[PATCH v2 0/4] Implement indirect external access marker

[PATCH v2 0/4] Implement indirect external access marker

[H.J. Lu]

Changes in the v2 patch.

1. Rename GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION to
GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS.
2. Rename the option to -z [no]indirect-extern-access and move it to
ld/emulparams/extern_protected_data.sh.
3. Clear the indirect external access bit in executable when there are
non-GOT or non-PLT relocations in relocatable input files without this
bit set.

---
On systems with copy relocation:
* A copy in executable is created for the definition in a shared library
at run-time by ld.so.
* The copy is referenced by executable and shared libraries.
* Executable can access the copy directly.

Issues are:
* Overhead of a copy, time and space, may be visible at run-time.
* Read-only data in the shared library becomes read-write copy in
executable at run-time.
* Local access to data with the STV_PROTECTED visibility in the shared
library must use GOT.

On systems without function descriptor, function pointers vary depending
on where and how the functions are defined.
* If the function is defined in executable, it can be the address of
function body.
* If the function, including the function with STV_PROTECTED visibility,
is defined in the shared library, it can be the address of the PLT entry
in executable or shared library.

Issues are:
* The address of function body may not be used as its function pointer.
* ld.so needs to search loaded shared libraries for the function pointer
of the function with STV_PROTECTED visibility.

Here is a proposal to remove copy relocation and use canonical function
pointer:

1. Accesses, including in PIE and non-PIE, to undefined symbols must
use GOT.
  a. Linker may optimize out GOT access if the data is defined in PIE or
  non-PIE.
2. Read-only data in the shared library remain read-only at run-time
3. Address of global data with the STV_PROTECTED visibility in the shared
library is the address of data body.
  a. Can use IP-relative access.
  b. May need GOT without IP-relative access.
4. For systems without function descriptor,
  a. All global function pointers of undefined functions in PIE and
  non-PIE must use GOT.  Linker may optimize out GOT access if the
  function is defined in PIE or non-PIE.
  b. Function pointer of functions with the STV_PROTECTED visibility in
  executable and shared library is the address of function body.
   i. Can use IP-relative access.
   ii. May need GOT without IP-relative access.
   iii. Branches to undefined functions may use PLT.
5. Single global definition marker:

Add GNU_PROPERTY_1_NEEDED:

#define GNU_PROPERTY_1_NEEDED GNU_PROPERTY_UINT32_OR_LO

to indicate the needed properties by the object file.

Add GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS:

#define GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS (1U << 0)

to indicate that the object file requires canonical function pointers and
cannot be used with copy relocation.  This bit should be cleared in
executable when there are non-GOT or non-PLT relocations in relocatable
input files without this bit set.

  a. Protected symbol access within the shared library can be treated as
  local.
  b. Copy relocation should be disallowed at link-time and run-time.
  c. GOT function pointer reference is required at link-time and run-time.

The indirect external access marker can be used in the following ways:

1. Linker can decide the best way to resolve a relocation against a
protected symbol before seeing all relocations against the symbol.
2. Dynamic linker can decide if it is an error to have a copy relocation
in executable against the protected symbol in a shared library by checking
if the shared library is built with -fno-direct-extern-access.

Dynamic linker changes:

* Scan the indirect external access marker on all components, including
the executable and its dependency shared libraries.
* When performing symbol lookup for references in executable without
indirect external access:

  1. Disallow copy relocations in executable against protected data
     symbols in a shared object with indirect external access.
  2. Disallow non-zero symbol values of undefined function symbols in
     executable, which are used as the function pointer, against protected
     function symbols in a shared object with indirect external access.

The corresponding binutils patches are posted at

https://sourceware.org/pipermail/binutils/2021-June/117153.html

and GCC patches are posted at

https://gcc.gnu.org/pipermail/gcc-patches/2021-June/573633.html

We can replace hidden function symbols with protected symbols and build
glibc with -fno-direct-extern-access.

H.J. Lu (4):
  Initial support for GNU_PROPERTY_1_NEEDED
  Check -z indirect-extern-access and -fno-direct-extern-access
  Add run-time chesk for indirect external access
  Update tests for protected data and function symbols

 configure                      |  59 +++++++++++++++
 configure.ac                   |  37 ++++++++++
 elf/Makefile                   |  54 ++++++++++++++
 elf/dl-lookup.c                |   5 ++
 elf/elf.h                      |  17 +++++
 elf/tst-protected1moda.c       |  10 +--
 elf/tst-protected1modb.c       |   4 +-
 elf/tst-protected2a.c          | 130 +++++++++++++++++++++++++++++++++
 elf/tst-protected2apie.c       |   1 +
 elf/tst-protected2b.c          | 121 ++++++++++++++++++++++++++++++
 elf/tst-protected2bpie.c       |   1 +
 elf/tst-protected2mod.h        |  35 +++++++++
 elf/tst-protected2moda.c       |  52 +++++++++++++
 elf/tst-protected2moda2.c      |  41 +++++++++++
 elf/tst-protected2modb.c       |  45 ++++++++++++
 elf/tst-protected2modb2.c      |  28 +++++++
 sysdeps/generic/dl-prop.h      |   9 ++-
 sysdeps/generic/dl-protected.h |  54 ++++++++++++++
 sysdeps/generic/link_map.h     |   3 +-
 sysdeps/x86/dl-prop.h          |  19 +++--
 sysdeps/x86/link_map.h         |   2 +
 21 files changed, 710 insertions(+), 17 deletions(-)
 create mode 100644 elf/tst-protected2a.c
 create mode 100644 elf/tst-protected2apie.c
 create mode 100644 elf/tst-protected2b.c
 create mode 100644 elf/tst-protected2bpie.c
 create mode 100644 elf/tst-protected2mod.h
 create mode 100644 elf/tst-protected2moda.c
 create mode 100644 elf/tst-protected2moda2.c
 create mode 100644 elf/tst-protected2modb.c
 create mode 100644 elf/tst-protected2modb2.c
 create mode 100644 sysdeps/generic/dl-protected.h

-- 
2.31.1

[PATCH v2 1/4] Initial support for GNU_PROPERTY_1_NEEDED

[H.J. Lu]

1. Add GNU_PROPERTY_1_NEEDED:

 #define GNU_PROPERTY_1_NEEDED      GNU_PROPERTY_UINT32_OR_LO

to indicate the needed properties by the object file.
2. Add GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS:

 #define GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS (1U << 0)

to indicate that the object file requires canonical function pointers and
cannot be used with copy relocation.
3. Scan GNU_PROPERTY_1_NEEDED property and store it in l_1_needed.
---
 elf/elf.h                  | 17 +++++++++++++++++
 sysdeps/generic/dl-prop.h  |  9 ++++++++-
 sysdeps/generic/link_map.h |  3 ++-
 sysdeps/x86/dl-prop.h      | 19 ++++++++++++++-----
 sysdeps/x86/link_map.h     |  2 ++
 5 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/elf/elf.h b/elf/elf.h
index 2a62b98d4a..dd661a6a64 100644
--- a/elf/elf.h
+++ b/elf/elf.h
@@ -1310,6 +1310,23 @@ typedef struct
 /* No copy relocation on protected data symbol.  */
 #define GNU_PROPERTY_NO_COPY_ON_PROTECTED	2
 
+/* A 4-byte unsigned integer property: A bit is set if it is set in all
+   relocatable inputs.  */
+#define GNU_PROPERTY_UINT32_AND_LO	0xb0000000
+#define GNU_PROPERTY_UINT32_AND_HI	0xb0007fff
+
+/* A 4-byte unsigned integer property: A bit is set if it is set in any
+   relocatable inputs.  */
+#define GNU_PROPERTY_UINT32_OR_LO	0xb0008000
+#define GNU_PROPERTY_UINT32_OR_HI	0xb000ffff
+
+/* The needed properties by the object file.  */
+#define GNU_PROPERTY_1_NEEDED		GNU_PROPERTY_UINT32_OR_LO
+
+/* Set if the object file requires canonical function pointers and
+   cannot be used with copy relocation.  */
+#define GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS (1U << 0)
+
 /* Processor-specific semantics, lo */
 #define GNU_PROPERTY_LOPROC			0xc0000000
 /* Processor-specific semantics, hi */
diff --git a/sysdeps/generic/dl-prop.h b/sysdeps/generic/dl-prop.h
index eaee8052b6..207aadb35d 100644
--- a/sysdeps/generic/dl-prop.h
+++ b/sysdeps/generic/dl-prop.h
@@ -47,7 +47,14 @@ static inline int __attribute__ ((always_inline))
 _dl_process_gnu_property (struct link_map *l, int fd, uint32_t type,
 			  uint32_t datasz, void *data)
 {
-  return 0;
+  /* Continue until GNU_PROPERTY_1_NEEDED is found.  */
+  if (type == GNU_PROPERTY_1_NEEDED)
+    {
+      if (datasz == 4)
+	l->l_1_needed = *(unsigned int *) data;
+      return 0;
+    }
+  return 1;
 }
 
 #endif /* _DL_PROP_H */
diff --git a/sysdeps/generic/link_map.h b/sysdeps/generic/link_map.h
index a056184690..9f482b8c20 100644
--- a/sysdeps/generic/link_map.h
+++ b/sysdeps/generic/link_map.h
@@ -1 +1,2 @@
-/* No architecture specific definitions.  */
+/* GNU_PROPERTY_1_NEEDED of this object.  */
+unsigned int l_1_needed;
diff --git a/sysdeps/x86/dl-prop.h b/sysdeps/x86/dl-prop.h
index 56bd020b3c..385548fad3 100644
--- a/sysdeps/x86/dl-prop.h
+++ b/sysdeps/x86/dl-prop.h
@@ -97,6 +97,7 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note,
 
   const ElfW(Addr) start = (ElfW(Addr)) note;
 
+  unsigned int needed_1 = 0;
   unsigned int feature_1_and = 0;
   unsigned int isa_1_needed = 0;
   unsigned int last_type = 0;
@@ -141,7 +142,8 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note,
 	      last_type = type;
 
 	      if (type == GNU_PROPERTY_X86_FEATURE_1_AND
-		  || type == GNU_PROPERTY_X86_ISA_1_NEEDED)
+		  || type == GNU_PROPERTY_X86_ISA_1_NEEDED
+		  || type == GNU_PROPERTY_1_NEEDED)
 		{
 		  /* The sizes of types which we are searching for are
 		     4 bytes.  There is no point to continue if this
@@ -151,12 +153,18 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note,
 
 		  /* NB: Stop the scan only after seeing all types which
 		     we are searching for.  */
-		  _Static_assert ((GNU_PROPERTY_X86_ISA_1_NEEDED >
-				   GNU_PROPERTY_X86_FEATURE_1_AND),
+		  _Static_assert (((GNU_PROPERTY_X86_ISA_1_NEEDED
+				    > GNU_PROPERTY_X86_FEATURE_1_AND)
+				   && (GNU_PROPERTY_X86_FEATURE_1_AND
+				       > GNU_PROPERTY_1_NEEDED)),
 				  "GNU_PROPERTY_X86_ISA_1_NEEDED > "
-				  "GNU_PROPERTY_X86_FEATURE_1_AND");
+				  "GNU_PROPERTY_X86_FEATURE_1_AND && "
+				  "GNU_PROPERTY_X86_FEATURE_1_AND > "
+				  "GNU_PROPERTY_1_NEEDED");
 		  if (type == GNU_PROPERTY_X86_FEATURE_1_AND)
 		    feature_1_and = *(unsigned int *) ptr;
+		  else if (type == GNU_PROPERTY_1_NEEDED)
+		    needed_1 = *(unsigned int *) ptr;
 		  else
 		    {
 		      isa_1_needed = *(unsigned int *) ptr;
@@ -187,9 +195,10 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note,
     }
 
   /* We get here only if there is one or no GNU property note.  */
-  if (isa_1_needed != 0 || feature_1_and != 0)
+  if (needed_1 != 0 || isa_1_needed != 0 || feature_1_and != 0)
     {
       l->l_property = lc_property_valid;
+      l->l_1_needed = needed_1;
       l->l_x86_isa_1_needed = isa_1_needed;
       l->l_x86_feature_1_and = feature_1_and;
     }
diff --git a/sysdeps/x86/link_map.h b/sysdeps/x86/link_map.h
index 4c46a25f83..0c7e25dc96 100644
--- a/sysdeps/x86/link_map.h
+++ b/sysdeps/x86/link_map.h
@@ -29,3 +29,5 @@ unsigned int l_x86_feature_1_and;
 
 /* GNU_PROPERTY_X86_ISA_1_NEEDED of this object.  */
 unsigned int l_x86_isa_1_needed;
+
+#include <sysdeps/generic/link_map.h>
-- 
2.31.1

[PATCH v2 2/4] Check -z indirect-extern-access and -fno-direct-extern-access

[H.J. Lu]

1. Check linker support for -z indirect-extern-access.  If
GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS is set on any input
relocatable files:
  a. Don't generate copy relocations.
  b. Turn off extern_protected_data since it implies
     GNU_PROPERTY_NO_COPY_ON_PROTECTED.
  c. Treate reference to protected symbols with indirect external access
     as local.
  d. Set GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS on output.
  e. When generating executable, clear this bit when there are non-GOT
     or non-PLT relocations in input relocatable files without the bit set.
  f. Add -z [no]indirect-extern-access to control indirect external access.
2. Check compiler support for -fno-direct-extern-access:
  a. Generate an indirect external access marker in relocatable objects.
    i. Always use GOT to access undefined data and function symbols,
    including in PIE and non-PIE.  These will avoid copy relocations in
    executables.
    ii. This is compatible with existing executables and shared libraries.
  b. In executable and shared library, bind symbols with the STV_PROTECTED
     visibility locally:
    i. The address of data symbol is the address of data body.
    ii. For systems without function descriptor, the function pointer is
    the address of function body.
    iii. The resulting shared libraries may not be incompatible with
    executables which have copy relocations on protected symbols.

Size comparison of non-PIE builds with GCC 12 -O2:

1. On x86-64:
   text	   data	    bss	    dec	    hex	filename
 189958	   9304	    416	 199678	  30bfe	ld.so (original)
 189974	   9304	    416	 199694	  30c0e ld.so (-fno-direct-extern-access)
1922458	  20240	  52432	1995130	 1e717a	libc.so (original)
1922474	  20240	  52432	1995146	 1e718a	libc.so (-fno-direct-extern-access)
  49321	   1363	    192	  50876	   c6bc iconv_prog (original)
  47053	   3638	    120	  50811	   c67b	iconv_prog (-fno-direct-extern-access)
 261978	  10339	    744	 273061	  42aa5	localedef (original)
 233344	  41734	    648	 275726	  4350e	localedef (-fno-direct-extern-access)

The size difference in localedef mainly comes from .data.rel.ro
 .data.rel.ro  0x000005	 (original)
 .data.rel.ro  0x007a88  (-fno-direct-extern-access)

For example, with -fno-direct-extern-access, localedef.o has 172
relocation entries against section '.rela.data.rel.ro.local' vs none
without -fno-direct-extern-access.
---
 configure    | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 configure.ac | 37 ++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)

diff --git a/configure b/configure
index 9619c10991..093c59e25e 100755
--- a/configure
+++ b/configure
@@ -5746,6 +5746,65 @@ fi
 $as_echo "$libc_cv_insert" >&6; }
 
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking -z indirect-extern-access" >&5
+$as_echo_n "checking -z indirect-extern-access... " >&6; }
+if ${libc_cv_z_indirect_extern_access+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat > conftest.c <<EOF
+		__attribute__ ((visibility ("protected")))
+		void bar (void) {}
+		void *bar_p (void) { return &bar; }
+EOF
+		libc_cv_z_indirect_extern_access=no
+		if { ac_try='${CC-cc} -Wl,-z,indirect-extern-access
+			-nostdlib -nostartfiles $CFLAGS $CPPFLAGS $LDFLAGS
+			-fPIC -shared $no_ssp -o conftest.so conftest.c
+			1>&5'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then
+		  libc_cv_z_indirect_extern_access=yes
+		else
+		  libc_cv_z_indirect_extern_access=no
+		fi
+		rm -f conftest.*
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_z_indirect_extern_access" >&5
+$as_echo "$libc_cv_z_indirect_extern_access" >&6; }
+config_vars="$config_vars
+have-z-indirect-extern-access = $libc_cv_z_indirect_extern_access"
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -fno-direct-extern-access" >&5
+$as_echo_n "checking for -fno-direct-extern-access... " >&6; }
+if ${libc_cv_fno_direct_extern_access+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat > conftest.c <<EOF
+int foo;
+EOF
+		if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -S
+			-fno-direct-extern-access
+			conftest.c 1>&5'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then
+		  libc_cv_fno_direct_extern_access=yes
+		else
+		  libc_cv_fno_direct_extern_access=no
+		fi
+		rm -f conftest*
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_fno_direct_extern_access" >&5
+$as_echo "$libc_cv_fno_direct_extern_access" >&6; }
+config_vars="$config_vars
+have-fno-direct-extern-access = $libc_cv_fno_direct_extern_access"
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for broken __attribute__((alias()))" >&5
 $as_echo_n "checking for broken __attribute__((alias()))... " >&6; }
 if ${libc_cv_broken_alias_attribute+:} false; then :
diff --git a/configure.ac b/configure.ac
index 34ecbba540..195abe0827 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1222,6 +1222,43 @@ EOF
 	       ])
 AC_SUBST(libc_cv_insert)
 
+AC_CACHE_CHECK(-z indirect-extern-access,
+	       libc_cv_z_indirect_extern_access,
+	       [cat > conftest.c <<EOF
+		__attribute__ ((visibility ("protected")))
+		void bar (void) {}
+		void *bar_p (void) { return &bar; }
+EOF
+		libc_cv_z_indirect_extern_access=no
+		if AC_TRY_COMMAND([${CC-cc} -Wl,-z,indirect-extern-access
+			-nostdlib -nostartfiles $CFLAGS $CPPFLAGS $LDFLAGS
+			-fPIC -shared $no_ssp -o conftest.so conftest.c
+			1>&AS_MESSAGE_LOG_FD]); then
+		  libc_cv_z_indirect_extern_access=yes
+		else
+		  libc_cv_z_indirect_extern_access=no
+		fi
+		rm -f conftest.*
+	       ])
+LIBC_CONFIG_VAR([have-z-indirect-extern-access],
+		[$libc_cv_z_indirect_extern_access])
+
+AC_CACHE_CHECK(for -fno-direct-extern-access,
+	       libc_cv_fno_direct_extern_access,
+	       [cat > conftest.c <<EOF
+int foo;
+EOF
+		if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS -S
+			-fno-direct-extern-access
+			conftest.c 1>&AS_MESSAGE_LOG_FD]); then
+		  libc_cv_fno_direct_extern_access=yes
+		else
+		  libc_cv_fno_direct_extern_access=no
+		fi
+		rm -f conftest*])
+LIBC_CONFIG_VAR([have-fno-direct-extern-access],
+		[$libc_cv_fno_direct_extern_access])
+
 AC_CACHE_CHECK(for broken __attribute__((alias())),
 	       libc_cv_broken_alias_attribute,
 	       [cat > conftest.c <<EOF
-- 
2.31.1

[PATCH v2 3/4] Add run-time chesk for indirect external access

[H.J. Lu]

When performing symbol lookup for references in executable without
indirect external access:

1. Disallow copy relocations in executable against protected data symbols
in a shared object with indirect external access.
2. Disallow non-zero symbol values of undefined function symbols in
executable, which are used as the function pointer, against protected
function symbols in a shared object with indirect external access.
---
 elf/dl-lookup.c                |  5 ++++
 sysdeps/generic/dl-protected.h | 54 ++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 sysdeps/generic/dl-protected.h

diff --git a/elf/dl-lookup.c b/elf/dl-lookup.c
index eea217eb28..430359af39 100644
--- a/elf/dl-lookup.c
+++ b/elf/dl-lookup.c
@@ -24,6 +24,7 @@
 #include <ldsodefs.h>
 #include <dl-hash.h>
 #include <dl-machine.h>
+#include <dl-protected.h>
 #include <sysdep-cancel.h>
 #include <libc-lock.h>
 #include <tls.h>
@@ -527,6 +528,10 @@ do_lookup_x (const char *undef_name, uint_fast32_t new_hash,
 	  if (__glibc_unlikely (dl_symbol_visibility_binds_local_p (sym)))
 	    goto skip;
 
+	  if (ELFW(ST_VISIBILITY) (sym->st_other) == STV_PROTECTED)
+	    _dl_check_protected_symbol (undef_name, undef_map, ref, map,
+					type_class);
+
 	  switch (ELFW(ST_BIND) (sym->st_info))
 	    {
 	    case STB_WEAK:
diff --git a/sysdeps/generic/dl-protected.h b/sysdeps/generic/dl-protected.h
new file mode 100644
index 0000000000..244d020dc4
--- /dev/null
+++ b/sysdeps/generic/dl-protected.h
@@ -0,0 +1,54 @@
+/* Support for STV_PROTECTED visibility.  Generic version.
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#ifndef _DL_PROTECTED_H
+#define _DL_PROTECTED_H
+
+static inline void __attribute__ ((always_inline))
+_dl_check_protected_symbol (const char *undef_name,
+			    const struct link_map *undef_map,
+			    const ElfW(Sym) *ref,
+			    const struct link_map *map,
+			    int type_class)
+{
+  if (undef_map != NULL
+      && undef_map->l_type == lt_executable
+      && !(undef_map->l_1_needed
+	   & GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS)
+      && (map->l_1_needed
+	  & GNU_PROPERTY_1_NEEDED_INDIRECT_EXTERN_ACCESS))
+    {
+      if ((type_class & ELF_RTYPE_CLASS_COPY))
+	/* Disallow copy relocations in executable against protected
+	   data symbols in a shared object which needs indirect external
+	   access.  */
+	_dl_signal_error (0, map->l_name, undef_name,
+			  N_("copy relocation against non-copyable protected symbol"));
+      else if (ref->st_value != 0
+	       && ref->st_shndx == SHN_UNDEF
+	       && (type_class & ELF_RTYPE_CLASS_PLT))
+	/* Disallow non-zero symbol values of undefined symbols in
+	   executable, which are used as the function pointer, against
+	   protected function symbols in a shared object with indirect
+	   external access.  */
+	_dl_signal_error (0, map->l_name, undef_name,
+			  N_("non-canonical reference to canonical protected function"));
+    }
+}
+
+#endif /* _DL_PROTECTED_H */
-- 
2.31.1

[PATCH v2 4/4] Update tests for protected data and function symbols

[H.J. Lu]

Protected data and function symbols don't work well without
-fno-direct-extern-access:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=37611
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=44166

1. Compile tst-protected1[ab].c and tst-protected1mod[ab].c with
-fno-direct-extern-access if possible so that GOT entries are used
for undefined data accesses.
2. Add tests for protected function pointers.
3. Build tst-prelink.c with direct external access to keep COPY
relocation.
---
 elf/Makefile              |  54 ++++++++++++++++
 elf/tst-protected1moda.c  |  10 +--
 elf/tst-protected1modb.c  |   4 +-
 elf/tst-protected2a.c     | 130 ++++++++++++++++++++++++++++++++++++++
 elf/tst-protected2apie.c  |   1 +
 elf/tst-protected2b.c     | 121 +++++++++++++++++++++++++++++++++++
 elf/tst-protected2bpie.c  |   1 +
 elf/tst-protected2mod.h   |  35 ++++++++++
 elf/tst-protected2moda.c  |  52 +++++++++++++++
 elf/tst-protected2moda2.c |  41 ++++++++++++
 elf/tst-protected2modb.c  |  45 +++++++++++++
 elf/tst-protected2modb2.c |  28 ++++++++
 12 files changed, 512 insertions(+), 10 deletions(-)
 create mode 100644 elf/tst-protected2a.c
 create mode 100644 elf/tst-protected2apie.c
 create mode 100644 elf/tst-protected2b.c
 create mode 100644 elf/tst-protected2bpie.c
 create mode 100644 elf/tst-protected2mod.h
 create mode 100644 elf/tst-protected2moda.c
 create mode 100644 elf/tst-protected2moda2.c
 create mode 100644 elf/tst-protected2modb.c
 create mode 100644 elf/tst-protected2modb2.c

diff --git a/elf/Makefile b/elf/Makefile
index 38d08e03b8..dc1a073db8 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -367,15 +367,59 @@ tests += tst-protected1a tst-protected1b
 $(objpfx)tst-protected1a: $(addprefix $(objpfx),tst-protected1moda.so tst-protected1modb.so)
 $(objpfx)tst-protected1b: $(addprefix $(objpfx),tst-protected1modb.so tst-protected1moda.so)
 tst-protected1modb.so-no-z-defs = yes
+ifeq (yes,$(have-fno-direct-extern-access))
+CFLAGS-tst-protected1a.c += -fno-direct-extern-access
+CFLAGS-tst-protected1b.c += -fno-direct-extern-access
+CFLAGS-tst-protected1moda.c += -fno-direct-extern-access
+CFLAGS-tst-protected1modb.c += -fno-direct-extern-access
+else
 # These tests fail with GCC versions prior to 5.1 and with some versions
 # of binutils.  See https://sourceware.org/bugzilla/show_bug.cgi?id=17709
 # and https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65248 for details.
 # Perhaps in future we can make these XFAILs conditional on some detection
 # of compiler/linker behavior/version.
+# NB: These tests pass with -fno-direct-extern-access when GOT entries
+# are used for undefined data accesses.
 test-xfail-tst-protected1a = yes
 test-xfail-tst-protected1b = yes
 endif
+ifeq (yes,$(have-z-indirect-extern-access))
+LDFLAGS-tst-protected1moda.so += -Wl,-z,indirect-extern-access
+LDFLAGS-tst-protected1modb.so += -Wl,-z,indirect-extern-access
+endif
+endif
 ifeq (yesyes,$(have-fpie)$(build-shared))
+ifeq (yes,$(have-z-indirect-extern-access))
+modules-names += tst-protected2moda tst-protected2modb
+tests += tst-protected2a tst-protected2b
+tests += tst-protected2apie tst-protected2bpie
+tests-pie += tst-protected2apie tst-protected2bpie
+test-extras += tst-protected2moda2 tst-protected2modb2
+extra-test-objs += tst-protected2moda2.os tst-protected2modb2.os
+LDFLAGS-tst-protected2moda.so += -Wl,-z,indirect-extern-access
+LDFLAGS-tst-protected2modb.so += -Wl,-z,indirect-extern-access
+CFLAGS-tst-protected2apie.c += $(PIE-ccflag)
+CFLAGS-tst-protected2bpie.c += $(PIE-ccflag)
+ifeq (yes,$(have-fno-direct-extern-access))
+CFLAGS-tst-protected2a.c += -fno-direct-extern-access
+CFLAGS-tst-protected2b.c += -fno-direct-extern-access
+CFLAGS-tst-protected2moda.c += -fno-direct-extern-access
+CFLAGS-tst-protected2moda2.c += -fno-direct-extern-access
+CFLAGS-tst-protected2modb.c += -fno-direct-extern-access
+CFLAGS-tst-protected2modb2.c += -fno-direct-extern-access
+else
+# These non-PIE tests fail when GOT entries are not used for undefined
+# function pointers.
+test-xfail-tst-protected2a = yes
+test-xfail-tst-protected2b = yes
+endif
+$(objpfx)tst-protected2moda.so: $(objpfx)tst-protected2moda2.os
+$(objpfx)tst-protected2modb.so: $(objpfx)tst-protected2modb2.os
+$(objpfx)tst-protected2a: $(addprefix $(objpfx),tst-protected2moda.so tst-protected2modb.so)
+$(objpfx)tst-protected2b: $(addprefix $(objpfx),tst-protected2modb.so tst-protected2moda.so)
+$(objpfx)tst-protected2apie: $(addprefix $(objpfx),tst-protected2moda.so tst-protected2modb.so)
+$(objpfx)tst-protected2bpie: $(addprefix $(objpfx),tst-protected2modb.so tst-protected2moda.so)
+endif
 modules-names += tst-piemod1
 tests += tst-pie1 tst-pie2 tst-dlopen-pie tst-dlopen-tlsmodid-pie \
   tst-dlopen-self-pie
@@ -469,6 +513,16 @@ tests += tst-prelink
 tests-internal += tst-prelink-cmp
 # Don't compile tst-prelink.c with PIE for GLOB_DAT relocation.
 CFLAGS-tst-prelink.c += -fno-pie
+ifeq ($(have-fno-direct-extern-access),yes)
+# Compile tst-prelink.c with -fdirect-extern-acces to keepp COPY
+# relocation.
+CFLAGS-tst-prelink.c += -fdirect-extern-access
+endif
+ifeq ($(have-z-indirect-extern-access),yes)
+# Link tst-prelink with -z noindirect-extern-access to keepp COPY
+# relocation.
+LDFLAGS-tst-prelink += -Wl,-z,noindirect-extern-access
+endif
 tst-prelink-no-pie = yes
 endif
 
diff --git a/elf/tst-protected1moda.c b/elf/tst-protected1moda.c
index eeb18306bb..3d0eb1e877 100644
--- a/elf/tst-protected1moda.c
+++ b/elf/tst-protected1moda.c
@@ -17,17 +17,13 @@
 
 #include "tst-protected1mod.h"
 
-int protected1 = 3;
+int protected1 __attribute__ ((visibility("protected"))) = 3;
 static int expected_protected1 = 3;
-int protected2 = 4;
+int protected2 __attribute__ ((visibility("protected"))) = 4;
 static int expected_protected2 = 4;
-int protected3 = 5;
+int protected3 __attribute__ ((visibility("protected"))) = 5;
 static int expected_protected3 = 5;
 
-asm (".protected protected1");
-asm (".protected protected2");
-asm (".protected protected3");
-
 void
 set_protected1a (int i)
 {
diff --git a/elf/tst-protected1modb.c b/elf/tst-protected1modb.c
index 2cb1e61b17..ca82c64689 100644
--- a/elf/tst-protected1modb.c
+++ b/elf/tst-protected1modb.c
@@ -19,11 +19,9 @@
 #include "tst-protected1mod.h"
 
 int protected1 = -3;
-int protected3 = -5;
+int protected3 __attribute__ ((visibility("protected"))) = -5;
 static int expected_protected3 = -5;
 
-asm (".protected protected3");
-
 void
 set_protected1b (int i)
 {
diff --git a/elf/tst-protected2a.c b/elf/tst-protected2a.c
new file mode 100644
index 0000000000..21b666e12b
--- /dev/null
+++ b/elf/tst-protected2a.c
@@ -0,0 +1,130 @@
+/* Test the protected visibility when main is linked with moda and modb
+   in that order:
+   1. Protected function symbols, protected1, protected2 and protected3,
+      defined in moda, are used in moda.
+   2. Protected function symbol, protected3, defined in modb, are used
+      in modb.
+   3. Symbol, protected1, defined in moda, is also used in main and modb.
+   4. Symbol, protected2, defined in main, is used in main.
+   5. Symbol, protected3, defined in moda, is also used in main.
+
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "tst-protected2mod.h"
+
+int
+protected2 (void)
+{
+  return -1;
+}
+
+int
+__attribute__ ((weak, noclone, noinline))
+call_ptr (protected_func_type ptr)
+{
+  return ptr ();
+}
+
+int
+do_test (void)
+{
+  int res = 0;
+
+  /* Check if we get the same address for the protected function symbol.  */
+  protected_func_type ptr = protected1a_p ();
+  if (&protected1 != ptr)
+    {
+      puts ("`protected1' in main and moda doesn't have the same address");
+      res = 1;
+    }
+  ptr = protected1b_p ();
+  if (&protected1 != ptr)
+    {
+      puts ("`protected1' in main and modb doesn't have the same address");
+      res = 1;
+    }
+
+  /* Check if we get the right protected function symbol.  */
+  if (call_ptr (ptr) != 3)
+    {
+      puts ("`protected1' in main and moda doesn't return the same value");
+      res = 1;
+    }
+
+  /* Check if we get the right function defined in executable.  */
+  if (protected2 () != -1)
+    {
+      puts ("`protected2' in main returns the wrong value");
+      res = 1;
+    }
+
+  /* Check `protected1' in moda.  */
+  if (!check_protected1 ())
+    {
+      puts ("`protected1' in moda returns the wrong value");
+      res = 1;
+    }
+
+  /* Check `protected2' in moda.  */
+  if (!check_protected2 ())
+    {
+      puts ("`protected2' in moda returns the wrong value");
+      res = 1;
+    }
+
+  /* Check if we get the same address for the protected function symbol.  */
+  if (&protected3 != protected3a_p ())
+    {
+      puts ("`protected3' in main and moda doesn't have the same address");
+      res = 1;
+    }
+  if (&protected3 == protected3b_p ())
+    {
+      puts ("`protected3' in main and modb has the same address");
+      res = 1;
+    }
+
+  /* Check if we get the right value for the protected data symbol.  */
+  if (protected3 () != 5)
+    {
+      puts ("`protected3' in main and moda doesn't return the same value");
+      res = 1;
+    }
+
+  /* Check `protected3' in moda.  */
+  if (!check_protected3a ())
+    {
+      puts ("`protected3' in moda has the wrong value");
+      res = 1;
+    }
+
+  /* Check `protected3' in modb.  */
+  if (!check_protected3b ())
+    {
+      puts ("`protected3' in modb has the wrong value");
+      res = 1;
+    }
+
+  return res;
+}
+
+#include <support/test-driver.c>
diff --git a/elf/tst-protected2apie.c b/elf/tst-protected2apie.c
new file mode 100644
index 0000000000..28a7aa3d1a
--- /dev/null
+++ b/elf/tst-protected2apie.c
@@ -0,0 +1 @@
+#include "tst-protected2a.c"
diff --git a/elf/tst-protected2b.c b/elf/tst-protected2b.c
new file mode 100644
index 0000000000..500323e33f
--- /dev/null
+++ b/elf/tst-protected2b.c
@@ -0,0 +1,121 @@
+/* Test the protected visibility when main is linked with modb and moda
+   in that order:
+   1. Protected function symbols, protected1, protected2 and protected3,
+      defined in moda, are used in moda.
+   2. Protected function symbol, protected3, defined in modb, are used
+      in modb.
+   3. Symbol, protected1, defined in modb, is used in main and modb.
+   4. Symbol, protected2, defined in main, is used in main.
+   5. Symbol, protected3, defined in modb, is also used in main.
+
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "tst-protected2mod.h"
+
+int
+protected2 (void)
+{
+  return -1;
+}
+
+int
+do_test (void)
+{
+  int res = 0;
+
+  /* Check if we get the same address for the protected data symbol.  */
+  if (&protected1 == protected1a_p ())
+    {
+      puts ("`protected1' in main and moda has the same address");
+      res = 1;
+    }
+  if (&protected1 != protected1b_p ())
+    {
+      puts ("`protected1' in main and modb doesn't have the same address");
+      res = 1;
+    }
+
+  /* Check if we get the right protected function symbol.  */
+  if (protected1 () != -3)
+    {
+      puts ("`protected1' in main and modb doesn't return the same value");
+      res = 1;
+    }
+
+  /* Check if we get the right function defined in executable.  */
+  if (protected2 () != -1)
+    {
+      puts ("`protected2' in main returns the wrong value");
+      res = 1;
+    }
+
+  /* Check `protected1' in moda.  */
+  if (!check_protected1 ())
+    {
+      puts ("`protected1' in moda returns the wrong value");
+      res = 1;
+    }
+
+  /* Check `protected2' in moda.  */
+  if (!check_protected2 ())
+    {
+      puts ("`protected2' in moda returns the wrong value");
+      res = 1;
+    }
+
+  /* Check if we get the same address for the protected function symbol.  */
+  if (&protected3 == protected3a_p ())
+    {
+      puts ("`protected3' in main and moda has the same address");
+      res = 1;
+    }
+  if (&protected3 != protected3b_p ())
+    {
+      puts ("`protected3' in main and modb doesn't have the same address");
+      res = 1;
+    }
+
+  /* Check if we get the right protected function symbol.  */
+  if (protected3 () != -5)
+    {
+      puts ("`protected3' in main and modb doesn't return the same value");
+      res = 1;
+    }
+
+  /* Check `protected3' in moda.  */
+  if (!check_protected3a ())
+    {
+      puts ("`protected3' in moda returns the wrong value");
+      res = 1;
+    }
+
+  /* Check `protected3' in modb.  */
+  if (!check_protected3b ())
+    {
+      puts ("`protected3' in modb returns the wrong value");
+      res = 1;
+    }
+
+  return res;
+}
+
+#include <support/test-driver.c>
diff --git a/elf/tst-protected2bpie.c b/elf/tst-protected2bpie.c
new file mode 100644
index 0000000000..8dcfbd04cb
--- /dev/null
+++ b/elf/tst-protected2bpie.c
@@ -0,0 +1 @@
+#include "tst-protected2b.c"
diff --git a/elf/tst-protected2mod.h b/elf/tst-protected2mod.h
new file mode 100644
index 0000000000..feb28ab0d5
--- /dev/null
+++ b/elf/tst-protected2mod.h
@@ -0,0 +1,35 @@
+/* Test protected function symbols.
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+/* Prototypes for the functions in the DSOs.  */
+extern int protected1 (void);
+extern int protected2 (void);
+extern int protected3 (void);
+
+typedef int (*protected_func_type) (void);
+
+extern protected_func_type protected1a_p (void);
+extern protected_func_type protected1b_p (void);
+
+extern int check_protected1 (void);
+extern int check_protected2 (void);
+
+extern int check_protected3a (void);
+extern protected_func_type protected3a_p (void);
+extern int check_protected3b (void);
+extern protected_func_type protected3b_p (void);
diff --git a/elf/tst-protected2moda.c b/elf/tst-protected2moda.c
new file mode 100644
index 0000000000..db04e8dfb9
--- /dev/null
+++ b/elf/tst-protected2moda.c
@@ -0,0 +1,52 @@
+/* Test protected function symbols.
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include "tst-protected2mod.h"
+
+__attribute__ ((visibility("protected")))
+int
+protected1 (void)
+{
+  return 3;
+}
+
+__attribute__ ((visibility("protected")))
+int
+protected2 (void)
+{
+  return 4;
+}
+
+__attribute__ ((visibility("protected")))
+int
+protected3 (void)
+{
+  return 5;
+}
+
+protected_func_type
+protected1a_p (void)
+{
+  return &protected1;
+}
+
+protected_func_type
+protected3a_p (void)
+{
+  return &protected3;
+}
diff --git a/elf/tst-protected2moda2.c b/elf/tst-protected2moda2.c
new file mode 100644
index 0000000000..fae72177f9
--- /dev/null
+++ b/elf/tst-protected2moda2.c
@@ -0,0 +1,41 @@
+/* Test protected function symbols.
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include "tst-protected2mod.h"
+
+extern int protected1 (void) __attribute__ ((visibility("protected")));
+extern int protected2 (void) __attribute__ ((visibility("protected")));
+extern int protected3 (void) __attribute__ ((visibility("protected")));
+
+int
+check_protected1 (void)
+{
+  return protected1 () == 3;
+}
+
+int
+check_protected2 (void)
+{
+  return protected2 () == 4;
+}
+
+int
+check_protected3a (void)
+{
+  return protected3 () == 5;
+}
diff --git a/elf/tst-protected2modb.c b/elf/tst-protected2modb.c
new file mode 100644
index 0000000000..3c5063f0c3
--- /dev/null
+++ b/elf/tst-protected2modb.c
@@ -0,0 +1,45 @@
+/* Test protected function symbols.
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <stdlib.h>
+#include "tst-protected2mod.h"
+
+int
+protected1 (void)
+{
+  return -3;
+}
+
+__attribute__ ((visibility("protected")))
+int
+protected3 (void)
+{
+  return -5;
+}
+
+protected_func_type
+protected1b_p (void)
+{
+  return &protected1;
+}
+
+protected_func_type
+protected3b_p (void)
+{
+  return &protected3;
+}
diff --git a/elf/tst-protected2modb2.c b/elf/tst-protected2modb2.c
new file mode 100644
index 0000000000..b21b827134
--- /dev/null
+++ b/elf/tst-protected2modb2.c
@@ -0,0 +1,28 @@
+/* Test protected function symbols.
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <stdlib.h>
+#include "tst-protected2mod.h"
+
+extern int protected3 (void) __attribute__ ((visibility("protected")));
+
+int
+check_protected3b (void)
+{
+  return protected3 () == -5;
+}
-- 
2.31.1