| Message ID | 20220414232129.1886210-7-hjl.tools@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | Support DT_RELR relative relocation format | expand |
On 14/04/2022 20:21, H.J. Lu wrote: > Enable DT_RELR in glibc shared libraries and position independent > executables (PIE) automatically if linker supports -z pack-relative-relocs. > > Also add a new configuration option, --disable-default-dt-relr, to > avoid DT_RELR usage in glibc shared libraries and PIEs. Patch looks ok but I am trying to see which would be a usercase for the --disable-default-dt-relr since loader and libc are tied together and we don't really support mixing up build with different configure options (although in practice I think most combination would work). I take that DT_RELR is always an improvement for shared libraries and PIE, specially the ones with a lot o irelative relocations. > --- > INSTALL | 6 ++++++ > Makeconfig | 19 +++++++++++++++++++ > Makerules | 2 ++ > configure | 18 ++++++++++++++++++ > configure.ac | 13 +++++++++++++ > elf/Makefile | 4 +++- > manual/install.texi | 5 +++++ > 7 files changed, 66 insertions(+), 1 deletion(-) > > diff --git a/INSTALL b/INSTALL > index 63c022d6b9..4a6506f11f 100644 > --- a/INSTALL > +++ b/INSTALL > @@ -133,6 +133,12 @@ if 'CFLAGS' is specified it must enable optimization. For example: > used with the GCC option, -static-pie, which is available with GCC > 8 or above, to create static PIE. > > +'--disable-default-dt-relr' > + Don't enable DT_RELR in glibc shared libraries and position > + independent executables (PIE). By default, DT_RELR is enabled in Two space after period. > + glibc shared libraries and position independent executables on > + targets that support it. > + > '--enable-cet' > '--enable-cet=permissive' > Enable Intel Control-flow Enforcement Technology (CET) support. > diff --git a/Makeconfig b/Makeconfig > index 0aa5fb0099..b75f28f837 100644 > --- a/Makeconfig > +++ b/Makeconfig > @@ -358,6 +358,23 @@ else > real-static-start-installed-name = $(static-start-installed-name) > endif > > +# Linker option to enable and disable DT-RELR. > +ifeq ($(have-dt-relr),yes) > +dt-relr-ldflag = -Wl,-z,pack-relative-relocs > +no-dt-relr-ldflag = -Wl,-z,nopack-relative-relocs > +else > +dt-relr-ldflag = > +no-dt-relr-ldflag = > +endif > + > +# Default linker option for DT-RELR. > +ifeq (yes,$(build-dt-relr-default)) > +default-rt-relr-ldflag = $(dt-relr-ldflag) > +else > +default-rt-relr-ldflag = $(no-dt-relr-ldflag) > +endif > +LDFLAGS-rtld += $(default-rt-relr-ldflag) > + > relro-LDFLAGS = -Wl,-z,relro > LDFLAGS.so += $(relro-LDFLAGS) > LDFLAGS-rtld += $(relro-LDFLAGS) > @@ -413,6 +430,7 @@ link-extra-libs-tests = $(libsupport) > # Command for linking PIE programs with the C library. > ifndef +link-pie > +link-pie-before-inputs = $(if $($(@F)-no-pie),$(no-pie-ldflag),-pie) \ > + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ > -Wl,-O1 -nostdlib -nostartfiles \ > $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ > $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \ > @@ -445,6 +463,7 @@ endif > ifndef +link-static > +link-static-before-inputs = -nostdlib -nostartfiles -static \ > $(if $($(@F)-no-pie),$(no-pie-ldflag),$(static-pie-ldflag)) \ > + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ > $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ > $(firstword $(CRT-$(@F)) $(csu-objpfx)$(real-static-start-installed-name)) \ > $(+preinit) $(+prectorT) > diff --git a/Makerules b/Makerules > index 428464f092..7c1da551bf 100644 > --- a/Makerules > +++ b/Makerules > @@ -536,6 +536,7 @@ lib%.so: lib%_pic.a $(+preinit) $(+postinit) $(link-libc-deps) > define build-shlib-helper > $(LINK.o) -shared -static-libgcc -Wl,-O1 $(sysdep-LDFLAGS) \ > $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) $(rtld-LDFLAGS) \ > + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ > $(extra-B-$(@F:lib%.so=%).so) -B$(csu-objpfx) \ > $(extra-B-$(@F:lib%.so=%).so) $(load-map-file) \ > -Wl,-soname=lib$(libprefix)$(@F:lib%.so=%).so$($(@F)-version) \ > @@ -595,6 +596,7 @@ endef > define build-module-helper > $(LINK.o) -shared -static-libgcc $(sysdep-LDFLAGS) $(rtld-LDFLAGS) \ > $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) \ > + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ > -B$(csu-objpfx) $(load-map-file) \ > $(LDFLAGS.so) $(LDFLAGS-$(@F:%.so=%).so) \ > $(link-test-modules-rpath-link) \ > diff --git a/configure b/configure > index c0c2246597..d230c2c673 100755 > --- a/configure > +++ b/configure > @@ -767,6 +767,7 @@ enable_sanity_checks > enable_shared > enable_profile > enable_default_pie > +enable_default_dt_relr > enable_timezone_tools > enable_hardcoded_path_in_tests > enable_hidden_plt > @@ -1424,6 +1425,7 @@ Optional Features: > --enable-profile build profiled library [default=no] > --disable-default-pie Do not build glibc programs and the testsuite as PIE > [default=no] > + --disable-dt-relr Do not enable DT_RELR in glibc[default=no] > --disable-timezone-tools > do not install timezone tools [default=install] > --enable-hardcoded-path-in-tests > @@ -3440,6 +3442,13 @@ else > default_pie=yes > fi > > +# Check whether --enable-default-dt-relr was given. > +if test "${enable_default_dt_relr+set}" = set; then : > + enableval=$enable_default_dt_relr; default_dt_relr=$enableval > +else > + default_dt_relr=yes > +fi > + > # Check whether --enable-timezone-tools was given. > if test "${enable_timezone_tools+set}" = set; then : > enableval=$enable_timezone_tools; enable_timezone_tools=$enableval > @@ -7092,6 +7101,15 @@ fi > config_vars="$config_vars > enable-static-pie = $libc_cv_static_pie" > > +# Disable build-dt-relr-default if linker does not support it or if glibc > +# is configured with --disable-default-dt-relr. > +build_dt_relr_default=$default_dt_relr > +if test "x$build_dt_relr_default" != xno; then > + build_dt_relr_default=$libc_cv_dt_relr > +fi > +config_vars="$config_vars > +build-dt-relr-default = $build_dt_relr_default" > + > # Set the `multidir' variable by grabbing the variable from the compiler. > # We do it once and save the result in a generated makefile. > libc_cv_multidir=`${CC-cc} $CFLAGS $CPPFLAGS -print-multi-directory` > diff --git a/configure.ac b/configure.ac > index 66cad71431..1aa152b901 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -197,6 +197,11 @@ AC_ARG_ENABLE([default-pie], > [Do not build glibc programs and the testsuite as PIE @<:@default=no@:>@]), > [default_pie=$enableval], > [default_pie=yes]) > +AC_ARG_ENABLE([default-dt-relr], > + AS_HELP_STRING([--disable-dt-relr], > + [Do not enable DT_RELR in glibc@<:@default=no@:>@]), Missing space after 'glibc'. > + [default_dt_relr=$enableval], > + [default_dt_relr=yes]) > AC_ARG_ENABLE([timezone-tools], > AS_HELP_STRING([--disable-timezone-tools], > [do not install timezone tools @<:@default=install@:>@]), > @@ -1878,6 +1883,14 @@ if test "$libc_cv_static_pie" = "yes"; then > fi > LIBC_CONFIG_VAR([enable-static-pie], [$libc_cv_static_pie]) > > +# Disable build-dt-relr-default if linker does not support it or if glibc > +# is configured with --disable-default-dt-relr. > +build_dt_relr_default=$default_dt_relr > +if test "x$build_dt_relr_default" != xno; then > + build_dt_relr_default=$libc_cv_dt_relr > +fi > +LIBC_CONFIG_VAR([build-dt-relr-default], [$build_dt_relr_default]) > + > # Set the `multidir' variable by grabbing the variable from the compiler. > # We do it once and save the result in a generated makefile. > libc_cv_multidir=`${CC-cc} $CFLAGS $CPPFLAGS -print-multi-directory` > diff --git a/elf/Makefile b/elf/Makefile > index 07ac9ec3ef..bf8a61dc30 100644 > --- a/elf/Makefile > +++ b/elf/Makefile > @@ -1603,6 +1603,7 @@ $(objpfx)nodlopen2.out: $(objpfx)nodlopenmod2.so > > $(objpfx)filtmod1.so: $(objpfx)filtmod1.os $(objpfx)filtmod2.so > $(LINK.o) -shared -o $@ -B$(csu-objpfx) $(LDFLAGS.so) \ > + $(default-rt-relr-ldflag) \ > -L$(subst :, -L,$(rpath-link)) \ > -Wl,-rpath-link=$(rpath-link) \ > $< -Wl,-F,$(objpfx)filtmod2.so > @@ -2402,7 +2403,7 @@ $(objpfx)tst-big-note: $(objpfx)tst-big-note-lib.so > # artificial, large note in tst-big-note-lib.o and invalidate the > # test. > $(objpfx)tst-big-note-lib.so: $(objpfx)tst-big-note-lib.o > - $(LINK.o) -shared -o $@ $(LDFLAGS.so) $< > + $(LINK.o) -shared -o $@ $(LDFLAGS.so) $(default-rt-relr-ldflag) $< > > $(objpfx)tst-unwind-ctor: $(objpfx)tst-unwind-ctor-lib.so > > @@ -2711,6 +2712,7 @@ $(objpfx)tst-ro-dynamic: $(objpfx)tst-ro-dynamic-mod.so > $(objpfx)tst-ro-dynamic-mod.so: $(objpfx)tst-ro-dynamic-mod.os \ > tst-ro-dynamic-mod.map > $(LINK.o) -nostdlib -nostartfiles -shared -o $@ \ > + $(default-rt-relr-ldflag) \ > -Wl,--script=tst-ro-dynamic-mod.map \ > $(objpfx)tst-ro-dynamic-mod.os > > diff --git a/manual/install.texi b/manual/install.texi > index 29c52f2927..04ea996561 100644 > --- a/manual/install.texi > +++ b/manual/install.texi > @@ -161,6 +161,11 @@ and architecture support it, static executables are built as static PIE and the > resulting glibc can be used with the GCC option, -static-pie, which is > available with GCC 8 or above, to create static PIE. > > +@item --disable-default-dt-relr > +Don't enable DT_RELR in glibc shared libraries and position independent > +executables (PIE). By default, DT_RELR is enabled in glibc shared > +libraries and position independent executables on targets that support it. > + > @item --enable-cet > @itemx --enable-cet=permissive > Enable Intel Control-flow Enforcement Technology (CET) support. When
On Wed, Apr 20, 2022 at 10:49 AM Adhemerval Zanella <adhemerval.zanella@linaro.org> wrote: > > > > On 14/04/2022 20:21, H.J. Lu wrote: > > Enable DT_RELR in glibc shared libraries and position independent > > executables (PIE) automatically if linker supports -z pack-relative-relocs. > > > > Also add a new configuration option, --disable-default-dt-relr, to > > avoid DT_RELR usage in glibc shared libraries and PIEs. > > Patch looks ok but I am trying to see which would be a usercase for the > --disable-default-dt-relr since loader and libc are tied together and > we don't really support mixing up build with different configure > options (although in practice I think most combination would work). > > I take that DT_RELR is always an improvement for shared libraries and > PIE, specially the ones with a lot o irelative relocations. This is an option. I don't mind dropping it. > > --- > > INSTALL | 6 ++++++ > > Makeconfig | 19 +++++++++++++++++++ > > Makerules | 2 ++ > > configure | 18 ++++++++++++++++++ > > configure.ac | 13 +++++++++++++ > > elf/Makefile | 4 +++- > > manual/install.texi | 5 +++++ > > 7 files changed, 66 insertions(+), 1 deletion(-) > > > > diff --git a/INSTALL b/INSTALL > > index 63c022d6b9..4a6506f11f 100644 > > --- a/INSTALL > > +++ b/INSTALL > > @@ -133,6 +133,12 @@ if 'CFLAGS' is specified it must enable optimization. For example: > > used with the GCC option, -static-pie, which is available with GCC > > 8 or above, to create static PIE. > > > > +'--disable-default-dt-relr' > > + Don't enable DT_RELR in glibc shared libraries and position > > + independent executables (PIE). By default, DT_RELR is enabled in > > Two space after period. This is a generated file. The original change in manual/install.texi has 2 spaces. > > + glibc shared libraries and position independent executables on > > + targets that support it. > > + > > '--enable-cet' > > '--enable-cet=permissive' > > Enable Intel Control-flow Enforcement Technology (CET) support. > > diff --git a/Makeconfig b/Makeconfig > > index 0aa5fb0099..b75f28f837 100644 > > --- a/Makeconfig > > +++ b/Makeconfig > > @@ -358,6 +358,23 @@ else > > real-static-start-installed-name = $(static-start-installed-name) > > endif > > > > +# Linker option to enable and disable DT-RELR. > > +ifeq ($(have-dt-relr),yes) > > +dt-relr-ldflag = -Wl,-z,pack-relative-relocs > > +no-dt-relr-ldflag = -Wl,-z,nopack-relative-relocs > > +else > > +dt-relr-ldflag = > > +no-dt-relr-ldflag = > > +endif > > + > > +# Default linker option for DT-RELR. > > +ifeq (yes,$(build-dt-relr-default)) > > +default-rt-relr-ldflag = $(dt-relr-ldflag) > > +else > > +default-rt-relr-ldflag = $(no-dt-relr-ldflag) > > +endif > > +LDFLAGS-rtld += $(default-rt-relr-ldflag) > > + > > relro-LDFLAGS = -Wl,-z,relro > > LDFLAGS.so += $(relro-LDFLAGS) > > LDFLAGS-rtld += $(relro-LDFLAGS) > > @@ -413,6 +430,7 @@ link-extra-libs-tests = $(libsupport) > > # Command for linking PIE programs with the C library. > > ifndef +link-pie > > +link-pie-before-inputs = $(if $($(@F)-no-pie),$(no-pie-ldflag),-pie) \ > > + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ > > -Wl,-O1 -nostdlib -nostartfiles \ > > $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ > > $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \ > > @@ -445,6 +463,7 @@ endif > > ifndef +link-static > > +link-static-before-inputs = -nostdlib -nostartfiles -static \ > > $(if $($(@F)-no-pie),$(no-pie-ldflag),$(static-pie-ldflag)) \ > > + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ > > $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ > > $(firstword $(CRT-$(@F)) $(csu-objpfx)$(real-static-start-installed-name)) \ > > $(+preinit) $(+prectorT) > > diff --git a/Makerules b/Makerules > > index 428464f092..7c1da551bf 100644 > > --- a/Makerules > > +++ b/Makerules > > @@ -536,6 +536,7 @@ lib%.so: lib%_pic.a $(+preinit) $(+postinit) $(link-libc-deps) > > define build-shlib-helper > > $(LINK.o) -shared -static-libgcc -Wl,-O1 $(sysdep-LDFLAGS) \ > > $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) $(rtld-LDFLAGS) \ > > + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ > > $(extra-B-$(@F:lib%.so=%).so) -B$(csu-objpfx) \ > > $(extra-B-$(@F:lib%.so=%).so) $(load-map-file) \ > > -Wl,-soname=lib$(libprefix)$(@F:lib%.so=%).so$($(@F)-version) \ > > @@ -595,6 +596,7 @@ endef > > define build-module-helper > > $(LINK.o) -shared -static-libgcc $(sysdep-LDFLAGS) $(rtld-LDFLAGS) \ > > $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) \ > > + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ > > -B$(csu-objpfx) $(load-map-file) \ > > $(LDFLAGS.so) $(LDFLAGS-$(@F:%.so=%).so) \ > > $(link-test-modules-rpath-link) \ > > diff --git a/configure b/configure > > index c0c2246597..d230c2c673 100755 > > --- a/configure > > +++ b/configure > > @@ -767,6 +767,7 @@ enable_sanity_checks > > enable_shared > > enable_profile > > enable_default_pie > > +enable_default_dt_relr > > enable_timezone_tools > > enable_hardcoded_path_in_tests > > enable_hidden_plt > > @@ -1424,6 +1425,7 @@ Optional Features: > > --enable-profile build profiled library [default=no] > > --disable-default-pie Do not build glibc programs and the testsuite as PIE > > [default=no] > > + --disable-dt-relr Do not enable DT_RELR in glibc[default=no] > > --disable-timezone-tools > > do not install timezone tools [default=install] > > --enable-hardcoded-path-in-tests > > @@ -3440,6 +3442,13 @@ else > > default_pie=yes > > fi > > > > +# Check whether --enable-default-dt-relr was given. > > +if test "${enable_default_dt_relr+set}" = set; then : > > + enableval=$enable_default_dt_relr; default_dt_relr=$enableval > > +else > > + default_dt_relr=yes > > +fi > > + > > # Check whether --enable-timezone-tools was given. > > if test "${enable_timezone_tools+set}" = set; then : > > enableval=$enable_timezone_tools; enable_timezone_tools=$enableval > > @@ -7092,6 +7101,15 @@ fi > > config_vars="$config_vars > > enable-static-pie = $libc_cv_static_pie" > > > > +# Disable build-dt-relr-default if linker does not support it or if glibc > > +# is configured with --disable-default-dt-relr. > > +build_dt_relr_default=$default_dt_relr > > +if test "x$build_dt_relr_default" != xno; then > > + build_dt_relr_default=$libc_cv_dt_relr > > +fi > > +config_vars="$config_vars > > +build-dt-relr-default = $build_dt_relr_default" > > + > > # Set the `multidir' variable by grabbing the variable from the compiler. > > # We do it once and save the result in a generated makefile. > > libc_cv_multidir=`${CC-cc} $CFLAGS $CPPFLAGS -print-multi-directory` > > diff --git a/configure.ac b/configure.ac > > index 66cad71431..1aa152b901 100644 > > --- a/configure.ac > > +++ b/configure.ac > > @@ -197,6 +197,11 @@ AC_ARG_ENABLE([default-pie], > > [Do not build glibc programs and the testsuite as PIE @<:@default=no@:>@]), > > [default_pie=$enableval], > > [default_pie=yes]) > > +AC_ARG_ENABLE([default-dt-relr], > > + AS_HELP_STRING([--disable-dt-relr], > > + [Do not enable DT_RELR in glibc@<:@default=no@:>@]), > > Missing space after 'glibc'. Fixed in v11. > > > + [default_dt_relr=$enableval], > > + [default_dt_relr=yes]) > > AC_ARG_ENABLE([timezone-tools], > > AS_HELP_STRING([--disable-timezone-tools], > > [do not install timezone tools @<:@default=install@:>@]), > > @@ -1878,6 +1883,14 @@ if test "$libc_cv_static_pie" = "yes"; then > > fi > > LIBC_CONFIG_VAR([enable-static-pie], [$libc_cv_static_pie]) > > > > +# Disable build-dt-relr-default if linker does not support it or if glibc > > +# is configured with --disable-default-dt-relr. > > +build_dt_relr_default=$default_dt_relr > > +if test "x$build_dt_relr_default" != xno; then > > + build_dt_relr_default=$libc_cv_dt_relr > > +fi > > +LIBC_CONFIG_VAR([build-dt-relr-default], [$build_dt_relr_default]) > > + > > # Set the `multidir' variable by grabbing the variable from the compiler. > > # We do it once and save the result in a generated makefile. > > libc_cv_multidir=`${CC-cc} $CFLAGS $CPPFLAGS -print-multi-directory` > > diff --git a/elf/Makefile b/elf/Makefile > > index 07ac9ec3ef..bf8a61dc30 100644 > > --- a/elf/Makefile > > +++ b/elf/Makefile > > @@ -1603,6 +1603,7 @@ $(objpfx)nodlopen2.out: $(objpfx)nodlopenmod2.so > > > > $(objpfx)filtmod1.so: $(objpfx)filtmod1.os $(objpfx)filtmod2.so > > $(LINK.o) -shared -o $@ -B$(csu-objpfx) $(LDFLAGS.so) \ > > + $(default-rt-relr-ldflag) \ > > -L$(subst :, -L,$(rpath-link)) \ > > -Wl,-rpath-link=$(rpath-link) \ > > $< -Wl,-F,$(objpfx)filtmod2.so > > @@ -2402,7 +2403,7 @@ $(objpfx)tst-big-note: $(objpfx)tst-big-note-lib.so > > # artificial, large note in tst-big-note-lib.o and invalidate the > > # test. > > $(objpfx)tst-big-note-lib.so: $(objpfx)tst-big-note-lib.o > > - $(LINK.o) -shared -o $@ $(LDFLAGS.so) $< > > + $(LINK.o) -shared -o $@ $(LDFLAGS.so) $(default-rt-relr-ldflag) $< > > > > $(objpfx)tst-unwind-ctor: $(objpfx)tst-unwind-ctor-lib.so > > > > @@ -2711,6 +2712,7 @@ $(objpfx)tst-ro-dynamic: $(objpfx)tst-ro-dynamic-mod.so > > $(objpfx)tst-ro-dynamic-mod.so: $(objpfx)tst-ro-dynamic-mod.os \ > > tst-ro-dynamic-mod.map > > $(LINK.o) -nostdlib -nostartfiles -shared -o $@ \ > > + $(default-rt-relr-ldflag) \ > > -Wl,--script=tst-ro-dynamic-mod.map \ > > $(objpfx)tst-ro-dynamic-mod.os > > > > diff --git a/manual/install.texi b/manual/install.texi > > index 29c52f2927..04ea996561 100644 > > --- a/manual/install.texi > > +++ b/manual/install.texi > > @@ -161,6 +161,11 @@ and architecture support it, static executables are built as static PIE and the > > resulting glibc can be used with the GCC option, -static-pie, which is > > available with GCC 8 or above, to create static PIE. > > > > +@item --disable-default-dt-relr > > +Don't enable DT_RELR in glibc shared libraries and position independent > > +executables (PIE). By default, DT_RELR is enabled in glibc shared There are 2 spaces here. > > +libraries and position independent executables on targets that support it. > > + > > @item --enable-cet > > @itemx --enable-cet=permissive > > Enable Intel Control-flow Enforcement Technology (CET) support. When Thanks.
diff --git a/INSTALL b/INSTALL index 63c022d6b9..4a6506f11f 100644 --- a/INSTALL +++ b/INSTALL @@ -133,6 +133,12 @@ if 'CFLAGS' is specified it must enable optimization. For example: used with the GCC option, -static-pie, which is available with GCC 8 or above, to create static PIE. +'--disable-default-dt-relr' + Don't enable DT_RELR in glibc shared libraries and position + independent executables (PIE). By default, DT_RELR is enabled in + glibc shared libraries and position independent executables on + targets that support it. + '--enable-cet' '--enable-cet=permissive' Enable Intel Control-flow Enforcement Technology (CET) support. diff --git a/Makeconfig b/Makeconfig index 0aa5fb0099..b75f28f837 100644 --- a/Makeconfig +++ b/Makeconfig @@ -358,6 +358,23 @@ else real-static-start-installed-name = $(static-start-installed-name) endif +# Linker option to enable and disable DT-RELR. +ifeq ($(have-dt-relr),yes) +dt-relr-ldflag = -Wl,-z,pack-relative-relocs +no-dt-relr-ldflag = -Wl,-z,nopack-relative-relocs +else +dt-relr-ldflag = +no-dt-relr-ldflag = +endif + +# Default linker option for DT-RELR. +ifeq (yes,$(build-dt-relr-default)) +default-rt-relr-ldflag = $(dt-relr-ldflag) +else +default-rt-relr-ldflag = $(no-dt-relr-ldflag) +endif +LDFLAGS-rtld += $(default-rt-relr-ldflag) + relro-LDFLAGS = -Wl,-z,relro LDFLAGS.so += $(relro-LDFLAGS) LDFLAGS-rtld += $(relro-LDFLAGS) @@ -413,6 +430,7 @@ link-extra-libs-tests = $(libsupport) # Command for linking PIE programs with the C library. ifndef +link-pie +link-pie-before-inputs = $(if $($(@F)-no-pie),$(no-pie-ldflag),-pie) \ + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ -Wl,-O1 -nostdlib -nostartfiles \ $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \ @@ -445,6 +463,7 @@ endif ifndef +link-static +link-static-before-inputs = -nostdlib -nostartfiles -static \ $(if $($(@F)-no-pie),$(no-pie-ldflag),$(static-pie-ldflag)) \ + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ $(firstword $(CRT-$(@F)) $(csu-objpfx)$(real-static-start-installed-name)) \ $(+preinit) $(+prectorT) diff --git a/Makerules b/Makerules index 428464f092..7c1da551bf 100644 --- a/Makerules +++ b/Makerules @@ -536,6 +536,7 @@ lib%.so: lib%_pic.a $(+preinit) $(+postinit) $(link-libc-deps) define build-shlib-helper $(LINK.o) -shared -static-libgcc -Wl,-O1 $(sysdep-LDFLAGS) \ $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) $(rtld-LDFLAGS) \ + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ $(extra-B-$(@F:lib%.so=%).so) -B$(csu-objpfx) \ $(extra-B-$(@F:lib%.so=%).so) $(load-map-file) \ -Wl,-soname=lib$(libprefix)$(@F:lib%.so=%).so$($(@F)-version) \ @@ -595,6 +596,7 @@ endef define build-module-helper $(LINK.o) -shared -static-libgcc $(sysdep-LDFLAGS) $(rtld-LDFLAGS) \ $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) \ + $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(default-rt-relr-ldflag)) \ -B$(csu-objpfx) $(load-map-file) \ $(LDFLAGS.so) $(LDFLAGS-$(@F:%.so=%).so) \ $(link-test-modules-rpath-link) \ diff --git a/configure b/configure index c0c2246597..d230c2c673 100755 --- a/configure +++ b/configure @@ -767,6 +767,7 @@ enable_sanity_checks enable_shared enable_profile enable_default_pie +enable_default_dt_relr enable_timezone_tools enable_hardcoded_path_in_tests enable_hidden_plt @@ -1424,6 +1425,7 @@ Optional Features: --enable-profile build profiled library [default=no] --disable-default-pie Do not build glibc programs and the testsuite as PIE [default=no] + --disable-dt-relr Do not enable DT_RELR in glibc[default=no] --disable-timezone-tools do not install timezone tools [default=install] --enable-hardcoded-path-in-tests @@ -3440,6 +3442,13 @@ else default_pie=yes fi +# Check whether --enable-default-dt-relr was given. +if test "${enable_default_dt_relr+set}" = set; then : + enableval=$enable_default_dt_relr; default_dt_relr=$enableval +else + default_dt_relr=yes +fi + # Check whether --enable-timezone-tools was given. if test "${enable_timezone_tools+set}" = set; then : enableval=$enable_timezone_tools; enable_timezone_tools=$enableval @@ -7092,6 +7101,15 @@ fi config_vars="$config_vars enable-static-pie = $libc_cv_static_pie" +# Disable build-dt-relr-default if linker does not support it or if glibc +# is configured with --disable-default-dt-relr. +build_dt_relr_default=$default_dt_relr +if test "x$build_dt_relr_default" != xno; then + build_dt_relr_default=$libc_cv_dt_relr +fi +config_vars="$config_vars +build-dt-relr-default = $build_dt_relr_default" + # Set the `multidir' variable by grabbing the variable from the compiler. # We do it once and save the result in a generated makefile. libc_cv_multidir=`${CC-cc} $CFLAGS $CPPFLAGS -print-multi-directory` diff --git a/configure.ac b/configure.ac index 66cad71431..1aa152b901 100644 --- a/configure.ac +++ b/configure.ac @@ -197,6 +197,11 @@ AC_ARG_ENABLE([default-pie], [Do not build glibc programs and the testsuite as PIE @<:@default=no@:>@]), [default_pie=$enableval], [default_pie=yes]) +AC_ARG_ENABLE([default-dt-relr], + AS_HELP_STRING([--disable-dt-relr], + [Do not enable DT_RELR in glibc@<:@default=no@:>@]), + [default_dt_relr=$enableval], + [default_dt_relr=yes]) AC_ARG_ENABLE([timezone-tools], AS_HELP_STRING([--disable-timezone-tools], [do not install timezone tools @<:@default=install@:>@]), @@ -1878,6 +1883,14 @@ if test "$libc_cv_static_pie" = "yes"; then fi LIBC_CONFIG_VAR([enable-static-pie], [$libc_cv_static_pie]) +# Disable build-dt-relr-default if linker does not support it or if glibc +# is configured with --disable-default-dt-relr. +build_dt_relr_default=$default_dt_relr +if test "x$build_dt_relr_default" != xno; then + build_dt_relr_default=$libc_cv_dt_relr +fi +LIBC_CONFIG_VAR([build-dt-relr-default], [$build_dt_relr_default]) + # Set the `multidir' variable by grabbing the variable from the compiler. # We do it once and save the result in a generated makefile. libc_cv_multidir=`${CC-cc} $CFLAGS $CPPFLAGS -print-multi-directory` diff --git a/elf/Makefile b/elf/Makefile index 07ac9ec3ef..bf8a61dc30 100644 --- a/elf/Makefile +++ b/elf/Makefile @@ -1603,6 +1603,7 @@ $(objpfx)nodlopen2.out: $(objpfx)nodlopenmod2.so $(objpfx)filtmod1.so: $(objpfx)filtmod1.os $(objpfx)filtmod2.so $(LINK.o) -shared -o $@ -B$(csu-objpfx) $(LDFLAGS.so) \ + $(default-rt-relr-ldflag) \ -L$(subst :, -L,$(rpath-link)) \ -Wl,-rpath-link=$(rpath-link) \ $< -Wl,-F,$(objpfx)filtmod2.so @@ -2402,7 +2403,7 @@ $(objpfx)tst-big-note: $(objpfx)tst-big-note-lib.so # artificial, large note in tst-big-note-lib.o and invalidate the # test. $(objpfx)tst-big-note-lib.so: $(objpfx)tst-big-note-lib.o - $(LINK.o) -shared -o $@ $(LDFLAGS.so) $< + $(LINK.o) -shared -o $@ $(LDFLAGS.so) $(default-rt-relr-ldflag) $< $(objpfx)tst-unwind-ctor: $(objpfx)tst-unwind-ctor-lib.so @@ -2711,6 +2712,7 @@ $(objpfx)tst-ro-dynamic: $(objpfx)tst-ro-dynamic-mod.so $(objpfx)tst-ro-dynamic-mod.so: $(objpfx)tst-ro-dynamic-mod.os \ tst-ro-dynamic-mod.map $(LINK.o) -nostdlib -nostartfiles -shared -o $@ \ + $(default-rt-relr-ldflag) \ -Wl,--script=tst-ro-dynamic-mod.map \ $(objpfx)tst-ro-dynamic-mod.os diff --git a/manual/install.texi b/manual/install.texi index 29c52f2927..04ea996561 100644 --- a/manual/install.texi +++ b/manual/install.texi @@ -161,6 +161,11 @@ and architecture support it, static executables are built as static PIE and the resulting glibc can be used with the GCC option, -static-pie, which is available with GCC 8 or above, to create static PIE. +@item --disable-default-dt-relr +Don't enable DT_RELR in glibc shared libraries and position independent +executables (PIE). By default, DT_RELR is enabled in glibc shared +libraries and position independent executables on targets that support it. + @item --enable-cet @itemx --enable-cet=permissive Enable Intel Control-flow Enforcement Technology (CET) support. When