.*) > > > _erodata = . ; > > > } > > > + .rel.dyn : { > > > + *(.rel.*) > > > + } > > > + .rela.dyn : { > > > + *(.rela.*) > > > + } > > > .got : { > > > *(.got) > > > } > > > > Should these be marked (INFO) as well? > > > > Given that sections marked as (INFO) will still be emitted into the > ELF image, it does not really make a difference to do this for zero > sized sections. Oh, I misunderstood -- I though they were _not_ emitted; I see now what you said was not allocated. So, disk space used for the .got.plt case, but not memory space used. Sorry for the confusion! -Kees > > > > @@ -85,3 +91,5 @@ ASSERT(SIZEOF(.got.plt) == 0 || SIZEOF(.got.plt) == 0x18, "Unexpected GOT/PLT en > > > #else > > > ASSERT(SIZEOF(.got.plt) == 0 || SIZEOF(.got.plt) == 0xc, "Unexpected GOT/PLT entries detected!") > > > #endif > > > + > > > +ASSERT(SIZEOF(.rel.dyn) == 0 && SIZEOF(.rela.dyn) == 0, "Unexpected runtime relocations detected!") > > > > I think I should be doing this same ASSERT style for other explicit > > DISCARDS in my orphan series so we'll notice if they change, instead > > of being silently dropped if they grow. > > -- Kees Cook
Powered by blists - more mailing lists