Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 26 Feb 2020 17:02:40 -0500
From: Rich Felker <>
Subject: Re: [PATCH] Add REL_COPY size change detection

On Wed, Feb 26, 2020 at 09:12:02PM +0100, Markus Wichmann wrote:
> On Wed, Feb 26, 2020 at 12:36:21PM -0500, Rich Felker wrote:
> > In theory copy relocations should have been gone for everyone who
> > switched to PIE, but then the gcc/binutils folks brought them back as
> > an "optimization" (allowing pc-rel access to external symbols). :-(
> >
> Several quotes about optimization come to mind. Especially ones with the
> word "premature" in them.
> I just checked and I saw that there are no copy relocs in my libraries,
> but my binaries are indeed PIEs. Therefore I have to conclude that gcc
> compiles PIE and PIC differently. Weren't they meant to be the same,
> except maybe for the selection of object files during the linker phase?

Libraries inherently can't have copy relocations. Only the main
program can.

> > At the very least I think we ought to catch and error on the case
> > where def.sym->st_size>sym->st_size, since we can't honor it and
> > failure to honor it can produce silent memory corruption. I'm less
> > sure about what to do if def.sym->st_size<sym->st-size; this case
> > seems safe and might be desirable not to break (I vaguely recall an
> > intent that it be ok), but if you think there are reasons it's
> > dangerous I'm ok with disallowing it too. I'm having a hard time now
> > thinking of a reason it would really help to support that, anyway.
> >
> If the application did import sym->st_size bytes, it probably wanted to
> do something with them.

Not really. For example:

extern char *strings[];
extern size_t nstrings;

This type of thing was common with historical mistakes like
sys_errlist, the equivalent for signals, etc., where the application
either had an out-of-band way of knowing the runtime-provided size, or
it could just assume all indices it got from the library were
in-bounds to access the array. It went out of fashion entirely because
of copy relocations breaking it.

> > Missing , after name, and the indent is weird (2 extra levels). I'd
> > either align (spaces) with the opening paren or use just one indent
> > level, and fewer lines.
> The missing comma is weird. Must have gone missing as I was cutting that
> line down to size (originally, I had this as one line, but then it was
> around 200 columns long, and I thought that was a bit excessive). So
> then I tried to stay below 80 and you see the result before you.
> The indent was just vim's default setting. Usually this suits me, but
> usually I have shiftwidth=4 and expandtab. For musl, it's sw=8 and noet.
> > Semantically, st_size is size_t not ulong, so I'd probably lean
> > towards a cast to (size_t) here with %zu.
> Isn't on Linux size_t always a ulong? I will admit I only went for ulong
> because it's easier to write the cast.

Yes, but the ldso code doesn't use that assumption, or at least it's
not intended to. It's used to some extent elsewhere in the syscall
glue framework.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.