lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAKwvOdnNzd6wZoDJEgwjnEuTusU8jUcsLDiYoKipkcTubQ+t5g@mail.gmail.com>
Date:   Wed, 18 Nov 2020 15:24:04 -0800
From:   Nick Desaulniers <ndesaulniers@...gle.com>
To:     Ard Biesheuvel <ardb@...nel.org>
Cc:     Nathan Chancellor <natechancellor@...il.com>,
        Masahiro Yamada <masahiroy@...nel.org>,
        Michal Marek <michal.lkml@...kovi.net>,
        Catalin Marinas <catalin.marinas@....com>,
        Will Deacon <will@...nel.org>,
        Russell King <linux@...linux.org.uk>,
        Florian Fainelli <f.fainelli@...il.com>,
        Arnd Bergmann <arnd@...db.de>,
        Abbott Liu <liuwenliang@...wei.com>,
        Linus Walleij <linus.walleij@...aro.org>,
        Jian Cai <jiancai@...gle.com>,
        Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Mike Rapoport <rppt@...ux.ibm.com>,
        Linux Kbuild mailing list <linux-kbuild@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Linux ARM <linux-arm-kernel@...ts.infradead.org>,
        Fangrui Song <maskray@...gle.com>,
        Dan Rue <dan.rue@...aro.org>, Mark Brown <broonie@...nel.org>,
        Alan Modra <amodra@...il.com>
Subject: Re: [PATCH] kbuild: Always link with '-z norelro'

On Wed, Nov 18, 2020 at 3:07 PM Ard Biesheuvel <ardb@...nel.org> wrote:
>
> On Thu, 19 Nov 2020 at 00:05, Nick Desaulniers <ndesaulniers@...gle.com> wrote:
> >
> > > > > > > To avoid playing whack-a-mole with different architectures over time,
> > > > > > > hoist '-z norelro' into the main Makefile. This does not affect ld.bfd
> > > > > > > because '-z norelro' is the default for it.
> >
> > Fangrui pointed out off list that this might need an ld-option wrapper
> > for older versions of GNU binutils.  Dan was showing me some build
> > logs today, and I thought I spotted such warnings about `-z norelro
> > will be ignored`.
>
> Does ld-option catch options that cause warnings but no errors?

$ ld.bfd -z foo /dev/null
ld.bfd: warning: -z foo ignored
ld.bfd: warning: cannot find entry symbol _start; not setting start address
➜ echo $?
0

Probably not. Can be a version check then (yuck); next is to find when
ld.bfd supported `-z norelro`.

commit 8c37241be3b1 in binutils looks like it.
Date:   Tue May 11 17:08:38 2004 +0000

which looks like either
2004-05-17 19:46:23 +0000  (tag: binutils-2_15)
or
2005-05-02 22:04:18 +0000  (tag: binutils-2_16)

So I think that would be fine then, since the kernel only supports 2.23+.

Though maybe it's
commit 5fd104addfddb68844fb8df67be832ee98ad9888
    Emit a warning when -z relro is unsupported

    ld silently accepts -z relro and -z norelro for targets that lack the
    necessary GNU_RELRO support.  This patch makes those targets emit a
    warning instead, and adds testsuite infrastructure to detect when
    relro is unsupported.

So maybe then alpha and xtensa are getting new warnings (IIUC).  If
that's the case, then we might not be able to set `-z norelro`
globally, and instead have to play whack a mole per architecture.
-- 
Thanks,
~Nick Desaulniers

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ