jcgruenhage/void-packages
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
void-packages/srcpkgs/glibc/patches/0004-Document-and-fix-enable-bind-now-BZ-21015.patch
Leah Neukirchen 57c0281eb0 glibc: update for 8 new upstream fixes. 
Patches created by
git format-patch -k -p glibc-2.25..origin/release/2.25/master
2017-06-20 13:46:17 +02:00

188 lines
7.2 KiB
Diff
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From 69e0a87cc4c570e3b7218392fc3e743b5bddcce2 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Thu, 2 Mar 2017 20:11:27 +0100
Subject: Document and fix --enable-bind-now [BZ #21015]
(cherry picked from commit 2d6ab5df3b675e96ee587ae6a8c2ce004c6b1ba9)
diff --git a/ChangeLog b/ChangeLog
index 510ca42c2b..8aaf9f825d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,20 @@
+2017-03-02 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #21015]
+ * manual/install.texi (Configuring and compiling): Document
+ --enable-bind-now.
+ * Makeconfig [bind-now] (LDFLAGS-lib.so): Set.
+ (build-shlib-helper): Use $(LDFLAGS-lib.so).
+ (format.lds): Likewise.
+ [bind-now] (LDFLAGS-c.so): Remove.
+ * sysdeps/x86_64/localplt.data (libm.so): matherr relocation can
+ be R_X86_64_GLOB_DAT.
+ * sysdeps/unix/sysv/linux/i386/localplt.data (libm.so): matherr
+ relocation can be R_386_GLOB_DAT.
+ * sysdeps/unix/sysv/linux/alpha/localplt.data (libm.so): matherr
+ relocaiton can be R_ALPHA_GLOB_DAT.
+ * iconvdata/Makefile [bind-now] (LDFLAGS.so): Add -Wl,-z,now.
+
2017-02-28 Florian Weimer <fweimer@redhat.com>
[BZ #20257]
diff --git a/INSTALL b/INSTALL
index 3b3fd121b2..e77cb2d4e2 100644
--- a/INSTALL
+++ b/INSTALL
@@ -146,6 +146,12 @@ will be used, and CFLAGS sets optimization options for the compiler.
of routines called directly from assembler are excluded from this
protection.
+'--enable-bind-now'
+ Disable lazy binding for installed shared objects. This provides
+ additional security hardening because it enables full RELRO and a
+ read-only global offset table (GOT), at the cost of slightly
+ increased program load times.
+
'--enable-pt_chown'
The file 'pt_chown' is a helper binary for 'grantpt' (*note
Pseudo-Terminals: Allocation.) that is installed setuid root to fix
diff --git a/Makeconfig b/Makeconfig
index 97a15b569e..1c815113b9 100644
--- a/Makeconfig
+++ b/Makeconfig
@@ -386,6 +386,13 @@ LDFLAGS.so += $(hashstyle-LDFLAGS)
LDFLAGS-rtld += $(hashstyle-LDFLAGS)
endif
+# If lazy relocations are disabled, add the -z now flag. Use
+# LDFLAGS-lib.so instead of LDFLAGS.so, to avoid adding the flag to
+# test modules.
+ifeq ($(bind-now),yes)
+LDFLAGS-lib.so += -Wl,-z,now
+endif
+
# Command to run after every final link (executable or shared object).
# This is invoked with $(call after-link,...), so it should operate on
# the file $1. This can be set to do some sort of post-processing on
diff --git a/Makerules b/Makerules
index e9194e54cf..7f0eef8096 100644
--- a/Makerules
+++ b/Makerules
@@ -588,7 +588,7 @@ $(LINK.o) -shared -static-libgcc -Wl,-O1 $(sysdep-LDFLAGS) \
$(extra-B-$(@F:lib%.so=%).so) -B$(csu-objpfx) \
$(extra-B-$(@F:lib%.so=%).so) $(load-map-file) \
-Wl,-soname=lib$(libprefix)$(@F:lib%.so=%).so$($(@F)-version) \
- $(LDFLAGS.so) $(LDFLAGS-$(@F:lib%.so=%).so) \
+ $(LDFLAGS.so) $(LDFLAGS-lib.so) $(LDFLAGS-$(@F:lib%.so=%).so) \
-L$(subst :, -L,$(rpath-link)) -Wl,-rpath-link=$(rpath-link)
endef
@@ -686,10 +686,6 @@ LDFLAGS-c.so = -nostdlib -nostartfiles
LDLIBS-c.so += $(libc.so-gnulib)
# Give libc.so an entry point and make it directly runnable itself.
LDFLAGS-c.so += -e __libc_main
-# If lazy relocation is disabled add the -z now flag.
-ifeq ($(bind-now),yes)
-LDFLAGS-c.so += -Wl,-z,now
-endif
# Pre-link the objects of libc_pic.a so that we can locally resolve
# COMMON symbols before we link against ld.so. This is because ld.so
# contains some of libc_pic.a already, which will prevent the COMMONs
@@ -1104,7 +1100,8 @@ $(common-objpfx)format.lds: $(..)scripts/output-format.sed \
ifneq (unknown,$(output-format))
echo > $@.new 'OUTPUT_FORMAT($(output-format))'
else
- $(LINK.o) -shared $(sysdep-LDFLAGS) $(rtld-LDFLAGS) $(LDFLAGS.so) \
+ $(LINK.o) -shared $(sysdep-LDFLAGS) $(rtld-LDFLAGS) \
+ $(LDFLAGS.so) $(LDFLAGS-lib.so) \
-x c /dev/null -o $@.so -Wl,--verbose -v 2>&1 \
| sed -n -f $< > $@.new
test -s $@.new
diff --git a/NEWS b/NEWS
index e7d6668664..9bf8c10926 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ The following bugs are resolved with this release:
[21109] Tunables broken on big-endian
[21115] sunrpc: Use-after-free in error path in clntudp_call
[20257] sunrpc: clntudp_call does not enforce timeout when receiving data
+ [21015] Document and fix --enable-bind-now
Version 2.25
diff --git a/iconvdata/Makefile b/iconvdata/Makefile
index 04157b25c5..e4845871f5 100644
--- a/iconvdata/Makefile
+++ b/iconvdata/Makefile
@@ -63,6 +63,11 @@ modules := ISO8859-1 ISO8859-2 ISO8859-3 ISO8859-4 ISO8859-5 \
MAC-CENTRALEUROPE KOI8-RU ISO8859-9E \
CP770 CP771 CP772 CP773 CP774
+# If lazy binding is disabled, use BIND_NOW for the gconv modules.
+ifeq ($(bind-now),yes)
+LDFLAGS.so += -Wl,-z,now
+endif
+
modules.so := $(addsuffix .so, $(modules))
ifeq (yes,$(build-shared))
diff --git a/manual/install.texi b/manual/install.texi
index 266add8ba9..3398cfab02 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -175,6 +175,12 @@ options to detect stack overruns. Only the dynamic linker and a small
number of routines called directly from assembler are excluded from this
protection.
+@item --enable-bind-now
+Disable lazy binding for installed shared objects. This provides
+additional security hardening because it enables full RELRO and a
+read-only global offset table (GOT), at the cost of slightly increased
+program load times.
+
@pindex pt_chown
@findex grantpt
@item --enable-pt_chown
diff --git a/sysdeps/unix/sysv/linux/alpha/localplt.data b/sysdeps/unix/sysv/linux/alpha/localplt.data
index cca17f1e34..1f0e3b494e 100644
--- a/sysdeps/unix/sysv/linux/alpha/localplt.data
+++ b/sysdeps/unix/sysv/linux/alpha/localplt.data
@@ -20,7 +20,7 @@ libc.so: free + RELA R_ALPHA_GLOB_DAT
libc.so: malloc + RELA R_ALPHA_GLOB_DAT
libc.so: memalign + RELA R_ALPHA_GLOB_DAT
libc.so: realloc + RELA R_ALPHA_GLOB_DAT
-libm.so: matherr
+libm.so: matherr + RELA R_ALPHA_GLOB_DAT
# We used to offer inline functions that used this, so it must be exported.
# Ought to reorg things such that carg isn't thus forced to use a plt.
libm.so: __atan2
diff --git a/sysdeps/unix/sysv/linux/i386/localplt.data b/sysdeps/unix/sysv/linux/i386/localplt.data
index 2c2584956d..8ea4333846 100644
--- a/sysdeps/unix/sysv/linux/i386/localplt.data
+++ b/sysdeps/unix/sysv/linux/i386/localplt.data
@@ -6,7 +6,7 @@ libc.so: free + REL R_386_GLOB_DAT
libc.so: malloc + REL R_386_GLOB_DAT
libc.so: memalign + REL R_386_GLOB_DAT
libc.so: realloc + REL R_386_GLOB_DAT
-libm.so: matherr
+libm.so: matherr + REL R_386_GLOB_DAT
# The main malloc is interposed into the dynamic linker, for
# allocations after the initial link (when dlopen is used).
ld.so: malloc + REL R_386_GLOB_DAT
diff --git a/sysdeps/x86_64/localplt.data b/sysdeps/x86_64/localplt.data
index 014a9f4554..a1840cff31 100644
--- a/sysdeps/x86_64/localplt.data
+++ b/sysdeps/x86_64/localplt.data
@@ -8,7 +8,7 @@ libc.so: free + RELA R_X86_64_GLOB_DAT
libc.so: malloc + RELA R_X86_64_GLOB_DAT
libc.so: memalign + RELA R_X86_64_GLOB_DAT
libc.so: realloc + RELA R_X86_64_GLOB_DAT
-libm.so: matherr
+libm.so: matherr + RELA R_X86_64_GLOB_DAT
# The main malloc is interposed into the dynamic linker, for
# allocations after the initial link (when dlopen is used).
ld.so: malloc + RELA R_X86_64_GLOB_DAT
--
2.13.1
Reference in a new issue View git blame Copy permalink