Gentoo Archives: gentoo-hardened

From: Alessandro Di Federico <ale+gentoo@×××××××××.me>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Proposal: ld.gold --rosegment
Date: Wed, 27 Jan 2016 23:30:01
Message-Id: E1aOZg3-0005Dr-Fd@clearmind.me
Hi, as you might know, global read-only data (e.g. the .rodata section)
usually end up in the same segment as .text. This means that .rodata
contains potentially executable data, which is always useful for an
attacker looking for ROP gadgets.

However, the gold linker has a nice option (--rosegment) to split in
distinct segments .rodata and .text, so that read-only data is not
executable.

So: why don't we enable it in Gentoo hardened? I know for sure that
certain packages fail to link with ld.gold (see [1]).

A couple of questions:

* Can we blacklist some packages from being linked using gold? Maybe we
  can provide a package.env file in an overlay/profile listing all
  those that have to use bfd (CFLAGS="-fuse-ld=bfd").
* Does Gentoo have an infrastructure to rapidly test a new option on a
  large set of packages? If not, I might set up something. Scripts to
  orchestrate everything would be useful too.

--
Alessandro Di Federico

[1] https://bugs.gentoo.org/show_bug.cgi?id=269315
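
The following audit check is an added example, not part of the original message or of any Gentoo tooling: it parses ELF64 program and section headers and reports which allocated sections are mapped by an executable PT_LOAD segment, which is the property --rosegment changes for .rodata. The function names and the header-only sample images (addresses, sizes) are constructed for illustration.

```python
import struct

PT_LOAD, PF_X, SHF_ALLOC = 1, 1, 2  # constants from the ELF specification

def exec_mapped_sections(elf):
    """Map each allocated section name to True if an executable PT_LOAD covers it."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (_, _, _, _, _, phoff, shoff, _, _, phentsize, phnum, shentsize, shnum,
     shstrndx) = struct.unpack_from("<16sHHIQQQIHHHHHH", elf, 0)
    segs = []
    for i in range(phnum):
        p_type, p_flags, _, vaddr, _, _, memsz, _ = struct.unpack_from(
            "<IIQQQQQQ", elf, phoff + i * phentsize)
        if p_type == PT_LOAD:
            segs.append((vaddr, vaddr + memsz, bool(p_flags & PF_X)))
    secs = [struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize)
            for i in range(shnum)]
    strtab = secs[shstrndx][4]  # file offset of the section name table
    result = {}
    for name_off, _, flags, addr, _, size, *_ in secs:
        if not flags & SHF_ALLOC:
            continue  # not loaded into memory at run time
        start = strtab + name_off
        name = elf[start:elf.index(b"\0", start)].decode()
        result[name] = any(lo <= addr and addr + size <= hi and x
                           for lo, hi, x in segs)
    return result

def build_sample(rosegment):
    """Constructed image (headers only): .text at 0x1000, .rodata at 0x2000."""
    names = b"\0.text\0.rodata\0.shstrtab\0"
    # (p_flags, vaddr, size): one R+X segment, or R+X text plus R-only rodata
    loads = ([(5, 0x1000, 0x1000), (4, 0x2000, 0x1000)] if rosegment
             else [(5, 0x1000, 0x2000)])
    phoff = 64
    shoff = phoff + 56 * len(loads)
    stroff = shoff + 64 * 4
    hdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                      2, 62, 1, 0x1000, phoff, shoff, 0, 64, 56, len(loads), 64, 4, 3)
    ph = b"".join(struct.pack("<IIQQQQQQ", 1, fl, 0, va, va, sz, sz, 0x1000)
                  for fl, va, sz in loads)
    sh = [(0, 0, 0, 0, 0, 0), (1, 1, 6, 0x1000, 0, 0x100),
          (7, 1, 2, 0x2000, 0, 0x100), (15, 3, 0, 0, stroff, len(names))]
    shb = b"".join(struct.pack("<IIQQQQIIQQ", n, t, f, a, o, s, 0, 0, 1, 0)
                   for n, t, f, a, o, s in sh)
    return hdr + ph + shb + names

if __name__ == "__main__":
    for split in (False, True):
        print("rosegment" if split else "merged", exec_mapped_sections(build_sample(split)))
```

To audit a real binary, pass the file's bytes to exec_mapped_sections(); a True value for .rodata means its contents are mapped executable.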

Replies

Subject Author
Re: [gentoo-hardened] Proposal: ld.gold --rosegment PaX Team <pageexec@××××××××.hu>