Message ID | 20230630014248.2819836-4-siddhesh@sourceware.org |
---|---|
State | New |
Headers | show |
Series | Update default build configuration | expand |
* Siddhesh Poyarekar via Libc-alpha: > +‘--disable-bind-now’ > + Enable lazy binding for installed shared objects and programs. > + Lazy binding may improve program load times but it will disable > + security hardening that enables full RELRO and a read-only global > + offset table (GOT). This description is not correct because as far as I can see, --disable-bind-now does not enable lazy binding if the toolchain or the build flags default to it. I think we should remove this flag, rather than making --disable-bind-now work as documented. Thanks, Florian
On 2023-07-13 05:38, Florian Weimer via Libc-alpha wrote: > * Siddhesh Poyarekar via Libc-alpha: > >> +‘--disable-bind-now’ >> + Enable lazy binding for installed shared objects and programs. >> + Lazy binding may improve program load times but it will disable >> + security hardening that enables full RELRO and a read-only global >> + offset table (GOT). > > This description is not correct because as far as I can see, > --disable-bind-now does not enable lazy binding if the toolchain or the > build flags default to it. > > I think we should remove this flag, rather than making > --disable-bind-now work as documented. I feel like this needs more thought either way then, no point blocking 2.38 for it. What's the use case for lazy binding? Are people actually using this in the wild and would we be breaking things for them? Thanks, Sid
* Siddhesh Poyarekar: > On 2023-07-13 05:38, Florian Weimer via Libc-alpha wrote: >> * Siddhesh Poyarekar via Libc-alpha: >> >>> +‘--disable-bind-now’ >>> + Enable lazy binding for installed shared objects and programs. >>> + Lazy binding may improve program load times but it will disable >>> + security hardening that enables full RELRO and a read-only global >>> + offset table (GOT). >> This description is not correct because as far as I can see, >> --disable-bind-now does not enable lazy binding if the toolchain or the >> build flags default to it. >> I think we should remove this flag, rather than making >> --disable-bind-now work as documented. > > I feel like this needs more thought either way then, no point blocking > 2.38 for it. What's the use case for lazy binding? Are people > actually using this in the wild and would we be breaking things for > them? I don't think it matters. We have very few symbols that can be bound lazily. Most symbolic bindings are against data symbols, which cannot be bound lazily, so the performance win for glibc itself is minuscule. I think it may have been beneficial before we had the libc_hidden mechanism. I suppose libpthread integration also helped to decreasing binding overhead. Thanks, Florian
On 2023-07-17 11:30, Florian Weimer via Libc-alpha wrote: > * Siddhesh Poyarekar: > >> On 2023-07-13 05:38, Florian Weimer via Libc-alpha wrote: >>> * Siddhesh Poyarekar via Libc-alpha: >>> >>>> +‘--disable-bind-now’ >>>> + Enable lazy binding for installed shared objects and programs. >>>> + Lazy binding may improve program load times but it will disable >>>> + security hardening that enables full RELRO and a read-only global >>>> + offset table (GOT). >>> This description is not correct because as far as I can see, >>> --disable-bind-now does not enable lazy binding if the toolchain or the >>> build flags default to it. >>> I think we should remove this flag, rather than making >>> --disable-bind-now work as documented. >> >> I feel like this needs more thought either way then, no point blocking >> 2.38 for it. What's the use case for lazy binding? Are people >> actually using this in the wild and would we be breaking things for >> them? > > I don't think it matters. We have very few symbols that can be bound > lazily. Most symbolic bindings are against data symbols, which cannot > be bound lazily, so the performance win for glibc itself is minuscule. > > I think it may have been beneficial before we had the libc_hidden > mechanism. I suppose libpthread integration also helped to decreasing > binding overhead. Fair enough, I'll respin this by dropping the option and let Andreas decide if it's suitable for 2.38. If not, I'll just queue it up for 2.39. Thanks, Sid
Am Montag, 17. Juli 2023, 17:55:35 CEST schrieb Siddhesh Poyarekar via Libc-alpha: > On 2023-07-17 11:30, Florian Weimer via Libc-alpha wrote: > > * Siddhesh Poyarekar: > > > >> On 2023-07-13 05:38, Florian Weimer via Libc-alpha wrote: > >>> * Siddhesh Poyarekar via Libc-alpha: > >>> > >>>> +‘--disable-bind-now’ > >>>> + Enable lazy binding for installed shared objects and programs. > >>>> + Lazy binding may improve program load times but it will disable > >>>> + security hardening that enables full RELRO and a read-only global > >>>> + offset table (GOT). > >>> This description is not correct because as far as I can see, > >>> --disable-bind-now does not enable lazy binding if the toolchain or the > >>> build flags default to it. > >>> I think we should remove this flag, rather than making > >>> --disable-bind-now work as documented. > >> > >> I feel like this needs more thought either way then, no point blocking > >> 2.38 for it. What's the use case for lazy binding? Are people > >> actually using this in the wild and would we be breaking things for > >> them? > > > > I don't think it matters. We have very few symbols that can be bound > > lazily. Most symbolic bindings are against data symbols, which cannot > > be bound lazily, so the performance win for glibc itself is minuscule. > > > > I think it may have been beneficial before we had the libc_hidden > > mechanism. I suppose libpthread integration also helped to decreasing > > binding overhead. > > Fair enough, I'll respin this by dropping the option and let Andreas > decide if it's suitable for 2.38. If not, I'll just queue it up for 2.39. Let's queue it for 2.39 then.
diff --git a/INSTALL b/INSTALL index f02358e933..88ffe7748f 100644 --- a/INSTALL +++ b/INSTALL @@ -205,11 +205,11 @@ if ‘CFLAGS’ is specified it must enable optimization. For example: of routines called directly from assembler are excluded from this protection. This option is enabled by default and set to ‘strong’. -‘--enable-bind-now’ - Disable lazy binding for installed shared objects and programs. - This provides additional security hardening because it enables full - RELRO and a read-only global offset table (GOT), at the cost of - slightly increased program load times. +‘--disable-bind-now’ + Enable lazy binding for installed shared objects and programs. + Lazy binding may improve program load times but it will disable + security hardening that enables full RELRO and a read-only global + offset table (GOT). ‘--enable-pt_chown’ The file ‘pt_chown’ is a helper binary for ‘grantpt’ (*note diff --git a/NEWS b/NEWS index 47ec0b741c..264fad5d86 100644 --- a/NEWS +++ b/NEWS @@ -52,6 +52,9 @@ Major new features: default. This may be overridden by using the --enable-stack-protector configure option. +* Lazy binding is now disabled by default and can be overridden with the + --disable-bind-now configure flag. + Deprecated and removed features, and other changes affecting compatibility: * In the Linux kernel for the hppa/parisc architecture some of the diff --git a/configure b/configure index 863621cabf..6d4b05df18 100755 --- a/configure +++ b/configure @@ -1462,7 +1462,7 @@ Optional Features: hardcode newly built glibc path in tests [default=no] --disable-hidden-plt do not hide internal function calls to avoid PLT - --enable-bind-now disable lazy relocations in DSOs + --disable-bind-now enable lazy relocations in DSOs --enable-stack-protector=[yes|no|all|strong] Use -fstack-protector[-all|-strong] to detect glibc buffer overflows @@ -4448,7 +4448,7 @@ if test ${enable_bind_now+y} then : enableval=$enable_bind_now; bindnow=$enableval else $as_nop - bindnow=no + bindnow=yes fi diff --git a/configure.ac b/configure.ac index d85452b3b3..6fc72df700 100644 --- a/configure.ac +++ b/configure.ac @@ -213,10 +213,10 @@ if test "x$hidden" = xno; then fi AC_ARG_ENABLE([bind-now], - AS_HELP_STRING([--enable-bind-now], - [disable lazy relocations in DSOs]), + AS_HELP_STRING([--disable-bind-now], + [enable lazy relocations in DSOs]), [bindnow=$enableval], - [bindnow=no]) + [bindnow=yes]) AC_SUBST(bindnow) if test "x$bindnow" = xyes; then AC_DEFINE(BIND_NOW) diff --git a/manual/install.texi b/manual/install.texi index b1aa5eb60c..ae43dc51ac 100644 --- a/manual/install.texi +++ b/manual/install.texi @@ -231,11 +231,10 @@ options to detect stack overruns. Only the dynamic linker and a small number of routines called directly from assembler are excluded from this protection. This option is enabled by default and set to @option{strong}. -@item --enable-bind-now -Disable lazy binding for installed shared objects and programs. This -provides additional security hardening because it enables full RELRO -and a read-only global offset table (GOT), at the cost of slightly -increased program load times. +@item --disable-bind-now +Enable lazy binding for installed shared objects and programs. Lazy binding +may improve program load times but it will disable security hardening that +enables full RELRO and a read-only global offset table (GOT). @pindex pt_chown @findex grantpt
Lazy binding prevents some key security features and is disabled by all major distributions by default. Default to this more secure option and flip the flag to allow disabling it if needed. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> --- INSTALL | 10 +++++----- NEWS | 3 +++ configure | 4 ++-- configure.ac | 6 +++--- manual/install.texi | 9 ++++----- 5 files changed, 17 insertions(+), 15 deletions(-)