Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp3117583ybt; Mon, 22 Jun 2020 15:40:23 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxmGy8/Wkh/JV5bLO2NZ3segi6FR9QELLPEDbtvRQFowrq4LY0IeIUvU6Gjti8tkTT2bk80 X-Received: by 2002:aa7:dcc8:: with SMTP id w8mr43940edu.305.1592865622918; Mon, 22 Jun 2020 15:40:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592865622; cv=none; d=google.com; s=arc-20160816; b=U0WWvsLv1YeTKqDTy24gVnRWbS+E2XIwJf1760+/8Q7b09mJixYjFtetNsEV9LGQBO z/mykapW7G8MOnUlfs7u85Yh/IXGjI7EaMimjC2jffkB718UKdmaQFWqGOMpIeI+rj2i Xl2+YgWrQfD2pI/WK8aj4ApIVwzGAltmQuLGtiQ7fhMpFWblrp/Yxoj+JkXHSUx0WNYs DE3zMA/PrlP/puoi28dACt01EfFgS6IO9jiTy3hTtYtLGQI/yx7+62YL/wEnY5E1uaPd jNxHKcltO+Yu3bOvOqWwN6wsLFu0QDT54s3aFwHXtrU2mNrKnSVzTyotIT2+xF1DrPp0 pewQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=sSqm/4br/2XZ3zIDDWcwJQR4tM1nEgZwvHmLUOL6fDw=; b=Id/Ukuv6hEApvyhWzncYmJpXxFhF5Okqkk6f+1lhB/KWOESbBAj/aVlEskIXE05GqF d/gcuV3OyWYmtFYCmMyO4WM4qetXbdziOr3dKmSj9xx6az74AObLMEuvzDeiiOlUR5w4 QTJi1iDYzEHWSPGvk/+wnfC6jGBUmoApFR4VGEn7ubt7NAyRHnf6lzUx0ULo4n15hkQP n58wuhrCu2hNhViEqUj+E0Hf2uJNkk4joIW9fYG3XRLIyORcqC+NlfVGr0zSUf+v4GDo AFTDzNBq3mJxmc9liB+nvWcQkmxhlVM2lVrdhsQURzlls3fBH3k0o2mlopxjCPCu0bIJ kl1A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=gkbzBoXV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cm13si9926849edb.246.2020.06.22.15.39.59; Mon, 22 Jun 2020 15:40:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=gkbzBoXV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730826AbgFVWfm (ORCPT + 99 others); Mon, 22 Jun 2020 18:35:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48264 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730785AbgFVWfm (ORCPT ); Mon, 22 Jun 2020 18:35:42 -0400 Received: from mail-pj1-x1041.google.com (mail-pj1-x1041.google.com [IPv6:2607:f8b0:4864:20::1041]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 240B5C061573 for ; Mon, 22 Jun 2020 15:35:42 -0700 (PDT) Received: by mail-pj1-x1041.google.com with SMTP id u14so550208pjj.2 for ; Mon, 22 Jun 2020 15:35:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=sSqm/4br/2XZ3zIDDWcwJQR4tM1nEgZwvHmLUOL6fDw=; b=gkbzBoXV4Pk/cNmx+qHZYboipX5IVfDpxc8N0j4sWU9Ludf+OeYYmtJSZCcAGy8rZg aLbU2nyoFvW8UdDGDNRtfLZmmmi4FZwyhj7kombdQ0MHdVzYE8eod+AIGnBwYk9LHuPk iWFxpYVFP2202q93vjwPazU6UlNrjNokyuUxk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=sSqm/4br/2XZ3zIDDWcwJQR4tM1nEgZwvHmLUOL6fDw=; b=bKDz9+GilsLY/fX0ysA9b0TfriMWuO9uQjKKHju3UF5fvhBVECR7mp6X6R1iqAZZ7E nhvITuLUEBRstRufPNInaNbdQiVzh2hF3tYUmUS3Q80zH27Wjihv88CJEgUtumbdgWfR K5VS4i+gk0GC/KYOMgnH97i4x0upqEaRmecBl1bqzxBWt4luBTxqom8RTGwbE1MF62R5 V3vBP7AOkK7bu4NOmDo0YVX0Q0CvroqOeVf19irjwiBWH/PzZiIJ2RN+TFuaZJBaehHW SK1RCpjd7wYdSO1WP3DU1zAzvdwCqE9tgIBjfBDeqaAfV/N9V5iZTSDLLZAhXlXwYZB8 uVpQ== X-Gm-Message-State: AOAM5305Gqy0LF1DDsZpQoJPunYtHX+sbEGxprBF+ORSc6W4lQg6S9xe UeYATN8atJw8exHHDY1EXpTK3g== X-Received: by 2002:a17:902:bb81:: with SMTP id m1mr759742pls.134.1592865341616; Mon, 22 Jun 2020 15:35:41 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id n7sm458148pjq.22.2020.06.22.15.35.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jun 2020 15:35:40 -0700 (PDT) Date: Mon, 22 Jun 2020 15:35:39 -0700 From: Kees Cook To: Fangrui Song Cc: Borislav Petkov , Thomas Gleixner , Ingo Molnar , x86@kernel.org, Arnd Bergmann , Nick Desaulniers , Nathan Chancellor , clang-built-linux@googlegroups.com, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2 3/3] x86/boot: Warn on orphan section placement Message-ID: <202006221534.D22F51D37@keescook> References: <20200622205341.2987797-1-keescook@chromium.org> <20200622205341.2987797-4-keescook@chromium.org> <20200622220628.t5fklwmbtqoird5f@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200622220628.t5fklwmbtqoird5f@google.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 22, 2020 at 03:06:28PM -0700, Fangrui Song wrote: > On 2020-06-22, Kees Cook wrote: > > We don't want to depend on the linker's orphan section placement > > heuristics as these can vary between linkers, and may change between > > versions. All sections need to be explicitly named in the linker > > script. > > > > Add the common debugging sections. Discard the unused note, rel, plt, > > dyn, and hash sections that are not needed in the compressed vmlinux. > > Disable .eh_frame generation in the linker and enable orphan section > > warnings. > > > > Signed-off-by: Kees Cook > > --- > > arch/x86/boot/compressed/Makefile | 3 ++- > > arch/x86/boot/compressed/vmlinux.lds.S | 11 +++++++++++ > > 2 files changed, 13 insertions(+), 1 deletion(-) > > > > diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile > > index 7619742f91c9..646720a05f89 100644 > > --- a/arch/x86/boot/compressed/Makefile > > +++ b/arch/x86/boot/compressed/Makefile > > @@ -48,6 +48,7 @@ GCOV_PROFILE := n > > UBSAN_SANITIZE :=n > > > > KBUILD_LDFLAGS := -m elf_$(UTS_MACHINE) > > +KBUILD_LDFLAGS += $(call ld-option,--no-ld-generated-unwind-info) > > # Compressed kernel should be built as PIE since it may be loaded at any > > # address by the bootloader. > > ifeq ($(CONFIG_X86_32),y) > > @@ -59,7 +60,7 @@ else > > KBUILD_LDFLAGS += $(shell $(LD) --help 2>&1 | grep -q "\-z noreloc-overflow" \ > > && echo "-z noreloc-overflow -pie --no-dynamic-linker") > > endif > > -LDFLAGS_vmlinux := -T > > +LDFLAGS_vmlinux := --orphan-handling=warn -T > > > > hostprogs := mkpiggy > > HOST_EXTRACFLAGS += -I$(srctree)/tools/include > > diff --git a/arch/x86/boot/compressed/vmlinux.lds.S b/arch/x86/boot/compressed/vmlinux.lds.S > > index 8f1025d1f681..6fe3ecdfd685 100644 > > --- a/arch/x86/boot/compressed/vmlinux.lds.S > > +++ b/arch/x86/boot/compressed/vmlinux.lds.S > > @@ -75,5 +75,16 @@ SECTIONS > > . = ALIGN(PAGE_SIZE); /* keep ZO size page aligned */ > > _end = .; > > > > + STABS_DEBUG > > + DWARF_DEBUG > > + > > DISCARDS > > + /DISCARD/ : { > > + *(.note.*) > > + *(.rela.*) *(.rela_*) > > + *(.rel.*) *(.rel_*) > > + *(.plt) *(.plt.*) > > + *(.dyn*) > > + *(.hash) *(.gnu.hash) > > + } > > } > > -- > > 2.25.1 > > LLD may report warnings for 3 synthetic sections if they are orphans: > > ld.lld: warning: :(.symtab) is being placed in '.symtab' > ld.lld: warning: :(.shstrtab) is being placed in '.shstrtab' > ld.lld: warning: :(.strtab) is being placed in '.strtab' > > Are they described? Ah, hm. I see gcc is just silent about these. It looks like both regular and debug kernels end up with those sections for both GCC and Clang. How would you expect them to be described? -- Kees Cook