Hi, as you might know, global read-only data (e.g. the .rodata section)
usually ends up in the same segment as .text. This means that .rodata
contains potentially executable data, which is always useful for an
attacker looking for ROP gadgets.

However, the gold linker has a nice option (--rosegment) to split
.rodata and .text into distinct segments, so that read-only data is not
executable.

So: why don't we enable it in Gentoo hardened? I know for sure that
certain packages fail to link with ld.gold (see [1]).

A couple of questions:

* Can we blacklist some packages from being linked using gold? Maybe we
  can provide a package.env file in an overlay/profile listing all
  those that have to use bfd (CFLAGS="-fuse-ld=bfd").
* Does Gentoo have an infrastructure to rapidly test a new option on a
  large set of packages? If not, I might set up something. Scripts to
  orchestrate everything would be useful too.

--
Alessandro Di Federico

[1] https://bugs.gentoo.org/show_bug.cgi?id=269315
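The check behind the mail's claim, as an added example that is not part of the post or of any Gentoo tooling: after linking a binary with `gcc ... -fuse-ld=gold -Wl,--rosegment`, the only way to know whether .rodata really left the executable segment is to look at the program headers and the section-to-segment mapping that `readelf -lW` prints. The script below parses that output and reports the flags of the PT_LOAD segment carrying each section of interest, so it can be run over a whole tree of linked binaries to find those that still have an executable .rodata. The two readelf transcripts embedded in it are constructed by hand to mimic the two layouts (merged R E segment versus a separate R segment); their addresses and the order of the segments are illustrative assumptions, not copied from a real build.

```python
"""Report which PT_LOAD segment carries .rodata, from `readelf -lW` output.

Added example, not from the original mail. Usage on a real file:
    python3 rosegment_check.py /path/to/binary
(exit status 1 when .rodata sits in an executable segment).
"""
import re
import subprocess
import sys

# One program-header line of `readelf -lW`, e.g.
#   LOAD  0x000000 0x0000000000400000 0x0000000000400000 0x0006fc 0x0006fc R E 0x200000
# The flags field is always three columns (R/W/E or blank), hence [RWE ]{3}.
PHDR_RE = re.compile(
    r"^\s+(?P<type>[A-Z_]+)\s+(?:0x[0-9a-fA-F]+\s+){5}(?P<flags>[RWE ]{3})\s+0x[0-9a-fA-F]+"
)
# One line of the "Section to Segment mapping" table, e.g. "   02     .text .rodata"
MAP_RE = re.compile(r"^\s+(?P<idx>\d{2,})\s*(?P<sections>.*)$")


def parse_readelf_segments(text):
    """Return [(type, flags, [sections]), ...] in program-header order."""
    headers = []   # (type, flags) per program header, in order
    mapping = {}   # segment index -> list of section names
    mode = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Program Headers:"):
            mode = "phdr"
            continue
        if stripped.startswith("Section to Segment mapping"):
            mode = "map"
            continue
        if mode == "phdr":
            m = PHDR_RE.match(line)
            if m:
                headers.append((m.group("type"), m.group("flags").replace(" ", "")))
        elif mode == "map":
            m = MAP_RE.match(line)
            if m:
                mapping[int(m.group("idx"))] = m.group("sections").split()
    return [(t, f, mapping.get(i, [])) for i, (t, f) in enumerate(headers)]


def load_segment_flags_for(text, section_name):
    """Flags ('R', 'RE', 'RW', ...) of the PT_LOAD mapping `section_name`, or None."""
    for seg_type, flags, sections in parse_readelf_segments(text):
        if seg_type == "LOAD" and section_name in sections:
            return flags
    return None


def rodata_is_executable(text):
    """True when .rodata shares a PT_LOAD segment that has the E (execute) flag."""
    flags = load_segment_flags_for(text, ".rodata")
    return flags is not None and "E" in flags


def check_binary(path):
    """Run readelf on `path` and return {section: PT_LOAD flags} for .text/.rodata."""
    out = subprocess.run(["readelf", "-lW", path], check=True,
                         capture_output=True, text=True).stdout
    return {name: load_segment_flags_for(out, name) for name in (".text", ".rodata")}


# Constructed sample: the usual layout, .rodata in the same R E segment as .text.
SAMPLE_MERGED = """\
Elf file type is EXEC (Executable file)
Entry point 0x400430
There are 6 program headers, starting at offset 64

Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  PHDR           0x000040 0x0000000000400040 0x0000000000400040 0x000150 0x000150 R E 0x8
  INTERP         0x000190 0x0000000000400190 0x0000000000400190 0x00001c 0x00001c R   0x1
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x0006fc 0x0006fc R E 0x200000
  LOAD           0x000e10 0x0000000000600e10 0x0000000000600e10 0x000228 0x000230 RW  0x200000
  DYNAMIC        0x000e28 0x0000000000600e28 0x0000000000600e28 0x0001d0 0x0001d0 RW  0x8
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .interp .dynsym .dynstr .rela.plt .init .plt .text .fini .rodata .eh_frame
   03     .init_array .fini_array .dynamic .got .got.plt .data .bss
   04     .dynamic
   05
"""

# Constructed sample: what a gold --rosegment link is assumed to look like,
# with read-only data in its own R segment and only code in the R E one.
SAMPLE_ROSEGMENT = """\
Elf file type is EXEC (Executable file)
Entry point 0x401200
There are 7 program headers, starting at offset 64

Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  PHDR           0x000040 0x0000000000400040 0x0000000000400040 0x000188 0x000188 R   0x8
  INTERP         0x0001c8 0x00000000004001c8 0x00000000004001c8 0x00001c 0x00001c R   0x1
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000a40 0x000a40 R   0x1000
  LOAD           0x001000 0x0000000000401000 0x0000000000401000 0x0003f0 0x0003f0 R E 0x1000
  LOAD           0x002e10 0x0000000000402e10 0x0000000000402e10 0x000228 0x000230 RW  0x1000
  DYNAMIC        0x002e28 0x0000000000402e28 0x0000000000402e28 0x0001d0 0x0001d0 RW  0x8
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .interp .dynsym .dynstr .rela.plt .rodata .eh_frame
   03     .init .plt .text .fini
   04     .init_array .fini_array .dynamic .got .got.plt .data .bss
   05     .dynamic
   06
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_binary(sys.argv[1])
        for name, flags in result.items():
            print(f"{name:8s} -> PT_LOAD flags {flags}")
        sys.exit(1 if result[".rodata"] and "E" in result[".rodata"] else 0)
    for label, sample in (("merged", SAMPLE_MERGED), ("--rosegment", SAMPLE_ROSEGMENT)):
        print(f"{label:12s} .rodata executable: {rodata_is_executable(sample)}")
```

Note that `-fuse-ld=bfd` / `-fuse-ld=gold` is a GCC driver option that matters at link time, so in a package.env it belongs in LDFLAGS as much as in CFLAGS; and a binary that passes this check still has its executable segment, so the script only tells you the .rodata bytes stopped being gadget material, not that gadgets are gone from .text.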