[Bug ld/28824] relro security issues
From: rui314 at gmail dot com
Subject: [Bug ld/28824] relro security issues
Date: Sat, 21 Jan 2023 04:20:10 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=28824
--- Comment #12 from Rui Ueyama <rui314 at gmail dot com> ---
In the mold linker, we are dealing with the issue by mapping the page that is
at the boundary of relro and non-relro twice as the last relro page and the
first non-relro page. Here is an example of the mold-generated output for
ARM64.
I believe GNU ld can do the same to not waste disk space for the NULL bytes for
relro. Or am I missing something?
Note that we inserted a dummy section `.relro_padding` at the end of relro so
that there are no bytes in the executable that are not covered by sections. The
runtime doesn't care about that, but without it, the strip command would just
truncate the relro segment, destroying the file.
$ ls -lh out/test/elf/aarch64/hello-dynamic/exe
-rwxrwxr-x 1 ruiu ruiu 8.6K Jan 21 12:10 out/test/elf/aarch64/hello-dynamic/exe
$ readelf -S --segments out/test/elf/aarch64/hello-dynamic/exe
There are 31 section headers, starting at offset 0x1a98:
Section Headers:
[Nr] Name Type Address Off Size ES Flg
Lk Inf Al
[ 0] NULL 0000000000000000 000000 000000 00
0 0 0
[ 1] .interp PROGBITS 00000000002002a8 0002a8 00001b 00 A
0 0 1
[ 2] .note.gnu.build-id NOTE 00000000002002c4 0002c4 000024 00 A
0 0 4
[ 3] .note.ABI-tag NOTE 00000000002002e8 0002e8 000020 00 A
0 0 4
[ 4] .gnu.hash GNU_HASH 0000000000200308 000308 00001c 00 A
5 0 8
[ 5] .dynsym DYNSYM 0000000000200328 000328 000060 18 A
6 1 8
[ 6] .dynstr STRTAB 0000000000200388 000388 00003e 00 A
0 0 1
[ 7] .gnu.version VERSYM 00000000002003c6 0003c6 000008 02 A
5 0 2
[ 8] .gnu.version_r VERNEED 00000000002003d0 0003d0 000030 00 A
6 1 8
[ 9] .rela.plt RELA 0000000000200400 000400 000048 18 A
5 23 8
[10] .eh_frame PROGBITS 0000000000200448 000448 0000c8 00 A
0 0 8
[11] .eh_frame_hdr PROGBITS 0000000000200510 000510 000044 00 A
0 0 4
[12] .rodata PROGBITS 0000000000200558 000558 00000c 00 A
0 0 8
[13] .rodata.cst PROGBITS 0000000000200564 000564 000004 00 AM
0 0 4
[14] .plt PROGBITS 0000000000210570 000570 000050 00 AX
0 0 16
[15] .fini PROGBITS 00000000002105c0 0005c0 000014 00 AX
0 0 4
[16] .init PROGBITS 00000000002105d4 0005d4 000024 00 AX
0 0 4
[17] .text PROGBITS 0000000000210600 000600 000154 00 AX
0 0 64
[18] .dynamic DYNAMIC 0000000000220758 000758 0001a0 10 WA
6 0 8
[19] .fini_array FINI_ARRAY 00000000002208f8 0008f8 000008 00 WA
0 0 8
[20] .init_array INIT_ARRAY 0000000000220900 000900 000008 00 WA
0 0 8
[21] .got PROGBITS 0000000000220908 000908 000020 00 WA
0 0 8
[22] .relro_padding NOBITS 0000000000220928 000000 00f6d8 00 WA
0 0 1
[23] .got.plt PROGBITS 0000000000230928 000928 000030 00 WA
0 0 8
[24] .data PROGBITS 0000000000230958 000958 000010 00 WA
0 0 8
[25] .tm_clone_table PROGBITS 0000000000230968 000968 000000 00 WA
0 0 8
[26] .bss NOBITS 0000000000230968 000000 000001 00 WA
0 0 1
[27] .strtab STRTAB 0000000000000000 000968 000447 00
0 0 1
[28] .symtab SYMTAB 0000000000000000 000db0 000b40 18
27 117 8
[29] .shstrtab STRTAB 0000000000000000 0018f0 000129 00
0 0 1
[30] .comment PROGBITS 0000000000000000 001a19 00007b 00 MS
0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
D (mbind), p (processor specific)
Elf file type is EXEC (Executable file)
Entry point 0x210600
There are 11 program headers, starting at offset 64
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz
Flg Align
PHDR 0x000040 0x0000000000200040 0x0000000000200040 0x000268
0x000268 R 0x8
INTERP 0x0002a8 0x00000000002002a8 0x00000000002002a8 0x00001b
0x00001b R 0x1
[Requesting program interpreter: /lib/ld-linux-aarch64.so.1]
NOTE 0x0002c4 0x00000000002002c4 0x00000000002002c4 0x000044
0x000044 R 0x4
LOAD 0x000000 0x0000000000200000 0x0000000000200000 0x000568
0x000568 R 0x10000
LOAD 0x000570 0x0000000000210570 0x0000000000210570 0x0001e4
0x0001e4 R E 0x10000
LOAD 0x000758 0x0000000000220758 0x0000000000220758 0x0001d0
0x00f8a8 RW 0x10000
LOAD 0x000928 0x0000000000230928 0x0000000000230928 0x000040
0x000041 RW 0x10000
DYNAMIC 0x000758 0x0000000000220758 0x0000000000220758 0x0001a0
0x0001a0 RW 0x8
GNU_EH_FRAME 0x000510 0x0000000000200510 0x0000000000200510 0x000044
0x000044 R 0x4
GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000
0x000000 RW 0x1
GNU_RELRO 0x000758 0x0000000000220758 0x0000000000220758 0x0001d0
0x00f8a8 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .note.gnu.build-id .note.ABI-tag
03 .interp .note.gnu.build-id .note.ABI-tag .gnu.hash .dynsym .dynstr
.gnu.version .gnu.version_r .rela.plt .eh_frame .eh_frame_hdr .rodata
.rodata.cst
04 .plt .fini .init .text
05 .dynamic .fini_array .init_array .got .relro_padding
06 .got.plt .data .bss
07 .dynamic
08 .eh_frame_hdr
09
10 .dynamic .fini_array .init_array .got .relro_padding
--
You are receiving this mail because:
You are on the CC list for the bug.
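Added example, not part of the original comment and not mold's code: a check over the RW LOAD and GNU_RELRO rows of the readelf output quoted above, reporting how many RELRO bytes stay writable at a given runtime page size and which file pages back both sides of the relro boundary. It assumes the loader rounds the end of the RELRO region down to the runtime page size; `PADDED_4K` is a constructed contrast layout and all function names are hypothetical.

```python
from collections import namedtuple

Seg = namedtuple("Seg", "type offset vaddr filesz memsz")

# RW LOAD and GNU_RELRO rows copied from the readelf output above.
MOLD = [
    Seg("LOAD",      0x758, 0x220758, 0x1d0, 0xf8a8),
    Seg("LOAD",      0x928, 0x230928, 0x040, 0x0041),
    Seg("GNU_RELRO", 0x758, 0x220758, 0x1d0, 0xf8a8),
]
# Constructed for contrast (not from the page): RELRO sits at the start of
# one RW LOAD and its end is padded only to a 4 KiB boundary.
PADDED_4K = [
    Seg("LOAD",      0x758, 0x220758, 0x8e8, 0x8e9),
    Seg("GNU_RELRO", 0x758, 0x220758, 0x8a8, 0x8a8),
]

def align_down(x, page):
    return x & ~(page - 1)

def relro_exposed(segs, page):
    """Bytes of PT_GNU_RELRO that stay writable at runtime page size `page`.

    Assumption: the loader can only mprotect whole pages and rounds the
    end of the region down, so it never write-protects non-RELRO data."""
    r = next(s for s in segs if s.type == "GNU_RELRO")
    end = r.vaddr + r.memsz
    return end - max(align_down(end, page), r.vaddr)

def file_pages(seg, page):
    """File offsets of the pages that back the file-resident part of `seg`."""
    first = align_down(seg.offset, page)
    last = align_down(seg.offset + seg.filesz - 1, page)
    return set(range(first, last + page, page))

def double_mapped(segs, page):
    """File pages mapped by both the RELRO LOAD and the LOAD after it."""
    loads = sorted((s for s in segs if s.type == "LOAD"), key=lambda s: s.vaddr)
    r = next(s for s in segs if s.type == "GNU_RELRO")
    i = next(k for k, s in enumerate(loads) if s.vaddr == r.vaddr)
    if i + 1 == len(loads):
        return set()
    return file_pages(loads[i], page) & file_pages(loads[i + 1], page)

if __name__ == "__main__":
    for page in (0x1000, 0x4000, 0x10000):
        print(hex(page), "mold:", relro_exposed(MOLD, page),
              "4K-padded:", relro_exposed(PADDED_4K, page),
              "shared file pages:", sorted(double_mapped(MOLD, page)))
```

For the quoted layout the RELRO end is 0x220758 + 0xf8a8 = 0x230000, so nothing is exposed at 4 KiB, 16 KiB or 64 KiB pages, and file page 0 backs both the last relro page and the first non-relro page.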