* [PATCH 0/4] Implement single global definition marker
@ 2021-06-20 23:36 H.J. Lu
2021-06-20 23:36 ` [PATCH 1/4] Initial support for GNU_PROPERTY_1_NEEDED H.J. Lu
` (4 more replies)
0 siblings, 5 replies; 18+ messages in thread
From: H.J. Lu @ 2021-06-20 23:36 UTC (permalink / raw)
To: libc-alpha
On systems with copy relocation:
* A copy in executable is created for the definition in a shared library
at run-time by ld.so.
* The copy is referenced by executable and shared libraries.
* Executable can access the copy directly.
Issues are:
* Overhead of a copy, time and space, may be visible at run-time.
* Read-only data in the shared library becomes read-write copy in
executable at run-time.
* Local access to data with the STV_PROTECTED visibility in the shared
library must use GOT.
On systems without function descriptor, function pointers vary depending
on where and how the functions are defined.
* If the function is defined in executable, it can be the address of
function body.
* If the function, including the function with STV_PROTECTED visibility,
is defined in the shared library, it can be the address of the PLT entry
in executable or shared library.
Issues are:
* The address of function body may not be used as its function pointer.
* ld.so needs to search loaded shared libraries for the function pointer
of the function with STV_PROTECTED visibility.
Here is a proposal to remove copy relocation and use canonical function
pointer:
1. Accesses, including in PIE and non-PIE, to undefined symbols must
use GOT.
a. Linker may optimize out GOT access if the data is defined in PIE or
non-PIE.
2. Read-only data in the shared library remain read-only at run-time
3. Address of global data with the STV_PROTECTED visibility in the shared
library is the address of data body.
a. Can use IP-relative access.
b. May need GOT without IP-relative access.
4. For systems without function descriptor,
a. All global function pointers of undefined functions in PIE and
non-PIE must use GOT. Linker may optimize out GOT access if the
function is defined in PIE or non-PIE.
b. Function pointer of functions with the STV_PROTECTED visibility in
executable and shared library is the address of function body.
i. Can use IP-relative access.
ii. May need GOT without IP-relative access.
iii. Branches to undefined functions may use PLT.
5. Single global definition marker:
Add GNU_PROPERTY_1_NEEDED:
#define GNU_PROPERTY_1_NEEDED GNU_PROPERTY_UINT32_OR_LO
to indicate the needed properties by the object file.
Add GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION:
#define GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION (1U << 0)
to indicate that the object file requires canonical function pointers and
cannot be used with copy relocation.
a. Copy relocation should be disallowed at link-time and run-time.
b. Canonical function pointers are required at link-time and run-tima
Dynamic linker changes:
* Scan the single global definition marker on all components, including
the executable and its dependency shared libraries.
* When performing symbol lookup for references in an object without
single global definition:
a. Disallow copy relocations against protected data symbols in an object
with single global definition.
b. Disallow non-zero symbol values of undefined function symbols, which
are used as the function pointer, against protected function symbols in
an object with single global definition.
The corresponding binutils patches are posted at
https://sourceware.org/pipermail/binutils/2021-June/117091.html
and GCC patches are posted at
https://gcc.gnu.org/pipermail/gcc-patches/2021-June/573236.html
H.J. Lu (4):
Initial support for GNU_PROPERTY_1_NEEDED
Check -z single-global-definition and -fsingle-global-definition
Add run-time chesk for single global definition
Update tests for protected data and function symbols
configure | 73 +++++++++++++++++-
configure.ac | 37 ++++++++++
elf/Makefile | 54 ++++++++++++++
elf/dl-lookup.c | 5 ++
elf/elf.h | 17 +++++
elf/tst-protected1moda.c | 10 +--
elf/tst-protected1modb.c | 4 +-
elf/tst-protected2a.c | 130 +++++++++++++++++++++++++++++++++
elf/tst-protected2apie.c | 1 +
elf/tst-protected2b.c | 121 ++++++++++++++++++++++++++++++
elf/tst-protected2bpie.c | 1 +
elf/tst-protected2mod.h | 35 +++++++++
elf/tst-protected2moda.c | 52 +++++++++++++
elf/tst-protected2moda2.c | 41 +++++++++++
elf/tst-protected2modb.c | 45 ++++++++++++
elf/tst-protected2modb2.c | 28 +++++++
sysdeps/generic/dl-prop.h | 9 ++-
sysdeps/generic/dl-protected.h | 51 +++++++++++++
sysdeps/generic/link_map.h | 3 +-
sysdeps/x86/dl-prop.h | 19 +++--
sysdeps/x86/link_map.h | 2 +
21 files changed, 720 insertions(+), 18 deletions(-)
create mode 100644 elf/tst-protected2a.c
create mode 100644 elf/tst-protected2apie.c
create mode 100644 elf/tst-protected2b.c
create mode 100644 elf/tst-protected2bpie.c
create mode 100644 elf/tst-protected2mod.h
create mode 100644 elf/tst-protected2moda.c
create mode 100644 elf/tst-protected2moda2.c
create mode 100644 elf/tst-protected2modb.c
create mode 100644 elf/tst-protected2modb2.c
create mode 100644 sysdeps/generic/dl-protected.h
--
2.31.1
^ permalink raw reply [flat|nested] 18+ messages in thread
* [PATCH 1/4] Initial support for GNU_PROPERTY_1_NEEDED
2021-06-20 23:36 [PATCH 0/4] Implement single global definition marker H.J. Lu
@ 2021-06-20 23:36 ` H.J. Lu
2021-06-21 7:06 ` Florian Weimer
2021-06-20 23:36 ` [PATCH 2/4] Check -z single-global-definition and -fsingle-global-definition H.J. Lu
` (3 subsequent siblings)
4 siblings, 1 reply; 18+ messages in thread
From: H.J. Lu @ 2021-06-20 23:36 UTC (permalink / raw)
To: libc-alpha
1. Add GNU_PROPERTY_1_NEEDED:
#define GNU_PROPERTY_1_NEEDED GNU_PROPERTY_UINT32_OR_LO
to indicate the needed properties by the object file.
2. Add GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION:
#define GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION (1U << 0)
to indicate that the object file requires canonical function pointers and
cannot be used with copy relocation.
3. Scan GNU_PROPERTY_1_NEEDED property and store it in l_1_needed.
---
elf/elf.h | 17 +++++++++++++++++
sysdeps/generic/dl-prop.h | 9 ++++++++-
sysdeps/generic/link_map.h | 3 ++-
sysdeps/x86/dl-prop.h | 19 ++++++++++++++-----
sysdeps/x86/link_map.h | 2 ++
5 files changed, 43 insertions(+), 7 deletions(-)
diff --git a/elf/elf.h b/elf/elf.h
index 2a62b98d4a..45b107fdcf 100644
--- a/elf/elf.h
+++ b/elf/elf.h
@@ -1310,6 +1310,23 @@ typedef struct
/* No copy relocation on protected data symbol. */
#define GNU_PROPERTY_NO_COPY_ON_PROTECTED 2
+/* A 4-byte unsigned integer property: A bit is set if it is set in all
+ relocatable inputs. */
+#define GNU_PROPERTY_UINT32_AND_LO 0xb0000000
+#define GNU_PROPERTY_UINT32_AND_HI 0xb0007fff
+
+/* A 4-byte unsigned integer property: A bit is set if it is set in any
+ relocatable inputs. */
+#define GNU_PROPERTY_UINT32_OR_LO 0xb0008000
+#define GNU_PROPERTY_UINT32_OR_HI 0xb000ffff
+
+/* The needed properties by the object file. */
+#define GNU_PROPERTY_1_NEEDED GNU_PROPERTY_UINT32_OR_LO
+
+/* Set if the object file requires canonical function pointers and
+ cannot be used with copy relocation. */
+#define GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION (1U << 0)
+
/* Processor-specific semantics, lo */
#define GNU_PROPERTY_LOPROC 0xc0000000
/* Processor-specific semantics, hi */
diff --git a/sysdeps/generic/dl-prop.h b/sysdeps/generic/dl-prop.h
index eaee8052b6..207aadb35d 100644
--- a/sysdeps/generic/dl-prop.h
+++ b/sysdeps/generic/dl-prop.h
@@ -47,7 +47,14 @@ static inline int __attribute__ ((always_inline))
_dl_process_gnu_property (struct link_map *l, int fd, uint32_t type,
uint32_t datasz, void *data)
{
- return 0;
+ /* Continue until GNU_PROPERTY_1_NEEDED is found. */
+ if (type == GNU_PROPERTY_1_NEEDED)
+ {
+ if (datasz == 4)
+ l->l_1_needed = *(unsigned int *) data;
+ return 0;
+ }
+ return 1;
}
#endif /* _DL_PROP_H */
diff --git a/sysdeps/generic/link_map.h b/sysdeps/generic/link_map.h
index a056184690..9f482b8c20 100644
--- a/sysdeps/generic/link_map.h
+++ b/sysdeps/generic/link_map.h
@@ -1 +1,2 @@
-/* No architecture specific definitions. */
+/* GNU_PROPERTY_1_NEEDED of this object. */
+unsigned int l_1_needed;
diff --git a/sysdeps/x86/dl-prop.h b/sysdeps/x86/dl-prop.h
index 56bd020b3c..385548fad3 100644
--- a/sysdeps/x86/dl-prop.h
+++ b/sysdeps/x86/dl-prop.h
@@ -97,6 +97,7 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note,
const ElfW(Addr) start = (ElfW(Addr)) note;
+ unsigned int needed_1 = 0;
unsigned int feature_1_and = 0;
unsigned int isa_1_needed = 0;
unsigned int last_type = 0;
@@ -141,7 +142,8 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note,
last_type = type;
if (type == GNU_PROPERTY_X86_FEATURE_1_AND
- || type == GNU_PROPERTY_X86_ISA_1_NEEDED)
+ || type == GNU_PROPERTY_X86_ISA_1_NEEDED
+ || type == GNU_PROPERTY_1_NEEDED)
{
/* The sizes of types which we are searching for are
4 bytes. There is no point to continue if this
@@ -151,12 +153,18 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note,
/* NB: Stop the scan only after seeing all types which
we are searching for. */
- _Static_assert ((GNU_PROPERTY_X86_ISA_1_NEEDED >
- GNU_PROPERTY_X86_FEATURE_1_AND),
+ _Static_assert (((GNU_PROPERTY_X86_ISA_1_NEEDED
+ > GNU_PROPERTY_X86_FEATURE_1_AND)
+ && (GNU_PROPERTY_X86_FEATURE_1_AND
+ > GNU_PROPERTY_1_NEEDED)),
"GNU_PROPERTY_X86_ISA_1_NEEDED > "
- "GNU_PROPERTY_X86_FEATURE_1_AND");
+ "GNU_PROPERTY_X86_FEATURE_1_AND && "
+ "GNU_PROPERTY_X86_FEATURE_1_AND > "
+ "GNU_PROPERTY_1_NEEDED");
if (type == GNU_PROPERTY_X86_FEATURE_1_AND)
feature_1_and = *(unsigned int *) ptr;
+ else if (type == GNU_PROPERTY_1_NEEDED)
+ needed_1 = *(unsigned int *) ptr;
else
{
isa_1_needed = *(unsigned int *) ptr;
@@ -187,9 +195,10 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note,
}
/* We get here only if there is one or no GNU property note. */
- if (isa_1_needed != 0 || feature_1_and != 0)
+ if (needed_1 != 0 || isa_1_needed != 0 || feature_1_and != 0)
{
l->l_property = lc_property_valid;
+ l->l_1_needed = needed_1;
l->l_x86_isa_1_needed = isa_1_needed;
l->l_x86_feature_1_and = feature_1_and;
}
diff --git a/sysdeps/x86/link_map.h b/sysdeps/x86/link_map.h
index 4c46a25f83..0c7e25dc96 100644
--- a/sysdeps/x86/link_map.h
+++ b/sysdeps/x86/link_map.h
@@ -29,3 +29,5 @@ unsigned int l_x86_feature_1_and;
/* GNU_PROPERTY_X86_ISA_1_NEEDED of this object. */
unsigned int l_x86_isa_1_needed;
+
+#include <sysdeps/generic/link_map.h>
--
2.31.1
^ permalink raw reply [flat|nested] 18+ messages in thread
* [PATCH 2/4] Check -z single-global-definition and -fsingle-global-definition
2021-06-20 23:36 [PATCH 0/4] Implement single global definition marker H.J. Lu
2021-06-20 23:36 ` [PATCH 1/4] Initial support for GNU_PROPERTY_1_NEEDED H.J. Lu
@ 2021-06-20 23:36 ` H.J. Lu
2021-06-21 7:31 ` Andreas Schwab
2021-06-21 7:43 ` Florian Weimer
2021-06-20 23:36 ` [PATCH 3/4] Add run-time chesk for single global definition H.J. Lu
` (2 subsequent siblings)
4 siblings, 2 replies; 18+ messages in thread
From: H.J. Lu @ 2021-06-20 23:36 UTC (permalink / raw)
To: libc-alpha
1. Check linker support for -z single-global-definition. If
GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION is set on any input
relocatable files:
a. Don't generate copy relocations.
b. Turn off extern_protected_data.
c. Treate reference to protected symbols with single global definition
as local.
d. Set GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION on output.
e. Add -z [no]single-global-definition to control single global
definition.
2. Check compiler support for -fsingle-global-definition:
a. Generate a single global definition marker in relocatable objects.
i. Always use GOT to access undefined data and function symbols,
including in PIE and non-PIE. These will avoid copy relocations in
executables.
ii. This is compatible with existing executables and shared libraries.
b. In executable and shared library, bind symbols with the STV_PROTECTED
visibility locally:
i. The address of data symbol is the address of data body.
ii. For systems without function descriptor, the function pointer is
the address of function body.
iii. The resulting shared libraries may not be incompatible with
executables which have copy relocations on protected symbols.
Size comparison of non-PIE builds with GCC 12 -O2:
1. On x86-64:
text data bss dec hex filename
190218 9672 416 200306 30e72 ld.so (original)
190258 9336 416 200010 30d4a ld.so (-fsingle-global-definition)
1917384 20232 52424 1990040 1e5d98 libc.so (original)
1919946 20240 52432 1992618 1e67aa libc.so (-fsingle-global-definition)
261734 10339 744 272817 429b1 localedef (original)
233084 41734 648 275466 4340a localedef (-fsingle-global-definition)
2. On i686:
text data bss dec hex filename
199369 6796 212 206377 32629 ld.so (original)
199381 6796 212 206389 32635 ld.so (-fsingle-global-definition)
2058080 11136 38856 2108072 202aa8 libc.so (original)
2058092 11136 38856 2108084 202ab4 libc.so (-fsingle-global-definition)
276207 9559 552 286318 45e6e localedef (original)
254249 33734 520 288503 466f7 localedef (-fsingle-global-definition)
---
configure | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++-
configure.ac | 37 ++++++++++++++++++++++++++
2 files changed, 109 insertions(+), 1 deletion(-)
diff --git a/configure b/configure
index 9619c10991..5844dad68f 100755
--- a/configure
+++ b/configure
@@ -732,6 +732,7 @@ infodir
docdir
oldincludedir
includedir
+runstatedir
localstatedir
sharedstatedir
sysconfdir
@@ -844,6 +845,7 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1096,6 +1098,15 @@ do
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
+ -runstatedir | --runstatedir | --runstatedi | --runstated \
+ | --runstate | --runstat | --runsta | --runst | --runs \
+ | --run | --ru | --r)
+ ac_prev=runstatedir ;;
+ -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+ | --run=* | --ru=* | --r=*)
+ runstatedir=$ac_optarg ;;
+
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1233,7 +1244,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
- libdir localedir mandir
+ libdir localedir mandir runstatedir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
@@ -1386,6 +1397,7 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
+ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
@@ -5746,6 +5758,65 @@ fi
$as_echo "$libc_cv_insert" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking -z single-global-definition" >&5
+$as_echo_n "checking -z single-global-definition... " >&6; }
+if ${libc_cv_z_single_global_definition+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ cat > conftest.c <<EOF
+ __attribute__ ((visibility ("protected")))
+ void bar (void) {}
+ void *bar_p (void) { return &bar; }
+EOF
+ libc_cv_z_single_global_definition=no
+ if { ac_try='${CC-cc} -Wl,-z,single-global-definition
+ -nostdlib -nostartfiles $CFLAGS $CPPFLAGS $LDFLAGS
+ -fPIC -shared $no_ssp -o conftest.so conftest.c
+ 1>&5'
+ { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; }; then
+ libc_cv_z_single_global_definition=yes
+ else
+ libc_cv_z_single_global_definition=no
+ fi
+ rm -f conftest.*
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_z_single_global_definition" >&5
+$as_echo "$libc_cv_z_single_global_definition" >&6; }
+config_vars="$config_vars
+have-z-single-global-definition = $libc_cv_z_single_global_definition"
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -fsingle-global-definition" >&5
+$as_echo_n "checking for -fsingle-global-definition... " >&6; }
+if ${libc_cv_fsingle_global_definition+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ cat > conftest.c <<EOF
+int foo;
+EOF
+ if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -S
+ -fsingle-global-definition
+ conftest.c 1>&5'
+ { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; }; then
+ libc_cv_fsingle_global_definition=yes
+ else
+ libc_cv_fsingle_global_definition=no
+ fi
+ rm -f conftest*
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_fsingle_global_definition" >&5
+$as_echo "$libc_cv_fsingle_global_definition" >&6; }
+config_vars="$config_vars
+have-fsingle-global-definition = $libc_cv_fsingle_global_definition"
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for broken __attribute__((alias()))" >&5
$as_echo_n "checking for broken __attribute__((alias()))... " >&6; }
if ${libc_cv_broken_alias_attribute+:} false; then :
diff --git a/configure.ac b/configure.ac
index 34ecbba540..26932812da 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1222,6 +1222,43 @@ EOF
])
AC_SUBST(libc_cv_insert)
+AC_CACHE_CHECK(-z single-global-definition,
+ libc_cv_z_single_global_definition,
+ [cat > conftest.c <<EOF
+ __attribute__ ((visibility ("protected")))
+ void bar (void) {}
+ void *bar_p (void) { return &bar; }
+EOF
+ libc_cv_z_single_global_definition=no
+ if AC_TRY_COMMAND([${CC-cc} -Wl,-z,single-global-definition
+ -nostdlib -nostartfiles $CFLAGS $CPPFLAGS $LDFLAGS
+ -fPIC -shared $no_ssp -o conftest.so conftest.c
+ 1>&AS_MESSAGE_LOG_FD]); then
+ libc_cv_z_single_global_definition=yes
+ else
+ libc_cv_z_single_global_definition=no
+ fi
+ rm -f conftest.*
+ ])
+LIBC_CONFIG_VAR([have-z-single-global-definition],
+ [$libc_cv_z_single_global_definition])
+
+AC_CACHE_CHECK(for -fsingle-global-definition,
+ libc_cv_fsingle_global_definition,
+ [cat > conftest.c <<EOF
+int foo;
+EOF
+ if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS -S
+ -fsingle-global-definition
+ conftest.c 1>&AS_MESSAGE_LOG_FD]); then
+ libc_cv_fsingle_global_definition=yes
+ else
+ libc_cv_fsingle_global_definition=no
+ fi
+ rm -f conftest*])
+LIBC_CONFIG_VAR([have-fsingle-global-definition],
+ [$libc_cv_fsingle_global_definition])
+
AC_CACHE_CHECK(for broken __attribute__((alias())),
libc_cv_broken_alias_attribute,
[cat > conftest.c <<EOF
--
2.31.1
^ permalink raw reply [flat|nested] 18+ messages in thread
* [PATCH 3/4] Add run-time chesk for single global definition
2021-06-20 23:36 [PATCH 0/4] Implement single global definition marker H.J. Lu
2021-06-20 23:36 ` [PATCH 1/4] Initial support for GNU_PROPERTY_1_NEEDED H.J. Lu
2021-06-20 23:36 ` [PATCH 2/4] Check -z single-global-definition and -fsingle-global-definition H.J. Lu
@ 2021-06-20 23:36 ` H.J. Lu
2021-06-21 7:16 ` Florian Weimer
2021-06-20 23:36 ` [PATCH 4/4] Update tests for protected data and function symbols H.J. Lu
2021-06-21 20:05 ` [PATCH 0/4] Implement single global definition marker Joseph Myers
4 siblings, 1 reply; 18+ messages in thread
From: H.J. Lu @ 2021-06-20 23:36 UTC (permalink / raw)
To: libc-alpha
When performing symbol lookup for references in an object without single
global definition:
1. Disallow copy relocations against protected data symbols in an object
with single global definition.
2. Disallow non-zero symbol values of undefined function symbols, which
are used as the function pointer, against protected function symbols in
an object with single global definition.
---
elf/dl-lookup.c | 5 ++++
sysdeps/generic/dl-protected.h | 51 ++++++++++++++++++++++++++++++++++
2 files changed, 56 insertions(+)
create mode 100644 sysdeps/generic/dl-protected.h
diff --git a/elf/dl-lookup.c b/elf/dl-lookup.c
index eea217eb28..430359af39 100644
--- a/elf/dl-lookup.c
+++ b/elf/dl-lookup.c
@@ -24,6 +24,7 @@
#include <ldsodefs.h>
#include <dl-hash.h>
#include <dl-machine.h>
+#include <dl-protected.h>
#include <sysdep-cancel.h>
#include <libc-lock.h>
#include <tls.h>
@@ -527,6 +528,10 @@ do_lookup_x (const char *undef_name, uint_fast32_t new_hash,
if (__glibc_unlikely (dl_symbol_visibility_binds_local_p (sym)))
goto skip;
+ if (ELFW(ST_VISIBILITY) (sym->st_other) == STV_PROTECTED)
+ _dl_check_protected_symbol (undef_name, undef_map, ref, map,
+ type_class);
+
switch (ELFW(ST_BIND) (sym->st_info))
{
case STB_WEAK:
diff --git a/sysdeps/generic/dl-protected.h b/sysdeps/generic/dl-protected.h
new file mode 100644
index 0000000000..a530eb3e51
--- /dev/null
+++ b/sysdeps/generic/dl-protected.h
@@ -0,0 +1,51 @@
+/* Support for STV_PROTECTED visibility. Generic version.
+ Copyright (C) 2021 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#ifndef _DL_PROTECTED_H
+#define _DL_PROTECTED_H
+
+static inline void __attribute__ ((always_inline))
+_dl_check_protected_symbol (const char *undef_name,
+ const struct link_map *undef_map,
+ const ElfW(Sym) *ref,
+ const struct link_map *map,
+ int type_class)
+{
+ if (undef_map != NULL
+ && !(undef_map->l_1_needed
+ & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION)
+ && (map->l_1_needed
+ & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION))
+ {
+ if ((type_class & ELF_RTYPE_CLASS_COPY))
+ /* Disallow copy relocations against protected data symbols in
+ an object with single global definition. */
+ _dl_fatal_printf ("copy relocation against non-copyable protected symbol=%s in file=%s\n",
+ undef_name, DSO_FILENAME (map->l_name));
+ else if (ref->st_value != 0
+ && ref->st_shndx == SHN_UNDEF
+ && (type_class & ELF_RTYPE_CLASS_PLT))
+ /* Disallow non-zero symbol values of undefined symbols, which
+ are used as the function pointer, against protected function
+ symbols in an object with single global definition. */
+ _dl_fatal_printf ("non-canonical reference to canonical protected function symbol=%s in file=%s\n",
+ undef_name, DSO_FILENAME (map->l_name));
+ }
+}
+
+#endif /* _DL_PROTECTED_H */
--
2.31.1
^ permalink raw reply [flat|nested] 18+ messages in thread
* [PATCH 4/4] Update tests for protected data and function symbols
2021-06-20 23:36 [PATCH 0/4] Implement single global definition marker H.J. Lu
` (2 preceding siblings ...)
2021-06-20 23:36 ` [PATCH 3/4] Add run-time chesk for single global definition H.J. Lu
@ 2021-06-20 23:36 ` H.J. Lu
2021-06-21 7:19 ` Florian Weimer
2021-06-21 20:05 ` [PATCH 0/4] Implement single global definition marker Joseph Myers
4 siblings, 1 reply; 18+ messages in thread
From: H.J. Lu @ 2021-06-20 23:36 UTC (permalink / raw)
To: libc-alpha
Protected data and function symbols don't work well without
-fsingle-global-definition:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=37611
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=44166
1. Compile tst-protected1[ab].c and tst-protected1mod[ab].c with
-fsingle-global-definition if possible so that GOT entries are used
for undefined data accesses.
2. Add tests for protected function pointers.
3. Build tst-prelink.c without single global definition to keepp COPY
relocation.
---
elf/Makefile | 54 ++++++++++++++++
elf/tst-protected1moda.c | 10 +--
elf/tst-protected1modb.c | 4 +-
elf/tst-protected2a.c | 130 ++++++++++++++++++++++++++++++++++++++
elf/tst-protected2apie.c | 1 +
elf/tst-protected2b.c | 121 +++++++++++++++++++++++++++++++++++
elf/tst-protected2bpie.c | 1 +
elf/tst-protected2mod.h | 35 ++++++++++
elf/tst-protected2moda.c | 52 +++++++++++++++
elf/tst-protected2moda2.c | 41 ++++++++++++
elf/tst-protected2modb.c | 45 +++++++++++++
elf/tst-protected2modb2.c | 28 ++++++++
12 files changed, 512 insertions(+), 10 deletions(-)
create mode 100644 elf/tst-protected2a.c
create mode 100644 elf/tst-protected2apie.c
create mode 100644 elf/tst-protected2b.c
create mode 100644 elf/tst-protected2bpie.c
create mode 100644 elf/tst-protected2mod.h
create mode 100644 elf/tst-protected2moda.c
create mode 100644 elf/tst-protected2moda2.c
create mode 100644 elf/tst-protected2modb.c
create mode 100644 elf/tst-protected2modb2.c
diff --git a/elf/Makefile b/elf/Makefile
index 38d08e03b8..abbb9a46b4 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -367,15 +367,59 @@ tests += tst-protected1a tst-protected1b
$(objpfx)tst-protected1a: $(addprefix $(objpfx),tst-protected1moda.so tst-protected1modb.so)
$(objpfx)tst-protected1b: $(addprefix $(objpfx),tst-protected1modb.so tst-protected1moda.so)
tst-protected1modb.so-no-z-defs = yes
+ifeq (yes,$(have-fsingle-global-definition))
+CFLAGS-tst-protected1a.c += -fsingle-global-definition
+CFLAGS-tst-protected1b.c += -fsingle-global-definition
+CFLAGS-tst-protected1moda.c += -fsingle-global-definition
+CFLAGS-tst-protected1modb.c += -fsingle-global-definition
+else
# These tests fail with GCC versions prior to 5.1 and with some versions
# of binutils. See https://sourceware.org/bugzilla/show_bug.cgi?id=17709
# and https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65248 for details.
# Perhaps in future we can make these XFAILs conditional on some detection
# of compiler/linker behavior/version.
+# NB: These tests pass with -fsingle-global-definition when GOT entries
+# are used for undefined data accesses.
test-xfail-tst-protected1a = yes
test-xfail-tst-protected1b = yes
endif
+ifeq (yes,$(have-z-single-global-definition))
+LDFLAGS-tst-protected1moda.so += -Wl,-z,single-global-definition
+LDFLAGS-tst-protected1modb.so += -Wl,-z,single-global-definition
+endif
+endif
ifeq (yesyes,$(have-fpie)$(build-shared))
+ifeq (yes,$(have-z-single-global-definition))
+modules-names += tst-protected2moda tst-protected2modb
+tests += tst-protected2a tst-protected2b
+tests += tst-protected2apie tst-protected2bpie
+tests-pie += tst-protected2apie tst-protected2bpie
+test-extras += tst-protected2moda2 tst-protected2modb2
+extra-test-objs += tst-protected2moda2.os tst-protected2modb2.os
+LDFLAGS-tst-protected2moda.so += -Wl,-z,single-global-definition
+LDFLAGS-tst-protected2modb.so += -Wl,-z,single-global-definition
+CFLAGS-tst-protected2apie.c += $(PIE-ccflag)
+CFLAGS-tst-protected2bpie.c += $(PIE-ccflag)
+ifeq (yes,$(have-fsingle-global-definition))
+CFLAGS-tst-protected2a.c += -fsingle-global-definition
+CFLAGS-tst-protected2b.c += -fsingle-global-definition
+CFLAGS-tst-protected2moda.c += -fsingle-global-definition
+CFLAGS-tst-protected2moda2.c += -fsingle-global-definition
+CFLAGS-tst-protected2modb.c += -fsingle-global-definition
+CFLAGS-tst-protected2modb2.c += -fsingle-global-definition
+else
+# These non-PIE tests fail when GOT entries are not used for undefined
+# function pointers.
+test-xfail-tst-protected2a = yes
+test-xfail-tst-protected2b = yes
+endif
+$(objpfx)tst-protected2moda.so: $(objpfx)tst-protected2moda2.os
+$(objpfx)tst-protected2modb.so: $(objpfx)tst-protected2modb2.os
+$(objpfx)tst-protected2a: $(addprefix $(objpfx),tst-protected2moda.so tst-protected2modb.so)
+$(objpfx)tst-protected2b: $(addprefix $(objpfx),tst-protected2modb.so tst-protected2moda.so)
+$(objpfx)tst-protected2apie: $(addprefix $(objpfx),tst-protected2moda.so tst-protected2modb.so)
+$(objpfx)tst-protected2bpie: $(addprefix $(objpfx),tst-protected2modb.so tst-protected2moda.so)
+endif
modules-names += tst-piemod1
tests += tst-pie1 tst-pie2 tst-dlopen-pie tst-dlopen-tlsmodid-pie \
tst-dlopen-self-pie
@@ -469,6 +513,16 @@ tests += tst-prelink
tests-internal += tst-prelink-cmp
# Don't compile tst-prelink.c with PIE for GLOB_DAT relocation.
CFLAGS-tst-prelink.c += -fno-pie
+ifeq ($(have-fsingle-global-definition),yes)
+# Compile tst-prelink.c with -fno-single-global-definition to keepp COPY
+# relocation.
+CFLAGS-tst-prelink.c += -fno-single-global-definition
+endif
+ifeq ($(have-z-single-global-definition),yes)
+# Link tst-prelink with -z nosingle-global-definition to keepp COPY
+# relocation.
+LDFLAGS-tst-prelink += -Wl,-z,nosingle-global-definition
+endif
tst-prelink-no-pie = yes
endif
diff --git a/elf/tst-protected1moda.c b/elf/tst-protected1moda.c
index eeb18306bb..3d0eb1e877 100644
--- a/elf/tst-protected1moda.c
+++ b/elf/tst-protected1moda.c
@@ -17,17 +17,13 @@
#include "tst-protected1mod.h"
-int protected1 = 3;
+int protected1 __attribute__ ((visibility("protected"))) = 3;
static int expected_protected1 = 3;
-int protected2 = 4;
+int protected2 __attribute__ ((visibility("protected"))) = 4;
static int expected_protected2 = 4;
-int protected3 = 5;
+int protected3 __attribute__ ((visibility("protected"))) = 5;
static int expected_protected3 = 5;
-asm (".protected protected1");
-asm (".protected protected2");
-asm (".protected protected3");
-
void
set_protected1a (int i)
{
diff --git a/elf/tst-protected1modb.c b/elf/tst-protected1modb.c
index 2cb1e61b17..ca82c64689 100644
--- a/elf/tst-protected1modb.c
+++ b/elf/tst-protected1modb.c
@@ -19,11 +19,9 @@
#include "tst-protected1mod.h"
int protected1 = -3;
-int protected3 = -5;
+int protected3 __attribute__ ((visibility("protected"))) = -5;
static int expected_protected3 = -5;
-asm (".protected protected3");
-
void
set_protected1b (int i)
{
diff --git a/elf/tst-protected2a.c b/elf/tst-protected2a.c
new file mode 100644
index 0000000000..21b666e12b
--- /dev/null
+++ b/elf/tst-protected2a.c
@@ -0,0 +1,130 @@
+/* Test the protected visibility when main is linked with moda and modb
+ in that order:
+ 1. Protected function symbols, protected1, protected2 and protected3,
+ defined in moda, are used in moda.
+ 2. Protected function symbol, protected3, defined in modb, are used
+ in modb.
+ 3. Symbol, protected1, defined in moda, is also used in main and modb.
+ 4. Symbol, protected2, defined in main, is used in main.
+ 5. Symbol, protected3, defined in moda, is also used in main.
+
+ Copyright (C) 2021 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "tst-protected2mod.h"
+
+int
+protected2 (void)
+{
+ return -1;
+}
+
+int
+__attribute__ ((weak, noclone, noinline))
+call_ptr (protected_func_type ptr)
+{
+ return ptr ();
+}
+
+int
+do_test (void)
+{
+ int res = 0;
+
+ /* Check if we get the same address for the protected function symbol. */
+ protected_func_type ptr = protected1a_p ();
+ if (&protected1 != ptr)
+ {
+ puts ("`protected1' in main and moda doesn't have the same address");
+ res = 1;
+ }
+ ptr = protected1b_p ();
+ if (&protected1 != ptr)
+ {
+ puts ("`protected1' in main and modb doesn't have the same address");
+ res = 1;
+ }
+
+ /* Check if we get the right protected function symbol. */
+ if (call_ptr (ptr) != 3)
+ {
+ puts ("`protected1' in main and moda doesn't return the same value");
+ res = 1;
+ }
+
+ /* Check if we get the right function defined in executable. */
+ if (protected2 () != -1)
+ {
+ puts ("`protected2' in main returns the wrong value");
+ res = 1;
+ }
+
+ /* Check `protected1' in moda. */
+ if (!check_protected1 ())
+ {
+ puts ("`protected1' in moda returns the wrong value");
+ res = 1;
+ }
+
+ /* Check `protected2' in moda. */
+ if (!check_protected2 ())
+ {
+ puts ("`protected2' in moda returns the wrong value");
+ res = 1;
+ }
+
+ /* Check if we get the same address for the protected function symbol. */
+ if (&protected3 != protected3a_p ())
+ {
+ puts ("`protected3' in main and moda doesn't have the same address");
+ res = 1;
+ }
+ if (&protected3 == protected3b_p ())
+ {
+ puts ("`protected3' in main and modb has the same address");
+ res = 1;
+ }
+
+ /* Check if we get the right value for the protected data symbol. */
+ if (protected3 () != 5)
+ {
+ puts ("`protected3' in main and moda doesn't return the same value");
+ res = 1;
+ }
+
+ /* Check `protected3' in moda. */
+ if (!check_protected3a ())
+ {
+ puts ("`protected3' in moda has the wrong value");
+ res = 1;
+ }
+
+ /* Check `protected3' in modb. */
+ if (!check_protected3b ())
+ {
+ puts ("`protected3' in modb has the wrong value");
+ res = 1;
+ }
+
+ return res;
+}
+
+#include <support/test-driver.c>
diff --git a/elf/tst-protected2apie.c b/elf/tst-protected2apie.c
new file mode 100644
index 0000000000..28a7aa3d1a
--- /dev/null
+++ b/elf/tst-protected2apie.c
@@ -0,0 +1 @@
+#include "tst-protected2a.c"
diff --git a/elf/tst-protected2b.c b/elf/tst-protected2b.c
new file mode 100644
index 0000000000..500323e33f
--- /dev/null
+++ b/elf/tst-protected2b.c
@@ -0,0 +1,121 @@
+/* Test the protected visibility when main is linked with modb and moda
+ in that order:
+ 1. Protected function symbols, protected1, protected2 and protected3,
+ defined in moda, are used in moda.
+ 2. Protected function symbol, protected3, defined in modb, are used
+ in modb.
+ 3. Symbol, protected1, defined in modb, is used in main and modb.
+ 4. Symbol, protected2, defined in main, is used in main.
+ 5. Symbol, protected3, defined in modb, is also used in main.
+
+ Copyright (C) 2021 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "tst-protected2mod.h"
+
+int
+protected2 (void)
+{
+ return -1;
+}
+
+int
+do_test (void)
+{
+ int res = 0;
+
+ /* Check if we get the same address for the protected data symbol. */
+ if (&protected1 == protected1a_p ())
+ {
+ puts ("`protected1' in main and moda has the same address");
+ res = 1;
+ }
+ if (&protected1 != protected1b_p ())
+ {
+ puts ("`protected1' in main and modb doesn't have the same address");
+ res = 1;
+ }
+
+ /* Check if we get the right protected function symbol. */
+ if (protected1 () != -3)
+ {
+ puts ("`protected1' in main and modb doesn't return the same value");
+ res = 1;
+ }
+
+ /* Check if we get the right function defined in executable. */
+ if (protected2 () != -1)
+ {
+ puts ("`protected2' in main returns the wrong value");
+ res = 1;
+ }
+
+ /* Check `protected1' in moda. */
+ if (!check_protected1 ())
+ {
+ puts ("`protected1' in moda returns the wrong value");
+ res = 1;
+ }
+
+ /* Check `protected2' in moda. */
+ if (!check_protected2 ())
+ {
+ puts ("`protected2' in moda returns the wrong value");
+ res = 1;
+ }
+
+ /* Check if we get the same address for the protected function symbol. */
+ if (&protected3 == protected3a_p ())
+ {
+ puts ("`protected3' in main and moda has the same address");
+ res = 1;
+ }
+ if (&protected3 != protected3b_p ())
+ {
+ puts ("`protected3' in main and modb doesn't have the same address");
+ res = 1;
+ }
+
+ /* Check if we get the right protected function symbol. */
+ if (protected3 () != -5)
+ {
+ puts ("`protected3' in main and modb doesn't return the same value");
+ res = 1;
+ }
+
+ /* Check `protected3' in moda. */
+ if (!check_protected3a ())
+ {
+ puts ("`protected3' in moda returns the wrong value");
+ res = 1;
+ }
+
+ /* Check `protected3' in modb. */
+ if (!check_protected3b ())
+ {
+ puts ("`protected3' in modb returns the wrong value");
+ res = 1;
+ }
+
+ return res;
+}
+
+#include <support/test-driver.c>
diff --git a/elf/tst-protected2bpie.c b/elf/tst-protected2bpie.c
new file mode 100644
index 0000000000..8dcfbd04cb
--- /dev/null
+++ b/elf/tst-protected2bpie.c
@@ -0,0 +1 @@
+#include "tst-protected2b.c"
diff --git a/elf/tst-protected2mod.h b/elf/tst-protected2mod.h
new file mode 100644
index 0000000000..feb28ab0d5
--- /dev/null
+++ b/elf/tst-protected2mod.h
@@ -0,0 +1,35 @@
+/* Test protected function symbols.
+ Copyright (C) 2021 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+/* Prototypes for the functions in the DSOs. */
+extern int protected1 (void);
+extern int protected2 (void);
+extern int protected3 (void);
+
+typedef int (*protected_func_type) (void);
+
+extern protected_func_type protected1a_p (void);
+extern protected_func_type protected1b_p (void);
+
+extern int check_protected1 (void);
+extern int check_protected2 (void);
+
+extern int check_protected3a (void);
+extern protected_func_type protected3a_p (void);
+extern int check_protected3b (void);
+extern protected_func_type protected3b_p (void);
diff --git a/elf/tst-protected2moda.c b/elf/tst-protected2moda.c
new file mode 100644
index 0000000000..db04e8dfb9
--- /dev/null
+++ b/elf/tst-protected2moda.c
@@ -0,0 +1,52 @@
+/* Test protected function symbols.
+ Copyright (C) 2021 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include "tst-protected2mod.h"
+
+__attribute__ ((visibility("protected")))
+int
+protected1 (void)
+{
+ return 3;
+}
+
+__attribute__ ((visibility("protected")))
+int
+protected2 (void)
+{
+ return 4;
+}
+
+__attribute__ ((visibility("protected")))
+int
+protected3 (void)
+{
+ return 5;
+}
+
+protected_func_type
+protected1a_p (void)
+{
+ return &protected1;
+}
+
+protected_func_type
+protected3a_p (void)
+{
+ return &protected3;
+}
diff --git a/elf/tst-protected2moda2.c b/elf/tst-protected2moda2.c
new file mode 100644
index 0000000000..fae72177f9
--- /dev/null
+++ b/elf/tst-protected2moda2.c
@@ -0,0 +1,41 @@
+/* Test protected function symbols.
+ Copyright (C) 2021 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include "tst-protected2mod.h"
+
+extern int protected1 (void) __attribute__ ((visibility("protected")));
+extern int protected2 (void) __attribute__ ((visibility("protected")));
+extern int protected3 (void) __attribute__ ((visibility("protected")));
+
+int
+check_protected1 (void)
+{
+ return protected1 () == 3;
+}
+
+int
+check_protected2 (void)
+{
+ return protected2 () == 4;
+}
+
+int
+check_protected3a (void)
+{
+ return protected3 () == 5;
+}
diff --git a/elf/tst-protected2modb.c b/elf/tst-protected2modb.c
new file mode 100644
index 0000000000..3c5063f0c3
--- /dev/null
+++ b/elf/tst-protected2modb.c
@@ -0,0 +1,45 @@
+/* Test protected function symbols.
+ Copyright (C) 2021 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <stdlib.h>
+#include "tst-protected2mod.h"
+
+int
+protected1 (void)
+{
+ return -3;
+}
+
+__attribute__ ((visibility("protected")))
+int
+protected3 (void)
+{
+ return -5;
+}
+
+protected_func_type
+protected1b_p (void)
+{
+ return &protected1;
+}
+
+protected_func_type
+protected3b_p (void)
+{
+ return &protected3;
+}
diff --git a/elf/tst-protected2modb2.c b/elf/tst-protected2modb2.c
new file mode 100644
index 0000000000..b21b827134
--- /dev/null
+++ b/elf/tst-protected2modb2.c
@@ -0,0 +1,28 @@
+/* Test protected function symbols.
+ Copyright (C) 2021 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <stdlib.h>
+#include "tst-protected2mod.h"
+
+extern int protected3 (void) __attribute__ ((visibility("protected")));
+
+int
+check_protected3b (void)
+{
+ return protected3 () == -5;
+}
--
2.31.1
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 1/4] Initial support for GNU_PROPERTY_1_NEEDED
2021-06-20 23:36 ` [PATCH 1/4] Initial support for GNU_PROPERTY_1_NEEDED H.J. Lu
@ 2021-06-21 7:06 ` Florian Weimer
2021-06-21 12:57 ` H.J. Lu
0 siblings, 1 reply; 18+ messages in thread
From: Florian Weimer @ 2021-06-21 7:06 UTC (permalink / raw)
To: H.J. Lu via Libc-alpha
* H. J. Lu via Libc-alpha:
> diff --git a/elf/elf.h b/elf/elf.h
> index 2a62b98d4a..45b107fdcf 100644
> --- a/elf/elf.h
> +++ b/elf/elf.h
> @@ -1310,6 +1310,23 @@ typedef struct
> /* No copy relocation on protected data symbol. */
> #define GNU_PROPERTY_NO_COPY_ON_PROTECTED 2
>
> +/* A 4-byte unsigned integer property: A bit is set if it is set in all
> + relocatable inputs. */
> +#define GNU_PROPERTY_UINT32_AND_LO 0xb0000000
> +#define GNU_PROPERTY_UINT32_AND_HI 0xb0007fff
> +
> +/* A 4-byte unsigned integer property: A bit is set if it is set in any
> + relocatable inputs. */
> +#define GNU_PROPERTY_UINT32_OR_LO 0xb0008000
> +#define GNU_PROPERTY_UINT32_OR_HI 0xb000ffff
> +
> +/* The needed properties by the object file. */
> +#define GNU_PROPERTY_1_NEEDED GNU_PROPERTY_UINT32_OR_LO
> +
> +/* Set if the object file requires canonical function pointers and
> + cannot be used with copy relocation. */
> +#define GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION (1U << 0)
> +
> /* Processor-specific semantics, lo */
> #define GNU_PROPERTY_LOPROC 0xc0000000
> /* Processor-specific semantics, hi */
Please add a stable link to the full specification.
I think we need more bits: one bit to indicate the status (in this
patch), and another bit to indicate linker support for this feature.
And perhaps yet another to indicate incompatibility with this feature.
Thanks,
Florian
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 3/4] Add run-time chesk for single global definition
2021-06-20 23:36 ` [PATCH 3/4] Add run-time chesk for single global definition H.J. Lu
@ 2021-06-21 7:16 ` Florian Weimer
2021-06-21 13:20 ` H.J. Lu
0 siblings, 1 reply; 18+ messages in thread
From: Florian Weimer @ 2021-06-21 7:16 UTC (permalink / raw)
To: H.J. Lu via Libc-alpha
* H. J. Lu via Libc-alpha:
> +static inline void __attribute__ ((always_inline))
> +_dl_check_protected_symbol (const char *undef_name,
> + const struct link_map *undef_map,
> + const ElfW(Sym) *ref,
> + const struct link_map *map,
> + int type_class)
> +{
> + if (undef_map != NULL
> + && !(undef_map->l_1_needed
> + & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION)
> + && (map->l_1_needed
> + & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION))
> + {
> + if ((type_class & ELF_RTYPE_CLASS_COPY))
> + /* Disallow copy relocations against protected data symbols in
> + an object with single global definition. */
> + _dl_fatal_printf ("copy relocation against non-copyable protected symbol=%s in file=%s\n",
> + undef_name, DSO_FILENAME (map->l_name));
> + else if (ref->st_value != 0
> + && ref->st_shndx == SHN_UNDEF
> + && (type_class & ELF_RTYPE_CLASS_PLT))
> + /* Disallow non-zero symbol values of undefined symbols, which
> + are used as the function pointer, against protected function
> + symbols in an object with single global definition. */
> + _dl_fatal_printf ("non-canonical reference to canonical protected function symbol=%s in file=%s\n",
> + undef_name, DSO_FILENAME (map->l_name));
> + }
> +}
Why are those fatal errors?
I have trouble understanding the second comment (for the
ELF_RTYPE_CLASS_PLT).
Thanks,
Florian
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 4/4] Update tests for protected data and function symbols
2021-06-20 23:36 ` [PATCH 4/4] Update tests for protected data and function symbols H.J. Lu
@ 2021-06-21 7:19 ` Florian Weimer
2021-06-21 12:54 ` H.J. Lu
0 siblings, 1 reply; 18+ messages in thread
From: Florian Weimer @ 2021-06-21 7:19 UTC (permalink / raw)
To: H.J. Lu via Libc-alpha
* H. J. Lu via Libc-alpha:
> Protected data and function symbols don't work well without
> -fsingle-global-definition:
>
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=37611
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=44166
>
> 1. Compile tst-protected1[ab].c and tst-protected1mod[ab].c with
> -fsingle-global-definition if possible so that GOT entries are used
> for undefined data accesses.
> 2. Add tests for protected function pointers.
> 3. Build tst-prelink.c without single global definition to keepp COPY
> relocation.
I think these tests need to check that the statically linked bits from
GCC have been built with -fsingle-global-definition. I don't think
that's guaranteed even if GCC supports -fsingle-global-definition.
I think this shows the limitation of the single bit of markup: the
statically linked GCC bits are all hidden, so setting
GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION so is not correct as a
marker to *require* a single global definition, but neither is not
setting it because libgcc.a etc. should be *compatible* with
GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION.
Thanks,
Florian
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 2/4] Check -z single-global-definition and -fsingle-global-definition
2021-06-20 23:36 ` [PATCH 2/4] Check -z single-global-definition and -fsingle-global-definition H.J. Lu
@ 2021-06-21 7:31 ` Andreas Schwab
2021-06-21 7:43 ` Florian Weimer
1 sibling, 0 replies; 18+ messages in thread
From: Andreas Schwab @ 2021-06-21 7:31 UTC (permalink / raw)
To: H.J. Lu via Libc-alpha
On Jun 20 2021, H.J. Lu via Libc-alpha wrote:
> diff --git a/configure b/configure
> index 9619c10991..5844dad68f 100755
> --- a/configure
> +++ b/configure
> @@ -732,6 +732,7 @@ infodir
> docdir
> oldincludedir
> includedir
> +runstatedir
> localstatedir
> sharedstatedir
> sysconfdir
Please use a vanilla autoconf version.
Andreas.
--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 2/4] Check -z single-global-definition and -fsingle-global-definition
2021-06-20 23:36 ` [PATCH 2/4] Check -z single-global-definition and -fsingle-global-definition H.J. Lu
2021-06-21 7:31 ` Andreas Schwab
@ 2021-06-21 7:43 ` Florian Weimer
2021-06-21 12:49 ` H.J. Lu
1 sibling, 1 reply; 18+ messages in thread
From: Florian Weimer @ 2021-06-21 7:43 UTC (permalink / raw)
To: H.J. Lu via Libc-alpha
* H. J. Lu via Libc-alpha:
> 1. Check linker support for -z single-global-definition. If
> GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION is set on any input
> relocatable files:
> a. Don't generate copy relocations.
> b. Turn off extern_protected_data.
> c. Treate reference to protected symbols with single global definition
> as local.
> d. Set GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION on output.
> e. Add -z [no]single-global-definition to control single global
> definition.
> 2. Check compiler support for -fsingle-global-definition:
> a. Generate a single global definition marker in relocatable objects.
> i. Always use GOT to access undefined data and function symbols,
> including in PIE and non-PIE. These will avoid copy relocations in
> executables.
> ii. This is compatible with existing executables and shared libraries.
> b. In executable and shared library, bind symbols with the STV_PROTECTED
> visibility locally:
> i. The address of data symbol is the address of data body.
> ii. For systems without function descriptor, the function pointer is
> the address of function body.
> iii. The resulting shared libraries may not be incompatible with
> executables which have copy relocations on protected symbols.
>
> Size comparison of non-PIE builds with GCC 12 -O2:
>
> 1. On x86-64:
> text data bss dec hex filename
> 190218 9672 416 200306 30e72 ld.so (original)
> 190258 9336 416 200010 30d4a ld.so (-fsingle-global-definition)
> 1917384 20232 52424 1990040 1e5d98 libc.so (original)
> 1919946 20240 52432 1992618 1e67aa libc.so (-fsingle-global-definition)
> 261734 10339 744 272817 429b1 localedef (original)
> 233084 41734 648 275466 4340a localedef (-fsingle-global-definition)
I must say these numbers do not make sense to me. Why do libc.so and
localedef data sizes increase with -fsingle-global-definition? Fewer
copy relocations should *reduce* data size on both sides. localedef
would have to have nearly 4,000 data relocations to account for the size
increase. And shouldn't the GOT overlap with BSS anyway (so not even
show up in the data column)?
And I don't think we can build glibc with -fsingle-global-definition
anyway because it would be an ABI break.
> ---
> configure | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++-
> configure.ac | 37 ++++++++++++++++++++++++++
> 2 files changed, 109 insertions(+), 1 deletion(-)
>
> diff --git a/configure b/configure
> index 9619c10991..5844dad68f 100755
> --- a/configure
> +++ b/configure
> @@ -732,6 +732,7 @@ infodir
> docdir
> oldincludedir
> includedir
> +runstatedir
> localstatedir
> sharedstatedir
> sysconfdir
Please regenerate with an unpatched autoconf.
Thanks,
Florian
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 2/4] Check -z single-global-definition and -fsingle-global-definition
2021-06-21 7:43 ` Florian Weimer
@ 2021-06-21 12:49 ` H.J. Lu
0 siblings, 0 replies; 18+ messages in thread
From: H.J. Lu @ 2021-06-21 12:49 UTC (permalink / raw)
To: Florian Weimer; +Cc: H.J. Lu via Libc-alpha
On Mon, Jun 21, 2021 at 12:43 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * H. J. Lu via Libc-alpha:
>
> > 1. Check linker support for -z single-global-definition. If
> > GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION is set on any input
> > relocatable files:
> > a. Don't generate copy relocations.
> > b. Turn off extern_protected_data.
> > c. Treate reference to protected symbols with single global definition
> > as local.
> > d. Set GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION on output.
> > e. Add -z [no]single-global-definition to control single global
> > definition.
> > 2. Check compiler support for -fsingle-global-definition:
> > a. Generate a single global definition marker in relocatable objects.
> > i. Always use GOT to access undefined data and function symbols,
> > including in PIE and non-PIE. These will avoid copy relocations in
> > executables.
> > ii. This is compatible with existing executables and shared libraries.
> > b. In executable and shared library, bind symbols with the STV_PROTECTED
> > visibility locally:
> > i. The address of data symbol is the address of data body.
> > ii. For systems without function descriptor, the function pointer is
> > the address of function body.
> > iii. The resulting shared libraries may not be incompatible with
> > executables which have copy relocations on protected symbols.
> >
> > Size comparison of non-PIE builds with GCC 12 -O2:
> >
> > 1. On x86-64:
> > text data bss dec hex filename
> > 190218 9672 416 200306 30e72 ld.so (original)
> > 190258 9336 416 200010 30d4a ld.so (-fsingle-global-definition)
> > 1917384 20232 52424 1990040 1e5d98 libc.so (original)
> > 1919946 20240 52432 1992618 1e67aa libc.so (-fsingle-global-definition)
> > 261734 10339 744 272817 429b1 localedef (original)
> > 233084 41734 648 275466 4340a localedef (-fsingle-global-definition)
>
> I must say these numbers do not make sense to me. Why do libc.so and
> localedef data sizes increase with -fsingle-global-definition? Fewer
I haven't investigated them in detail yet. My main purposes were to
check if anything breaks.
> copy relocations should *reduce* data size on both sides. localedef
> would have to have nearly 4,000 data relocations to account for the size
> increase. And shouldn't the GOT overlap with BSS anyway (so not even
> show up in the data column)?
I will take a closer look.
> And I don't think we can build glibc with -fsingle-global-definition
> anyway because it would be an ABI break.
Correct.
> > ---
> > configure | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++-
> > configure.ac | 37 ++++++++++++++++++++++++++
> > 2 files changed, 109 insertions(+), 1 deletion(-)
> >
> > diff --git a/configure b/configure
> > index 9619c10991..5844dad68f 100755
> > --- a/configure
> > +++ b/configure
> > @@ -732,6 +732,7 @@ infodir
> > docdir
> > oldincludedir
> > includedir
> > +runstatedir
> > localstatedir
> > sharedstatedir
> > sysconfdir
>
> Please regenerate with an unpatched autoconf.
>
Will do.
Thanks.
--
H.J.
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 4/4] Update tests for protected data and function symbols
2021-06-21 7:19 ` Florian Weimer
@ 2021-06-21 12:54 ` H.J. Lu
2021-06-21 12:57 ` Florian Weimer
0 siblings, 1 reply; 18+ messages in thread
From: H.J. Lu @ 2021-06-21 12:54 UTC (permalink / raw)
To: Florian Weimer; +Cc: H.J. Lu via Libc-alpha
On Mon, Jun 21, 2021 at 12:19 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * H. J. Lu via Libc-alpha:
>
> > Protected data and function symbols don't work well without
> > -fsingle-global-definition:
> >
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=37611
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=44166
> >
> > 1. Compile tst-protected1[ab].c and tst-protected1mod[ab].c with
> > -fsingle-global-definition if possible so that GOT entries are used
> > for undefined data accesses.
> > 2. Add tests for protected function pointers.
> > 3. Build tst-prelink.c without single global definition to keepp COPY
> > relocation.
>
> I think these tests need to check that the statically linked bits from
> GCC have been built with -fsingle-global-definition. I don't think
> that's guaranteed even if GCC supports -fsingle-global-definition.
>
> I think this shows the limitation of the single bit of markup: the
> statically linked GCC bits are all hidden, so setting
> GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION so is not correct as a
> marker to *require* a single global definition, but neither is not
> setting it because libgcc.a etc. should be *compatible* with
> GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION.
The output bit is ORed from all inputs. When one input object file doesn't
work with COPY relocation, the final output object is marked incompatible
with COPY relocation even if some inputs do work with COPY relocation.
--
H.J.
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 1/4] Initial support for GNU_PROPERTY_1_NEEDED
2021-06-21 7:06 ` Florian Weimer
@ 2021-06-21 12:57 ` H.J. Lu
0 siblings, 0 replies; 18+ messages in thread
From: H.J. Lu @ 2021-06-21 12:57 UTC (permalink / raw)
To: Florian Weimer; +Cc: H.J. Lu via Libc-alpha
On Mon, Jun 21, 2021 at 12:06 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * H. J. Lu via Libc-alpha:
>
> > diff --git a/elf/elf.h b/elf/elf.h
> > index 2a62b98d4a..45b107fdcf 100644
> > --- a/elf/elf.h
> > +++ b/elf/elf.h
> > @@ -1310,6 +1310,23 @@ typedef struct
> > /* No copy relocation on protected data symbol. */
> > #define GNU_PROPERTY_NO_COPY_ON_PROTECTED 2
> >
> > +/* A 4-byte unsigned integer property: A bit is set if it is set in all
> > + relocatable inputs. */
> > +#define GNU_PROPERTY_UINT32_AND_LO 0xb0000000
> > +#define GNU_PROPERTY_UINT32_AND_HI 0xb0007fff
> > +
> > +/* A 4-byte unsigned integer property: A bit is set if it is set in any
> > + relocatable inputs. */
> > +#define GNU_PROPERTY_UINT32_OR_LO 0xb0008000
> > +#define GNU_PROPERTY_UINT32_OR_HI 0xb000ffff
> > +
> > +/* The needed properties by the object file. */
> > +#define GNU_PROPERTY_1_NEEDED GNU_PROPERTY_UINT32_OR_LO
> > +
> > +/* Set if the object file requires canonical function pointers and
> > + cannot be used with copy relocation. */
> > +#define GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION (1U << 0)
> > +
> > /* Processor-specific semantics, lo */
> > #define GNU_PROPERTY_LOPROC 0xc0000000
> > /* Processor-specific semantics, hi */
>
> Please add a stable link to the full specification.
I will work on it.
> I think we need more bits: one bit to indicate the status (in this
> patch), and another bit to indicate linker support for this feature.
> And perhaps yet another to indicate incompatibility with this feature.
>
There is
#define GNU_PROPERTY_1_NEEDED GNU_PROPERTY_UINT32_OR_LO
Since the setting on output is ORed from inputs, one bit is
sufficient.
--
H.J.
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 4/4] Update tests for protected data and function symbols
2021-06-21 12:54 ` H.J. Lu
@ 2021-06-21 12:57 ` Florian Weimer
2021-06-21 13:05 ` H.J. Lu
0 siblings, 1 reply; 18+ messages in thread
From: Florian Weimer @ 2021-06-21 12:57 UTC (permalink / raw)
To: H.J. Lu; +Cc: H.J. Lu via Libc-alpha
* H. J. Lu:
> On Mon, Jun 21, 2021 at 12:19 AM Florian Weimer <fweimer@redhat.com> wrote:
>>
>> * H. J. Lu via Libc-alpha:
>>
>> > Protected data and function symbols don't work well without
>> > -fsingle-global-definition:
>> >
>> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=37611
>> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=44166
>> >
>> > 1. Compile tst-protected1[ab].c and tst-protected1mod[ab].c with
>> > -fsingle-global-definition if possible so that GOT entries are used
>> > for undefined data accesses.
>> > 2. Add tests for protected function pointers.
>> > 3. Build tst-prelink.c without single global definition to keepp COPY
>> > relocation.
>>
>> I think these tests need to check that the statically linked bits from
>> GCC have been built with -fsingle-global-definition. I don't think
>> that's guaranteed even if GCC supports -fsingle-global-definition.
>>
>> I think this shows the limitation of the single bit of markup: the
>> statically linked GCC bits are all hidden, so setting
>> GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION so is not correct as a
>> marker to *require* a single global definition, but neither is not
>> setting it because libgcc.a etc. should be *compatible* with
>> GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION.
>
> The output bit is ORed from all inputs. When one input object file doesn't
> work with COPY relocation, the final output object is marked incompatible
> with COPY relocation even if some inputs do work with COPY relocation.
But for the main executable, it has to work the other way round.
Thanks,
Florian
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 4/4] Update tests for protected data and function symbols
2021-06-21 12:57 ` Florian Weimer
@ 2021-06-21 13:05 ` H.J. Lu
0 siblings, 0 replies; 18+ messages in thread
From: H.J. Lu @ 2021-06-21 13:05 UTC (permalink / raw)
To: Florian Weimer; +Cc: H.J. Lu via Libc-alpha
On Mon, Jun 21, 2021 at 5:57 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * H. J. Lu:
>
> > On Mon, Jun 21, 2021 at 12:19 AM Florian Weimer <fweimer@redhat.com> wrote:
> >>
> >> * H. J. Lu via Libc-alpha:
> >>
> >> > Protected data and function symbols don't work well without
> >> > -fsingle-global-definition:
> >> >
> >> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=37611
> >> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=44166
> >> >
> >> > 1. Compile tst-protected1[ab].c and tst-protected1mod[ab].c with
> >> > -fsingle-global-definition if possible so that GOT entries are used
> >> > for undefined data accesses.
> >> > 2. Add tests for protected function pointers.
> >> > 3. Build tst-prelink.c without single global definition to keepp COPY
> >> > relocation.
> >>
> >> I think these tests need to check that the statically linked bits from
> >> GCC have been built with -fsingle-global-definition. I don't think
> >> that's guaranteed even if GCC supports -fsingle-global-definition.
> >>
> >> I think this shows the limitation of the single bit of markup: the
> >> statically linked GCC bits are all hidden, so setting
> >> GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION so is not correct as a
> >> marker to *require* a single global definition, but neither is not
> >> setting it because libgcc.a etc. should be *compatible* with
> >> GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION.
> >
> > The output bit is ORed from all inputs. When one input object file doesn't
> > work with COPY relocation, the final output object is marked incompatible
> > with COPY relocation even if some inputs do work with COPY relocation.
>
> But for the main executable, it has to work the other way round.
>
We need a new property which is ANDed for executables.
--
H.J.
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 3/4] Add run-time chesk for single global definition
2021-06-21 7:16 ` Florian Weimer
@ 2021-06-21 13:20 ` H.J. Lu
2021-06-22 7:12 ` Florian Weimer
0 siblings, 1 reply; 18+ messages in thread
From: H.J. Lu @ 2021-06-21 13:20 UTC (permalink / raw)
To: Florian Weimer; +Cc: H.J. Lu via Libc-alpha
On Mon, Jun 21, 2021 at 12:16 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * H. J. Lu via Libc-alpha:
>
> > +static inline void __attribute__ ((always_inline))
> > +_dl_check_protected_symbol (const char *undef_name,
> > + const struct link_map *undef_map,
> > + const ElfW(Sym) *ref,
> > + const struct link_map *map,
> > + int type_class)
> > +{
> > + if (undef_map != NULL
> > + && !(undef_map->l_1_needed
> > + & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION)
> > + && (map->l_1_needed
> > + & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION))
> > + {
> > + if ((type_class & ELF_RTYPE_CLASS_COPY))
> > + /* Disallow copy relocations against protected data symbols in
> > + an object with single global definition. */
> > + _dl_fatal_printf ("copy relocation against non-copyable protected symbol=%s in file=%s\n",
> > + undef_name, DSO_FILENAME (map->l_name));
> > + else if (ref->st_value != 0
> > + && ref->st_shndx == SHN_UNDEF
> > + && (type_class & ELF_RTYPE_CLASS_PLT))
> > + /* Disallow non-zero symbol values of undefined symbols, which
> > + are used as the function pointer, against protected function
> > + symbols in an object with single global definition. */
> > + _dl_fatal_printf ("non-canonical reference to canonical protected function symbol=%s in file=%s\n",
> > + undef_name, DSO_FILENAME (map->l_name));
> > + }
> > +}
>
> Why are those fatal errors?
2 copies of the data symbol can be out of sync between executable and
shared library. We can make them as warnings with tunable to control
it.
> I have trouble understanding the second comment (for the
> ELF_RTYPE_CLASS_PLT).
If st_value is the undefined symbol in executable is not zero, it
is the PLT address in executable and ld.so will use it for function
pointer which is different from the function address in shared
library.
--
H.J.
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 0/4] Implement single global definition marker
2021-06-20 23:36 [PATCH 0/4] Implement single global definition marker H.J. Lu
` (3 preceding siblings ...)
2021-06-20 23:36 ` [PATCH 4/4] Update tests for protected data and function symbols H.J. Lu
@ 2021-06-21 20:05 ` Joseph Myers
4 siblings, 0 replies; 18+ messages in thread
From: Joseph Myers @ 2021-06-21 20:05 UTC (permalink / raw)
To: H.J. Lu; +Cc: libc-alpha
My inclination is that this is a user-visible feature so should have a
NEWS entry.
--
Joseph S. Myers
joseph@codesourcery.com
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH 3/4] Add run-time chesk for single global definition
2021-06-21 13:20 ` H.J. Lu
@ 2021-06-22 7:12 ` Florian Weimer
0 siblings, 0 replies; 18+ messages in thread
From: Florian Weimer @ 2021-06-22 7:12 UTC (permalink / raw)
To: H.J. Lu; +Cc: H.J. Lu via Libc-alpha
* H. J. Lu:
> On Mon, Jun 21, 2021 at 12:16 AM Florian Weimer <fweimer@redhat.com> wrote:
>>
>> * H. J. Lu via Libc-alpha:
>>
>> > +static inline void __attribute__ ((always_inline))
>> > +_dl_check_protected_symbol (const char *undef_name,
>> > + const struct link_map *undef_map,
>> > + const ElfW(Sym) *ref,
>> > + const struct link_map *map,
>> > + int type_class)
>> > +{
>> > + if (undef_map != NULL
>> > + && !(undef_map->l_1_needed
>> > + & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION)
>> > + && (map->l_1_needed
>> > + & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION))
>> > + {
>> > + if ((type_class & ELF_RTYPE_CLASS_COPY))
>> > + /* Disallow copy relocations against protected data symbols in
>> > + an object with single global definition. */
>> > + _dl_fatal_printf ("copy relocation against non-copyable protected symbol=%s in file=%s\n",
>> > + undef_name, DSO_FILENAME (map->l_name));
>> > + else if (ref->st_value != 0
>> > + && ref->st_shndx == SHN_UNDEF
>> > + && (type_class & ELF_RTYPE_CLASS_PLT))
>> > + /* Disallow non-zero symbol values of undefined symbols, which
>> > + are used as the function pointer, against protected function
>> > + symbols in an object with single global definition. */
>> > + _dl_fatal_printf ("non-canonical reference to canonical protected function symbol=%s in file=%s\n",
>> > + undef_name, DSO_FILENAME (map->l_name));
>> > + }
>> > +}
>>
>> Why are those fatal errors?
>
> 2 copies of the data symbol can be out of sync between executable and
> shared library. We can make them as warnings with tunable to control
> it.
I meant: Why can't you turn them into regular dlopen errors that are
reported to the caller? (Use _dl_signal_error or any of the related
functions.)
>> I have trouble understanding the second comment (for the
>> ELF_RTYPE_CLASS_PLT).
>
> If st_value is the undefined symbol in executable is not zero, it
> is the PLT address in executable and ld.so will use it for function
> pointer which is different from the function address in shared
> library.
Ahh, I wasn't aware of that ELF detail.
Thanks,
Florian
^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2021-06-22 7:12 UTC | newest]
Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-20 23:36 [PATCH 0/4] Implement single global definition marker H.J. Lu
2021-06-20 23:36 ` [PATCH 1/4] Initial support for GNU_PROPERTY_1_NEEDED H.J. Lu
2021-06-21 7:06 ` Florian Weimer
2021-06-21 12:57 ` H.J. Lu
2021-06-20 23:36 ` [PATCH 2/4] Check -z single-global-definition and -fsingle-global-definition H.J. Lu
2021-06-21 7:31 ` Andreas Schwab
2021-06-21 7:43 ` Florian Weimer
2021-06-21 12:49 ` H.J. Lu
2021-06-20 23:36 ` [PATCH 3/4] Add run-time chesk for single global definition H.J. Lu
2021-06-21 7:16 ` Florian Weimer
2021-06-21 13:20 ` H.J. Lu
2021-06-22 7:12 ` Florian Weimer
2021-06-20 23:36 ` [PATCH 4/4] Update tests for protected data and function symbols H.J. Lu
2021-06-21 7:19 ` Florian Weimer
2021-06-21 12:54 ` H.J. Lu
2021-06-21 12:57 ` Florian Weimer
2021-06-21 13:05 ` H.J. Lu
2021-06-21 20:05 ` [PATCH 0/4] Implement single global definition marker Joseph Myers
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).