add support for .plt.sec in ELF binaries

Is your feature request related to a problem? Please describe.

When analyzing binaries generated on Fedora 29, compiled with

-fcf-protection (Intel CET + MPX), it becomes much more confusing

looking at calls to imported functions.

Describe the solution you'd like

Calls to .plt.sec entries should be identified as the ones to the usual .plt.

0x00004e98      31c0           xor eax, eax
            0x00004e9a      e8a1e60000     call 0x13540
            0x00004e9f      488d351e4a01.  lea rsi, [0x000198c4]
            0x00004ea6      bf06000000     mov edi, 6
            0x00004eab      e8b0fdffff     call sym.imp.setlocale
            0x00004eb0      488d35584b01.  lea rsi, str.usr_share_locale ; 0x19a0f ; "/usr/share/locale"
            0x00004eb7      488d3d374b01.  lea rdi, [0x000199f5]       ; "coreutils"
            0x00004ebe      e81dfaffff     call sym.imp.bindtextdomain      

Describe alternatives you've considered

None

Additional context

0x00004e98      31c0           xor eax, eax
            0x00004e9a      e8a1e60000     call 0x13540
            0x00004e9f      488d351e4a01.  lea rsi, [0x000198c4]
            0x00004ea6      bf06000000     mov edi, 6
            0x00004eab      e8b0fdffff     call 0x4c60
            0x00004eb0      488d35584b01.  lea rsi, str.usr_share_locale ; 0x19a0f ; "/usr/share/locale"
            0x00004eb7      488d3d374b01.  lea rdi, [0x000199f5]       ; "coreutils"
            0x00004ebe      e81dfaffff     call 0x48e0      

This is a snippet of the ​

​main​

​​ function of /bin/ls on Fedora 29. The calls at ​

​0x00004eab​

​​ and ​

​0x00004ebe​

​​ are, respectively, calls to ​

​setlocale​

​​ and ​

​bindtextdomain​

​.

Binaries compiled with Intel CET/MPX support generates two .plt sections (.plt and .plt.sec).

.plt.sec entries are like:

0x00004c60      f30f1efa       endbr64                                                                                                                                                                 
            0x00004c64      f2ff252de201.  bnd jmp qword reloc.setlocale    ; [0x22e98:8]=0x4560 ; "`E"                                                                                                            
            0x00004c6b      0f1f440000     nop dword [rax + rax]      

.plt entries are like:

0x00004040      f30f1efa       endbr64                                                                                                                                                                             
            0x00004044      6801000000     push 1                                                                                                                                                                              
            0x00004049      f2e9d1ffffff   bnd jmp 0x4020                          ;[1]      

The binary calls the entry in .plt.sec. When the binary starts (unless it uses BIND_NOW) reloc.XXXXX points to the related entry in .plt, which calls the dynamic linker that resolve the symbol and put the resolved address in reloc.XXXXX. Next times the .plt.sec entry is called, it goes directly to the imported function.

Note that it's enough to compile with MPX support to get .plt and .plt.sec

Reproducer

#include <stdio.h>

int main(int argc, char **argv) {
  printf("Good morning %s!\n", argv[0]);
  printf("Good night %s!\n", argv[0]);
  return 0;
}      

Compile with: ​

​gcc -O2 -ggdb -z bndplt test.c -o test-nocet-bndplt​

​

• MIPS: ​​Drop .dynsym symbol ordering requirement and nullify DT_MIPS_XHASH​​
• Hexagon: ​​希望實作TLSDESC​​
• x86: Intel Control-flow Enhancement Technology (​​D59780​​)。對Intel堅持弄.plt.sec有點失望。 他們的說辭僅僅是早年弄MPX(已經被Linux移除，正在被Linux移除)也設計了這樣的方案，并且在沒有基準測試的情況下說這樣或許對cache locality更友好。 對ppc了解更深後發現.plt.sec倒是和ppc32/ppc64 .glink有相似之處。ppc引入.glink是缺乏ADDPCIS時的無奈之舉。x86這樣設計則算明顯缺陷，亦不利于未來增加新的PLT格式， 爲了避免未來再發生這種binutils行爲挾持LLVM/Clang/lld實作的例子，隻能多關注binutils的變化了。另外值得一提，AArch64 8.3a 8.5a也有相似的特性Pointer Authentication、Branch Target Identification。 Linker選項的語義AArch64比x86有優雅。我試圖在D59780挽救。