From: Carlos O'Donell <carlos@redhat.com>
To: "H.J. Lu" <hjl.tools@gmail.com>, Florian Weimer <fweimer@redhat.com>
Cc: Binutils <binutils@sourceware.org>,
GNU C Library <libc-alpha@sourceware.org>
Subject: Re: [PATCH] i386: Remove PLT0 and use non-lazy PLT if PLT0 is unused
Date: Mon, 08 May 2017 04:53:00 -0000 [thread overview]
Message-ID: <cfc101f3-c593-82f6-104d-35eb10debc9b@redhat.com> (raw)
In-Reply-To: <CAMe9rOorjioRY9t49f5hDnJ0Pr9vhDeDrZMBM=nOHn3rJgJq1A@mail.gmail.com>
On 05/07/2017 01:00 PM, H.J. Lu wrote:
> On Sat, May 6, 2017 at 11:55 AM, Florian Weimer <fweimer@redhat.com> wrote:
>> On 05/06/2017 05:11 PM, H.J. Lu wrote:
>>>
>>> 1. Call external function.
>>> 2. Call internal IFUNC function. The best implementation is selected
>>> for the target processor at run-time.
>>> 3. Act as the canonical function address.
>>
>>
>> Audit support is missing from this list. Audit support needs a PLT stub
>> which calls the audit trampoline with some sort of function index or
>> address.
>
> This behavior disables LD_AUDIT support with -z now, in addition to
>
> export LD_BIND_NOW=1
>
> or compiling with -fno-plt. Also should LD_AUDIT work on external
> calls inside shared objects linked with -z now?
Yes IMO, LD_AUDIT + -z now should force the GOT entries to remain forever
resolved to the stub PLT entry in a read-only mapping. This however means
keeping around the PLT entries, which is what you're trying to remove, but
shouldn't without an additional optimization flag.
>> I'm concerned that -z now in recent binutils (even without this patch)
>> removes audit support, when before, audit support was not impacted by -z now
>> (I think, I'm not sure on this point).
>>
>> We really must avoid hardening flags which have profound semantic
>> implications on generated binaries because it discourages people from
>> enabling them.
>
> The impacts for removing PLT0 with -z now are
>
> Cons:
>
> 1. LD_AUDIT no longer works.
This is bad. I know of lots of users that are going to be unhappy if we
continue to remove LD_AUDIT support. For now it works in their own applications,
but I'd like to see LD_AUDIT work with -z now.
> Pros:
>
> 1. Make the run-time behavior the same with "export LD_BIND_NOW=1".
Yes, but it's not a strong enough argument.
> 2. Disable LD_AUDIT to further improve security.
LD_LIBRARY_PATH is already just as dangerous, so is LD_PRELOAD.
And secure processes already ignore LD_AUDIT.
> I can add a new "-z audit" option to enable LD_AUDIT as much as
> possible, including
Why does an existing working feature need a new option?
Why not add a "-z noplt" like gcc has "-fnoplt" and make both options work
together to optimize away the lazy call sequence aspects of the binaries?
We could _also_ add a "-z audit" which is just there to force an error
if mixed with "-z noplt"
> --
> extern void foo (void);
>
> void *
> foo_p ()
> {
> foo ();
> return foo;
> }
> --
>
--
Cheers,
Carlos.
next prev parent reply other threads:[~2017-05-08 4:53 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-02 20:32 H.J. Lu
2017-05-04 16:31 ` H.J. Lu
2017-05-06 15:11 ` H.J. Lu
2017-05-06 18:55 ` Florian Weimer
2017-05-07 17:00 ` H.J. Lu
2017-05-08 4:53 ` Carlos O'Donell [this message]
2017-05-08 15:43 ` H.J. Lu
2017-05-08 15:54 ` Florian Weimer
2017-05-08 4:35 ` Carlos O'Donell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cfc101f3-c593-82f6-104d-35eb10debc9b@redhat.com \
--to=carlos@redhat.com \
--cc=binutils@sourceware.org \
--cc=fweimer@redhat.com \
--cc=hjl.tools@gmail.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).