lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 17 Dec 2020 19:36:58 -0700
From:   Nathan Chancellor <natechancellor@...il.com>
To:     Nick Desaulniers <ndesaulniers@...gle.com>
Cc:     Catalin Marinas <catalin.marinas@....com>,
        Will Deacon <will@...nel.org>,
        kernel-team <kernel-team@...roid.com>,
        Peter Smith <Peter.Smith@....com>,
        clang-built-linux <clang-built-linux@...glegroups.com>,
        stable <stable@...r.kernel.org>,
        Ard Biesheuvel <ardb@...nel.org>,
        Fāng-ruì Sòng <maskray@...gle.com>,
        Quentin Perret <qperret@...gle.com>,
        Alan Modra <amodra@...il.com>,
        "kernelci . org bot" <bot@...nelci.org>,
        linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] arm64: link with -z norelro for LLD or aarch64-elf

On Thu, Dec 17, 2020 at 04:24:32PM -0800, 'Nick Desaulniers' via Clang Built Linux wrote:
> With GNU binutils 2.35+, linking with BFD produces warnings for vmlinux:
> aarch64-linux-gnu-ld: warning: -z norelro ignored
> 
> BFD can produce this warning when the target emulation mode does not
> support RELRO program headers, and -z relro or -z norelro is passed.
> 
> Alan Modra clarifies:
>   The default linker emulation for an aarch64-linux ld.bfd is
>   -maarch64linux, the default for an aarch64-elf linker is
>   -maarch64elf.  They are not equivalent.  If you choose -maarch64elf
>   you get an emulation that doesn't support -z relro.
> 
> The ARCH=arm64 kernel prefers -maarch64elf, but may fall back to
> -maarch64linux based on the toolchain configuration.
> 
> LLD will always create RELRO program header regardless of target
> emulation.
> 
> To avoid the above warning when linking with BFD, pass -z norelro only
> when linking with LLD or with -maarch64linux.
> 
> Cc: Alan Modra <amodra@...il.com>
> Cc: Fāng-ruì Sòng <maskray@...gle.com>
> Fixes: 3b92fa7485eb ("arm64: link with -z norelro regardless of CONFIG_RELOCATABLE")
> Reported-by: kernelci.org bot <bot@...nelci.org>
> Reported-by: Quentin Perret <qperret@...gle.com>
> Acked-by: Ard Biesheuvel <ardb@...nel.org>
> Signed-off-by: Nick Desaulniers <ndesaulniers@...gle.com>

Reviewed-by: Nathan Chancellor <natechancellor@...il.com>

> ---
> Changes V1 -> V2:
> * s/relocation types/program headers/
> * s/newer GNU binutils/GNU binutils 2.35+/
> * Pick up Ard's Ack.
> 
> Note: maintainers may want to pick up the following tag:
> 
> Fixes: 3bbd3db86470 ("arm64: relocatable: fix inconsistencies in linker script and options")
> 
> or drop the existing fixes tag (this patch is more so in response to
> change to BFD to warn than fix a kernel regression, IMO, but I don't
> care). Either way, it would be good to fix this for the newly minted
> v5.10.y.

Should probably have

Cc: stable@...r.kernel.org

then.

> I'll probably be offline for the next two weeks for the holidays, so no
> promises on quick replies. Happy holidays+new year!
> 
> 
>  arch/arm64/Makefile | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
> index 6be9b3750250..90309208bb28 100644
> --- a/arch/arm64/Makefile
> +++ b/arch/arm64/Makefile
> @@ -10,7 +10,7 @@
>  #
>  # Copyright (C) 1995-2001 by Russell King
>  
> -LDFLAGS_vmlinux	:=--no-undefined -X -z norelro
> +LDFLAGS_vmlinux	:=--no-undefined -X
>  
>  ifeq ($(CONFIG_RELOCATABLE), y)
>  # Pass --no-apply-dynamic-relocs to restore pre-binutils-2.27 behaviour
> @@ -115,16 +115,20 @@ KBUILD_CPPFLAGS	+= -mbig-endian
>  CHECKFLAGS	+= -D__AARCH64EB__
>  # Prefer the baremetal ELF build target, but not all toolchains include
>  # it so fall back to the standard linux version if needed.
> -KBUILD_LDFLAGS	+= -EB $(call ld-option, -maarch64elfb, -maarch64linuxb)
> +KBUILD_LDFLAGS	+= -EB $(call ld-option, -maarch64elfb, -maarch64linuxb -z norelro)
>  UTS_MACHINE	:= aarch64_be
>  else
>  KBUILD_CPPFLAGS	+= -mlittle-endian
>  CHECKFLAGS	+= -D__AARCH64EL__
>  # Same as above, prefer ELF but fall back to linux target if needed.
> -KBUILD_LDFLAGS	+= -EL $(call ld-option, -maarch64elf, -maarch64linux)
> +KBUILD_LDFLAGS	+= -EL $(call ld-option, -maarch64elf, -maarch64linux -z norelro)
>  UTS_MACHINE	:= aarch64
>  endif
>  
> +ifeq ($(CONFIG_LD_IS_LLD), y)
> +KBUILD_LDFLAGS	+= -z norelro
> +endif
> +
>  CHECKFLAGS	+= -D__aarch64__
>  
>  ifeq ($(CONFIG_DYNAMIC_FTRACE_WITH_REGS),y)
> -- 
> 2.29.2.684.gfbc64c5ab5-goog
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ