From patchwork Fri Apr 22 19:01:38 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "H.J. Lu" X-Patchwork-Id: 53132 Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 9CB323856DC6 for ; Fri, 22 Apr 2022 19:05:38 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 9CB323856DC6 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1650654338; bh=+4IhDuM6MhjJ8/n8Xx75N94dfZF/0fWhyLySSBjbUDg=; h=To:Subject:Date:In-Reply-To:References:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To: From; b=RMX4yYJbeGsnxqRWL0gHaYGUfGBN3WrC8RGrMlfO3S9Z3Eny3Ol1zGMRipLjdoMtj wXXacld412O/HpQQgGD2ZfRAYSDJcqkZqbX4OChkAS1/h8zoVDkY0I9vayivr5wtip zScXka4PUwbMbExMGNw1W2jl/SnnQlwqcG53w7ZA= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pl1-x636.google.com (mail-pl1-x636.google.com [IPv6:2607:f8b0:4864:20::636]) by sourceware.org (Postfix) with ESMTPS id 5EB3E3858427 for ; Fri, 22 Apr 2022 19:01:44 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 5EB3E3858427 Received: by mail-pl1-x636.google.com with SMTP id s14so12797393plk.8 for ; Fri, 22 Apr 2022 12:01:44 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=+4IhDuM6MhjJ8/n8Xx75N94dfZF/0fWhyLySSBjbUDg=; b=QooVIMnJnn7YjD4CwpnoZY9vx9clQmAGp5ZvpmZOhs9kwFXNS+OfEYmRDlDZ3cD9fu rhZyg9br8ed2hDj0wl4CLBDzUxFxQu+4RvfDlXgt4oclBBNmoEFTHhTwwQ144cS6LuJc Q0wo2AOPmrIx2u9VgSSgkk47n4jWTc0PmoYSWxzwC8YAw0nIzdD23HzNLOxZ719T19Ck 6ke692/NiFFlA9dswv5+Xjnese22zVScTK+oX2FtDNvOoMmXDhoRP1B0cs73yJQF1Klv fmHF+1vwtNwWmSMsdszjRGWtJ+qJo9pra0D/Kjc3SZdVJvhs1LKHQOZl+pL2wmTpRVOv jXLw== X-Gm-Message-State: AOAM531WHYo1YT/cfsin+8jE1BMpBjdA4DPfE4QuLxZOSVPFMGyoKUYy q2PRmXsuCE6KospOZAoYVPw= X-Google-Smtp-Source: ABdhPJxAXXEw/sv+JbosRRb6es3mfkpAWbdCRZjdXAlzNJMMkS6hiqlMQvUFH34CrEvOmoFoPNX0cw== X-Received: by 2002:a17:902:b58b:b0:15b:5a3f:814b with SMTP id a11-20020a170902b58b00b0015b5a3f814bmr5639150pls.154.1650654103235; Fri, 22 Apr 2022 12:01:43 -0700 (PDT) Received: from gnu-tgl-3.localdomain ([172.58.35.133]) by smtp.gmail.com with ESMTPSA id g6-20020a17090a714600b001d7f3bb11d7sm3274430pjs.53.2022.04.22.12.01.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 Apr 2022 12:01:42 -0700 (PDT) Received: from gnu-tgl-3.. (localhost [IPv6:::1]) by gnu-tgl-3.localdomain (Postfix) with ESMTP id 74F0BC0287; Fri, 22 Apr 2022 12:01:41 -0700 (PDT) To: libc-alpha@sourceware.org Subject: [PATCH v11 6/7] Add --disable-default-dt-relr Date: Fri, 22 Apr 2022 12:01:38 -0700 Message-Id: <20220422190139.2615492-7-hjl.tools@gmail.com> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220422190139.2615492-1-hjl.tools@gmail.com> References: <20220422190139.2615492-1-hjl.tools@gmail.com> MIME-Version: 1.0 X-Spam-Status: No, score=-3027.1 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, GIT_PATCH_0, RCVD_IN_BARRACUDACENTRAL, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: "H.J. Lu via Libc-alpha" From: "H.J. Lu" Reply-To: "H.J. Lu" Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" Enable DT_RELR in glibc shared libraries and position independent executables (PIE) automatically if linker supports -z pack-relative-relocs. Also add a new configuration option, --disable-default-dt-relr, to avoid DT_RELR usage in glibc shared libraries and PIEs. Reviewed-by: Fangrui Song --- INSTALL | 6 ++++++ Makeconfig | 19 +++++++++++++++++++ Makerules | 2 ++ configure | 18 ++++++++++++++++++ configure.ac | 13 +++++++++++++ elf/Makefile | 4 +++- manual/install.texi | 5 +++++ 7 files changed, 66 insertions(+), 1 deletion(-) diff --git a/INSTALL b/INSTALL index b68884ccd6..09c9920a77 100644 --- a/INSTALL +++ b/INSTALL @@ -139,6 +139,12 @@ if 'CFLAGS' is specified it must enable optimization. For example: used with the GCC option, -static-pie, which is available with GCC 8 or above, to create static PIE. +'--disable-default-dt-relr' + Don't enable DT_RELR in glibc shared libraries and position + independent executables (PIE). By default, DT_RELR is enabled in + glibc shared libraries and position independent executables on + targets that support it. + '--enable-cet' '--enable-cet=permissive' Enable Intel Control-flow Enforcement Technology (CET) support. diff --git a/Makeconfig b/Makeconfig index 0aa5fb0099..b75f28f837 100644 --- a/Makeconfig +++ b/Makeconfig @@ -358,6 +358,23 @@ else real-static-start-installed-name = $(static-start-installed-name) endif +# Linker option to enable and disable DT-RELR. +ifeq ($(have-dt-relr),yes) +dt-relr-ldflag = -Wl,-z,pack-relative-relocs +no-dt-relr-ldflag = -Wl,-z,nopack-relative-relocs +else +dt-relr-ldflag = +no-dt-relr-ldflag = +endif + +# Default linker option for DT-RELR. +ifeq (yes,$(build-dt-relr-default)) +default-rt-relr-ldflag = $(dt-relr-ldflag) +else +default-rt-relr-ldflag = $(no-dt-relr-ldflag) +endif +LDFLAGS-rtld += $(default-rt-relr-ldflag) + relro-LDFLAGS = -Wl,-z,relro LDFLAGS.so += $(relro-LDFLAGS) LDFLAGS-rtld += $(relro-LDFLAGS) @@ -413,6 +430,7 @@ link-extra-libs-tests = $(libsupport) # Command for linking PIE programs with the C library. ifndef +link-pie +link-pie-before-inputs = $(if $($(@F)-no-pie),$(no-pie-ldflag),-pie) \ + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ -Wl,-O1 -nostdlib -nostartfiles \ $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \ @@ -445,6 +463,7 @@ endif ifndef +link-static +link-static-before-inputs = -nostdlib -nostartfiles -static \ $(if $($(@F)-no-pie),$(no-pie-ldflag),$(static-pie-ldflag)) \ + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ $(firstword $(CRT-$(@F)) $(csu-objpfx)$(real-static-start-installed-name)) \ $(+preinit) $(+prectorT) diff --git a/Makerules b/Makerules index 428464f092..7c1da551bf 100644 --- a/Makerules +++ b/Makerules @@ -536,6 +536,7 @@ lib%.so: lib%_pic.a $(+preinit) $(+postinit) $(link-libc-deps) define build-shlib-helper $(LINK.o) -shared -static-libgcc -Wl,-O1 $(sysdep-LDFLAGS) \ $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) $(rtld-LDFLAGS) \ + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ $(extra-B-$(@F:lib%.so=%).so) -B$(csu-objpfx) \ $(extra-B-$(@F:lib%.so=%).so) $(load-map-file) \ -Wl,-soname=lib$(libprefix)$(@F:lib%.so=%).so$($(@F)-version) \ @@ -595,6 +596,7 @@ endef define build-module-helper $(LINK.o) -shared -static-libgcc $(sysdep-LDFLAGS) $(rtld-LDFLAGS) \ $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) \ + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ -B$(csu-objpfx) $(load-map-file) \ $(LDFLAGS.so) $(LDFLAGS-$(@F:%.so=%).so) \ $(link-test-modules-rpath-link) \ diff --git a/configure b/configure index 5a730dc5fc..91152a5154 100755 --- a/configure +++ b/configure @@ -767,6 +767,7 @@ enable_sanity_checks enable_shared enable_profile enable_default_pie +enable_default_dt_relr enable_timezone_tools enable_hardcoded_path_in_tests enable_hidden_plt @@ -1424,6 +1425,7 @@ Optional Features: --enable-profile build profiled library [default=no] --disable-default-pie Do not build glibc programs and the testsuite as PIE [default=no] + --disable-dt-relr Do not enable DT_RELR in glibc [default=no] --disable-timezone-tools do not install timezone tools [default=install] --enable-hardcoded-path-in-tests @@ -3440,6 +3442,13 @@ else default_pie=yes fi +# Check whether --enable-default-dt-relr was given. +if test "${enable_default_dt_relr+set}" = set; then : + enableval=$enable_default_dt_relr; default_dt_relr=$enableval +else + default_dt_relr=yes +fi + # Check whether --enable-timezone-tools was given. if test "${enable_timezone_tools+set}" = set; then : enableval=$enable_timezone_tools; enable_timezone_tools=$enableval @@ -7029,6 +7038,15 @@ fi config_vars="$config_vars enable-static-pie = $libc_cv_static_pie" +# Disable build-dt-relr-default if linker does not support it or if glibc +# is configured with --disable-default-dt-relr. +build_dt_relr_default=$default_dt_relr +if test "x$build_dt_relr_default" != xno; then + build_dt_relr_default=$libc_cv_dt_relr +fi +config_vars="$config_vars +build-dt-relr-default = $build_dt_relr_default" + # Set the `multidir' variable by grabbing the variable from the compiler. # We do it once and save the result in a generated makefile. libc_cv_multidir=`${CC-cc} $CFLAGS $CPPFLAGS -print-multi-directory` diff --git a/configure.ac b/configure.ac index a045f6608e..c4198af9dc 100644 --- a/configure.ac +++ b/configure.ac @@ -197,6 +197,11 @@ AC_ARG_ENABLE([default-pie], [Do not build glibc programs and the testsuite as PIE @<:@default=no@:>@]), [default_pie=$enableval], [default_pie=yes]) +AC_ARG_ENABLE([default-dt-relr], + AS_HELP_STRING([--disable-dt-relr], + [Do not enable DT_RELR in glibc @<:@default=no@:>@]), + [default_dt_relr=$enableval], + [default_dt_relr=yes]) AC_ARG_ENABLE([timezone-tools], AS_HELP_STRING([--disable-timezone-tools], [do not install timezone tools @<:@default=install@:>@]), @@ -1825,6 +1830,14 @@ if test "$libc_cv_static_pie" = "yes"; then fi LIBC_CONFIG_VAR([enable-static-pie], [$libc_cv_static_pie]) +# Disable build-dt-relr-default if linker does not support it or if glibc +# is configured with --disable-default-dt-relr. +build_dt_relr_default=$default_dt_relr +if test "x$build_dt_relr_default" != xno; then + build_dt_relr_default=$libc_cv_dt_relr +fi +LIBC_CONFIG_VAR([build-dt-relr-default], [$build_dt_relr_default]) + # Set the `multidir' variable by grabbing the variable from the compiler. # We do it once and save the result in a generated makefile. libc_cv_multidir=`${CC-cc} $CFLAGS $CPPFLAGS -print-multi-directory` diff --git a/elf/Makefile b/elf/Makefile index bd9d03f527..c9f5876119 100644 --- a/elf/Makefile +++ b/elf/Makefile @@ -1648,6 +1648,7 @@ $(objpfx)nodlopen2.out: $(objpfx)nodlopenmod2.so $(objpfx)filtmod1.so: $(objpfx)filtmod1.os $(objpfx)filtmod2.so $(LINK.o) -shared -o $@ -B$(csu-objpfx) $(LDFLAGS.so) \ + $(default-rt-relr-ldflag) \ -L$(subst :, -L,$(rpath-link)) \ -Wl,-rpath-link=$(rpath-link) \ $< -Wl,-F,$(objpfx)filtmod2.so @@ -2447,7 +2448,7 @@ $(objpfx)tst-big-note: $(objpfx)tst-big-note-lib.so # artificial, large note in tst-big-note-lib.o and invalidate the # test. $(objpfx)tst-big-note-lib.so: $(objpfx)tst-big-note-lib.o - $(LINK.o) -shared -o $@ $(LDFLAGS.so) $< + $(LINK.o) -shared -o $@ $(LDFLAGS.so) $(default-rt-relr-ldflag) $< $(objpfx)tst-unwind-ctor: $(objpfx)tst-unwind-ctor-lib.so @@ -2756,6 +2757,7 @@ $(objpfx)tst-ro-dynamic: $(objpfx)tst-ro-dynamic-mod.so $(objpfx)tst-ro-dynamic-mod.so: $(objpfx)tst-ro-dynamic-mod.os \ tst-ro-dynamic-mod.map $(LINK.o) -nostdlib -nostartfiles -shared -o $@ \ + $(default-rt-relr-ldflag) \ -Wl,--script=tst-ro-dynamic-mod.map \ $(objpfx)tst-ro-dynamic-mod.os diff --git a/manual/install.texi b/manual/install.texi index fcfb6901e4..e446ac66c4 100644 --- a/manual/install.texi +++ b/manual/install.texi @@ -167,6 +167,11 @@ and architecture support it, static executables are built as static PIE and the resulting glibc can be used with the GCC option, -static-pie, which is available with GCC 8 or above, to create static PIE. +@item --disable-default-dt-relr +Don't enable DT_RELR in glibc shared libraries and position independent +executables (PIE). By default, DT_RELR is enabled in glibc shared +libraries and position independent executables on targets that support it. + @item --enable-cet @itemx --enable-cet=permissive Enable Intel Control-flow Enforcement Technology (CET) support. When