Is your feature request related to a problem? Please describe.
When analyzing binaries generated on Fedora 29, compiled with
-fcf-protection (Intel CET + MPX), it becomes much more confusing
looking at calls to imported functions.
Describe the solution you'd like
Calls to .plt.sec entries should be identified as the ones to the usual .plt.
0x00004e98 31c0 xor eax, eax
0x00004e9a e8a1e60000 call 0x13540
0x00004e9f 488d351e4a01. lea rsi, [0x000198c4]
0x00004ea6 bf06000000 mov edi, 6
0x00004eab e8b0fdffff call sym.imp.setlocale
0x00004eb0 488d35584b01. lea rsi, str.usr_share_locale ; 0x19a0f ; "/usr/share/locale"
0x00004eb7 488d3d374b01. lea rdi, [0x000199f5] ; "coreutils"
0x00004ebe e81dfaffff call sym.imp.bindtextdomain
Describe alternatives you've considered
None
Additional context
0x00004e98 31c0 xor eax, eax
0x00004e9a e8a1e60000 call 0x13540
0x00004e9f 488d351e4a01. lea rsi, [0x000198c4]
0x00004ea6 bf06000000 mov edi, 6
0x00004eab e8b0fdffff call 0x4c60
0x00004eb0 488d35584b01. lea rsi, str.usr_share_locale ; 0x19a0f ; "/usr/share/locale"
0x00004eb7 488d3d374b01. lea rdi, [0x000199f5] ; "coreutils"
0x00004ebe e81dfaffff call 0x48e0
This is a snippet of the
main
function of /bin/ls on Fedora 29. The calls at
0x00004eab
and
0x00004ebe
are, respectively, calls to
setlocale
and
bindtextdomain
.
Binaries compiled with Intel CET/MPX support generates two .plt sections (.plt and .plt.sec).
.plt.sec entries are like:
0x00004c60 f30f1efa endbr64
0x00004c64 f2ff252de201. bnd jmp qword reloc.setlocale ; [0x22e98:8]=0x4560 ; "`E"
0x00004c6b 0f1f440000 nop dword [rax + rax]
.plt entries are like:
0x00004040 f30f1efa endbr64
0x00004044 6801000000 push 1
0x00004049 f2e9d1ffffff bnd jmp 0x4020 ;[1]
The binary calls the entry in .plt.sec. When the binary starts (unless it uses BIND_NOW) reloc.XXXXX points to the related entry in .plt, which calls the dynamic linker that resolve the symbol and put the resolved address in reloc.XXXXX. Next times the .plt.sec entry is called, it goes directly to the imported function.
Note that it's enough to compile with MPX support to get .plt and .plt.sec
Reproducer
#include <stdio.h>
int main(int argc, char **argv) {
printf("Good morning %s!\n", argv[0]);
printf("Good night %s!\n", argv[0]);
return 0;
}
Compile with:
gcc -O2 -ggdb -z bndplt test.c -o test-nocet-bndplt
- MIPS: Drop .dynsym symbol ordering requirement and nullify DT_MIPS_XHASH
- Hexagon: 希望實作TLSDESC
- x86: Intel Control-flow Enhancement Technology (D59780)。對Intel堅持弄.plt.sec有點失望。 他們的說辭僅僅是早年弄MPX(已經被Linux移除,正在被Linux移除)也設計了這樣的方案,并且在沒有基準測試的情況下說這樣或許對cache locality更友好。 對ppc了解更深後發現.plt.sec倒是和ppc32/ppc64 .glink有相似之處。ppc引入.glink是缺乏ADDPCIS時的無奈之舉。x86這樣設計則算明顯缺陷,亦不利于未來增加新的PLT格式, 爲了避免未來再發生這種binutils行爲挾持LLVM/Clang/lld實作的例子,隻能多關注binutils的變化了。另外值得一提,AArch64 8.3a 8.5a也有相似的特性Pointer Authentication、Branch Target Identification。 Linker選項的語義AArch64比x86有優雅。我試圖在D59780挽救。