Gold Linker Patch: Introduce the "retpoline" x86 mitigation technique for variant #2 of the speculative execution vulnerabilities disclosed today, specifically identified by CVE-2017-5715 and in some places called "spectre".

Ian Lance Taylor via binutils binutils@sourceware.org
Fri Jan 5 23:52:00 GMT 2018


On Fri, Jan 5, 2018 at 3:28 PM, Cary Coutant <ccoutant@gmail.com> wrote:
>
>> If we think this is a problem that needs to be fixed, we should remove the
>> indirect call altogether, and have the dynamic linker generate a direct call
>> at load time.  There are few constraints associated with that (4 GiB total
>> application + DSO size, some SELinux users will be unhappy, lack of lazy
>> binding support), but at least it can be turned on in practice.
>
> That would involve moving the PLT into writable memory, and is a much
> bigger change than I'd want to see for what should be a temporary
> mitigation strategy.

The dynamic linker could mprotect the PLT to be writable, resolve all
the references (as with LD_BIND_NOW=1), and then mprotect the PLT to
be non-writable again.  That would all happen before the program
actually starts, so it would be safe.

(The objections raised by Sri and Chandler are still valid, of course.)

Ian
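
The sequence Ian sketches (mprotect the PLT writable, resolve every entry as LD_BIND_NOW=1 would, mprotect it back before the program runs), as an added example in C. This is not code from the thread, from gold, from ld.so or from glibc; it is a model built for this page. It assumes 16-byte PLT slots, the x86-64 CALL rel32 encoding (E8 plus a 4-byte displacement, padded with INT3), a caller-supplied address for where the PLT would be mapped so the numbers are deterministic, and a 64-bit host. The page is never mapped executable, so the bytes are written and read back but never run, and the example works on any architecture. It also refuses a target more than 2 GiB from the call site, which is the 4 GiB application-plus-DSO limit raised earlier in the thread.

```c
/* Added example, not code from the binutils thread, gold, ld.so or glibc: a
 * model of the load-time PLT rewrite Ian describes. The PLT page starts
 * non-writable; the "loader" mprotects it RW, eagerly resolves every slot into
 * a direct x86-64 CALL rel32 (as LD_BIND_NOW=1 would), then mprotects it back.
 * Assumptions: 16-byte slots, 64-bit host, caller-supplied PLT address, and a
 * page that is never mapped executable, so nothing here runs the new bytes. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PLT_SLOT_SIZE 16   /* one x86-64 PLT entry */
#define CALL_LEN 5         /* E8 + 4-byte displacement */
static size_t page_len(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Map a zero-filled PLT page (unbound slots decode as "not a call") and seal it
 * read-only, which is how the loader sees the page before binding. */
static uint8_t *plt_map(void) {
    uint8_t *p = mmap(NULL, page_len(), PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    if (mprotect(p, page_len(), PROT_READ) != 0) { munmap(p, page_len()); return NULL; }
    return p;
}

/* Write a direct CALL rel32 into slot i. Fails with ERANGE when the target is
 * more than 2 GiB from the call site: the 4 GiB size limit raised upthread. */
static int plt_encode_call(uint8_t *plt, uintptr_t plt_vaddr, size_t i, uintptr_t target) {
    uintptr_t next_ip = plt_vaddr + i * PLT_SLOT_SIZE + CALL_LEN;
    int64_t disp = (int64_t)target - (int64_t)next_ip;
    if (disp > INT32_MAX || disp < INT32_MIN) { errno = ERANGE; return -1; }
    uint8_t *slot = plt + i * PLT_SLOT_SIZE;
    slot[0] = 0xE8;
    for (int k = 0; k < 4; k++)                        /* little-endian rel32 */
        slot[1 + k] = (uint8_t)((uint32_t)(int32_t)disp >> (8 * k));
    memset(slot + CALL_LEN, 0xCC, PLT_SLOT_SIZE - CALL_LEN);   /* INT3 padding */
    return 0;
}

/* Target a bound slot calls, or 0 if the slot does not hold a CALL. */
static uintptr_t plt_decode_target(const uint8_t *plt, uintptr_t plt_vaddr, size_t i) {
    const uint8_t *slot = plt + i * PLT_SLOT_SIZE;
    if (slot[0] != 0xE8) return 0;
    uint32_t u = 0;
    for (int k = 0; k < 4; k++) u |= (uint32_t)slot[1 + k] << (8 * k);
    return plt_vaddr + i * PLT_SLOT_SIZE + CALL_LEN + (uintptr_t)(int64_t)(int32_t)u;
}

/* The loader's eager bind: open the page, resolve every slot, seal it again.
 * Returns the number of slots bound or -errno; the page is re-sealed either way. */
static long plt_bind_all(uint8_t *plt, uintptr_t plt_vaddr, const uintptr_t *targets, size_t n) {
    if (mprotect(plt, page_len(), PROT_READ | PROT_WRITE) != 0) return -errno;
    long bound = 0;
    for (size_t i = 0; i < n; i++) {
        if (plt_encode_call(plt, plt_vaddr, i, targets[i]) != 0) { bound = -errno; break; }
        bound++;
    }
    if (mprotect(plt, page_len(), PROT_READ) != 0) return -errno;
    return bound;
}

static sigjmp_buf probe_env;
static void probe_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }
/* 1 if a byte store to p succeeds, 0 if it faults (SIGSEGV, or SIGBUS on some OSes). */
static int page_is_writable(volatile uint8_t *p) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa); sa.sa_handler = probe_fault; sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv); sigaction(SIGBUS, &sa, &old_bus);
    volatile int writable = 0;
    if (sigsetjmp(probe_env, 1) == 0) { *p = *p; writable = 1; }
    sigaction(SIGSEGV, &old_segv, NULL); sigaction(SIGBUS, &old_bus, NULL);
    return writable;
}

/* Encode then decode one slot in a scratch buffer; 0 means the target was out of range. */
static uintptr_t encode_roundtrip(uintptr_t plt_vaddr, size_t i, uintptr_t target) {
    uint8_t scratch[4 * PLT_SLOT_SIZE] = { 0 };
    if (i >= 4 || plt_encode_call(scratch, plt_vaddr, i, target) != 0) return 0;
    return plt_decode_target(scratch, plt_vaddr, i);
}

/* The whole sequence on a real page; returns 0 on success or the failed check's number. */
static int selftest(void) {
    const uintptr_t plt_vaddr = 0x401000;                    /* assumed PLT load address */
    const uintptr_t in_range[2] = { 0x401800, 0x402000 };    /* reachable targets */
    const uintptr_t too_far[1] = { 0x100401000ULL };         /* 4 GiB away: unreachable */
    uint8_t *plt = plt_map();
    if (!plt) return 1;
    int rc = 0;
    if (page_is_writable(plt)) rc = 2;                                  /* sealed before bind */
    else if (plt_bind_all(plt, plt_vaddr, in_range, 2) != 2) rc = 3;
    else if (plt_decode_target(plt, plt_vaddr, 0) != in_range[0] ||
             plt_decode_target(plt, plt_vaddr, 1) != in_range[1]) rc = 4;
    else if (page_is_writable(plt)) rc = 5;                             /* sealed after bind */
    else if (plt_bind_all(plt, plt_vaddr, too_far, 1) != -ERANGE) rc = 6;
    else if (page_is_writable(plt)) rc = 7;                             /* sealed after failure too */
    munmap(plt, page_len());
    return rc;
}
```

Because every slot is rewritten before the page is sealed there is no lazy binding at all, which is the other constraint noted earlier in the thread, and a real loader doing this to a mapped text page runs into SELinux policies that deny making executable mappings writable (the execmod denial that text relocations already trigger). The writability probe is only there to show that the window in which the PLT is writable is closed again before control reaches the program.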
