Gold Linker Patch: Introduce the "retpoline" x86 mitigation technique for variant #2 of the speculative execution vulnerabilities disclosed today, specifically identified by CVE-2017-5715 and in some places called "spectre".

Ian Lance Taylor via binutils binutils@sourceware.org
Sat Jan 6 00:46:00 GMT 2018


On Fri, Jan 5, 2018 at 4:03 PM, Sriraman Tallam <tmsriram@google.com> wrote:
>
> On Fri, Jan 5, 2018 at 3:52 PM, Ian Lance Taylor <iant@google.com> wrote:
>> On Fri, Jan 5, 2018 at 3:28 PM, Cary Coutant <ccoutant@gmail.com> wrote:
>>>
>>>> If we think this is a problem that needs to be fixed, we should remove the
>>>> indirect call altogether, and have the dynamic linker generate a direct call
>>>> at load time.  There are few constraints associated with that (4 GiB total
>>>> application + DSO size, some SELinux users will be unhappy, lack of lazy
>>>> binding support), but at least it can be turned on in practice.
>>>
>>> That would involve moving the PLT into writable memory, and is a much
>>> bigger change than I'd want to see for what should be a temporary
>>> mitigation strategy.
>>
>> The dynamic linker could mprotect the PLT to be writable, resolve all
>> the references (as with LD_BIND_NOW=1), and then mprotect the PLT to
>> be non-writable again.  That would all happen before the program
>> actually starts, so it would be safe.
>
> This looks very similar to how text relocations would be handled,
> except that they are restricted to the .plt section here. Wouldn't
> that mean we would suffer from the problems of TEXTREL which is not
> very desired as far as I understand? Maybe I understood this wrong.

Yes, in this scheme we would want to make sure that the PLT was on a
separate page by itself.

Ian
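As an added illustration of the scheme Ian describes (not code from binutils or from anyone in the thread): a constructed stand-in for a PLT that occupies one page of its own, is bound eagerly while writable, is relocked before any application code runs, and is then probed to confirm the relock held. The slot table holds function pointers rather than real PLT stubs, and the target names are assumptions.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for a PLT: a table of call targets on one page of its
 * own, so flipping its protection touches nothing else. Names are assumptions. */
typedef int (*target_fn)(int);
static int resolved_add_one(int x) { return x + 1; }
static int resolved_double(int x)  { return x * 2; }
enum { NSLOTS = 2 };
static target_fn *plt_page;
static size_t page_size;

/* The scheme from the thread: map the PLT read-only, make it writable only long
 * enough to bind every slot eagerly (as with LD_BIND_NOW=1), then relock it
 * before any application code runs. Returns 0 on success. */
static int plt_resolve_all(void)
{
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    plt_page = mmap(NULL, page_size, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (plt_page == MAP_FAILED) return -1;
    if (mprotect(plt_page, page_size, PROT_READ | PROT_WRITE) != 0) return -1;
    plt_page[0] = resolved_add_one;   /* the resolved symbol addresses */
    plt_page[1] = resolved_double;
    return mprotect(plt_page, page_size, PROT_READ);
}

/* Application-side call through a bound slot. */
static int plt_call(int slot, int arg)
{
    if (slot < 0 || slot >= NSLOTS) return -1;
    return plt_page[slot](arg);
}

/* Check that the relock held without risking SIGSEGV: read(2) into a read-only
 * page fails with EFAULT rather than faulting. Targets the page's last byte so
 * a still-writable page would not clobber a slot. 1 = writable, 0 = not, -1 = error. */
static int plt_is_writable(void)
{
    int fds[2];
    char c = 'x';
    if (pipe(fds) != 0) return -1;
    if (write(fds[1], &c, 1) != 1) return -1;
    ssize_t n = read(fds[0], (char *)plt_page + page_size - 1, 1);
    close(fds[0]);
    close(fds[1]);
    return n == 1;
}
```

The probe is the check a loader test would want: a TEXTREL-style scheme is only acceptable if nothing outside the isolated PLT page ever becomes writable and the page itself is read-only again by the time user code runs.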
