* [Bug c/111518] New: relro protection not working in riscv
@ 2023-09-21 12:35 sattdeepan.d at samsung dot com
  2023-09-21 12:53 ` [Bug c/111518] " palmer at gcc dot gnu.org
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: sattdeepan.d at samsung dot com @ 2023-09-21 12:35 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111518

            Bug ID: 111518
           Summary: relro protection not working in riscv
           Product: gcc
           Version: 13.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: sattdeepan.d at samsung dot com
  Target Milestone: ---

The -z,relro and/or -z,now flags are not working on the riscv arch.


The address of printf is overwritten with the custom address passed as an argument, but it
is expected to be read-only when full relro protection is enabled.

Test code to reproduce (test_relro.c):
-----------------------------------------------

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <hex address>\n", argv[0]);
        return 1;
    }

    /* Address to write to, given in hex (e.g. the printf GOT slot). */
    size_t *p = (size_t *) strtol(argv[1], NULL, 16);

    /* With full RELRO this store into the GOT should fault (read-only page). */
    p[0] = 0xdeadbeef;

    printf("RELRO: %p\n", (void *) p);

    return 0;
}
-----------------------------------------------

Steps to reproduce:

1. Turn off ASLR:
  echo 0 > /proc/sys/kernel/randomize_va_space

2. Compile with -z,relro,-z,now flag:
gcc -g -Wl,-z,norelro -O0  -o test_partial test_relro.c

3. Check printf address in GOT:
sattdeepan@sri-9052:~$ objdump -R test_partial | grep printf
0000000000012020 R_RISCV_JUMP_SLOT  printf@GLIBC_2.27

4. Running with gdb:
gdb -q test_partial

5. Get load address of printf function:
<base address of main> - <main offset> + <printf offset in GOT>
0x10586 - 0x10586 +  0x12020 ==> 0x12020

6. Pass load address of main as argument

gdb-peda$ r 0x12020
Starting program: /home/user/test_full_riscv 0x12020
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/riscv64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
Warning: 'set logging off', an alias for the command 'set logging enabled', is
deprecated.
Use 'set logging enabled off'.

Warning: 'set logging on', an alias for the command 'set logging enabled', is
deprecated.
Use 'set logging enabled on'.
0x00000000deadbeee in ?? () ====> address of printf overwritten to custom
address passed as argument, but it expected to be readonly
gdb-peda$

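Before attributing a writable GOT slot to the linker, the check a reader would want is whether the binary actually carries a PT_GNU_RELRO segment covering that slot and a BIND_NOW request (without BIND_NOW the GOT stays writable for lazy binding, which is what -z,norelro or partial RELRO gives). The following is an added example, not code from the bug report or from GCC/binutils: it parses ELF64 little-endian program headers and the dynamic section directly, and build_sample_elf constructs a synthetic image for offline use; 0x12020 is the printf GOT slot quoted in the objdump output above.

```python
import struct

# ELF constants from the gABI; 243 (EM_RISCV) is only used by the constructed sample.
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474e552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6ffffffb
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def program_headers(elf):
    """Yield (p_type, p_offset, p_vaddr, p_memsz) from an ELF64 little-endian image."""
    assert elf[:4] == b"\x7fELF" and elf[4] == 2 and elf[5] == 1, "expected ELF64 LSB"
    phoff = struct.unpack_from("<Q", elf, 32)[0]
    phentsize, phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(phnum):
        hdr = struct.unpack_from("<IIQQQQQQ", elf, phoff + i * phentsize)
        yield hdr[0], hdr[2], hdr[3], hdr[6]   # p_type, p_offset, p_vaddr, p_memsz

def relro_status(elf, got_slot):
    """Is got_slot inside PT_GNU_RELRO, and is BIND_NOW requested? Full RELRO needs
    both: without BIND_NOW the GOT must stay writable for lazy symbol binding."""
    relro, bind_now = None, False
    for p_type, p_off, p_vaddr, p_memsz in program_headers(elf):
        if p_type == PT_GNU_RELRO:
            relro = (p_vaddr, p_vaddr + p_memsz)
        elif p_type == PT_DYNAMIC:            # walk Elf64_Dyn entries until DT_NULL
            off = p_off
            tag, val = struct.unpack_from("<qQ", elf, off)
            while tag != DT_NULL:
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
                off += 16
                tag, val = struct.unpack_from("<qQ", elf, off)
    covered = relro is not None and relro[0] <= got_slot < relro[1]
    return {"relro": relro, "bind_now": bind_now, "slot_protected": covered and bind_now}

def build_sample_elf(relro_covers_got=True, bind_now=True):
    """Constructed sample image (not a real binary): a PT_DYNAMIC segment plus a
    PT_GNU_RELRO segment that either covers the GOT page at 0x12000 or sits below it."""
    phoff, phnum = 64, 2
    dyn = (struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW) if bind_now else b"") \
        + struct.pack("<qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 243, 1, 0, phoff, 0, 0, 64, 56, phnum, 64, 0, 0)
    dyn_off = phoff + phnum * 56
    relro_start = 0x12000 if relro_covers_got else 0x11000
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0x11e00, 0x11e00, len(dyn), len(dyn), 8)
    phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, relro_start, relro_start, 0x800, 0x800, 1)
    return ehdr + phdrs + dyn
```

On a real build, pass the file contents of the test binary and the slot address from objdump -R; a result with slot_protected False on a supposedly -z,relro,-z,now build points at the link step rather than the compiler.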

* [Bug c/111518] relro protection not working in riscv
From: palmer at gcc dot gnu.org @ 2023-09-21 12:53 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111518

palmer at gcc dot gnu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |palmer at gcc dot gnu.org

--- Comment #1 from palmer at gcc dot gnu.org ---
(In reply to sattdeepan from comment #0)
> 1. Compile with -z,relro,-z,now flag:
> gcc -g -Wl,-z,norelro -O0  -o test_partial test_relro.c

Those don't match: the comment says relro+now, but the command line says
norelro.  I'm just double checking to make sure the run is from a relro+now
build, as opposed to a norelro build.

Also, I get a warning building the code.  I don't think it'll result in bad
behavior here, though.

$ riscv64-unknown-linux-gnu-gcc test.c -o test
test.c: In function ‘main’:
test.c:7:35: warning: passing argument 1 of ‘strtol’ from incompatible pointer
type [-Wincompatible-pointer-types]
    7 | size_t *p = (size_t *) strtol(argv[1], NULL, 16);
      |                               ~~~~^~~
      |                                   |
      |                                   int *
In file included from test.c:2:
/usr/riscv64-unknown-linux-gnu/usr/include/stdlib.h:177:48: note: expected
‘const char * restrict’ but argument is of type ‘int *’
  177 | extern long int strtol (const char *__restrict __nptr,
      |                         ~~~~~~~~~~~~~~~~~~~~~~~^~~~~~


* [Bug c/111518] relro protection not working in riscv
From: schwab@linux-m68k.org @ 2023-09-21 13:21 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111518

--- Comment #2 from Andreas Schwab <schwab@linux-m68k.org> ---
That's a linker bug, please report to https://sourceware.org/bugzilla/.


* [Bug target/111518] relro protection not working in riscv
From: pinskia at gcc dot gnu.org @ 2023-09-21 16:05 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111518

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |MOVED

--- Comment #3 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
GCC is not involved in the relaxation part of the linker, which seems to be
causing this issue ...

