Re: [PATCH] [PR libc/18801] PIE binary with STT_GNU_IFUNC symbol and TEXTREL segfaults on x86_64

[Mike Frysinger <vapier at gentoo dot org>]

On 11 Aug 2015 17:02, H.J. Lu wrote:
> On Tue, Aug 11, 2015 at 3:57 PM, Sriraman Tallam <tmsriram@google.com> wrote:
> > On Tue, Aug 11, 2015 at 3:54 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
> >> On Tue, Aug 11, 2015 at 3:37 PM, Paul Pluzhnikov <ppluzhnikov@google.com> wrote:
> >>> On Tue, Aug 11, 2015 at 3:31 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
> >>>
> >>>> No.  I am proposing that linker issues an error if there is TEXTREL
> >>>> with IFUNC unless "-z now'" is used, assuming that this doesn't
> >>>> require changes to ld.so nor SELinux.
> >>>
> >>> Ah, ok. But that *doesn't* help current crash at all: "-z now" will
> >>> force IFUNC resolver (if any) to be called, and that call will fail
> >>> since we are currently removing execute protections.
> >>> (This is in fact the situation we've discovered the crash in originally.)
> >>
> >> Can you try adding  -Wl,-z,execstack?
> >
> > Yes, making the stack executable will solve the problem.  My test case
> > needed ".note.GNU-stack" specifically for this.
> 
> Given SELinux issue, I don't think we should change ld.so.  Instead,
> we can change ld to issue an error for TEXTREL with IFUNC and
> suggest -fPIE and  -Wl,-z,execstack as workaround.

i don't see why we should make any change.  it isn't ld's problem that the
restrictive runtime prevents things.  ld already issues a warning when you
have textrels in shared segments, so let's leave it at that.

ftr, the issue you describe is not specific to selinux as other security
systems have been doing this for a long time.  e.g. grsec/PaX.
-mike

Attachment: signature.asc
Description: Digital signature