Add new command line option -z memtag-stack for aarch64 elf. This
option instructs the linker to generate the necessary dynamic tag
DT_AARCH64_MEMTAG_STACK, which the dynamic loader can then use to
protect the stack memory with PROT_MTE. Linker issues an
'unrecognized option' error when -z memtag-stack is specified for
non-aarch64 based emulations.
readelf displays the dynamic tag when present:
$ readelf -d <exectutable>
Dynamic section at offset 0xfdd8 contains XX entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x000000000000000c (INIT) 0x400520
0x000000000000000d (FINI) 0x400b64
0x0000000000000019 (INIT_ARRAY) 0x41fdc8
... ... ...
0x000000007000000c (AARCH64_MEMTAG_STACK) 0x1
... ... ...
ChangeLog:
* bfd/elfnn-aarch64.c (elfNN_aarch64_late_size_sections): Emit
DT_AARCH64_MEMTAG_STACK dynamic tag.
* bfd/elfxx-aarch64.h (struct aarch64_memtag_opts): Add new
member for tracking whether stack access uses MTE insns.
* binutils/readelf.c (get_aarch64_dynamic_type): Handle
DT_AARCH64_MEMTAG_STACK.
* ld/emultempl/aarch64elf.em: Add new command line option.
* ld/ld.texi: Add documentation for -z memtag-stack.
* ld/testsuite/ld-aarch64/aarch64-elf.exp: Add new test.
* ld/testsuite/ld-aarch64/dt-memtag-stack.d: New test.
include/ChangeLog:
* elf/aarch64.h (DT_AARCH64_MEMTAG_STACK): New definition.
Add new command line option -z memtag-mode=<mode> to aarch64 elf,
where <mode> can be one of none, sync, or async. For mode of sync or
async, a DT_AARCH64_MEMTAG_MODE dynamic tag with a value of 0 or 1
respectively is emitted.
readelf displays the dynamic tag when present:
$ readelf -d <exectutable>
Dynamic section at offset 0xfdd8 contains XX entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x000000000000000c (INIT) 0x400520
0x000000000000000d (FINI) 0x400b64
0x0000000000000019 (INIT_ARRAY) 0x41fdc8
... ... ...
0x0000000070000009 (AARCH64_MEMTAG_MODE) 0x1
... ... ...
Note that this patch doesn't add support for the "asymm" MTE mode,
which is an Armv8.7 extension.
ChangeLog:
* bfd/elfnn-aarch64.c (struct elf_aarch64_link_hash_table): Add
new member for memtag properties.
(bfd_elfNN_aarch64_set_options): New argument to pass memtag
properties.
(elfNN_aarch64_late_size_sections): Emit DT_AARCH64_MEMTAG_MODE
dynamic tag.
* bfd/elfxx-aarch64.h: New definition for the various memtag
properties.
* binutils/readelf.c (get_aarch64_dynamic_type): Handle
DT_AARCH64_MEMTAG_MODE.
* ld/emultempl/aarch64elf.em: Likewise.
* ld/ld.texi: Add documentation for the new option
-z memtag-mode.
* ld/testsuite/ld-aarch64/aarch64-elf.exp: New test.
* ld/testsuite/ld-aarch64/dt-memtag.d: New test.
* ld/testsuite/ld-aarch64/dt-memtag-mode.s: New test.
include/ChangeLog:
* elf/aarch64.h (DT_AARCH64_MEMTAG_MODE): New definition.
Texinfo 7.2 began showing warnings like:
ld.texi:1026: warning: do not set .info suffix in reference for manual `gcc.info'
ld.texi:9689: warning: do not set .info suffix in reference for manual `binutils.info'
The Texinfo developers plan to stop removing the '.info' suffix
internally in a future release so without this patch the references will
break in the future.
Signed-off-by: Collin Funk <collin.funk1@gmail.com>
While commit ef6379e16d ("Set the default DLL chracteristics to 0 for
Cygwin based targets") tried to undo the too broad earlier 514b4e191d
("Change the default characteristics of DLLs built by the linker to more
secure settings"), it didn't go quite far enough. Apparently the
assumption was that if it's not MinGW, it must be Cygwin. Whether it
really is okay to default three of the flags to non-zero on MinGW also
remains unclear - sadly neither of the commits came with any description
whatsoever. (Documentation also wasn't updated to indicate the restored
default.)
Setting effectively any of the DLL characteristics flags depends on
properties of the binary being linked. While defaulting to "more secure"
is a fair goal, it's only the programmer who can know whether their code
is actually compatible with the respective settings. On the assumption
that the change of defaults was indeed deliberate (and justifiable) for
MinGW, limit them to just that. In particular, don't default any of the
flags to set also for non-MinGW, non-Cygwin targets, like e.g. UEFI. At
least the mere applicability of the high-entropy-VA bit is pretty
questionable there in the first place - UEFI applications, after all,
run in "physical mode", i.e. either unpaged or (where paging is a
requirement, like for x86-64) direct-mapped.
The situation is particularly problematic with NX-compat: Many UEFI
implementations respect the "physical mode" property, where permissions
can't be enforced anyway. Some, like reportedly OVMF, even have a build
option to behave either way. Hence successfully testing a UEFI binary on
any number of systems does not guarantee it won't crash elsewhere if the
flag is wrongly set.
Get rid of excess semicolons as well.
When generating an ELF output file, if a note section is marked as
NOLOAD, clear the SEC_ALLOC bit so that it won't be treated as an
SHF_ALLOC section, like a .bss style section.
PR ld/32787
* ld.texi: Update NOLOAD for ELF output files.
* ldlang.c (lang_add_section): Clear the SEC_ALLOC bit for NOLOAD
note sections for ELF output files.
* testsuite/ld-elf/pr32787.d: New file.
* testsuite/ld-elf/pr32787.t: Likewise.
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Load the object only section when opening the mixed object file, instead
of loading it after all other input files have been loaded. This fixed
.../ld/collect-ld: /tmp/ccZAoUIW.obj-only.o: in function `main':
.../ld/testsuite/ld-plugin/lto-10a.c:4: multiple definition of `main'; /usr/x86_64-w64-mingw32/sys-root/mingw/lib/../lib/libmingw32.a(lib64_libmingw32_a-crtexewin.o):(.text.startup+0x0): first defined here
.../ld/collect-ld: /usr/x86_64-w64-mingw32/sys-root/mingw/lib/../lib/libmingw32.a(lib64_libmingw32_a-crtexewin.o):(.text.startup+0xc5): undefined reference to `WinMain'
collect2: error: ld returned 1 exit status
...
FAIL: LTO 10
for x86_64-w64-mingw32 so that mixing LTO and non-LTO relocatable files
for "ld -r" works for both ELF and non-ELF platforms.
* ld.texi: Remove "On ELF platforms" from documentation of mixing
LTO and non-LTO relocatable files for "ld -r".
* ldlang.c (cmdline_load_object_only_section): New.
(cmdline_check_object_only_section): Call it.
* testsuite/ld-plugin/lto.exp: Enable mixed LTO and non-LTO
relocatable output tests for all.
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
The Guarded Control Stack (GCS) feature requires that two things:
- at static link time, all the input objects of a link unit have to
be compatible with GCS.
- at runtime, the executable and the shared libraries which it
depends on have to be compatible with GCS.
Both of those criteria are checked with the GCS feature stored in
the GNU property note.
The previous patch, adding support for the GCS feature check in GNU
note properties for input objects, ignored the input dynamic objects.
Although this support was better than no check, it was still
delaying the detection of compatibility issues up to the runtime
linker.
In order to help the developer in detecting such an incompatibility
issue as early as possible, this patch adds a check for input dynamic
objects lacking the GCS marking. This check can be controlled via the
linker option '-z gcs-report-dynamic[=none|warning|error]'. By default,
if the option is omitted, it inherits the value from '-z gcs-report'.
However, the inherited value is capped to 'warning' as a user might
want to only report errors in the currently built module, and not the
shared dependencies. If a user also wants to error on GCS issues in
the shared libraries, '-z gcs-report-dynamic=error' will have to be
specified explicitly.
The GNU_PROPERTY_MEMORY_SEAL gnu property is a way to mark binaries
to be memory sealed by the loader, to avoid further changes of
PT_LOAD segments (such as unmapping or change permission flags).
This is done along with Linux kernel (the mseal syscall [1]), and
C runtime supports to instruct the kernel on the correct time during
program startup (for instance, after RELRO handling). This support
is added along the glibc support to handle the new gnu property [2].
This is a opt-in security features, like other security hardening
ones like NX-stack or RELRO.
The new property is ignored if present on ET_REL objects, and only
added on ET_EXEC/ET_DYN if the linker option is used. A gnu property
is used instead of DT_FLAGS_1 flag to allow memory sealing to work
with ET_EXEC without PT_DYNAMIC support (at least on glibc some ports
still do no support static-pie).
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8be7258aad44b5e25977a98db136f677fa6f4370
[2] https://sourceware.org/pipermail/libc-alpha/2024-September/160291.html
Change-Id: Id47fadabecd24be0e83cff45653f7ce9a900ecf4
This patch adds support for Guarded Control Stack in AArch64 linker.
This patch implements the following:
1) Defines GNU_PROPERTY_AARCH64_FEATURE_1_GCS bit for GCS in
GNU_PROPERTY_AARCH64_FEATURE_1_AND macro.
2) Adds readelf support to read and print the GCS feature in GNU
properties in AArch64.
Displaying notes found in: .note.gnu.property
[ ]+Owner[ ]+Data size[ ]+Description
GNU 0x00000010 NT_GNU_PROPERTY_TYPE_0
Properties: AArch64 feature: GCS
3) Adds support for the "-z gcs" linker option and document all the values
allowed with this option (-z gcs[=always|never|implicit]) where "-z gcs" is
equivalent to "-z gcs=always". When '-z gcs' option is omitted from the
command line, it defaults to "implicit" and relies on the GCS feature
marking in GNU properties.
4) Adds support for the "-z gcs-report" linker option and document all the
values allowed with this option (-z gcs-report[=none|warning|error]) where
"-z gcs-report" is equivalent to "-z gcs-report=warning". When this option
is omitted from the command line, it defaults to "warning".
The ABI changes adding GNU_PROPERTY_AARCH64_FEATURE_1_GCS to the GNU
property GNU_PROPERTY_AARCH64_FEATURE_1_AND is merged into main and
can be found in [1].
[1] https://github.com/ARM-software/abi-aa/blob/main/sysvabi64/sysvabi64.rst
Co-authored-by: Matthieu Longo <matthieu.longo@arm.com>
Co-authored-by: Yury Khrustalev <yury.khrustalev@arm.com>
The Nios II architecture has been EOL'ed by the vendor. This patch
removes all binutils, bfd, gas, binutils, and opcodes support for this
target with the exception of the readelf utility. (The ELF EM_*
number remains valid and the relocation definitions from the Nios II
ABI will never change in future, so retaining the readelf support
seems consistent with its purpose as a utility that tries to parse the
headers in any ELF file provided as an argument regardless of target.)
Specifying the compiler flag `-Wl,--package-metadata=<JSON>` will not
work in case the JSON contains a comma, because compiler drivers eat
commas. Example:
```
$ echo "void main() { }" > test.c
$ gcc '-Wl,--package-metadata={"type":"deb","os":"ubuntu"}' test.c
/usr/bin/ld: cannot find "os":"ubuntu"}: No such file or directory
collect2: error: ld returned 1 exit status
```
The quotation marks in the JSON value do not work well with shell nor
make. Specifying the `--package-metadata` linker flag in a `LDFLAGS`
environment variable might loose its quotation marks when it hits the
final compiler call.
So support percent-encoded and %[string] encoded JSON data in the
`--package-metadata` linker flag. Percent-encoding is used because it is
a standard, simple to implement, and does take too many additional
characters. %[string] encoding is supported for having a more readable
encoding.
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=32003
Bug-Ubutru: https://bugs.launchpad.net/bugs/2071468
Signed-off-by: Benjamin Drung <benjamin.drung@canonical.com>
LLD has dropped the option -Ttext-segment for specifying image base
addresses, instead forcing the use of the --image-base option for both
ELF and PE targets. As it stands, GNU LD and LLVM LLD are incompatible,
having two different options for the same functionality.
This patch enables the use of --image-base on ELF targets, advancing
consistency and compatibility.
See: https://reviews.llvm.org/D70468https://maskray.me/blog/2020-11-15-explain-gnu-linker-options#address-relatedhttps://sourceware.org/bugzilla/show_bug.cgi?id=25207
Moreover, a new test has been added to ensure -z separate-code behaviour
when used with -Ttext-segment stays the same. When this combination is
used, -Ttext-segment sets the address of the first segment (R), not the
text segment (RX), and like with -z noseparate-code, no segments lesser
than the specified address are created. If this behaviour was to change,
the first (R) segment of the ELF file would begin in a lesser address
than the specified text (RX) segment, breaking traditional use of this
option for specifying image base address.
The is patch adds a new ld build-id computation mode, "xx", using
xxhash in its 128-bit mode. The patch prereqs the xxhash-devel
headers being installed, and uses the "all-inlined" model, so no
run-time or link-time library dependence exists.
The xxhash mode performs well, saving roughly 20% of total userspace
run time from an ld job over a 800MB shared library relative to sha1.
128 bits of good hash should be collision-resistant to a number of
distinct binaries that numbers in the 2**32 - 2**64 range, even if not
"crypto" level hash. Confirmations of this are in progress.
ld/configury: add --with-xxhash mode, different from gdb case
because only using it in inline mode
ld/ldbuildid.c: add "xx" mode, #if WITH_XXHASH
ld/NEWS, ld.texi: mention new option
ld/lexsup.c: add enumeration of --build-id STYLES to --help
ld/testsuite/ld-elf/build-id.exp: add test case for 0xHEX case
and conditional for xx case;
also, simply tcl list syntax
https://inbox.sourceware.org/binutils/20240917201509.GB26396@redhat.com/
Signed-off-by: Frank Ch. Eigler <fche@redhat.com>
Say why we even mention shared libraries here (ET_DYN), and clarify
symbol resolution. There are of course many other ways that PIEs
resemble PDEs more closely than shared libraries.
PR 19871
* ld.texi (-pie): Clarify.
Add -plugin-save-temps to store plugin intermediate files permanently.
It can be used to exam the final input object files generated from IR
inputs.
* NEWS: Mention -plugin-save-temps.
* ld.h (ld_config_type): Add plugin_save_temps.
* ld.texi: Document -plugin-save-temps.
* ldlex.h (option_values): Add OPTION_PLUGIN_SAVE_TEMPS.
* lexsup.c (ld_options): Add -plugin-save-temps.
(parse_args): Handle OPTION_PLUGIN_SAVE_TEMPS.
* plugin.c (plugin_call_cleanup): Don't call plugin
cleanup_handler for -plugin-save-temps.
Adds two new external authors to etc/update-copyright.py to cover
bfd/ax_tls.m4, and adds gprofng to dirs handled automatically, then
updates copyright messages as follows:
1) Update cgen/utils.scm emitted copyrights.
2) Run "etc/update-copyright.py --this-year" with an extra external
author I haven't committed, 'Kalray SA.', to cover gas testsuite
files (which should have their copyright message removed).
3) Build with --enable-maintainer-mode --enable-cgen-maint=yes.
4) Check out */po/*.pot which we don't update frequently.
PR 31067
* linker.c (_bfd_generic_link_add_one_symbol): When issuing a warning message, also display a message about the warning not being affected by garbage colleciton.
* ld.texi (Special Sections): New entry in the linker manual. Describes how the .gnu.warning and .gnu.warning.SYM sections behave.
In a safety context, it could interesting to track the trampolines being
generated, ensuring there are expected or not.
bfd/ChangeLog:
* elf32-ppc.c (ppc_elf_relax_section): Log branch fixups.
ld/ChangeLog:
* ld.texi (--print-map): Add new item about fixups.
PR 30865
* ld.texi: Update description of the FILL command.
* testsuite/ld-scripts/fill2.d: New test.
* testsuite/ld-scripts/fill2.t: New test source.
* testsuite/ld-scripts/data.exp: Run the new test.
PR 27565
* ldlex.l: Add REVERSE.
* ldgram.y: Allow REVERSE to be used wherever a sorting command can be used.
* ld.h (struct wildcard_spec): Add 'reversed' field.
* ldlang.h (lang_wild_statement_struct): Add 'filenames_reversed' field.
* ldlang.c (compare_sections): Add reversed parameter. (wild_sort): Reverse the comparison if requested. (print_wild_statement): Handle the reversed field.
* ld.texi: Document the new feature.
* NEWS: Mention the new feature.
* testsuite/ld-scripts/sort-file-reversed-1.d: New test driver.
* testsuite/ld-scripts/sort-file-reversed-1.t: New test source.
* testsuite/ld-scripts/sort-file-reversed-2.t: New test source.
* testsuite/ld-scripts/sort-file-reversed-2.d: New test driver.
* testsuite/ld-scripts/sort-sections-reversed-1.d: New test driver.
* testsuite/ld-scripts/sort-sections-reversed-1.t: New test source.
* testsuite/ld-scripts/sort-sections-reversed-2.t: New test source.
* testsuite/ld-scripts/sort-sections-reversed-2.d: New test driver.
* testsuite/ld-scripts/sort-sections-reversed-3.d: New test driver.
* testsuite/ld-scripts/sort-sections-reversed-3.t: New test source.
The PLT entry in executables and shared libraries contains an indirect
branch, like
jmp *foo@GOTPCREL(%rip)
push $index_foo
jmp .PLT0
or
endbr64
jmp *foo@GOTPCREL(%rip)
NOP padding
which is used to branch to the function, foo, defined in another object.
Each R_X86_64_JUMP_SLOT relocation has a corresponding PLT entry.
The dynamic tags have been added to the x86-64 psABI to mark such PLT
entries:
6d824a52a4
Add an x86-64 linker option, -z mark-plt, to mark PLT entries with
#define DT_X86_64_PLT (DT_LOPROC + 0)
#define DT_X86_64_PLTSZ (DT_LOPROC + 1)
#define DT_X86_64_PLTENT (DT_LOPROC + 3)
1. DT_X86_64_PLT: The address of the procedure linkage table.
2. DT_X86_64_PLTSZ: The total size, in bytes, of the procedure linkage
table.
3. DT_X86_64_PLTENT: The size, in bytes, of a procedure linkage table
entry.
and set the r_addend field of the R_X86_64_JUMP_SLOT relocation to the
memory offset of the indirect branch instruction. The dynamic linker
can use these tags to update the PLT section to direct branch.
bfd/
* elf-linker-x86.h (elf_linker_x86_params): Add mark_plt.
* elf64-x86-64.c (elf_x86_64_finish_dynamic_symbol): Set the
r_addend of R_X86_64_JUMP_SLOT to the indirect branch offset
in PLT entry for -z mark-plt.
* elfxx-x86.c (_bfd_x86_elf_size_dynamic_sections): Add
DT_X86_64_PLT, DT_X86_64_PLTSZ and DT_X86_64_PLTENT for
-z mark-plt.
(_bfd_x86_elf_finish_dynamic_sections): Set DT_X86_64_PLT,
DT_X86_64_PLTSZ and DT_X86_64_PLTENT.
(_bfd_x86_elf_get_synthetic_symtab): Ignore addend for
JUMP_SLOT relocation.
(_bfd_x86_elf_link_setup_gnu_properties): Set
plt_indirect_branch_offset.
* elfxx-x86.h (elf_x86_plt_layout): Add plt_indirect_branch_offset.
binutils/
* readelf.c (get_x86_64_dynamic_type): New function.
(get_dynamic_type): Call get_x86_64_dynamic_type.
include/
* elf/x86-64.h (DT_X86_64_PLT): New.
(DT_X86_64_PLTSZ): Likewise.
(DT_X86_64_PLTENT): Likewise.
ld/
* ld.texi: Document -z mark-plt and -z nomark-plt.
* emulparams/elf32_x86_64.sh: Source x86-64-plt.sh.
* emulparams/elf_x86_64.sh: Likewise.
* emulparams/x86-64-plt.sh: New file.
* testsuite/ld-x86-64/mark-plt-1.s: Likewise.
* testsuite/ld-x86-64/mark-plt-1a-x32.d: Likewise.
* testsuite/ld-x86-64/mark-plt-1a.d: Likewise.
* testsuite/ld-x86-64/mark-plt-1b-x32.d: Likewise.
* testsuite/ld-x86-64/mark-plt-1b.d: Likewise.
* testsuite/ld-x86-64/mark-plt-1c-x32.d: Likewise.
* testsuite/ld-x86-64/mark-plt-1c.d: Likewise.
* testsuite/ld-x86-64/mark-plt-1d-x32.d: Likewise.
* testsuite/ld-x86-64/mark-plt-1d.d: Likewise.
* testsuite/ld-x86-64/x86-64.exp: Run -z mark-plt tests.
bfd
* peXXigen.c (_bfd_XXi_only_swap_filehdr_out): If inserting a timestamp, use the value held in the SOURCE_DATE_EPOCH environment variable, if it is defined.
binutils
* doc/binutils.texi (objcopy): Document change in behaviour of objcopy's --preserve-dates command line option.
ld
* pe-dll.c (fill_edata): If inserting a timestamp, use the value held in the SOURCE_DATE_EPOCH environment variable, if it is defined.
* ld.texi (--insert-timestamp): Document change in behaviour.
