From patchwork Tue Jul 23 13:02:41 2024
X-Patchwork-Submitter: Florian Weimer
X-Patchwork-Id: 1963837
From: Florian Weimer
To: libc-alpha@sourceware.org
Subject: [PATCH] manual: Do not mention STATIC_TLS in dynamic linker hardening recommendations
Date: Tue, 23 Jul 2024 15:02:41 +0200
Message-ID: <87wmlcz2fi.fsf@oldenburg.str.redhat.com>

The current toolchain does not consistently generate it, and glibc does not use it.
---
 manual/dynlink.texi | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

base-commit: b0fbcb7d0051a68baf26b2aed51a8a31c34d68e5

diff --git a/manual/dynlink.texi b/manual/dynlink.texi
index 03565d4fb0..9556e6b7a1 100644
--- a/manual/dynlink.texi
+++ b/manual/dynlink.texi
@@ -993,21 +993,21 @@ The dynamic segment should also mention @code{BIND_NOW} on the enough). @item -For shared objects (not main programs), if the program header has a -@code{PT_TLS} segment, the dynamic segment (as shown by @samp{readelf --dW}) should contain the @code{STATIC_TLS} flag on the @code{FLAGS} -line. - -If @code{STATIC_TLS} is missing in shared objects, ensure that the -appropriate relocations for GNU2 TLS descriptors are used (for example, +Ensure that only static TLS relocations (thread-pointer relative offset +locations) are used, for example @code{R_AARCH64_TLS_TPREL} and +@code{X86_64_TPOFF64}. As the second-best option, and only if +compatibility with non-hardened applications using @code{dlopen} is +needed, GNU2 TLS descriptor relocations can be used (for example, @code{R_AARCH64_TLSDESC} or @code{R_X86_64_TLSDESC}). @item -There should not be a reference to the symbols @code{__tls_get_addr}, -@code{__tls_get_offset}, @code{__tls_get_addr_opt} in the dynamic symbol -table (in the @samp{readelf -sDW} output). Thread-local storage must be -accessed using the initial-exec (static) model, or using GNU2 TLS -descriptors. +There should not be references to the GNU TLS descriptor function +symbols @code{__tls_get_addr}, @code{__tls_get_offset}, +@code{__tls_get_addr_opt} in the dynamic symbol table (in the +@samp{readelf -sDW} output). Supporting global dynamic TLS relocations +(such as @code{R_AARCH64_TLS_DTPMOD}, @code{R_AARCH64_TLS_DTPREL}, +@code{R_X86_64_DTPMOD64}, @code{R_X86_64_DTPOFF64}) should not be used, +either. @item Likewise, the functions @code{dlopen}, @code{dlmopen}, @code{dlclose}
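Review bot: the relocation name @code{X86_64_TPOFF64} in the first added paragraph is missing its @code{R_} prefix; every other relocation named in this hunk (@code{R_AARCH64_TLS_TPREL}, @code{R_X86_64_DTPMOD64}, @code{R_X86_64_DTPOFF64}) carries it, so this should read @code{R_X86_64_TPOFF64}. In the second added paragraph, calling @code{__tls_get_addr}, @code{__tls_get_offset} and @code{__tls_get_addr_opt} "GNU TLS descriptor function symbols" conflates two mechanisms the removed text kept apart: these are the access functions of the global-dynamic and local-dynamic models, while GNU2 TLS descriptors resolve through the descriptor's own resolver and do not reference them, so the old wording "the symbols" is more accurate. The new sentence "Supporting global dynamic TLS relocations (...) should not be used, either" also has a dangling participle; "Relocations supporting the global dynamic TLS model (...) should not be used, either" says what is meant. Finally, with the @code{STATIC_TLS} flag check gone, the first item no longer tells the reader where to verify anything (the old text pointed at @samp{readelf -dW}); consider naming the relocation listing, for example @samp{readelf -rW}, where the TPREL/TPOFF entries can be checked, so the recommendation stays actionable.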