[PATCH] D33251: [lld][ELF]Add option to make .dynamic read only
Rui Ueyama via llvm-commits
llvm-commits at lists.llvm.org
Wed May 24 10:29:47 PDT 2017
On Wed, May 24, 2017 at 9:21 AM, Rafael Avila de Espindola <
rafael.espindola at gmail.com> wrote:
> Roland McGrath <mcgrathr at google.com> writes:
>
> > Rafael mentioned "something with aux vectors", but I don't know what he
> > had in mind. The ElfNN_auxv_t kind of auxiliary vector in many Unix-like
> > systems' ELF ABIs is a one-way channel of information at program loading
> > time, not a way that the dynamic linker can record something to be seen
> > later. (For example, on Linux, /proc/$pid/auxv and NT_AUXV notes in core
> > files are a snapshot of the bits given the program on startup, not a dump
> > gleaned from the program's memory where it could have modified them.)
>
> The suggestion is from Joerg actually:
>
> ---------------------------------------------------------
> Systems that want to support this new mechanism reserve an AUX vector
> similar to AT_BASE and let the dynamic linker fill it in. No space
> required in the executable that way.
> ---------------------------------------------------------
>
> It sound similar, no? Both are a way of passing a pointer to the
> process. Once the process has a pointer to what now is pointed by
> DT_DEBUG it can walk it as it does now.
>
> > For Fuchsia, we're set on having read-only .dynamic in our ABI. We'd be
> > happy to have DT_DEBUG_INDIRECT and would make our runtime support it if
> > it got added to the tools. But we don't actually care about it enough to
> > make the effort to get consensus on a generic ELF ABI number assignment
> > and formalization of the ABI for our own sake.
>
> This is something I don't understand. With a read only .dynamic *and* a
> AT_BASE like mechanism you end up with a DSO whose rw section is only
> what the user requested. But DT_DEBUG_INDIRECT you still have a linker
> created rw section. Is there anything about .dynamic that makes it
> particularly harmful as rw?
Yeah, I think that is my question too. As Roland said, if we would start
over, we would make .dynamic read-only, and I totally agree with that. But
writable .dynamic sections don't seem that bad that we want to create a new
switch to make it read-only. At least it is not very clear to me that what
we can get by doing that.
Potential security improvement seems very small given that we have the
relro mechanism. Saving one page per an ELF module seems small, and it is
probably zero cost on Fuchsia as you guys don't write anything to a page
containing .dynamic regardless of presence of DT_DEBUG. The only clear
benefit I can think of is, since Fuchsia doesn't write anything to
.dynamic, it is semantically more clean if we actually mark it read-only.
But it doesn't seem like a practical benefit.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20170524/9ef6ef16/attachment.html>
More information about the llvm-commits
mailing list