Expanding the list of "Hardened Packages"

Florian Weimer fweimer at redhat.com
Tue Jul 22 10:20:12 UTC 2014


On 04/04/2013 11:16 AM, Jakub Jelinek wrote:
> On Thu, Apr 04, 2013 at 10:59:41AM +0200, Florian Weimer wrote:
>> On 04/04/2013 10:42 AM, Jakub Jelinek wrote:
>>>> I think a similar optimization would be possible for access to
>>>> global variables because ld could compute the final layout of all
>>>> global variables in the binary itself, just as in the non-PIE case.
>>>
>>> Nope.  The thing is, depending on if the variable is known to bind locally
>>> (for PIC that is essentially static or hidden visibility, for PIE you can
>>> add to that global vars defined in the current CU), you either emit code
>>> that avoids the indirection (say %rip addressing, GOTOFF etc.),
>>
>> Even in PIE mode, it is possible to bind all global variables
>> locally. Even if the variable is defined in a DSO, we can allocate
>> space for it in the main program and arrange for the GOT indirection
>> in the DSO to point there.  The DSO would use the indirection, but
>> the main program wouldn't.
>>
>> It's slightly backwards, but isn't this how variables in DSOs are
>> referenced from position-dependent code?
>
> That requires copy relocations being used even for PIEs, so you'd need to
> change the whole toolchain for that, and somehow deal with the new
> dependencies (as in, PIE code with modified GCC would have to be linked
> with a new linker, otherwise it wouldn't work).

Sriraman Tallam has written a GCC patch which does this:

   <https://gcc.gnu.org/ml/gcc-patches/2014-05/msg01215.html>

Related patches to binutils have already been committed.

-- 
Florian Weimer / Red Hat Product Security
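
Whether a linked position-independent executable actually carries the copy relocations discussed in this thread can be checked by counting its dynamic relocation types. The following is an added example, not part of the original message or of the GCC/binutils patches; the function names and the sample image are constructed, and it assumes a little-endian x86-64 ELF64 file.

```python
import struct
from collections import Counter

# Dynamic relocation types from the x86-64 psABI that matter for this thread.
R_X86_64 = {5: "COPY", 6: "GLOB_DAT", 7: "JUMP_SLOT", 8: "RELATIVE"}
ET_DYN, SHT_RELA = 3, 4  # ET_DYN covers both PIEs and shared objects


def summarize_relocs(elf: bytes):
    """Return (is_et_dyn, Counter of relocation type names) for an ELF64 LE image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_shoff, = struct.unpack_from("<Q", elf, 40)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 58)
    counts = Counter()
    for i in range(e_shnum):
        base = e_shoff + i * e_shentsize
        sh_type, = struct.unpack_from("<I", elf, base + 4)
        sh_offset, sh_size = struct.unpack_from("<QQ", elf, base + 24)
        if sh_type != SHT_RELA:
            continue
        # Each Elf64_Rela entry is r_offset, r_info, r_addend (8 bytes each).
        for off in range(sh_offset, sh_offset + sh_size, 24):
            _r_offset, r_info, _r_addend = struct.unpack_from("<QQq", elf, off)
            rtype = r_info & 0xFFFFFFFF  # low 32 bits: type; high 32: symbol
            counts[R_X86_64.get(rtype, f"type_{rtype}")] += 1
    return e_type == ET_DYN, counts


def constructed_sample() -> bytes:
    """Constructed minimal image: ELF header, two section headers, one RELA table."""
    relas = b"".join(struct.pack("<QQq", 0x4000 + 8 * n, (n + 1) << 32 | t, 0)
                     for n, t in enumerate((5, 5, 6, 8)))
    ehdr = struct.pack("<4sBBB9xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1,
                       ET_DYN, 62, 1, 0, 0, 64, 0, 64, 0, 0, 64, 2, 0)
    rela_sh = struct.pack("<IIQQQQIIQQ", 0, SHT_RELA, 0, 0, 192,
                          len(relas), 0, 0, 8, 24)
    return ehdr + bytes(64) + rela_sh + relas  # bytes(64) is the null section


if __name__ == "__main__":
    is_dyn, counts = summarize_relocs(constructed_sample())
    print("ET_DYN:", is_dyn, dict(counts))
```

An ET_DYN executable reporting a nonzero COPY count has space allocated in the main program for variables defined in a DSO, which is the arrangement the thread describes.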

