lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAK7LNAQz6f_1jsp22HRRQqwfb6jh8_BGMgyUtE9TK8ENoHzJxQ@mail.gmail.com>
Date:   Thu, 5 Jan 2023 22:44:09 +0900
From:   Masahiro Yamada <masahiroy@...nel.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Ard Biesheuvel <ardb@...nel.org>,
        Guenter Roeck <linux@...ck-us.net>,
        "Jason A. Donenfeld" <Jason@...c4.com>,
        Yoshinori Sato <ysato@...rs.sourceforge.jp>,
        Rich Felker <dalias@...c.org>, Arnd Bergmann <arnd@...db.de>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Palmer Dabbelt <palmer@...osinc.com>
Subject: Re: Linux 6.2-rc2

On Wed, Jan 4, 2023 at 3:34 AM Linus Torvalds
<torvalds@...ux-foundation.org> wrote:
>
> On Tue, Jan 3, 2023 at 2:59 AM Ard Biesheuvel <ardb@...nel.org> wrote:
> >
> > The purpose of this change is to prevent .note.GNU-stack from deciding
> > the section type of the .notes output section, and so keeping it in
> > its own section should be sufficient. E.g.,
> >
> > -       /DISCARD/ : { *(.note.GNU-stack) }                              \
> > +       .note.GNU-stack : { *(.note.GNU-stack) }                        \
>
> This seems to work for everybody, so let's go with this. Masahiro?
>
>                Linus



Sorry for the delay, I completely missed this thread.


Tested-by: Masahiro Yamada <masahiroy@...nel.org>



It works for me, but the comment block above should be
changed accordingly, for example:

  /*
 - * Discard .note.GNU-stack, which is emitted as PROGBITS by the compiler.
 + * Separte note.GNU-stack, which is emitted as PROGBITS by the compiler.
   * Otherwise, the type of .notes section would become PROGBITS
instead of NOTES.
   */


This change, however, leaves an empty .note.GNU-stack section in vmlinux.



I personally prefer discarding .note.GNU-stack entirely because
GNU linker does not leave empty .note.GNU-stack when linking
user-space programs.



Because I did not notice the discussion was happening in this thread,
I submitted a different approach for fixing s390, and it was quickly merged:

  https://lore.kernel.org/lkml/20230105031306.1455409-1-masahiroy@kernel.org/

This approach requires RUNTIME_DISCARD_EXIT for each architecture, though.

I do not know how Michael will fix powerpc.







While I was looking into this issue,
I noticed the real issue is,
how to discard sections is up to arch maintainers.



[1] Most architectures discard .exit.* sections at run-time.

     Just run
      git grep EXIT_TEXT
       or
     find . -name vmlinux.lds.S | xargs grep "at runtime"


[2] If .exit.* is allocated, then later discarded, it is kept.
    (the first occurrence wins, in other words,
    the sections defined in /DISCARD/ are not necessarily discarded)


[3]  Despite the fact of [1], many architectures forget to
     define RUNTIME_DISCARD_EXIT.
     They still work because they put DISCARD
     at the end of their linker scripts.


[4]  arm64 puts DISCARD at the beginning of the linker
     script, and defines RUNTIME_DISCARD_EXIT because otherwise
     .exit* are discarded due to the "first wins" rule.


[5]  If we really want to discard more sections, we often end
     up with moving DISCARD up, and at this point, we realize
     that RUNTIME_DISCARD_EXIT is missing.





I think it is unreadable (and fragile)
to keep/discard sections depending on the particular
order in the linker scripts.


Is there any better approach to make sure to discard
sections defined in DISCARDS?






--
Best Regards
Masahiro Yamada

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ