Re: [PATCH v5 29/36] x86/build: Enforce an empty .got.plt section

From: Arvind Sankar
Date: Fri Jul 31 2020 - 22:13:02 EST


On Fri, Jul 31, 2020 at 04:08:13PM -0700, Kees Cook wrote:
> The .got.plt section should always be zero (or filled only with the
> linker-generated lazy dispatch entry). Enforce this with an assert and
> mark the section as NOLOAD. This is more sensitive than just blindly
> discarding the section.
>
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
> ---
> arch/x86/kernel/vmlinux.lds.S | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
> index 0cc035cb15f1..7faffe7414d6 100644
> --- a/arch/x86/kernel/vmlinux.lds.S
> +++ b/arch/x86/kernel/vmlinux.lds.S
> @@ -414,8 +414,20 @@ SECTIONS
> ELF_DETAILS
>
> DISCARDS
> -}
>
> + /*
> + * Make sure that the .got.plt is either completely empty or it
> + * contains only the lazy dispatch entries.
> + */
> + .got.plt (NOLOAD) : { *(.got.plt) }
> + ASSERT(SIZEOF(.got.plt) == 0 ||
> +#ifdef CONFIG_X86_64
> + SIZEOF(.got.plt) == 0x18,
> +#else
> + SIZEOF(.got.plt) == 0xc,
> +#endif
> + "Unexpected GOT/PLT entries detected!")
> +}
>
> #ifdef CONFIG_X86_32
> /*
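
Review bot: The two sizes accepted by the ASSERT, 0x18 and 0xc, are undocumented magic numbers: the comment above the section says "only the lazy dispatch entries" but never ties those values to it. They work out to three pointer-sized slots (3 * 8 under CONFIG_X86_64, 3 * 4 otherwise), so the comment should say so if that is the intent. The size check also only bounds how much is in .got.plt, not what it is, which is worth a word in the comment as well. Separately, splitting the ASSERT expression across #ifdef/#else is hard to read; defining the expected size once under the #ifdef and using it in a single ASSERT line would be clearer.
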
> --
> 2.25.1
>

Is this actually needed? vmlinux is a position-dependent executable, and
it doesn't get linked with any shared libraries, so it should never have
a .got or .got.plt at all I think? Does it show up as an orphan without
this?