Re: [PATCH] x86/boot: Refuse to build with data relocations
From: Josh Poimboeuf
Date: Mon May 16 2016 - 11:57:43 EST
On Thu, May 12, 2016 at 01:31:04PM -0700, Kees Cook wrote:
> diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
> index cfdd8c3f8af2..25d477fcd5b4 100644
> --- a/arch/x86/boot/compressed/Makefile
> +++ b/arch/x86/boot/compressed/Makefile
> @@ -85,7 +85,25 @@ vmlinux-objs-$(CONFIG_EFI_STUB) += $(obj)/eboot.o $(obj)/efi_stub_$(BITS).o \
> $(objtree)/drivers/firmware/efi/libstub/lib.a
> vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_thunk_$(BITS).o
>
> +# The compressed kernel is built with -fPIC/-fPIE so that a boot loader
> +# can place it anywhere in memory and it will still run. However, since
> +# it is executed as-is without any ELF relocation processing performed
> +# (and has already had all relocation sections stripped from the binary),
> +# none of the code can use data relocations (e.g. static assignments of
> +# pointer values), since they will be meaningless at runtime. This check
> +# will refuse to link the vmlinux if any of these relocations are found.
> +quiet_cmd_check_data_rel = DATAREL $@
> +define cmd_check_data_rel
> + for obj in $(filter %.o,$^); do \
> + readelf -S $$obj | grep -qF .data.rel && { \
> + echo "error: $$obj has data relocations!" >&2; \
> + exit 1; \
> + } || true; \
> + done
> +endef
Why only data relocations? If relocations haven't been applied yet,
wouldn't text relocations also be a problem?
--
Josh