This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Design goals of the dynamic loader.
- From: Rich Felker <dalias at libc dot org>
- To: Carlos O'Donell <carlos at redhat dot com>
- Cc: Siddhesh Poyarekar <siddhesh at redhat dot com>, libc-alpha at sourceware dot org, roland at hack dot frob dot com
- Date: Sat, 18 Jul 2015 03:37:51 -0400
- Subject: Re: Design goals of the dynamic loader.
- References: <1437033625-13561-1-git-send-email-siddhesh at redhat dot com> <55A7D4D6 dot 9030407 at redhat dot com> <20150717032846 dot GA19592 at spoyarek dot pnq dot redhat dot com> <55A87E63 dot 5030506 at redhat dot com> <20150717043706 dot GC19592 at spoyarek dot pnq dot redhat dot com> <55A931B0 dot 1010208 at redhat dot com>
On Fri, Jul 17, 2015 at 12:47:44PM -0400, Carlos O'Donell wrote:
> > We don't know the cost of verification yet. We fear that it will be
> > too much, but we have no idea how much that 'too much' is. If it is a
> > 5% penalty on load time, IMO it is fine for the hardening it provides.
> > Maybe we could provide a build or runtime flag to bypass those checks,
> > but that is an added complication that is not worth the 5% IMO.
>
> The design goal of the dynamic loader is to consume correctly formed
> ELF files and to assemble an in-memory image of the application for
> execution by the operating system and hardware.
>
> The dynamic loader will not assume the ELF files are corrupt, and
> can proceed directly to use any of the information provided and
> encoded in the format in order to carry out its operations as
> quickly and efficiently as possible.
Note that any attempt to validate ELF contents at runtime is utterly
useless unless you abandon mmap and read the file contents into memory
instead. Since Linux lacks MAP_COPY and only has MAP_PRIVATE or
MAP_SHARED, there is always a risk that the file will be modified after
validation but before use.
Rich
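The check-then-use race Rich describes, shown as an added C example that is not part of this thread or of glibc. It writes a constructed, well-formed ELF header to an unlinked temp file, validates the identification bytes, then has a stand-in "other writer" overwrite the magic via `pwrite()` before the header is used again. One path validates through a `MAP_PRIVATE` mapping the way a loader would; the other copies the header into process-private memory with `pread()` first and only ever touches the copy. All names (`elf_ident_ok`, `make_elf_file`, `clobber_magic`, `mmap_view_tracks_file`, `read_copy_is_stable`) and the `/tmp` template path are this example's own.

```c
#define _GNU_SOURCE
#include <elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Checks the e_ident bytes of an ELF header: magic, class, data encoding
 * and version. This is the only validation the example performs. */
static int elf_ident_ok(const unsigned char *ident)
{
    return memcmp(ident, ELFMAG, SELFMAG) == 0 &&
           (ident[EI_CLASS] == ELFCLASS32 || ident[EI_CLASS] == ELFCLASS64) &&
           (ident[EI_DATA] == ELFDATA2LSB || ident[EI_DATA] == ELFDATA2MSB) &&
           ident[EI_VERSION] == EV_CURRENT;
}

/* Creates an unlinked temp file holding a constructed 64-bit ELF header
 * (a header only, not a loadable object). Returns the fd or -1. */
static int make_elf_file(void)
{
    char path[] = "/tmp/elf-toctou-XXXXXX"; /* assumed writable location */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    Elf64_Ehdr eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_DYN;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh;
    if (write(fd, &eh, sizeof eh) != (ssize_t)sizeof eh) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Stands in for a second writer that changes the file between the
 * loader's check and its use: overwrite the first magic byte. */
static int clobber_magic(int fd)
{
    unsigned char zero = 0;
    return pwrite(fd, &zero, 1, 0) == 1 ? 0 : -1;
}

/* mmap pattern: validate through a MAP_PRIVATE view, then keep using it.
 * Returns 1 if the view no longer validates once the file has changed
 * (the earlier check was defeated), 0 if it still does, -1 on setup error. */
static int mmap_view_tracks_file(void)
{
    int fd = make_elf_file();
    if (fd < 0)
        return -1;
    long pg = sysconf(_SC_PAGESIZE);
    unsigned char *view = mmap(NULL, pg, PROT_READ, MAP_PRIVATE, fd, 0);
    if (view == MAP_FAILED) {
        close(fd);
        return -1;
    }
    int passed_check = elf_ident_ok(view);
    int rc = clobber_magic(fd);
    int still_ok = elf_ident_ok(view);
    munmap(view, pg);
    close(fd);
    if (!passed_check || rc < 0)
        return -1;
    return still_ok ? 0 : 1;
}

/* read pattern: copy the header into private memory, validate the copy
 * and use only the copy. Returns 1 if the copy still validates after the
 * file has changed, 0 if not, -1 on setup error. */
static int read_copy_is_stable(void)
{
    int fd = make_elf_file();
    if (fd < 0)
        return -1;
    unsigned char copy[sizeof(Elf64_Ehdr)];
    if (pread(fd, copy, sizeof copy, 0) != (ssize_t)sizeof copy) {
        close(fd);
        return -1;
    }
    int passed_check = elf_ident_ok(copy);
    int rc = clobber_magic(fd);
    int still_ok = elf_ident_ok(copy);
    close(fd);
    if (!passed_check || rc < 0)
        return -1;
    return still_ok;
}

int main(void)
{
    printf("mmap view tracks file: %d\n", mmap_view_tracks_file());
    printf("read copy stable:      %d\n", read_copy_is_stable());
    return 0;
}
```

On Linux the read-only `MAP_PRIVATE` pages are the page-cache pages until the mapper writes to them, so a `write()` to the file by anyone with the fd shows up through the mapping and `mmap_view_tracks_file()` reports 1; the `pread()` copy is unaffected and `read_copy_is_stable()` always reports 1. That is the asymmetry the message points at: a check is only as good as the memory it was performed on, and a file-backed mapping is not memory the checker owns.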