diff mbox series

[v6,27/29] x86/boot/compressed: Remove, discard, or assert for unwanted sections

Message ID 20200821194310.3089815-28-keescook@chromium.org (mailing list archive)
State New, archived
Headers show
Series Warn on orphan section placement | expand

Commit Message

Kees Cook Aug. 21, 2020, 7:43 p.m. UTC 
In preparation for warning on orphan sections, stop the linker from
generating the .eh_frame* sections, discard unwanted non-zero-sized
generated sections, and enforce other expected-to-be-zero-sized sections
(since discarding them might hide problems with them suddenly gaining
unexpected entries).

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 arch/x86/boot/compressed/Makefile      |  1 +
 arch/x86/boot/compressed/vmlinux.lds.S | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

Comments

Arvind Sankar Aug. 21, 2020, 8:01 p.m. UTC | #1 
On Fri, Aug 21, 2020 at 12:43:08PM -0700, Kees Cook wrote:
> In preparation for warning on orphan sections, stop the linker from
> generating the .eh_frame* sections, discard unwanted non-zero-sized
> generated sections, and enforce other expected-to-be-zero-sized sections
> (since discarding them might hide problems with them suddenly gaining
> unexpected entries).
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>
>  	.rel.dyn : {
> -		*(.rel.*)
> +		*(.rel.*) *(.rel_*)
>  	}
>  	ASSERT(SIZEOF(.rel.dyn) == 0, "Unexpected run-time relocations (.rel) detected!")
>  
>  	.rela.dyn : {
> -		*(.rela.*)
> +		*(.rela.*) *(.rela_*)
>  	}
>  	ASSERT(SIZEOF(.rela.dyn) == 0, "Unexpected run-time relocations (.rela) detected!")
>  }
> -- 
> 2.25.1
> 

When do you get .rela_?
Kees Cook Aug. 21, 2020, 9:21 p.m. UTC | #2 
On Fri, Aug 21, 2020 at 04:01:59PM -0400, Arvind Sankar wrote:
> On Fri, Aug 21, 2020 at 12:43:08PM -0700, Kees Cook wrote:
> > In preparation for warning on orphan sections, stop the linker from
> > generating the .eh_frame* sections, discard unwanted non-zero-sized
> > generated sections, and enforce other expected-to-be-zero-sized sections
> > (since discarding them might hide problems with them suddenly gaining
> > unexpected entries).
> > 
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> >  	.rel.dyn : {
> > -		*(.rel.*)
> > +		*(.rel.*) *(.rel_*)
> >  	}
> >  	ASSERT(SIZEOF(.rel.dyn) == 0, "Unexpected run-time relocations (.rel) detected!")
> >  
> >  	.rela.dyn : {
> > -		*(.rela.*)
> > +		*(.rela.*) *(.rela_*)
> >  	}
> >  	ASSERT(SIZEOF(.rela.dyn) == 0, "Unexpected run-time relocations (.rela) detected!")
> >  }
> > -- 
> > 2.25.1
> > 
> 
> When do you get .rela_?

i386 builds, IIRC. I can try to hunt that down if you want?
Arvind Sankar Aug. 21, 2020, 9:28 p.m. UTC | #3 
On Fri, Aug 21, 2020 at 02:21:34PM -0700, Kees Cook wrote:
> On Fri, Aug 21, 2020 at 04:01:59PM -0400, Arvind Sankar wrote:
> > On Fri, Aug 21, 2020 at 12:43:08PM -0700, Kees Cook wrote:
> > > In preparation for warning on orphan sections, stop the linker from
> > > generating the .eh_frame* sections, discard unwanted non-zero-sized
> > > generated sections, and enforce other expected-to-be-zero-sized sections
> > > (since discarding them might hide problems with them suddenly gaining
> > > unexpected entries).
> > > 
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > >  	.rel.dyn : {
> > > -		*(.rel.*)
> > > +		*(.rel.*) *(.rel_*)
> > >  	}
> > >  	ASSERT(SIZEOF(.rel.dyn) == 0, "Unexpected run-time relocations (.rel) detected!")
> > >  
> > >  	.rela.dyn : {
> > > -		*(.rela.*)
> > > +		*(.rela.*) *(.rela_*)
> > >  	}
> > >  	ASSERT(SIZEOF(.rela.dyn) == 0, "Unexpected run-time relocations (.rela) detected!")
> > >  }
> > > -- 
> > > 2.25.1
> > > 
> > 
> > When do you get .rela_?
> 
> i386 builds, IIRC. I can try to hunt that down if you want?
> 
> -- 
> Kees Cook

Nah, just curious.

Thanks.
diff mbox series

Patch

diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
index 753d57266757..5b7f6e175b03 100644
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -50,6 +50,7 @@  GCOV_PROFILE := n
 UBSAN_SANITIZE :=n
 
 KBUILD_LDFLAGS := -m elf_$(UTS_MACHINE)
+KBUILD_LDFLAGS += $(call ld-option,--no-ld-generated-unwind-info)
 # Compressed kernel should be built as PIE since it may be loaded at any
 # address by the bootloader.
 LDFLAGS_vmlinux := -pie $(call ld-option, --no-dynamic-linker)
diff --git a/arch/x86/boot/compressed/vmlinux.lds.S b/arch/x86/boot/compressed/vmlinux.lds.S
index ca544a16724b..02f6feb0e55b 100644
--- a/arch/x86/boot/compressed/vmlinux.lds.S
+++ b/arch/x86/boot/compressed/vmlinux.lds.S
@@ -72,6 +72,11 @@  SECTIONS
 	ELF_DETAILS
 
 	DISCARDS
+	/DISCARD/ : {
+		*(.dynamic) *(.dynsym) *(.dynstr) *(.dynbss)
+		*(.hash) *(.gnu.hash)
+		*(.note.*)
+	}
 
 	.got.plt (INFO) : {
 		*(.got.plt)
@@ -93,13 +98,18 @@  SECTIONS
 	}
 	ASSERT(SIZEOF(.got) == 0, "Unexpected GOT entries detected!")
 
+	.plt : {
+		*(.plt) *(.plt.*)
+	}
+	ASSERT(SIZEOF(.plt) == 0, "Unexpected run-time procedure linkages detected!")
+
 	.rel.dyn : {
-		*(.rel.*)
+		*(.rel.*) *(.rel_*)
 	}
 	ASSERT(SIZEOF(.rel.dyn) == 0, "Unexpected run-time relocations (.rel) detected!")
 
 	.rela.dyn : {
-		*(.rela.*)
+		*(.rela.*) *(.rela_*)
 	}
 	ASSERT(SIZEOF(.rela.dyn) == 0, "Unexpected run-time relocations (.rela) detected!")
 }