[libmpx,i386,PR,driver/65444] Pass '-z bndplt' when building dynamic objects with MPX

On 05 Apr 19:44, Sandra Loosemore wrote:
> On 04/03/2015 01:34 PM, Joseph Myers wrote:
> >On Tue, 31 Mar 2015, Ilya Enkovich wrote:
> >
> >>+library.  It also passes '-z bndplt' to a linker in case it supports this
> >>+option (which is checked on libmpx configuration).  Note that old versions
> >>+of linker may ignore option.  Gold linker doesn't support '-z bndplt'
> >>+option.  With no '-z bndplt' support in linker all calls to dynamic libraries
> >>+lose passed bounds reducing overall protection level.  It's highly
> >>+recommended to use linker with '-z bndplt' support.  In case such linker
> >>+is not available it is adviced to always use @option{-static-libmpxwrappers}
> >>+for better protection level or use @option{-static} to completely avoid
> >>+external calls to dynamic libraries.  MPX-based instrumentation
> >
> >Use @samp{-z bndplt} rather than '' quoting (but Sandra may have further
> >advice on the substance of this documentation).
> 
> To tell the truth, I can't figure out what this means from a user
> perspective.  How does a user know whether the linker option is
> being ignored, or if they have a new enough linker?  If the linker
> available at configuration time doesn't support the option, does
> that mean the option will never be passed and users will never know
> that there are gaping holes in the pointer bounds checking?
> 
> My suggestion would be to pass the option unconditionally and make
> the documentation say something like

This option was rejected.

> 
> It also passes @option{-z bndplt} to the linker.  LD version xxx or
> later is required to use this feature.  If no linker support for
> @option{-z bndplt} is available, you should link with
> @option{-static-libmpxwrappers} or @option{-static} instead;
> otherwise calls to dynamic libraries lose bounds checking
> protection.
> 
> ... where you need to fill in "version xxx" appropriately.
> 
> -Sandra
> 

Thank you for comments.  Here is a doc update I'm going to install if nobody objects.

Ilya
--
2015-04-06  Ilya Enkovich  <ilya.enkovich@intel.com>

	* doc/invoke.texi (-fcheck-pointer-bounds): Fix
	formatting.

On 04/06/2015 09:17 AM, Ilya Enkovich wrote:
>>
>> To tell the truth, I can't figure out what this means from a user
>> perspective.  How does a user know whether the linker option is
>> being ignored, or if they have a new enough linker?  If the linker
>> available at configuration time doesn't support the option, does
>> that mean the option will never be passed and users will never know
>> that there are gaping holes in the pointer bounds checking?
>>
>> My suggestion would be to pass the option unconditionally and make
>> the documentation say something like
>
> This option was rejected.
Right.  There really isn't a good option here because we don't have the 
infrastructure to query the linker's capabilities at link time.

Though I do wonder if we could issue a warning in the case where the 
configure test indicated -z bndplt was not supported.

It'd obviously mean a link warning every time an end user tried to use 
that toolchain to create a DSO or executable with MPX protection.  But 
that may be better than silently leaving some code unprotected.


Jeff

2015-04-06 18:28 GMT+03:00 Jeff Law <law@redhat.com>:
> On 04/06/2015 09:17 AM, Ilya Enkovich wrote:
>>>
>>>
>>> To tell the truth, I can't figure out what this means from a user
>>> perspective.  How does a user know whether the linker option is
>>> being ignored, or if they have a new enough linker?  If the linker
>>> available at configuration time doesn't support the option, does
>>> that mean the option will never be passed and users will never know
>>> that there are gaping holes in the pointer bounds checking?
>>>
>>> My suggestion would be to pass the option unconditionally and make
>>> the documentation say something like
>>
>>
>> This option was rejected.
>
> Right.  There really isn't a good option here because we don't have the
> infrastructure to query the linker's capabilities at link time.
>
> Though I do wonder if we could issue a warning in the case where the
> configure test indicated -z bndplt was not supported.

I thought about such possibility. Just don't see a good place for
that. Probably introduce some WARNING_SPEC which targets may define to
issue a driver warning?

Ilya

>
> It'd obviously mean a link warning every time an end user tried to use that
> toolchain to create a DSO or executable with MPX protection.  But that may
> be better than silently leaving some code unprotected.
>
>
> Jeff
>

On 04/06/2015 09:17 AM, Ilya Enkovich wrote:
> On 05 Apr 19:44, Sandra Loosemore wrote:
>> On 04/03/2015 01:34 PM, Joseph Myers wrote:
>>> On Tue, 31 Mar 2015, Ilya Enkovich wrote:
>>>
>>>> +library.  It also passes '-z bndplt' to a linker in case it supports this
>>>> +option (which is checked on libmpx configuration).  Note that old versions
>>>> +of linker may ignore option.  Gold linker doesn't support '-z bndplt'
>>>> +option.  With no '-z bndplt' support in linker all calls to dynamic libraries
>>>> +lose passed bounds reducing overall protection level.  It's highly
>>>> +recommended to use linker with '-z bndplt' support.  In case such linker
>>>> +is not available it is adviced to always use @option{-static-libmpxwrappers}
>>>> +for better protection level or use @option{-static} to completely avoid
>>>> +external calls to dynamic libraries.  MPX-based instrumentation
>>>
>>> Use @samp{-z bndplt} rather than '' quoting (but Sandra may have further
>>> advice on the substance of this documentation).
>>
>> To tell the truth, I can't figure out what this means from a user
>> perspective.  How does a user know whether the linker option is
>> being ignored, or if they have a new enough linker?  If the linker
>> available at configuration time doesn't support the option, does
>> that mean the option will never be passed and users will never know
>> that there are gaping holes in the pointer bounds checking?
>>
>> My suggestion would be to pass the option unconditionally and make
>> the documentation say something like
>
> This option was rejected.

Hrmmmm, how about then just *never* passing the magic option to the 
linker, and telling users they either have to pass it manually (and use 
a linker that supports it), use static linking, or do without bounds 
checking on dynamic libraries?

Remember that most GCC users do not configure GCC themselves...  they 
use whatever came with their distro or from their toolchain vendor, or 
was installed by their sysadmin.  So most GCC users have no way to know 
what linker their GCC binary was configured with and it's just confusing 
that this important linker option might or might not be included based 
on factors they don't know about or can't control.

> +++ b/gcc/doc/invoke.texi
> @@ -5858,12 +5858,12 @@ a runtime library to enable MPX in hardware and handle bounds
>   violation signals.  By default when @option{-fcheck-pointer-bounds}
>   and @option{-mmpx} options are used to link a program, the GCC driver
>   links against the @file{libmpx} runtime library and @file{libmpxwrappers}
> -library.  It also passes '-z bndplt' to a linker in case it supports this
> -option (which is checked on libmpx configuration).  Note that old versions
> -of linker may ignore option.  Gold linker doesn't support '-z bndplt'
> -option.  With no '-z bndplt' support in linker all calls to dynamic libraries
> -lose passed bounds reducing overall protection level.  It's highly
> -recommended to use linker with '-z bndplt' support.  In case such linker
> +library.  It also passes @option{-z bndplt} to a linker in case it supports
> +this option (which is checked on libmpx configuration).  LD supports it starting
> +from version 2.25.  Gold linker doesn't support @option{-z bndplt}
> +option.  With no @option{-z bndplt} support in a linker all calls to dynamic
> +libraries lose passed bounds reducing overall protection level.  It's highly
> +recommended to use linker with @option{-z bndplt} support.  In case such linker
>   is not available it is adviced to always use @option{-static-libmpxwrappers}
>   for better protection level or use @option{-static} to completely avoid
>   external calls to dynamic libraries.  MPX-based instrumentation

Besides being confusing, there are typos ("adviced") and grammatical 
errors here.

If we really cannot make the linker option either always used or always 
omitted, how about something like this?

If GCC was configured with a linker that supports @option{-z bndplt}, 
then this option is also passed when linking.  It is supported in LD 
starting with version 2.25, but not in the Gold linker.  You should pass 
@option{-z bndplt} on your link line explicitly if you are not certain 
how your GCC was configured.
Without this option and appropriate linker support, all calls to dynamic 
libraries lose bounds checking information.  If no linker support for 
@option{-z bndplt} is available, you should link with @option{-static} 
instead to avoid external calls to dynamic libraries.

...then add a paragraph break before "MPX-based instrumentation...."

-Sandra

On 04/06/2015 11:14 AM, Sandra Loosemore wrote:
> On 04/06/2015 09:17 AM, Ilya Enkovich wrote:
>> On 05 Apr 19:44, Sandra Loosemore wrote:
>>> On 04/03/2015 01:34 PM, Joseph Myers wrote:
>>>> On Tue, 31 Mar 2015, Ilya Enkovich wrote:
>>>>
>>>>> +library.  It also passes '-z bndplt' to a linker in case it
>>>>> supports this
>>>>> +option (which is checked on libmpx configuration).  Note that old
>>>>> versions
>>>>> +of linker may ignore option.  Gold linker doesn't support '-z bndplt'
>>>>> +option.  With no '-z bndplt' support in linker all calls to
>>>>> dynamic libraries
>>>>> +lose passed bounds reducing overall protection level.  It's highly
>>>>> +recommended to use linker with '-z bndplt' support.  In case such
>>>>> linker
>>>>> +is not available it is adviced to always use
>>>>> @option{-static-libmpxwrappers}
>>>>> +for better protection level or use @option{-static} to completely
>>>>> avoid
>>>>> +external calls to dynamic libraries.  MPX-based instrumentation
>>>>
>>>> Use @samp{-z bndplt} rather than '' quoting (but Sandra may have
>>>> further
>>>> advice on the substance of this documentation).
>>>
>>> To tell the truth, I can't figure out what this means from a user
>>> perspective.  How does a user know whether the linker option is
>>> being ignored, or if they have a new enough linker?  If the linker
>>> available at configuration time doesn't support the option, does
>>> that mean the option will never be passed and users will never know
>>> that there are gaping holes in the pointer bounds checking?
>>>
>>> My suggestion would be to pass the option unconditionally and make
>>> the documentation say something like
>>
>> This option was rejected.
>
> Hrmmmm, how about then just *never* passing the magic option to the
> linker, and telling users they either have to pass it manually (and use
> a linker that supports it), use static linking, or do without bounds
> checking on dynamic libraries?
>
> Remember that most GCC users do not configure GCC themselves...  they
> use whatever came with their distro or from their toolchain vendor, or
> was installed by their sysadmin.  So most GCC users have no way to know
> what linker their GCC binary was configured with and it's just confusing
> that this important linker option might or might not be included based
> on factors they don't know about or can't control.
But the same arguments apply to forcing the user to manually pass the 
argument, select static linking, etc.

If I think about the most common case usage, it's going to be a 
compiler/binutils pair built by a distribution such as Fedora, Ubuntu, 
etc and the configure time test will do the right thing.  It's only 
cases where folks are updating components separately, or building 
themselves that the configure time test falls down.


Jeff

On Tue, Apr 7, 2015 at 12:01 PM, Jeff Law <law@redhat.com> wrote:
> On 04/06/2015 11:14 AM, Sandra Loosemore wrote:
>>
>> On 04/06/2015 09:17 AM, Ilya Enkovich wrote:
>>>
>>> On 05 Apr 19:44, Sandra Loosemore wrote:
>>>>
>>>> On 04/03/2015 01:34 PM, Joseph Myers wrote:
>>>>>
>>>>> On Tue, 31 Mar 2015, Ilya Enkovich wrote:
>>>>>
>>>>>> +library.  It also passes '-z bndplt' to a linker in case it
>>>>>> supports this
>>>>>> +option (which is checked on libmpx configuration).  Note that old
>>>>>> versions
>>>>>> +of linker may ignore option.  Gold linker doesn't support '-z bndplt'
>>>>>> +option.  With no '-z bndplt' support in linker all calls to
>>>>>> dynamic libraries
>>>>>> +lose passed bounds reducing overall protection level.  It's highly
>>>>>> +recommended to use linker with '-z bndplt' support.  In case such
>>>>>> linker
>>>>>> +is not available it is adviced to always use
>>>>>> @option{-static-libmpxwrappers}
>>>>>> +for better protection level or use @option{-static} to completely
>>>>>> avoid
>>>>>> +external calls to dynamic libraries.  MPX-based instrumentation
>>>>>
>>>>>
>>>>> Use @samp{-z bndplt} rather than '' quoting (but Sandra may have
>>>>> further
>>>>> advice on the substance of this documentation).
>>>>
>>>>
>>>> To tell the truth, I can't figure out what this means from a user
>>>> perspective.  How does a user know whether the linker option is
>>>> being ignored, or if they have a new enough linker?  If the linker
>>>> available at configuration time doesn't support the option, does
>>>> that mean the option will never be passed and users will never know
>>>> that there are gaping holes in the pointer bounds checking?
>>>>
>>>> My suggestion would be to pass the option unconditionally and make
>>>> the documentation say something like
>>>
>>>
>>> This option was rejected.
>>
>>
>> Hrmmmm, how about then just *never* passing the magic option to the
>> linker, and telling users they either have to pass it manually (and use
>> a linker that supports it), use static linking, or do without bounds
>> checking on dynamic libraries?
>>
>> Remember that most GCC users do not configure GCC themselves...  they
>> use whatever came with their distro or from their toolchain vendor, or
>> was installed by their sysadmin.  So most GCC users have no way to know
>> what linker their GCC binary was configured with and it's just confusing
>> that this important linker option might or might not be included based
>> on factors they don't know about or can't control.
>
> But the same arguments apply to forcing the user to manually pass the
> argument, select static linking, etc.
>
> If I think about the most common case usage, it's going to be a
> compiler/binutils pair built by a distribution such as Fedora, Ubuntu, etc
> and the configure time test will do the right thing.  It's only cases where
> folks are updating components separately, or building themselves that the
> configure time test falls down.

You can't have it both ways.  If the common usage is targeting
distributions, -z bndplt should always be passed to ld for MPX
since distributions should have the proper linker for MPX.

On 2015.04.07 at 12:28 -0700, H.J. Lu wrote:
> You can't have it both ways.  If the common usage is targeting
> distributions, -z bndplt should always be passed to ld for MPX
> since distributions should have the proper linker for MPX.

Why don't you just implement -z bndplt for gold?