Re: binutils ld and new PT_GNU_PROPERTY segment

[Szabolcs Nagy <szabolcs.nagy@arm.com>]

The 04/01/2020 10:46, Florian Weimer via Libc-alpha wrote:
> * Fangrui Song:
> 
> > Below is my understanding of these matters. Hope they will be useful for
> > interested stakeholders (for example, AArch64 devs, though PT_GNU_PROPERTY is
> > currently driven by x86) who don't follow the discussions so closely.
> >
> > 1. We need PT_GNU_PROPERTY.
> 
> >  Old linkers don't know the special processing on input .note.gnu.property sections.
> >  The output .note.gnu.property does not take -z ibt/-z shstk/-z force-bti/-z pac-plt into account =>
> >  invalid.
> >  The produced PT_NOTE may contain multiple NT_GNU_PROPERTY_TYPE_0 => invalid [3]
> 
> In practice, we can recognize binaries produced by old linkers when the
> object has been linked on a CET-enabled distribution because the
> produced notes are always invalid.  The glibc dynamic loader already
> checks for this and does not enable CET in this case.
> 
> ld -r involving exactly one CET-enabled object and one or more non-CET
> objects is still problematic, of course, but it seems an unlikely
> outcome.  The only way I can see this happening is with a CET-by-default
> GCC (such as the one Ubuntu uses), but then you still would have to use
> another linker (not /usr/bin/ld).  So even that seems like a fringe
> issue to me.

why only -r is problematic?

i thought linking exactly one marked object and other non-marked
ones with an old linker will have the (incorrect) marking on the
output that cannot be recognised as wrong.

this is why my plan for aarch64 is to only check PT_GNU_PROPERTY
in glibc (which implies a new linker), i believe the kernel
patches do so too.

> 
> In short, we looked at this situation, and still think that it's
> supportable.
> 
> >  Also note that sh_addralign(.note.gnu.property)=8 on a 64-bit
> >  platform, while
> >  sh_addralign(.note.gnu.build-id)=sh_addralign(.note.ABI-tag)=...=4
> >  (ancient mistake made by at least Linux/FreeBSD/NetBSD/...) GNU ld
> >  before PR ld/23658 may create corrupted PT_NOTE.
> 
> Yes, we ran into some of these issues in our distribution and had to
> rebuild a few objects.
> 
> >  For at least the above reasons, loaders are better not interpreting PT_NOTE.
> >  glibc/sysdeps/x86/dl-prop.h is currently interpreting PT_NOTE => it
> >  should be fixed.
> 
> I'm not sure we can do that for backwards compatibility reasons.  The
> ABI has been out there for several years now.

on non-x86 targets it can be still done.

> >  Given point 1 and 3, this comment deserves a reconsideration:
> >
> >  > Binaries with .note.gnu.property section have been put into many
> >  > OS releases.  We must support them.
> >
> > 2. .note.gnu.property behaves strangely, unlike a regular SHT_NOTE.
> >   For a .note.gnu.property aware linker (newer GNU ld, newer lld),
> >  .note.gnu.property input sections are dropped.
> >
> >  (We have .note.GNU-stack and .note.GNU-split-stack which both require special processing, but
> >  they are SHT_PROGBITS.)
> >
> > 3. We need SHT_GNU_PROPERTY.
> >  The output .note.gnu.property being SHT_NOTE causes linkers to place the section in both PT_NOTE
> >  and PT_GNU_PROPERTY.
> >  PT_NOTE, as explained by point 1 above, can cause trouble to old loaders.
> >  Have we proved that "older linker-produced concatenated PT_NOTE cannot cause trouble to loaders interpreting PT_NOTE"?
> >
> >  SHT_GNU_PROPERTY does not contribute to PT_NOTE and will not cause any problem to old loaders
> >  interpreting PT_NOTE.
> 
> Yes, I agree that it's desirable to add SHT_GNU_PROPERTY.

+1