From patchwork Wed Jul 24 10:04:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Weimer X-Patchwork-Id: 1964240 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Ci7FLyWG; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=8.43.85.97; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WTV4h1nhZz1yZw for ; Wed, 24 Jul 2024 20:05:08 +1000 (AEST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 72442385841E for ; Wed, 24 Jul 2024 10:05:06 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTP id 50BED3858C60 for ; Wed, 24 Jul 2024 10:04:49 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 50BED3858C60 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 50BED3858C60 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1721815490; cv=none; b=KbVCbxry+BxoKZ4BpgLVpL3HZ4jOfNWnfkK6n7kokn77pPPcXyTIqxHCCjb59JrpEbAtF8t6leWdkF1IaVWGXzU2cG9Hd0xYSWcC1ogm1zl1MoqVh2aoZZCuSxsVtMfk3FNT3IKTC92lrp6LWvo5sVHRZ0doFBJU7fc3ab867oE= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1721815490; c=relaxed/simple; bh=/KnkGhGzF7B7UWcVrkpBWUO7Y7C5Pj1yiZDLFehnU10=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=PtbBtdbOae/IRXBx4z2VHRNtdEuyQFdIHr6F9eBbMbfd36aS9z9K6fwb69eKFmt4m/xsBh9uQFc9joFLLaY9KJG/lUdCODaU8R43jT2fz5xeFvZIAKpPkaaf9KMHNw3FkriCkxXo+2h26gaXhjiTGXQTMYGjJirPjNFCteYhyjA= ARC-Authentication-Results: i=1; server2.sourceware.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1721815489; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type; bh=Kdphs95rZGy1piYzS5bk5FdkpadmakvdXTZ+r5BSbLI=; b=Ci7FLyWGHVURmiGk8RYxEy61nDROCWfD4HgNuVJaymGlOZuOnX07zaqWgS3NAZMDu6JYQQ Lyx7FOHolx8ZL2YXkbGbQt0XIRP7Tx+9vHhkkQu/TE0pDdVjbmb5BIQcA3LQe3mS4P55GO O4sS4SpSYiB0IkFY9fB+EiZcKQ4sfF0= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-618-jQM-s-JfOpuLmFnafVFwfw-1; Wed, 24 Jul 2024 06:04:47 -0400 X-MC-Unique: jQM-s-JfOpuLmFnafVFwfw-1 Received: from mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 9BCAC1955D4A; Wed, 24 Jul 2024 10:04:46 +0000 (UTC) Received: from oldenburg.str.redhat.com (unknown [10.45.224.137]) by mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 32EB619560AA; Wed, 24 Jul 2024 10:04:44 +0000 (UTC) From: Florian Weimer To: libc-alpha@sourceware.org Cc: Szabolcs Nagy Subject: [PATCH] manual: Do not mention STATIC_TLS in dynamic linker hardening recommendations Date: Wed, 24 Jul 2024 12:04:41 +0200 Message-ID: <871q3jksw6.fsf@oldenburg.str.redhat.com> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.40 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com X-Spam-Status: No, score=-10.8 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org The current toolchain does not consistently generate it, and glibc does not use it. Reviewed-by: Szabolcs Nagy --- v2: Call non-GNU2 TLS traditional TLS. manual/dynlink.texi | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) base-commit: b0fbcb7d0051a68baf26b2aed51a8a31c34d68e5 diff --git a/manual/dynlink.texi b/manual/dynlink.texi index 03565d4fb0..1500a53de6 100644 --- a/manual/dynlink.texi +++ b/manual/dynlink.texi @@ -993,21 +993,21 @@ The dynamic segment should also mention @code{BIND_NOW} on the enough). @item -For shared objects (not main programs), if the program header has a -@code{PT_TLS} segment, the dynamic segment (as shown by @samp{readelf --dW}) should contain the @code{STATIC_TLS} flag on the @code{FLAGS} -line. - -If @code{STATIC_TLS} is missing in shared objects, ensure that the -appropriate relocations for GNU2 TLS descriptors are used (for example, +Ensure that only static TLS relocations (thread-pointer relative offset +locations) are used, for example @code{R_AARCH64_TLS_TPREL} and +@code{X86_64_TPOFF64}. As the second-best option, and only if +compatibility with non-hardened applications using @code{dlopen} is +needed, GNU2 TLS descriptor relocations can be used (for example, @code{R_AARCH64_TLSDESC} or @code{R_X86_64_TLSDESC}). @item -There should not be a reference to the symbols @code{__tls_get_addr}, -@code{__tls_get_offset}, @code{__tls_get_addr_opt} in the dynamic symbol -table (in the @samp{readelf -sDW} output). Thread-local storage must be -accessed using the initial-exec (static) model, or using GNU2 TLS -descriptors. +There should not be references to the traditional TLS function symbols +@code{__tls_get_addr}, @code{__tls_get_offset}, +@code{__tls_get_addr_opt} in the dynamic symbol table (in the +@samp{readelf -sDW} output). Supporting global dynamic TLS relocations +(such as @code{R_AARCH64_TLS_DTPMOD}, @code{R_AARCH64_TLS_DTPREL}, +@code{R_X86_64_DTPMOD64}, @code{R_X86_64_DTPOFF64}) should not be used, +either. @item Likewise, the functions @code{dlopen}, @code{dlmopen}, @code{dlclose}