Hi!

A recent bug was solved for builds linked with ld.lld, and tracking
it down took way longer than it needed to (a year). Ultimately, it
boiled down to differences between ld.bfd and ld.lld's handling of
orphan sections. Similarly, the recent FGKASLR series brought up orphan
section handling too[2]. In both cases, it would have been nice if the
linker was running with --orphan-handling=warn so that surprise sections
wouldn't silently get mapped into the kernel image at locations up to
the whim of the linker's orphan handling logic. Instead, all desired
sections should be explicitly identified in the linker script (to be
either kept or discarded) with any orphans throwing a warning. The
powerpc architecture actually already does this, so this series seeks
to extend this coverage to x86, arm64, and arm.

This series depends on tip/x86/boot (where recent .eh_frame fixes[3]
landed), and has a minor conflict[4] with the ARM tree (related to
the earlier mentioned bug). As it uses refactorings in the asm-generic
linker script, and makes changes to kbuild, I think the cleanest place
for this series to land would also be through -tip. Once again (like
my READ_IMPLIES_EXEC series), I'm looking to get maintainer Acks so
this can go all together with the least disruption. Splitting it up by
architecture seems needlessly difficult.

Thanks!

-Kees

[1] https://github.com/ClangBuiltLinux/linux/issues/282
[2] https://lore.kernel.org/lkml/202002242122.AA4D1B8@keescook/
[3] https://lore.kernel.org/lkml/158264960194.28353.10560165361470246192.tip-bot2@tip-bot2/
[4] https://www.arm.linux.org.uk/developer/patches/viewpatch.php?id=8959/1

H.J. Lu (1):
  Add RUNTIME_DISCARD_EXIT to generic DISCARDS

Kees Cook (8):
  scripts/link-vmlinux.sh: Delay orphan handling warnings until final
    link
  vmlinux.lds.h: Add .gnu.version* to DISCARDS
  x86/build: Warn on orphan section placement
  x86/boot: Warn on orphan section placement
  arm64/build: Use common DISCARDS in linker script
  arm64/build: Warn on orphan section placement
  arm/build: Warn on orphan section placement
  arm/boot: Warn on orphan section placement

 arch/arm/Makefile                             |  4 ++++
 arch/arm/boot/compressed/Makefile             |  2 ++
 arch/arm/boot/compressed/vmlinux.lds.S        | 17 ++++++--------
 .../arm/{kernel => include/asm}/vmlinux.lds.h | 22 ++++++++++++++-----
 arch/arm/kernel/vmlinux-xip.lds.S             |  5 ++---
 arch/arm/kernel/vmlinux.lds.S                 |  5 ++---
 arch/arm64/Makefile                           |  4 ++++
 arch/arm64/kernel/vmlinux.lds.S               | 13 +++++------
 arch/x86/Makefile                             |  4 ++++
 arch/x86/boot/compressed/Makefile             |  3 ++-
 arch/x86/boot/compressed/vmlinux.lds.S        | 13 +++++++++++
 arch/x86/kernel/vmlinux.lds.S                 |  7 ++++++
 include/asm-generic/vmlinux.lds.h             | 11 ++++++++--
 scripts/link-vmlinux.sh                       |  6 +++++
 14 files changed, 85 insertions(+), 31 deletions(-)
 rename arch/arm/{kernel => include/asm}/vmlinux.lds.h (92%)

--
2.20.1
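A build-side check in the spirit of this series, as an added example that is not part of the posted patches: it reads GNU ld output in the warning shape quoted in the arm/build commit message of this thread and fails when an orphan section is not on an allowlist. The function names, the allowlist file format and every log line other than the `.fixup` warning quoted in the thread are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the patch series.
# Parses GNU ld output produced with --orphan-handling=warn, in the shape
# quoted in the arm/build commit message:
#   ld: warning: orphan section `S' from `FILE' being placed in section `OUT'

BQ='`'   # opening quote character used by ld
SQ="'"   # closing quote character used by ld

# orphan_pairs: link log on stdin -> unique "section<TAB>object<TAB>output"
# lines. Splitting on the two quote characters puts the names in $2, $4, $6.
orphan_pairs() {
    awk -F"[${BQ}${SQ}]" '
        $1 ~ /warning: orphan section $/ && $3 == " from " &&
        $5 == " being placed in section " { print $2 "\t" $4 "\t" $6 }
    ' | LC_ALL=C sort -u
}

# orphan_summary: link log on stdin -> "section<TAB>number of distinct objects".
orphan_summary() {
    orphan_pairs | cut -f1 | LC_ALL=C sort | uniq -c |
        awk '{ print $2 "\t" $1 }'
}

# orphan_gate ALLOWLIST: link log on stdin. ALLOWLIST holds one exact section
# name per line (hypothetical format). Prints every orphan section that is not
# listed and returns 1 if there is at least one, 0 otherwise.
orphan_gate() {
    orphan_summary | awk -F'\t' -v allow="$1" '
        BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
        !($1 in ok) {
            print "unexpected orphan section: " $1 " (" $2 " object(s))"
            bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample log. The first warning is the one quoted in the thread;
# the remaining lines are made up. The repeated warning mimics the same
# orphan being reported by more than one link stage.
sample_log() {
    cat <<'EOF'
  LD      .tmp_vmlinux1
ld: warning: orphan section `.fixup' from `arch/arm/lib/copy_from_user.o' being placed in section `.fixup'
ld: warning: orphan section `.fixup' from `arch/arm/lib/copy_to_user.o' being placed in section `.fixup'
ld: warning: orphan section `.got.plt' from `drivers/example/foo.o' being placed in section `.got.plt'
  LD      vmlinux
ld: warning: orphan section `.fixup' from `arch/arm/lib/copy_from_user.o' being placed in section `.fixup'
EOF
}

# Demo on the constructed log.
sample_log | orphan_summary
```

In a real build the log would come from the final link, for example `make 2>&1 | orphan_gate allowlist.txt`, with the allowlist shrinking as sections are named in the linker script.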
Right now, powerpc adds "--orphan-handling=warn" to LD_FLAGS_vmlinux to detect when there are unexpected sections getting added to the kernel image. There is no need to report these warnings more than once, so it can be removed until the final link stage. This helps pave the way for other architectures to enable this, with the end goal of enabling this warning by default for vmlinux for all architectures. Signed-off-by: Kees Cook <keescook@chromium.org> --- scripts/link-vmlinux.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh index 1919c311c149..416968fea685 100755 --- a/scripts/link-vmlinux.sh +++ b/scripts/link-vmlinux.sh @@ -255,6 +255,11 @@ info GEN modules.builtin tr '\0' '\n' < modules.builtin.modinfo | sed -n 's/^[[:alnum:]:_]*\.file=//p' | tr ' ' '\n' | uniq | sed -e 's:^:kernel/:' -e 's/$/.ko/' > modules.builtin + +# Do not warn about orphan sections until the final link stage. +saved_LDFLAGS_vmlinux="${LDFLAGS_vmlinux}" +LDFLAGS_vmlinux="$(echo "${LDFLAGS_vmlinux}" | sed -E 's/ --orphan-handling=warn( |$)/ /g')" + btf_vmlinux_bin_o="" if [ -n "${CONFIG_DEBUG_INFO_BTF}" ]; then if gen_btf .tmp_vmlinux.btf .btf.vmlinux.bin.o ; then @@ -306,6 +311,7 @@ if [ -n "${CONFIG_KALLSYMS}" ]; then fi fi +LDFLAGS_vmlinux="${saved_LDFLAGS_vmlinux}" vmlinux_link vmlinux "${kallsymso}" ${btf_vmlinux_bin_o} if [ -n "${CONFIG_BUILDTIME_TABLE_SORT}" ]; then -- 2.20.1
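Review bot: The restore in the second hunk (`LDFLAGS_vmlinux="${saved_LDFLAGS_vmlinux}"`) sits roughly fifty lines below the save and carries no comment, so anyone adding another `vmlinux_link` call or an early exit in between has nothing telling them the warning flag is currently stripped. A one-line comment at the restore, or passing the stripped flags only to the intermediate links instead of rewriting the global variable, would make the pairing explicit. The commit message also names `LD_FLAGS_vmlinux`, while the variable edited here is `LDFLAGS_vmlinux`.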
For vmlinux linking, no architecture uses the .gnu.version* section, so remove it via the common DISCARDS macro in preparation for adding --orphan-handling=warn more widely. Signed-off-by: Kees Cook <keescook@chromium.org> --- include/asm-generic/vmlinux.lds.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h index e00f41aa8ec4..303597e51396 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -902,6 +902,7 @@ *(.discard) \ *(.discard.*) \ *(.modinfo) \ + *(.gnu.version*) \ } /** -- 2.20.1
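Review bot: `*(.gnu.version*)` goes into the shared `DISCARDS` macro without a comment, and a discarded section never shows up as an orphan, so if an architecture later does emit symbol-version data the link will drop it silently. A short comment next to the new line recording the assumption from the commit message (no architecture uses these sections in vmlinux) would help. Listing the names explicitly, for example `.gnu.version`, `.gnu.version_d` and `.gnu.version_r`, instead of the trailing wildcard would also keep the match from widening.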
We don't want to depend on the linker's orphan section placement heuristics as these can vary between linkers, and may change between versions. All sections need to be explicitly named in the linker script. Discards the unused rela, plt, and got sections that are not needed in the final vmlinux, and enable orphan section warnings. Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/x86/Makefile | 4 ++++ arch/x86/kernel/vmlinux.lds.S | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/arch/x86/Makefile b/arch/x86/Makefile index 94df0868804b..b2c8becadce5 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -51,6 +51,10 @@ ifdef CONFIG_X86_NEED_RELOCS LDFLAGS_vmlinux := --emit-relocs --discard-none endif +# We never want expected sections to be placed heuristically by the +# linker. All sections should be explicitly named in the linker script. +LDFLAGS_vmlinux += --orphan-handling=warn + # # Prevent GCC from generating any FP code by mistake. # diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S index 5cab3a29adcb..1e345f302a46 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -412,6 +412,12 @@ SECTIONS DWARF_DEBUG DISCARDS + /DISCARD/ : { + *(.rela.*) *(.rela_*) + *(.rel.*) *(.rel_*) + *(.got) *(.got.*) + *(.igot.*) *(.iplt) + } } -- 2.20.1
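Review bot: The new `/DISCARD/` block in `arch/x86/kernel/vmlinux.lds.S` throws away `.got`, `.got.*`, `.rela.*` and `.rel.*` unconditionally, which silences the orphan warning but also hides the case where one of them is unexpectedly non-empty and something in the image depends on it. Collecting them in a named output section with an `ASSERT` that its size is zero would turn that case into a link failure. Since the Makefile context shows `--emit-relocs` under `CONFIG_X86_NEED_RELOCS`, the commit message should also say whether discarding the relocation input sections affects that output. In the Makefile comment, "expected sections" reads as if it was meant to be "unexpected sections".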
We don't want to depend on the linker's orphan section placement heuristics as these can vary between linkers, and may change between versions. All sections need to be explicitly named in the linker script. Add the common debugging sections. Discard the unused note, rel, plt, dyn, and hash sections that are not needed in the compressed vmlinux. Disable .eh_frame generation in the linker and enable orphan section warnings. Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/x86/boot/compressed/Makefile | 3 ++- arch/x86/boot/compressed/vmlinux.lds.S | 13 +++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile index c33111341325..e0ea6b0924e8 100644 --- a/arch/x86/boot/compressed/Makefile +++ b/arch/x86/boot/compressed/Makefile @@ -46,6 +46,7 @@ GCOV_PROFILE := n UBSAN_SANITIZE :=n KBUILD_LDFLAGS := -m elf_$(UTS_MACHINE) +KBUILD_LDFLAGS += --no-ld-generated-unwind-info # Compressed kernel should be built as PIE since it may be loaded at any # address by the bootloader. ifeq ($(CONFIG_X86_32),y) @@ -57,7 +58,7 @@ else KBUILD_LDFLAGS += $(shell $(LD) --help 2>&1 | grep -q "\-z noreloc-overflow" \ && echo "-z noreloc-overflow -pie --no-dynamic-linker") endif -LDFLAGS_vmlinux := -T +LDFLAGS_vmlinux := --orphan-handling=warn -T hostprogs := mkpiggy HOST_EXTRACFLAGS += -I$(srctree)/tools/include diff --git a/arch/x86/boot/compressed/vmlinux.lds.S b/arch/x86/boot/compressed/vmlinux.lds.S index 508cfa6828c5..b5406a8cebe0 100644 --- a/arch/x86/boot/compressed/vmlinux.lds.S +++ b/arch/x86/boot/compressed/vmlinux.lds.S @@ -73,4 +73,17 @@ SECTIONS #endif . = ALIGN(PAGE_SIZE); /* keep ZO size page aligned */ _end = .; + + STABS_DEBUG + DWARF_DEBUG + + DISCARDS + /DISCARD/ : { + *(.note.*) + *(.rela.*) *(.rela_*) + *(.rel.*) *(.rel_*) + *(.plt) *(.plt.*) + *(.dyn*) + *(.hash) *(.gnu.hash) + } } -- 2.20.1
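Review bot: `KBUILD_LDFLAGS += --no-ld-generated-unwind-info` is added unconditionally and without a comment, whereas the `-z noreloc-overflow` lines just below probe `$(LD) --help` before using an option. If every supported linker accepts the flag, a comment saying so and why it is needed would do; otherwise it wants the same kind of probe. In the linker script, `*(.dyn*)` is a broad glob; naming the sections that actually occur keeps new ones visible as orphans.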
From: "H.J. Lu" <hjl.tools@gmail.com> In x86 kernel, .exit.text and .exit.data sections are discarded at runtime, not by linker. Add RUNTIME_DISCARD_EXIT to generic DISCARDS and define it in x86 kernel linker script to keep them. Signed-off-by: H.J. Lu <hjl.tools@gmail.com> Link: https://lore.kernel.org/r/20200130224337.4150-1-hjl.tools@gmail.com Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/x86/kernel/vmlinux.lds.S | 1 + include/asm-generic/vmlinux.lds.h | 10 ++++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S index 1e345f302a46..1e12c097d09b 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -21,6 +21,7 @@ #define LOAD_OFFSET __START_KERNEL_map #endif +#define RUNTIME_DISCARD_EXIT #define EMITS_PT_NOTE #define RO_EXCEPTION_TABLE_ALIGN 16 diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h index 303597e51396..1797f2c9bb41 100644 --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -894,10 +894,16 @@ * section definitions so that such archs put those in earlier section * definitions. */ +#ifdef RUNTIME_DISCARD_EXIT +#define EXIT_DISCARDS +#else +#define EXIT_DISCARDS \ + EXIT_TEXT \ + EXIT_DATA +#endif #define DISCARDS \ /DISCARD/ : { \ - EXIT_TEXT \ - EXIT_DATA \ + EXIT_DISCARDS \ EXIT_CALL \ *(.discard) \ *(.discard.*) \ -- 2.20.1
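Review bot: `RUNTIME_DISCARD_EXIT` is introduced in `include/asm-generic/vmlinux.lds.h` without being described in the comment block directly above it. Please document there what defining it means, and that an architecture doing so must place `EXIT_TEXT` and `EXIT_DATA` in its own output sections, since `DISCARDS` no longer covers them. A sentence on why `EXIT_CALL` stays discarded in both cases would also help.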
Use the common DISCARDS rule for the linker script in an effort to regularize the linker script to prepare for warning on orphaned sections. Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/arm64/kernel/vmlinux.lds.S | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S index 497f9675071d..c61d9ab3211c 100644 --- a/arch/arm64/kernel/vmlinux.lds.S +++ b/arch/arm64/kernel/vmlinux.lds.S @@ -6,6 +6,7 @@ */ #define RO_EXCEPTION_TABLE_ALIGN 8 +#define RUNTIME_DISCARD_EXIT #include <asm-generic/vmlinux.lds.h> #include <asm/cache.h> @@ -19,7 +20,6 @@ /* .exit.text needed in case of alternative patching */ #define ARM_EXIT_KEEP(x) x -#define ARM_EXIT_DISCARD(x) OUTPUT_ARCH(aarch64) ENTRY(_text) @@ -94,12 +94,8 @@ SECTIONS * matching the same input section name. There is no documented * order of matching. */ + DISCARDS /DISCARD/ : { - ARM_EXIT_DISCARD(EXIT_TEXT) - ARM_EXIT_DISCARD(EXIT_DATA) - EXIT_CALL - *(.discard) - *(.discard.*) *(.interp .dynamic) *(.dynsym .dynstr .hash .gnu.hash) *(.eh_frame) -- 2.20.1
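Review bot: Replacing the open-coded list with `DISCARDS` is not a pure refactor: per the asm-generic hunks earlier in the series, `DISCARDS` also contains `*(.modinfo)` and `*(.gnu.version*)`, which the removed arm64 lines did not list. The commit message should mention that arm64 now drops these too. `DISCARDS` also expands to its own `/DISCARD/` block, so the script ends up with two consecutive ones; folding the remaining arm64-specific patterns into a named macro would read more cleanly.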
We don't want to depend on the linker's orphan section placement heuristics as these can vary between linkers, and may change between versions. All sections need to be explicitly named in the linker script. Explicitly include debug sections when they're present. Add .eh_frame* to discard as it seems that these are still generated even though -fno-asynchronous-unwind-tables is being specified. Add .plt and .data.rel.ro to discards as they are not actually used. Add .got.plt to the image as it does appear to be mapped near .data. Finally enable orphan section warnings. Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/arm64/Makefile | 4 ++++ arch/arm64/kernel/vmlinux.lds.S | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile index dca1a97751ab..c682a65b3ab8 100644 --- a/arch/arm64/Makefile +++ b/arch/arm64/Makefile @@ -30,6 +30,10 @@ LDFLAGS_vmlinux += --fix-cortex-a53-843419 endif endif +# We never want expected sections to be placed heuristically by the +# linker. All sections should be explicitly named in the linker script. +LDFLAGS_vmlinux += --orphan-handling=warn + ifeq ($(CONFIG_ARM64_USE_LSE_ATOMICS), y) ifneq ($(CONFIG_ARM64_LSE_ATOMICS), y) $(warning LSE atomics not supported by binutils) diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S index c61d9ab3211c..6141d5b72f8f 100644 --- a/arch/arm64/kernel/vmlinux.lds.S +++ b/arch/arm64/kernel/vmlinux.lds.S @@ -98,7 +98,8 @@ SECTIONS /DISCARD/ : { *(.interp .dynamic) *(.dynsym .dynstr .hash .gnu.hash) - *(.eh_frame) + *(.plt) *(.data.rel.ro) + *(.eh_frame) *(.init.eh_frame) } . = KIMAGE_VADDR + TEXT_OFFSET; @@ -212,6 +213,7 @@ SECTIONS _data = .; _sdata = .; RW_DATA(L1_CACHE_BYTES, PAGE_SIZE, THREAD_ALIGN) + .got.plt : ALIGN(8) { *(.got.plt) } /* * Data written with the MMU off but read with the MMU on requires @@ -246,6 +248,7 @@ SECTIONS _end = .; STABS_DEBUG + DWARF_DEBUG HEAD_SYMBOLS } -- 2.20.1
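Review bot: `.got.plt : ALIGN(8) { *(.got.plt) }` puts the section into the image on the strength of "it does appear to be mapped near .data", with no statement of what populates it or how large it is expected to be. If it is expected to stay empty or at a fixed size, an `ASSERT` on `SIZEOF(.got.plt)` would catch unexpected growth; if it is expected to have content, a comment should say from where. The discard list names `*(.eh_frame) *(.init.eh_frame)` while the commit message says `.eh_frame*`, so one of the two should be adjusted. In the Makefile comment, "expected sections" reads as if it was meant to be "unexpected sections".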
We don't want to depend on the linker's orphan section placement heuristics as these can vary between linkers, and may change between versions. All sections need to be explicitly named in the linker script. Specifically, this would have made a recently fixed bug very obvious: ld: warning: orphan section `.fixup' from `arch/arm/lib/copy_from_user.o' being placed in section `.fixup' Refactor linker script include file for use in standard and XIP linker scripts, as well as in the coming boot linker script changes. Add debug sections explicitly. Create ARM_COMMON_DISCARD macro with unneeded sections .ARM.attributes, .iplt, .rel.iplt, .igot.plt, and .modinfo. Create ARM_STUBS_TEXT macro with missed text stub sections .vfp11_veneer, and .v4_bx. Finally enable orphan section warning. Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/arm/Makefile | 4 ++++ .../arm/{kernel => include/asm}/vmlinux.lds.h | 22 ++++++++++++++----- arch/arm/kernel/vmlinux-xip.lds.S | 5 ++--- arch/arm/kernel/vmlinux.lds.S | 5 ++--- 4 files changed, 25 insertions(+), 11 deletions(-) rename arch/arm/{kernel => include/asm}/vmlinux.lds.h (92%) diff --git a/arch/arm/Makefile b/arch/arm/Makefile index db857d07114f..f1622bea987a 100644 --- a/arch/arm/Makefile +++ b/arch/arm/Makefile @@ -16,6 +16,10 @@ LDFLAGS_vmlinux += --be8 KBUILD_LDFLAGS_MODULE += --be8 endif +# We never want expected sections to be placed heuristically by the +# linker. All sections should be explicitly named in the linker script. +LDFLAGS_vmlinux += --orphan-handling=warn + ifeq ($(CONFIG_ARM_MODULE_PLTS),y) KBUILD_LDS_MODULE += $(srctree)/arch/arm/kernel/module.lds endif diff --git a/arch/arm/kernel/vmlinux.lds.h b/arch/arm/include/asm/vmlinux.lds.h similarity index 92% rename from arch/arm/kernel/vmlinux.lds.h rename to arch/arm/include/asm/vmlinux.lds.h index 8247bc15addc..3ae2cf2e351b 100644 --- a/arch/arm/kernel/vmlinux.lds.h +++ b/arch/arm/include/asm/vmlinux.lds.h 
@@ -1,4 +1,5 @@ /* SPDX-License-Identifier: GPL-2.0 */ +#include <asm-generic/vmlinux.lds.h> #ifdef CONFIG_HOTPLUG_CPU #define ARM_CPU_DISCARD(x) @@ -46,6 +47,13 @@ *(.hyp.idmap.text) \ __hyp_idmap_text_end = .; +#define ARM_COMMON_DISCARD \ + *(.ARM.attributes) \ + *(.iplt) *(.rel.iplt) *(.igot.plt) \ + *(.modinfo) \ + *(.discard) \ + *(.discard.*) + #define ARM_DISCARD \ *(.ARM.exidx.exit.text) \ *(.ARM.extab.exit.text) \ @@ -58,8 +66,14 @@ EXIT_CALL \ ARM_MMU_DISCARD(*(.text.fixup)) \ ARM_MMU_DISCARD(*(__ex_table)) \ - *(.discard) \ - *(.discard.*) + ARM_COMMON_DISCARD + +#define ARM_STUBS_TEXT \ + *(.gnu.warning) \ + *(.glue_7t) \ + *(.glue_7) \ + *(.vfp11_veneer) \ + *(.v4_bx) #define ARM_TEXT \ IDMAP_TEXT \ @@ -74,9 +88,7 @@ LOCK_TEXT \ HYPERVISOR_TEXT \ KPROBES_TEXT \ - *(.gnu.warning) \ - *(.glue_7) \ - *(.glue_7t) \ + ARM_STUBS_TEXT \ . = ALIGN(4); \ *(.got) /* Global offset table */ \ ARM_CPU_KEEP(PROC_INFO) diff --git a/arch/arm/kernel/vmlinux-xip.lds.S b/arch/arm/kernel/vmlinux-xip.lds.S index 21b8b271c80d..8e9ac99a4335 100644 --- a/arch/arm/kernel/vmlinux-xip.lds.S +++ b/arch/arm/kernel/vmlinux-xip.lds.S @@ -9,15 +9,13 @@ #include <linux/sizes.h> -#include <asm-generic/vmlinux.lds.h> +#include <asm/vmlinux.lds.h> #include <asm/cache.h> #include <asm/thread_info.h> #include <asm/memory.h> #include <asm/mpu.h> #include <asm/page.h> -#include "vmlinux.lds.h" - OUTPUT_ARCH(arm) ENTRY(stext) @@ -152,6 +150,7 @@ SECTIONS _end = .; STABS_DEBUG + DWARF_DEBUG } /* diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S index 319ccb10846a..f1c6f66e8e6c 100644 --- a/arch/arm/kernel/vmlinux.lds.S +++ b/arch/arm/kernel/vmlinux.lds.S @@ -8,7 +8,7 @@ #include "vmlinux-xip.lds.S" #else -#include <asm-generic/vmlinux.lds.h> +#include <asm/vmlinux.lds.h> #include <asm/cache.h> #include <asm/thread_info.h> #include <asm/memory.h> @@ -16,8 +16,6 @@ #include <asm/page.h> #include <asm/pgtable.h> -#include "vmlinux.lds.h" - OUTPUT_ARCH(arm) ENTRY(stext) 
@@ -151,6 +149,7 @@ SECTIONS _end = .; STABS_DEBUG + DWARF_DEBUG } #ifdef CONFIG_STRICT_KERNEL_RWX -- 2.20.1
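Review bot: `ARM_STUBS_TEXT` lists `*(.glue_7t)` before `*(.glue_7)`, but the lines it replaces in `ARM_TEXT` had `*(.glue_7)` first, so the stub ordering in the main kernel changes as a side effect of the refactor. Either keep the `ARM_TEXT` order or mention the change in the commit message. The moved `arch/arm/include/asm/vmlinux.lds.h` now includes `<asm-generic/vmlinux.lds.h>` itself and shows no include guard at its top, which matters more now that it is reachable as `<asm/vmlinux.lds.h>`. `ARM_COMMON_DISCARD` also adds `*(.modinfo)` to what `ARM_DISCARD` drops, which the commit message lists but does not justify.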
We don't want to depend on the linker's orphan section placement heuristics as these can vary between linkers, and may change between versions. All sections need to be explicitly named in the linker script. Use common macros for debug sections, discards, and text stubs. Add discards for unwanted .note, and .rel sections. Finally, enable orphan section warning. Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/arm/boot/compressed/Makefile | 2 ++ arch/arm/boot/compressed/vmlinux.lds.S | 17 +++++++---------- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile index da599c3a1193..7faa2b5e7e16 100644 --- a/arch/arm/boot/compressed/Makefile +++ b/arch/arm/boot/compressed/Makefile @@ -136,6 +136,8 @@ endif LDFLAGS_vmlinux += --no-undefined # Delete all temporary local symbols LDFLAGS_vmlinux += -X +# Report orphan sections +LDFLAGS_vmlinux += --orphan-handling=warn # Next argument is a linker script LDFLAGS_vmlinux += -T diff --git a/arch/arm/boot/compressed/vmlinux.lds.S b/arch/arm/boot/compressed/vmlinux.lds.S index fc7ed03d8b93..a6a51b5d2328 100644 --- a/arch/arm/boot/compressed/vmlinux.lds.S +++ b/arch/arm/boot/compressed/vmlinux.lds.S @@ -2,6 +2,7 @@ /* * Copyright (C) 2000 Russell King */ +#include <asm/vmlinux.lds.h> #ifdef CONFIG_CPU_ENDIAN_BE8 #define ZIMAGE_MAGIC(x) ( (((x) >> 24) & 0x000000ff) | \ @@ -17,8 +18,11 @@ ENTRY(_start) SECTIONS { /DISCARD/ : { + ARM_COMMON_DISCARD *(.ARM.exidx*) *(.ARM.extab*) + *(.note.*) + *(.rel.*) /* * Discard any r/w data - this produces a link error if we have any, * which is required for PIC decompression. Local data generates @@ -37,9 +41,7 @@ SECTIONS *(.text) *(.text.*) *(.fixup) - *(.gnu.warning) - *(.glue_7t) - *(.glue_7) + ARM_STUBS_TEXT } .table : ALIGN(4) { _table_start = .; 
@@ -124,12 +126,7 @@ SECTIONS PROVIDE(__pecoff_data_size = ALIGN(512) - ADDR(.data)); PROVIDE(__pecoff_end = ALIGN(512)); - .stab 0 : { *(.stab) } - .stabstr 0 : { *(.stabstr) } - .stab.excl 0 : { *(.stab.excl) } - .stab.exclstr 0 : { *(.stab.exclstr) } - .stab.index 0 : { *(.stab.index) } - .stab.indexstr 0 : { *(.stab.indexstr) } - .comment 0 : { *(.comment) } + STABS_DEBUG + DWARF_DEBUG } ASSERT(_edata_real == _edata, "error: zImage file size is incorrect"); -- 2.20.1
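Review bot: The new `*(.rel.*)` and `*(.note.*)` discards sit in the same `/DISCARD/` block whose comment explains that r/w data is discarded on purpose to produce a link error for the PIC decompressor, but relocation sections are dropped here without any such check, so a relocation the decompressor actually needs would vanish silently. An `ASSERT` that the collected `.rel.*` input is empty would match the intent of the surrounding comment. The last hunk also removes the explicit `.comment 0 : { *(.comment) }` line; the commit message should confirm that `STABS_DEBUG` covers `.comment`, otherwise it becomes an orphan.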
On Fri, Feb 28, 2020 at 1:22 AM Kees Cook <keescook@chromium.org> wrote:
>
> Hi!
>
> A recent bug was solved for builds linked with ld.lld, and tracking
> it down took way longer than it needed to (a year). Ultimately, it
> boiled down to differences between ld.bfd and ld.lld's handling of
> orphan sections. Similarly, the recent FGKASLR series brought up orphan
> section handling too[2]. In both cases, it would have been nice if the
> linker was running with --orphan-handling=warn so that surprise sections
> wouldn't silently get mapped into the kernel image at locations up to
> the whim of the linker's orphan handling logic. Instead, all desired
> sections should be explicitly identified in the linker script (to be
> either kept or discarded) with any orphans throwing a warning. The
> powerpc architecture actually already does this, so this series seeks
> to extend this coverage to x86, arm64, and arm.
>
> This series depends on tip/x86/boot (where recent .eh_frame fixes[3]
> landed), and has a minor conflict[4] with the ARM tree (related to
> the earlier mentioned bug). As it uses refactorings in the asm-generic
> linker script, and makes changes to kbuild, I think the cleanest place
> for this series to land would also be through -tip. Once again (like
> my READ_IMPLIES_EXEC series), I'm looking to get maintainer Acks so
> this can go all together with the least disruption. Splitting it up by
> architecture seems needlessly difficult.
>
> Thanks!
>
> -Kees
>
> [1] https://github.com/ClangBuiltLinux/linux/issues/282
> [2] https://lore.kernel.org/lkml/202002242122.AA4D1B8@keescook/
> [3] https://lore.kernel.org/lkml/158264960194.28353.10560165361470246192.tip-bot2@tip-bot2/
> [4] https://www.arm.linux.org.uk/developer/patches/viewpatch.php?id=8959/1
>

Hi Kees,

is this an updated version of what you have in your
kees/linux.git#linker/orphans/x86-arm Git branch?

Especially, I saw a difference in [2] and "[PATCH 4/9] x86/boot: Warn
on orphan section placement"

[ arch/x86/boot/compressed/Makefile ]

+KBUILD_LDFLAGS += --no-ld-generated-unwind-info

Can you comment on why this KBUILD_LDFLAGS was added/needed?

I like when people offer their work in a Git branch.
Do you plan to do that?

Thanks.

Regards,
- Sedat -

[1] https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=linker/orphans/x86-arm
[2] https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=linker/orphans/x86-arm&id=e43aa77956c40b9b6db0b37b3780423aa2e661ad

> H.J. Lu (1):
>   Add RUNTIME_DISCARD_EXIT to generic DISCARDS
>
> Kees Cook (8):
>   scripts/link-vmlinux.sh: Delay orphan handling warnings until final
>     link
>   vmlinux.lds.h: Add .gnu.version* to DISCARDS
>   x86/build: Warn on orphan section placement
>   x86/boot: Warn on orphan section placement
>   arm64/build: Use common DISCARDS in linker script
>   arm64/build: Warn on orphan section placement
>   arm/build: Warn on orphan section placement
>   arm/boot: Warn on orphan section placement
>
>  arch/arm/Makefile                             |  4 ++++
>  arch/arm/boot/compressed/Makefile             |  2 ++
>  arch/arm/boot/compressed/vmlinux.lds.S        | 17 ++++++--------
>  .../arm/{kernel => include/asm}/vmlinux.lds.h | 22 ++++++++++++++-----
>  arch/arm/kernel/vmlinux-xip.lds.S             |  5 ++---
>  arch/arm/kernel/vmlinux.lds.S                 |  5 ++---
>  arch/arm64/Makefile                           |  4 ++++
>  arch/arm64/kernel/vmlinux.lds.S               | 13 +++++------
>  arch/x86/Makefile                             |  4 ++++
>  arch/x86/boot/compressed/Makefile             |  3 ++-
>  arch/x86/boot/compressed/vmlinux.lds.S        | 13 +++++++++++
>  arch/x86/kernel/vmlinux.lds.S                 |  7 ++++++
>  include/asm-generic/vmlinux.lds.h             | 11 ++++++++--
>  scripts/link-vmlinux.sh                       |  6 +++++
>  14 files changed, 85 insertions(+), 31 deletions(-)
>  rename arch/arm/{kernel => include/asm}/vmlinux.lds.h (92%)
>
> --
> 2.20.1
On Fri, Feb 28, 2020 at 07:51:21AM +0100, Sedat Dilek wrote:
> On Fri, Feb 28, 2020 at 1:22 AM Kees Cook <keescook@chromium.org> wrote:
> > This series depends on tip/x86/boot (where recent .eh_frame fixes[3]
> > landed), and has a minor conflict[4] with the ARM tree (related to
> > the earlier mentioned bug). As it uses refactorings in the asm-generic
> > linker script, and makes changes to kbuild, I think the cleanest place
> > for this series to land would also be through -tip. Once again (like
> > my READ_IMPLIES_EXEC series), I'm looking to get maintainer Acks so
> > this can go all together with the least disruption. Splitting it up by
> > architecture seems needlessly difficult.
>
> Hi Kees,
>
> is this an updated version of what you have in your
> kees/linux.git#linker/orphans/x86-arm Git branch?

Hi; yes indeed.

> Especially, I saw a difference in [2] and "[PATCH 4/9] x86/boot: Warn
> on orphan section placement"
>
> [ arch/x86/boot/compressed/Makefile ]
>
> +KBUILD_LDFLAGS += --no-ld-generated-unwind-info
>
> Can you comment on why this KBUILD_LDFLAGS was added/needed?

It looks like the linker decided to add .eh_frame sections even when all
the .o files lacked it. Adding this flag solved it (which I prefer over
adding it to DISCARD).

> I like when people offer their work in a Git branch.
> Do you plan to do that?

Since it was based on a -tip sub-branch I didn't push a copy, but since
you asked here it is:

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=orphans/tip/x86/boot

And this email can serve as a "ping" to the arch maintainers too... does
this all look okay to you? I think it'd be a nice improvement. :)

Thanks!

-Kees

> Thanks.
>
> Regards,
> - Sedat -
>
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=linker/orphans/x86-arm
> [2] https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=linker/orphans/x86-arm&id=e43aa77956c40b9b6db0b37b3780423aa2e661ad
>
> > H.J. Lu (1):
> >   Add RUNTIME_DISCARD_EXIT to generic DISCARDS
> >
> > Kees Cook (8):
> >   scripts/link-vmlinux.sh: Delay orphan handling warnings until final
> >     link
> >   vmlinux.lds.h: Add .gnu.version* to DISCARDS
> >   x86/build: Warn on orphan section placement
> >   x86/boot: Warn on orphan section placement
> >   arm64/build: Use common DISCARDS in linker script
> >   arm64/build: Warn on orphan section placement
> >   arm/build: Warn on orphan section placement
> >   arm/boot: Warn on orphan section placement
> >
> >  arch/arm/Makefile                             |  4 ++++
> >  arch/arm/boot/compressed/Makefile             |  2 ++
> >  arch/arm/boot/compressed/vmlinux.lds.S        | 17 ++++++--------
> >  .../arm/{kernel => include/asm}/vmlinux.lds.h | 22 ++++++++++++++-----
> >  arch/arm/kernel/vmlinux-xip.lds.S             |  5 ++---
> >  arch/arm/kernel/vmlinux.lds.S                 |  5 ++---
> >  arch/arm64/Makefile                           |  4 ++++
> >  arch/arm64/kernel/vmlinux.lds.S               | 13 +++++------
> >  arch/x86/Makefile                             |  4 ++++
> >  arch/x86/boot/compressed/Makefile             |  3 ++-
> >  arch/x86/boot/compressed/vmlinux.lds.S        | 13 +++++++++++
> >  arch/x86/kernel/vmlinux.lds.S                 |  7 ++++++
> >  include/asm-generic/vmlinux.lds.h             | 11 ++++++++--
> >  scripts/link-vmlinux.sh                       |  6 +++++
> >  14 files changed, 85 insertions(+), 31 deletions(-)
> >  rename arch/arm/{kernel => include/asm}/vmlinux.lds.h (92%)

--
Kees Cook
On Thu, Feb 27, 2020 at 04:22:41PM -0800, Kees Cook wrote:
> Use the common DISCARDS rule for the linker script in an effort to
> regularize the linker script to prepare for warning on orphaned
> sections.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> arch/arm64/kernel/vmlinux.lds.S | 8 ++------
> 1 file changed, 2 insertions(+), 6 deletions(-)
>
> diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
> index 497f9675071d..c61d9ab3211c 100644
> --- a/arch/arm64/kernel/vmlinux.lds.S
> +++ b/arch/arm64/kernel/vmlinux.lds.S
> @@ -6,6 +6,7 @@
> */
>
> #define RO_EXCEPTION_TABLE_ALIGN 8
> +#define RUNTIME_DISCARD_EXIT
>
> #include <asm-generic/vmlinux.lds.h>
> #include <asm/cache.h>
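Review bot: `#define RUNTIME_DISCARD_EXIT` has to stay above `#include <asm-generic/vmlinux.lds.h>` to have any effect, and nothing at this spot says so or says why arm64 keeps the exit sections. The existing comment "/* .exit.text needed in case of alternative patching */" sits further down next to `ARM_EXIT_KEEP`; moving or repeating it here would keep a later include reshuffle from silently changing what is discarded.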
> @@ -19,7 +20,6 @@
>
> /* .exit.text needed in case of alternative patching */
> #define ARM_EXIT_KEEP(x) x
> -#define ARM_EXIT_DISCARD(x)
>
> OUTPUT_ARCH(aarch64)
> ENTRY(_text)
> @@ -94,12 +94,8 @@ SECTIONS
> * matching the same input section name. There is no documented
> * order of matching.
> */
> + DISCARDS
> /DISCARD/ : {
> - ARM_EXIT_DISCARD(EXIT_TEXT)
> - ARM_EXIT_DISCARD(EXIT_DATA)
> - EXIT_CALL
> - *(.discard)
> - *(.discard.*)
> *(.interp .dynamic)
> *(.dynsym .dynstr .hash .gnu.hash)
> *(.eh_frame)
Acked-by: Will Deacon <will@kernel.org>
Will
On Thu, Feb 27, 2020 at 04:22:42PM -0800, Kees Cook wrote:
> We don't want to depend on the linker's orphan section placement
> heuristics as these can vary between linkers, and may change between
> versions. All sections need to be explicitly named in the linker
> script.
>
> Explicitly include debug sections when they're present. Add .eh_frame*
> to discard as it seems that these are still generated even though
> -fno-asynchronous-unwind-tables is being specified. Add .plt and
> .data.rel.ro to discards as they are not actually used. Add .got.plt
> to the image as it does appear to be mapped near .data. Finally enable
> orphan section warnings.
Hmm, I don't understand what .got.plt is doing here. Please can you
elaborate?
Will
On Tue, Mar 17, 2020 at 09:56:14PM +0000, Will Deacon wrote:
> On Thu, Feb 27, 2020 at 04:22:42PM -0800, Kees Cook wrote:
> > We don't want to depend on the linker's orphan section placement
> > heuristics as these can vary between linkers, and may change between
> > versions. All sections need to be explicitly named in the linker
> > script.
> >
> > Explicitly include debug sections when they're present. Add .eh_frame*
> > to discard as it seems that these are still generated even though
> > -fno-asynchronous-unwind-tables is being specified. Add .plt and
> > .data.rel.ro to discards as they are not actually used. Add .got.plt
> > to the image as it does appear to be mapped near .data. Finally enable
> > orphan section warnings.
>
> Hmm, I don't understand what .got.plt is doing here. Please can you
> elaborate?
I didn't track it down, but it seems to have been present (and merged
into the kernel .data) for a while now. I can try to track this down if
you want?
--
Kees Cook
On Tue, Mar 17, 2020 at 4:01 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Tue, Mar 17, 2020 at 09:56:14PM +0000, Will Deacon wrote:
> > On Thu, Feb 27, 2020 at 04:22:42PM -0800, Kees Cook wrote:
> > > We don't want to depend on the linker's orphan section placement
> > > heuristics as these can vary between linkers, and may change between
> > > versions. All sections need to be explicitly named in the linker
> > > script.
> > >
> > > Explicitly include debug sections when they're present. Add .eh_frame*
> > > to discard as it seems that these are still generated even though
> > > -fno-asynchronous-unwind-tables is being specified. Add .plt and
> > > .data.rel.ro to discards as they are not actually used. Add .got.plt
> > > to the image as it does appear to be mapped near .data. Finally enable
> > > orphan section warnings.
> >
> > Hmm, I don't understand what .got.plt is doing here. Please can you
> > elaborate?
>
> I didn't track it down, but it seems to have been present (and merged
> into the kernel .data) for a while now. I can try to track this down if
> you want?
Yes, the presence of a procedure linkage table makes sense for symbol
interposition and lazy binding in userspace executables with runtime
shared object loading support, but not so much the kernel, I would
think. (Though someone did just recently ask me if loadable kernel
modules could interpose weakly defined symbols in the kernel, and if
so what happens on unload. I have no idea and suspect kernel modules
cannot do that, but I have looked into the kernel's runtime relocation
support.)
--
Thanks,
~Nick Desaulniers
Kees Cook's on February 28, 2020 10:22 am:
> Right now, powerpc adds "--orphan-handling=warn" to LD_FLAGS_vmlinux
> to detect when there are unexpected sections getting added to the kernel
> image. There is no need to report these warnings more than once, so it
> can be removed until the final link stage.
>
> This helps pave the way for other architectures to enable this, with the
> end goal of enabling this warning by default for vmlinux for all
> architectures.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> scripts/link-vmlinux.sh | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
> index 1919c311c149..416968fea685 100755
> --- a/scripts/link-vmlinux.sh
> +++ b/scripts/link-vmlinux.sh
> @@ -255,6 +255,11 @@ info GEN modules.builtin
> tr '\0' '\n' < modules.builtin.modinfo | sed -n 's/^[[:alnum:]:_]*\.file=//p' |
> tr ' ' '\n' | uniq | sed -e 's:^:kernel/:' -e 's/$/.ko/' > modules.builtin
>
> +
> +# Do not warn about orphan sections until the final link stage.
> +saved_LDFLAGS_vmlinux="${LDFLAGS_vmlinux}"
> +LDFLAGS_vmlinux="$(echo "${LDFLAGS_vmlinux}" | sed -E 's/ --orphan-handling=warn( |$)/ /g')"
> +
> btf_vmlinux_bin_o=""
> if [ -n "${CONFIG_DEBUG_INFO_BTF}" ]; then
> if gen_btf .tmp_vmlinux.btf .btf.vmlinux.bin.o ; then
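
Review bot: The sed expression on the added LDFLAGS_vmlinux= line matches the flag only when a space precedes it (' --orphan-handling=warn( |$)'), so if --orphan-handling=warn is the first word of LDFLAGS_vmlinux it is not stripped and the intermediate links keep warning. Matching '(^| )' in front as well would cover that case. The lone '+' line at the top of the addition also leaves two blank lines in a row before the new comment and can be dropped.
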
> @@ -306,6 +311,7 @@ if [ -n "${CONFIG_KALLSYMS}" ]; then
> fi
> fi
>
> +LDFLAGS_vmlinux="${saved_LDFLAGS_vmlinux}"
> vmlinux_link vmlinux "${kallsymso}" ${btf_vmlinux_bin_o}
>
> if [ -n "${CONFIG_BUILDTIME_TABLE_SORT}" ]; then
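
Review bot: The added LDFLAGS_vmlinux="${saved_LDFLAGS_vmlinux}" line carries no comment, and the save it undoes sits in the earlier hunk (new line 255, against 311 here), so a reader at this spot cannot see why the variable is reassigned right before the final vmlinux_link. A one-line comment saying that the orphan warning is re-enabled for the final link would help. The restore also overwrites anything appended to LDFLAGS_vmlinux between the two hunks, which is worth stating in that comment if it is intended.
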

That's ugly. Why not just enable it for all archs?

Thanks,
Nick

On Fri, Mar 20, 2020 at 12:47:54PM +1000, Nicholas Piggin wrote:
> Kees Cook's on February 28, 2020 10:22 am:
> > Right now, powerpc adds "--orphan-handling=warn" to LD_FLAGS_vmlinux
> > to detect when there are unexpected sections getting added to the kernel
> > image. There is no need to report these warnings more than once, so it
> > can be removed until the final link stage.
> >
> > This helps pave the way for other architectures to enable this, with the
> > end goal of enabling this warning by default for vmlinux for all
> > architectures.
> >
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > scripts/link-vmlinux.sh | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
> > index 1919c311c149..416968fea685 100755
> > --- a/scripts/link-vmlinux.sh
> > +++ b/scripts/link-vmlinux.sh
> > @@ -255,6 +255,11 @@ info GEN modules.builtin
> > tr '\0' '\n' < modules.builtin.modinfo | sed -n 's/^[[:alnum:]:_]*\.file=//p' |
> > tr ' ' '\n' | uniq | sed -e 's:^:kernel/:' -e 's/$/.ko/' > modules.builtin
> >
> > +
> > +# Do not warn about orphan sections until the final link stage.
> > +saved_LDFLAGS_vmlinux="${LDFLAGS_vmlinux}"
> > +LDFLAGS_vmlinux="$(echo "${LDFLAGS_vmlinux}" | sed -E 's/ --orphan-handling=warn( |$)/ /g')"
> > +
> > btf_vmlinux_bin_o=""
> > if [ -n "${CONFIG_DEBUG_INFO_BTF}" ]; then
> > if gen_btf .tmp_vmlinux.btf .btf.vmlinux.bin.o ; then
> > @@ -306,6 +311,7 @@ if [ -n "${CONFIG_KALLSYMS}" ]; then
> > fi
> > fi
> >
> > +LDFLAGS_vmlinux="${saved_LDFLAGS_vmlinux}"
> > vmlinux_link vmlinux "${kallsymso}" ${btf_vmlinux_bin_o}
> >
> > if [ -n "${CONFIG_BUILDTIME_TABLE_SORT}" ]; then
>
> That's ugly. Why not just enable it for all archs?

It is ugly; I agree.

I can try to do this for all architectures, but I worry there are a
bunch I can't test. But I guess it would stand out. ;)

-Kees

--
Kees Cook

Kees Cook's on March 21, 2020 4:24 am:
> On Fri, Mar 20, 2020 at 12:47:54PM +1000, Nicholas Piggin wrote:
>> Kees Cook's on February 28, 2020 10:22 am:
>> > Right now, powerpc adds "--orphan-handling=warn" to LD_FLAGS_vmlinux
>> > to detect when there are unexpected sections getting added to the kernel
>> > image. There is no need to report these warnings more than once, so it
>> > can be removed until the final link stage.
>> >
>> > This helps pave the way for other architectures to enable this, with the
>> > end goal of enabling this warning by default for vmlinux for all
>> > architectures.
>> >
>> > Signed-off-by: Kees Cook <keescook@chromium.org>
>> > ---
>> > scripts/link-vmlinux.sh | 6 ++++++
>> > 1 file changed, 6 insertions(+)
>> >
>> > diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
>> > index 1919c311c149..416968fea685 100755
>> > --- a/scripts/link-vmlinux.sh
>> > +++ b/scripts/link-vmlinux.sh
>> > @@ -255,6 +255,11 @@ info GEN modules.builtin
>> > tr '\0' '\n' < modules.builtin.modinfo | sed -n 's/^[[:alnum:]:_]*\.file=//p' |
>> > tr ' ' '\n' | uniq | sed -e 's:^:kernel/:' -e 's/$/.ko/' > modules.builtin
>> >
>> > +
>> > +# Do not warn about orphan sections until the final link stage.
>> > +saved_LDFLAGS_vmlinux="${LDFLAGS_vmlinux}"
>> > +LDFLAGS_vmlinux="$(echo "${LDFLAGS_vmlinux}" | sed -E 's/ --orphan-handling=warn( |$)/ /g')"
>> > +
>> > btf_vmlinux_bin_o=""
>> > if [ -n "${CONFIG_DEBUG_INFO_BTF}" ]; then
>> > if gen_btf .tmp_vmlinux.btf .btf.vmlinux.bin.o ; then
>> > @@ -306,6 +311,7 @@ if [ -n "${CONFIG_KALLSYMS}" ]; then
>> > fi
>> > fi
>> >
>> > +LDFLAGS_vmlinux="${saved_LDFLAGS_vmlinux}"
>> > vmlinux_link vmlinux "${kallsymso}" ${btf_vmlinux_bin_o}
>> >
>> > if [ -n "${CONFIG_BUILDTIME_TABLE_SORT}" ]; then
>>
>> That's ugly. Why not just enable it for all archs?
>
> It is ugly; I agree.
>
> I can try to do this for all architectures, but I worry there are a
> bunch I can't test. But I guess it would stand out. ;)

It's only warn, so it doesn't break their builds (unless there's a
linker error on warn option I don't know about?). We had a powerpc bug
that would have been caught with it as well, so it's not a bad idea to
get everyone using it.

I would just do it. Doesn't take much to fix.

Thanks,
Nick

On Sun, Mar 22, 2020 at 07:16:29PM +1000, Nicholas Piggin wrote:
> Kees Cook's on March 21, 2020 4:24 am:
> > On Fri, Mar 20, 2020 at 12:47:54PM +1000, Nicholas Piggin wrote:
> >> Kees Cook's on February 28, 2020 10:22 am:
> >> > Right now, powerpc adds "--orphan-handling=warn" to LD_FLAGS_vmlinux
> >> > to detect when there are unexpected sections getting added to the kernel
> >> > image. There is no need to report these warnings more than once, so it
> >> > can be removed until the final link stage.
> >> >
> >> > This helps pave the way for other architectures to enable this, with the
> >> > end goal of enabling this warning by default for vmlinux for all
> >> > architectures.
> >> >
> >> > Signed-off-by: Kees Cook <keescook@chromium.org>
> >> > ---
> >> > scripts/link-vmlinux.sh | 6 ++++++
> >> > 1 file changed, 6 insertions(+)
> >> >
> >> > diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
> >> > index 1919c311c149..416968fea685 100755
> >> > --- a/scripts/link-vmlinux.sh
> >> > +++ b/scripts/link-vmlinux.sh
> >> > @@ -255,6 +255,11 @@ info GEN modules.builtin
> >> > tr '\0' '\n' < modules.builtin.modinfo | sed -n 's/^[[:alnum:]:_]*\.file=//p' |
> >> > tr ' ' '\n' | uniq | sed -e 's:^:kernel/:' -e 's/$/.ko/' > modules.builtin
> >> >
> >> > +
> >> > +# Do not warn about orphan sections until the final link stage.
> >> > +saved_LDFLAGS_vmlinux="${LDFLAGS_vmlinux}"
> >> > +LDFLAGS_vmlinux="$(echo "${LDFLAGS_vmlinux}" | sed -E 's/ --orphan-handling=warn( |$)/ /g')"
> >> > +
> >> > btf_vmlinux_bin_o=""
> >> > if [ -n "${CONFIG_DEBUG_INFO_BTF}" ]; then
> >> > if gen_btf .tmp_vmlinux.btf .btf.vmlinux.bin.o ; then
> >> > @@ -306,6 +311,7 @@ if [ -n "${CONFIG_KALLSYMS}" ]; then
> >> > fi
> >> > fi
> >> >
> >> > +LDFLAGS_vmlinux="${saved_LDFLAGS_vmlinux}"
> >> > vmlinux_link vmlinux "${kallsymso}" ${btf_vmlinux_bin_o}
> >> >
> >> > if [ -n "${CONFIG_BUILDTIME_TABLE_SORT}" ]; then
> >>
> >> That's ugly. Why not just enable it for all archs?
> >
> > It is ugly; I agree.
> >
> > I can try to do this for all architectures, but I worry there are a
> > bunch I can't test. But I guess it would stand out. ;)
>
> It's only warn, so it doesn't break their builds (unless there's a
> linker error on warn option I don't know about?). We had a powerpc bug
> that would have been caught with it as well, so it's not a bad idea to
> get everyone using it.

Well, it's bad form to add warnings to a build. I am expected to fix any
warnings before I enable a warning flag.

> I would just do it. Doesn't take much to fix.

I will do my best on the archs I can't test. :)

--
Kees Cook

On Fri, Feb 28, 2020 at 1:22 AM Kees Cook <keescook@chromium.org> wrote:
>
> Hi!
>
> A recent bug was solved for builds linked with ld.lld, and tracking
> it down took way longer than it needed to (a year). Ultimately, it
> boiled down to differences between ld.bfd and ld.lld's handling of
> orphan sections. Similarly, the recent FGKASLR series brought up orphan
> section handling too[2]. In both cases, it would have been nice if the
> linker was running with --orphan-handling=warn so that surprise sections
> wouldn't silently get mapped into the kernel image at locations up to
> the whim of the linker's orphan handling logic. Instead, all desired
> sections should be explicitly identified in the linker script (to be
> either kept or discarded) with any orphans throwing a warning. The
> powerpc architecture actually already does this, so this series seeks
> to extend this coverage to x86, arm64, and arm.
>
> This series depends on tip/x86/boot (where recent .eh_frame fixes[3]
> landed), and has a minor conflict[4] with the ARM tree (related to
> the earlier mentioned bug). As it uses refactorings in the asm-generic
> linker script, and makes changes to kbuild, I think the cleanest place
> for this series to land would also be through -tip. Once again (like
> my READ_IMPLIES_EXEC series), I'm looking to get maintainer Acks so
> this can go all together with the least disruption. Splitting it up by
> architecture seems needlessly difficult.
>
> Thanks!
>

Hi Kees,

what is the status of this patchset?
Looks like it is not in tip or linux-next Git.

Thanks.

Regards,
- Sedat -

> -Kees
>
> [1] https://github.com/ClangBuiltLinux/linux/issues/282
> [2] https://lore.kernel.org/lkml/202002242122.AA4D1B8@keescook/
> [3] https://lore.kernel.org/lkml/158264960194.28353.10560165361470246192.tip-bot2@tip-bot2/
> [4] https://www.arm.linux.org.uk/developer/patches/viewpatch.php?id=8959/1
>
> H.J. Lu (1):
>   Add RUNTIME_DISCARD_EXIT to generic DISCARDS
>
> Kees Cook (8):
>   scripts/link-vmlinux.sh: Delay orphan handling warnings until final
>     link
>   vmlinux.lds.h: Add .gnu.version* to DISCARDS
>   x86/build: Warn on orphan section placement
>   x86/boot: Warn on orphan section placement
>   arm64/build: Use common DISCARDS in linker script
>   arm64/build: Warn on orphan section placement
>   arm/build: Warn on orphan section placement
>   arm/boot: Warn on orphan section placement
>
>  arch/arm/Makefile                             |  4 ++++
>  arch/arm/boot/compressed/Makefile             |  2 ++
>  arch/arm/boot/compressed/vmlinux.lds.S        | 17 ++++++--------
>  .../arm/{kernel => include/asm}/vmlinux.lds.h | 22 ++++++++++++++-----
>  arch/arm/kernel/vmlinux-xip.lds.S             |  5 ++---
>  arch/arm/kernel/vmlinux.lds.S                 |  5 ++---
>  arch/arm64/Makefile                           |  4 ++++
>  arch/arm64/kernel/vmlinux.lds.S               | 13 +++++------
>  arch/x86/Makefile                             |  4 ++++
>  arch/x86/boot/compressed/Makefile             |  3 ++-
>  arch/x86/boot/compressed/vmlinux.lds.S        | 13 +++++++++++
>  arch/x86/kernel/vmlinux.lds.S                 |  7 ++++++
>  include/asm-generic/vmlinux.lds.h             | 11 ++++++++--
>  scripts/link-vmlinux.sh                       |  6 +++++
>  14 files changed, 85 insertions(+), 31 deletions(-)
>  rename arch/arm/{kernel => include/asm}/vmlinux.lds.h (92%)
>
> --
> 2.20.1

On Thu, Apr 02, 2020 at 06:20:57PM +0200, Sedat Dilek wrote:
> On Fri, Feb 28, 2020 at 1:22 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > Hi!
> >
> > A recent bug was solved for builds linked with ld.lld, and tracking
> > it down took way longer than it needed to (a year). Ultimately, it
> > boiled down to differences between ld.bfd and ld.lld's handling of
> > orphan sections. Similarly, the recent FGKASLR series brought up orphan
> > section handling too[2]. In both cases, it would have been nice if the
> > linker was running with --orphan-handling=warn so that surprise sections
> > wouldn't silently get mapped into the kernel image at locations up to
> > the whim of the linker's orphan handling logic. Instead, all desired
> > sections should be explicitly identified in the linker script (to be
> > either kept or discarded) with any orphans throwing a warning. The
> > powerpc architecture actually already does this, so this series seeks
> > to extend this coverage to x86, arm64, and arm.
> >
> > This series depends on tip/x86/boot (where recent .eh_frame fixes[3]
> > landed), and has a minor conflict[4] with the ARM tree (related to
> > the earlier mentioned bug). As it uses refactorings in the asm-generic
> > linker script, and makes changes to kbuild, I think the cleanest place
> > for this series to land would also be through -tip. Once again (like
> > my READ_IMPLIES_EXEC series), I'm looking to get maintainer Acks so
> > this can go all together with the least disruption. Splitting it up by
> > architecture seems needlessly difficult.
> >
> > Thanks!
> >
>
> Hi Kees,
>
> what is the status of this patchset?
> Looks like it is not in tip or linux-next Git.

Based on the feedback, I have 3 TODO items:

- track down and eliminate (or explain) the source of the .got.plt on arm64
- enable orphan warnings for _all_ architectures
- refactor final link logic to perform the orphan warning in a clean way

I'm working through these (and other work) still. I'm hoping to have
another version up some time next week.

--
Kees Cook

On Thu, Apr 2, 2020 at 7:26 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Thu, Apr 02, 2020 at 06:20:57PM +0200, Sedat Dilek wrote:
> > On Fri, Feb 28, 2020 at 1:22 AM Kees Cook <keescook@chromium.org> wrote:
> > >
> > > Hi!
> > >
> > > A recent bug was solved for builds linked with ld.lld, and tracking
> > > it down took way longer than it needed to (a year). Ultimately, it
> > > boiled down to differences between ld.bfd and ld.lld's handling of
> > > orphan sections. Similarly, the recent FGKASLR series brought up orphan
> > > section handling too[2]. In both cases, it would have been nice if the
> > > linker was running with --orphan-handling=warn so that surprise sections
> > > wouldn't silently get mapped into the kernel image at locations up to
> > > the whim of the linker's orphan handling logic. Instead, all desired
> > > sections should be explicitly identified in the linker script (to be
> > > either kept or discarded) with any orphans throwing a warning. The
> > > powerpc architecture actually already does this, so this series seeks
> > > to extend this coverage to x86, arm64, and arm.
> > >
> > > This series depends on tip/x86/boot (where recent .eh_frame fixes[3]
> > > landed), and has a minor conflict[4] with the ARM tree (related to
> > > the earlier mentioned bug). As it uses refactorings in the asm-generic
> > > linker script, and makes changes to kbuild, I think the cleanest place
> > > for this series to land would also be through -tip. Once again (like
> > > my READ_IMPLIES_EXEC series), I'm looking to get maintainer Acks so
> > > this can go all together with the least disruption. Splitting it up by
> > > architecture seems needlessly difficult.
> > >
> > > Thanks!
> > >
> >
> > Hi Kees,
> >
> > what is the status of this patchset?
> > Looks like it is not in tip or linux-next Git.
>
> Based on the feedback, I have 3 TODO items:
>
> - track down and eliminate (or explain) the source of the .got.plt on arm64
> - enable orphan warnings for _all_ architectures
> - refactor final link logic to perform the orphan warning in a clean way
>
> I'm working through these (and other work) still. I'm hoping to have
> another version up some time next week.
>

Please CC when possible with a pointer to a git-link.

Thanks.

- sed@ -