On 05.04.22 at 11:51, Jan Engelhardt wrote:
> On Tuesday 2022-04-05 11:24, Marcus Meissner wrote:
>> SUSE has built everything with "Partial RELRO" for a long time (via a default in binutils). (-z relro)
>> We did not yet do "Full RELRO" (-z now) as we feared the amount of integration work.
>
> The way the manpages are written, one would not think of -z now (or ld.so LD_BIND_NOW) having ties to relro, but be more of a debugging aid, so that debugger sessions don't go through the symbol resolution trampolines. There has got to be some speed penalty when a process that received libstdc++.so.6 by "accident" now has to resolve 6000ish symbols even if unused.
Is that what happens? I thought it would only resolve the symbols that are used, and "resolve all symbols" means resolving all symbols that need to be resolved, i.e. are listed in .dynsym of some loaded ELF file. For unused functions there is no GOT/PLT, so where would the dynamic linker write their result?

The second part, "or when the shared library is loaded by dlopen, instead of deferring function call resolution to the point when the function is first called", is probably referring to the .dynsym of that library, i.e. we resolve whatever it uses. I don't think it will precache dlsym results, what would be the point of that? The function pointer returned is stored by the user wherever they want, which will likely be writable pages. But I haven't actually debugged or traced this.

In any event, the man page does indeed not mention any security benefits, though it's well-known that it makes the relocation section read-only. (I always forget which one but I think it's .rela.plt.)

Aaron
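A check a packager can run to see which of the two RELRO levels a built object actually got, added here as an example and not part of the thread above. It reads the ELF program headers for a PT_GNU_RELRO segment (what -z relro adds) and the dynamic section for DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS or DF_1_NOW in DT_FLAGS_1 (what -z now adds); that is the same distinction tools such as checksec draw between "partial" and "full" RELRO. The build_test_elf helper fabricates a header-only ELF64 image so the script runs offline without a real binary; it is constructed test data, not loadable code, and the function names are my own.

```python
import struct
import sys

# ELF constants from the ELF gABI and the GNU ld / glibc headers
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552      # segment emitted by ld for -z relro
DT_NULL = 0
DT_BIND_NOW = 24               # older way of expressing -z now
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8              # DT_FLAGS bit set by -z now
DF_1_NOW = 0x1                 # DT_FLAGS_1 bit set by -z now

EHDR_FMT = "<HHIQQQIHHHHHH"    # ELF64 header fields after e_ident
PHDR_FMT = "<IIQQQQQQ"         # Elf64_Phdr
DYN_FMT = "<qQ"                # Elf64_Dyn


def parse_elf64(data: bytes):
    """Return (program headers, dynamic entries) of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": fields[0], "offset": fields[2], "filesz": fields[5]})
    dyn = []
    for ph in phdrs:
        if ph["type"] != PT_DYNAMIC:
            continue
        off, end = ph["offset"], ph["offset"] + ph["filesz"]
        while off + 16 <= end:
            tag, val = struct.unpack_from(DYN_FMT, data, off)
            if tag == DT_NULL:
                break
            dyn.append((tag, val))
            off += 16
    return phdrs, dyn


def relro_level(data: bytes) -> str:
    """Classify as 'none', 'partial' (-z relro) or 'full' (-z relro -z now)."""
    phdrs, dyn = parse_elf64(data)
    has_relro = any(ph["type"] == PT_GNU_RELRO for ph in phdrs)
    bind_now = any(
        tag == DT_BIND_NOW
        or (tag == DT_FLAGS and val & DF_BIND_NOW)
        or (tag == DT_FLAGS_1 and val & DF_1_NOW)
        for tag, val in dyn
    )
    if not has_relro:
        return "none"
    return "full" if bind_now else "partial"


def build_test_elf(relro: bool, bind_now: bool) -> bytes:
    """Constructed test data: a header-only ELF64 image (not loadable) with the requested flags."""
    entries = [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)] if bind_now else []
    entries.append((DT_NULL, 0))
    dyn_blob = b"".join(struct.pack(DYN_FMT, t, v) for t, v in entries)
    phnum = 2 if relro else 1
    phoff = 64
    dyn_off = phoff + phnum * 56
    phdrs = [struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn_blob), len(dyn_blob), 8)]
    if relro:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_RELRO, 4, dyn_off, 0, 0, len(dyn_blob), len(dyn_blob), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little-endian, version 1
    ehdr = ident + struct.pack(EHDR_FMT, 3, 62, 1, 0, phoff, 0, 0, 64, 56, phnum, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dyn_blob


if __name__ == "__main__":
    # Usage: python relro_check.py /path/to/binary  (no argument: run on the constructed images)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], relro_level(f.read()))
    else:
        for relro, now in ((False, False), (True, False), (True, True)):
            print(f"relro={relro} now={now}: {relro_level(build_test_elf(relro, now))}")
```

Why the dynamic-section bit matters for the read-only question: with lazy binding the PLT's GOT slots are written by ld.so at first call, so they have to stay writable after startup and sit outside the PT_GNU_RELRO range; with -z now every slot is filled during relocation, so GNU ld places them inside that range and ld.so's mprotect after relocation covers the whole GOT.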