dynrelro section for read-only dynamic symbols copied into executable
Palmer Dabbelt
palmer@dabbelt.com
Mon Jan 2 02:26:00 GMT 2017
On Thu, 29 Dec 2016 14:24:02 PST (-0800), amodra@gmail.com wrote:
> On Thu, Dec 29, 2016 at 10:20:06AM -0800, Palmer Dabbelt wrote:
>> On Sun, 25 Dec 2016 21:44:48 PST (-0800), amodra@gmail.com wrote:
>> > riscv scripts are hosed for -z relro.
>>
>> Andrew and I can't figure out why relro is broken on RISC-V.
>
> You have this at the start of your scripts.
>
> .interp : { *(.interp) }
> .data : { *(.data) *(.data.*) *(.gnu.linkonce.d.*) }
> .rodata : { *(.rodata) *(.rodata.*) *(.gnu.linkonce.r.*) }
>
> So .data.rel.ro goes into .data since it matches *(.data.*). Also,
> .rodata after .data is a problem. Since you don't give a page gap
> between sections with differing write protection, you will make
> .interp and .rodata writable. As shown below.
>
> [snip]
>> Program Headers:
>> Type Offset VirtAddr PhysAddr
>> FileSiz MemSiz Flags Align
>> PHDR 0x0000000000000040 0x0000000000010040 0x0000000000010040
>> 0x00000000000001f8 0x00000000000001f8 R E 0x8
>> INTERP 0x0000000000000238 0x0000000000010238 0x0000000000010238
>> 0x0000000000000014 0x0000000000000014 R 0x1
>> [Requesting program interpreter: /lib64/lp64/ld.so.1]
>> LOAD 0x0000000000000000 0x0000000000010000 0x0000000000010000
>> 0x00000000000039b4 0x00000000000039f8 RW 0x1000
> [snip]
>> 02 .interp .note.ABI-tag .data .rodata .sdata .sbss .bss
>
> Run-time permission is determined by the PT_LOAD program header flags.
> The section permissions don't matter, nor does the PT_INTERP program
> header flags.
Thanks! I believe we have a fix; it's in a patchset I'm just mailing out now.
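
The point made in the quoted reply, that run-time permission comes from the PT_LOAD flags and not from section or PT_INTERP flags, as an added check that is not part of the original thread or of binutils. It reads ELF64 little-endian program headers and reports segments flagged read-only that a writable PT_LOAD actually maps, plus whether PT_GNU_RELRO is present; the sample image is constructed from the header values quoted above, and `program_headers`, `audit` and `build_sample` are hypothetical names.

```python
import struct

PT_LOAD, PT_INTERP, PT_NOTE, PT_PHDR = 1, 3, 4, 6
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
NAMES = {PT_INTERP: "INTERP", PT_NOTE: "NOTE", PT_PHDR: "PHDR"}

def program_headers(elf):
    """Return (type, flags, vaddr, memsz) for each ELF64 little-endian phdr."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    out = []
    for i in range(e_phnum):
        p_type, p_flags, _off, p_vaddr, _paddr, _filesz, p_memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        out.append((p_type, p_flags, p_vaddr, p_memsz))
    return out

def audit(elf):
    """Segments without PF_W that a writable PT_LOAD covers, and RELRO presence."""
    phdrs = program_headers(elf)
    writable = [(v, v + m) for t, f, v, m in phdrs if t == PT_LOAD and f & PF_W]
    exposed = [NAMES[t] for t, f, v, m in phdrs
               if t in NAMES and not f & PF_W
               and any(lo <= v and v + m <= hi for lo, hi in writable)]
    return exposed, any(t == PT_GNU_RELRO for t, *_ in phdrs)

def build_sample(load_flags):
    """Constructed image: ELF64 header plus PHDR, INTERP and one LOAD entry,
    using the offsets, addresses and sizes quoted in the thread's dump."""
    phdrs = [(PT_PHDR, PF_R | PF_X, 0x40, 0x10040, 0x1F8, 0x1F8, 8),
             (PT_INTERP, PF_R, 0x238, 0x10238, 0x14, 0x14, 1),
             (PT_LOAD, load_flags, 0, 0x10000, 0x39B4, 0x39F8, 0x1000)]
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 2, 243, 1,
                       0, 0x40, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, o, v, v, fs, ms, a)
                           for t, f, o, v, fs, ms, a in phdrs)

if __name__ == "__main__":
    # RW LOAD as in the thread, then the same layout with an R+X LOAD.
    for flags in (PF_R | PF_W, PF_R | PF_X):
        print(audit(build_sample(flags)))
```
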