Bug 20283 - Make -z relro the default if possible
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: ld
Version: 2.27
Importance: P2 normal
Target Milestone: 2.27
Assignee: Not yet assigned to anyone
Reported: 2016-06-21 13:27 UTC by H.J. Lu
Modified: 2016-06-22 12:54 UTC (History)
Description H.J. Lu 2016-06-21 13:27:09 UTC
Since "-z relro" makes more pages read-only after relocation, I'd
like to make it the default if possible. The following ELF targets
don't support "-z relro":

check.arc-linux-uclibc:FAIL: strip -z relro -shared (relro1)
check.arc-linux-uclibc:FAIL: objcopy -z relro -shared (relro1)
check.arc-linux-uclibc:FAIL: objcopy -z relro (tdata1)
check.arc-linux-uclibc:FAIL: objcopy -shared -z relro (tdata1)
check.arc-linux-uclibc:FAIL: objcopy -z relro (tdata2)
check.arc-linux-uclibc:FAIL: objcopy -shared -z relro (tdata2)
check.arc-linux-uclibc:FAIL: objcopy -z relro (tdata3)
check.arc-linux-uclibc:FAIL: objcopy -shared -z relro (tdata3)
check.arc-linux-uclibc:FAIL: objcopy -shared -z relro (tbss1)
check.arc-linux-uclibc:FAIL: objcopy -shared -z relro (tbss2)
check.arc-linux-uclibc:FAIL: objcopy -shared -z relro (tbss3)
check.frv-linux:FAIL: strip -z relro (relro1)
check.frv-linux:FAIL: strip -z relro -shared (relro1)
check.frv-linux:FAIL: objcopy -z relro (relro1)
check.frv-linux:FAIL: objcopy -z relro -shared (relro1)
check.frv-linux:FAIL: objcopy -z relro (tdata1)
check.frv-linux:FAIL: objcopy -shared -z relro (tdata1)
check.frv-linux:FAIL: objcopy -z relro (tdata2)
check.frv-linux:FAIL: objcopy -shared -z relro (tdata2)
check.frv-linux:FAIL: objcopy -z relro (tdata3)
check.frv-linux:FAIL: objcopy -shared -z relro (tdata3)
check.frv-linux:FAIL: objcopy -shared -z relro (tbss1)
check.frv-linux:FAIL: objcopy -shared -z relro (tbss2)
check.frv-linux:FAIL: objcopy -shared -z relro (tbss3)
check.hppa64-linux:FAIL: strip -z relro (relro1)
check.hppa64-linux:FAIL: strip -z relro -shared (relro1)
check.hppa64-linux:FAIL: objcopy -z relro (relro1)
check.hppa64-linux:FAIL: objcopy -z relro -shared (relro1)
check.hppa64-linux:FAIL: objcopy -z relro (tdata1)
check.hppa64-linux:FAIL: objcopy -shared -z relro (tdata1)
check.hppa64-linux:FAIL: objcopy -z relro (tdata2)
check.hppa64-linux:FAIL: objcopy -shared -z relro (tdata2)
check.hppa-linux:FAIL: strip -z relro (relro1)
check.hppa-linux:FAIL: strip -z relro -shared (relro1)
check.hppa-linux:FAIL: objcopy -z relro (relro1)
check.hppa-linux:FAIL: objcopy -z relro -shared (relro1)
check.hppa-linux:FAIL: objcopy -z relro (tdata1)
check.hppa-linux:FAIL: objcopy -shared -z relro (tdata1)
check.hppa-linux:FAIL: objcopy -z relro (tdata2)
check.hppa-linux:FAIL: objcopy -shared -z relro (tdata2)
check.hppa-linux:FAIL: objcopy -z relro (tdata3)
check.hppa-linux:FAIL: objcopy -shared -z relro (tdata3)
check.hppa-linux:FAIL: objcopy -shared -z relro (tbss1)
check.hppa-linux:FAIL: objcopy -shared -z relro (tbss2)
check.hppa-linux:FAIL: objcopy -shared -z relro (tbss3)
check.ia64-linux:FAIL: strip -z relro (relro1)
check.ia64-linux:FAIL: strip -z relro -shared (relro1)
check.ia64-linux:FAIL: objcopy -z relro (relro1)
check.ia64-linux:FAIL: objcopy -z relro -shared (relro1)
check.ia64-linux:FAIL: objcopy -z relro (tdata1)
check.ia64-linux:FAIL: objcopy -shared -z relro (tdata1)
check.ia64-linux:FAIL: objcopy -z relro (tdata2)
check.ia64-linux:FAIL: objcopy -shared -z relro (tdata2)
check.ia64-linux:FAIL: objcopy -z relro (tdata3)
check.ia64-linux:FAIL: objcopy -shared -z relro (tdata3)
check.ia64-linux:FAIL: objcopy -shared -z relro (tbss1)
check.ia64-linux:FAIL: objcopy -shared -z relro (tbss2)
check.ia64-linux:FAIL: objcopy -shared -z relro (tbss3)
check.mips64-linux:FAIL: objcopy -shared -z relro (tbss1)
check.mips64-linux:FAIL: objcopy -shared -z relro (tbss2)
check.mips64-linux:FAIL: objcopy -shared -z relro (tbss3)
check.mipsel-linux-gnu:FAIL: objcopy -shared -z relro (tbss1)
check.mipsel-linux-gnu:FAIL: objcopy -shared -z relro (tbss2)
check.mipsel-linux-gnu:FAIL: objcopy -shared -z relro (tbss3)
check.mipsisa32el-linux:FAIL: objcopy -shared -z relro (tbss1)
check.mipsisa32el-linux:FAIL: objcopy -shared -z relro (tbss2)
check.mipsisa32el-linux:FAIL: objcopy -shared -z relro (tbss3)
check.mips-linux:FAIL: objcopy -shared -z relro (tbss1)
check.mips-linux:FAIL: objcopy -shared -z relro (tbss2)
check.mips-linux:FAIL: objcopy -shared -z relro (tbss3)

We can make "-z relro" opt-in or opt-out.  Since most ELF targets
support relro, we can opt it out for the above targets.
Comment 1 H.J. Lu 2016-06-21 16:41:36 UTC
arc-linux-uclibc has only one failure:

FAIL: Common symbol override test
Comment 2 H.J. Lu 2016-06-21 16:55:44 UTC
(In reply to H.J. Lu from comment #1)
> arc-linux-uclibc has only one failure:
> 
> FAIL: Common symbol override test

It is triggered by

commit fc3eec7ebd155d31c1a58e6446cc231ddb6e361b
Author: Claudiu Zissulescu <claziss@synopsys.com>
Date:   Thu May 19 14:51:53 2016 +0200

    [ARC] Fixed-linker-related-testsuite-for-ARC
    
    ld/
    2016-05-19  Cupertino Miranda  <cmiranda@synopsys.com>
    
    	* testsuite/ld-elf/compressed1d.d: Removed from notarget.
    	* testsuite/ld-elf/group8a.d: Likewise.
    	* testsuite/ld-elf/group8b.d: Likewise.
    	* testsuite/ld-elf/group9a.d: Likewise.
    	* testsuite/ld-elf/group9b.d: Likewise.
    	* testsuite/ld-elf/pr12851.d: Likewise.
    	* testsuite/ld-elf/pr12975.d: Likewise.
    	* testsuite/ld-elf/pr13177.d: Likewise.
    	* testsuite/ld-elf/pr13195.d: Likewise.
    	* testsuite/ld-elf/pr17615.d: Likewise.
    	* testsuite/ld-elf/eh-frame-hdr.d: Removed from xfail.
    	* testsuite/ld-elf/group3b.d: Likewise.
    	* testsuite/ld-srec/srec.exp: Likewise.
    	* testsuite/lib/ld-lib.exp (check_gc_sections_available): Mark ARC
    	as supporting gc.
    	(check_shared_lib_support): Mark ARC as supporting.

It
Comment 3 H.J. Lu 2016-06-21 17:00:18 UTC
(In reply to H.J. Lu from comment #0)
> Since "-z relro" makes more pages read-only after relocation, I'd
> like to make it the default if possible. The following ELF targets
> don't support "-z relro":
> 
> check.arc-linux-uclibc:FAIL: strip -z relro -shared (relro1)
> check.arc-linux-uclibc:FAIL: objcopy -z relro -shared (relro1)
> check.arc-linux-uclibc:FAIL: objcopy -z relro (tdata1)
> check.arc-linux-uclibc:FAIL: objcopy -shared -z relro (tdata1)
> check.arc-linux-uclibc:FAIL: objcopy -z relro (tdata2)
> check.arc-linux-uclibc:FAIL: objcopy -shared -z relro (tdata2)
> check.arc-linux-uclibc:FAIL: objcopy -z relro (tdata3)
> check.arc-linux-uclibc:FAIL: objcopy -shared -z relro (tdata3)
> check.arc-linux-uclibc:FAIL: objcopy -shared -z relro (tbss1)
> check.arc-linux-uclibc:FAIL: objcopy -shared -z relro (tbss2)
> check.arc-linux-uclibc:FAIL: objcopy -shared -z relro (tbss3)

arc-linux-uclibc is fixed by

commit c0913ebfafa2c3b94e08856c3304037fa9f0906e
Author: Claudiu Zissulescu <claziss@synopsys.com>
Date:   Thu May 19 14:44:01 2016 +0200

    [ARC] Emulation and default script template changes.
    
    2016-05-19  Cupertino Miranda  <cmiranda@synopsys.com>
    
    	* emulparams/arcelf.sh: Changed.
    	* emulparams/arclinux.sh: Likewise.
    	* scripttempl/arclinux.sc: Moved to a more standard implementation
    	similar to elf.sc.
Comment 4 Sourceware Commits 2016-06-22 12:38:42 UTC
The master branch has been updated by H.J. Lu <hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=647e4d46495f2bfb0950fd1066c8a660173cca40

commit 647e4d46495f2bfb0950fd1066c8a660173cca40
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed Jun 22 05:37:24 2016 -0700

    ld: Add a linker configure option --enable-relro
    
    Add a configure option --enable-relro to decide whether -z relro should
    be enabled in ELF linker by default.  Default to yes for all Linux
    targets, except FRV, HPPA, IA64 and MIPS, since many relro tests fail
    on these targets.
    
    	PR ld/20283
    	* NEWS: Mention --enable-relro.
    	* configure.ac: Add --enable-relro.
    	(DEFAULT_LD_Z_RELRO): New.  Set by --enable-relro.
    	* configure.tgt (ac_default_ld_z_relro): Default it to 1 for
    	some Linux targets.
    	* config.in: Regenerated.
    	* configure: Likewise.
    	* emultempl/elf32.em (gld${EMULATION_NAME}_before_parse): Set
    	link_info.relro to DEFAULT_LD_Z_RELRO.
    	* testsuite/config/default.exp (ld_elf_shared_opt): New.
    	* testsuite/lib/ld-lib.exp (run_dump_test): Pass
    	$ld_elf_shared_opt to ld for ELF targets with shared object
    	support.
    	(run_ld_link_tests): Likewise.
Comment 5 Sourceware Commits 2016-06-22 12:40:34 UTC
The master branch has been updated by H.J. Lu <hjl@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b1edb94fedc7103b4929354d27304d0bd756f49

commit 6b1edb94fedc7103b4929354d27304d0bd756f49
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed Jun 22 05:39:22 2016 -0700

    gold: Add a linker configure option --enable-relro
    
    Add a configure option --enable-relro to decide whether -z relro should
    be enabled by default.  Default to yes.
    
    	PR ld/20283
    	* NEWS: Mention --enable-relro.
    	* configure.ac: Add --enable-relro.
    	(DEFAULT_LD_Z_RELRO): New.  Set by --enable-relro and default
    	to 1.
    	* config.in: Regenerated.
    	* configure: Likewise.
    	* options.h (General_options::relro): Default to
    	DEFAULT_LD_Z_RELRO.
Comment 6 H.J. Lu 2016-06-22 12:54:48 UTC
Fixed.
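
The effect of the new default can be audited on linker output by looking for the PT_GNU_RELRO program header that "-z relro" produces. The following is an added example, not code from binutils or from anyone in this bug; `relro_segment` and `build_sample` are hypothetical names, and the sample ELF images are constructed. It handles both ELF classes and both byte orders, since the targets listed above include 32-bit, 64-bit, little-endian and big-endian ones.

```python
import struct

PT_GNU_RELRO = 0x6474E552  # program header type emitted for -z relro
# struct layouts per EI_CLASS: (ELF header after e_ident, program header)
LAYOUT = {1: ("HHIIIIIHHHHHH", "IIIIIIII"),   # ELFCLASS32
          2: ("HHIQQQIHHHHHH", "IIQQQQQQ")}   # ELFCLASS64

def relro_segment(image):
    """Return (p_vaddr, p_memsz) of the PT_GNU_RELRO segment, or None."""
    if len(image) < 16 or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = image[4], image[5]
    if ei_class not in LAYOUT or ei_data not in (1, 2):
        raise ValueError("unknown EI_CLASS or EI_DATA")
    end = "<" if ei_data == 1 else ">"   # ELFDATA2LSB or ELFDATA2MSB
    ehdr_fmt, phdr_fmt = LAYOUT[ei_class]
    try:
        ehdr = struct.unpack_from(end + ehdr_fmt, image, 16)
        e_phoff, e_phentsize, e_phnum = ehdr[4], ehdr[8], ehdr[9]
        for i in range(e_phnum):
            ph = struct.unpack_from(end + phdr_fmt, image, e_phoff + i * e_phentsize)
            if ph[0] == PT_GNU_RELRO:
                # p_vaddr and p_memsz sit at different indexes per class
                return (ph[2], ph[5]) if ei_class == 1 else (ph[3], ph[6])
    except struct.error as exc:
        raise ValueError("truncated ELF headers") from exc
    return None

def build_sample(ei_class, ei_data, p_types):
    """Constructed input: a bare ELF header followed by program headers."""
    end = "<" if ei_data == 1 else ">"
    ehdr_fmt, phdr_fmt = LAYOUT[ei_class]
    ehsize = 16 + struct.calcsize(end + ehdr_fmt)
    phsize = struct.calcsize(end + phdr_fmt)
    image = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + bytes(9)
    image += struct.pack(end + ehdr_fmt, 3, 0, 1, 0, ehsize, 0, 0,
                         ehsize, phsize, len(p_types), 0, 0, 0)
    for t in p_types:   # PF_R segment at constructed address 0x3000
        fields = ((t, 0, 0x3000, 0x3000, 0x1000, 0x1000, 4, 1) if ei_class == 1
                  else (t, 4, 0, 0x3000, 0x3000, 0x1000, 0x1000, 1))
        image += struct.pack(end + phdr_fmt, *fields)
    return image

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:   # audit real linker output, e.g. a.out
        with open(path, "rb") as f:
            print(path, "relro" if relro_segment(f.read()) else "NO relro")
```

Run as a script, it takes paths to linked executables or shared objects and reports which ones lack the segment, which is the case to expect from a linker configured with relro off by default.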