lld doesn't protect the last RELRO page on Asahi Linux

[rui314]

I installed Asahi Linux on my M1 Mac Mini. Note that Asahi Linux is a 16 KiB page system.

#include <stdio.h>

extern char _GLOBAL_OFFSET_TABLE_;

int main() {
  printf("Hello world\n");
  _GLOBAL_OFFSET_TABLE_ = 3;
}

If I run the above program, it should crash because it writes to .got and .got should be protected by GNU_RELRO. However, it doesn't actually crash.

$ clang -fuse-ld=/home/ruiu/llvm-project/build/bin/ld.lld -o hello hello.c
$ ./hello
Hello world

I believe it is because RELRO does not end at a page boundary and therefore the last page in the RELRO isn't protected. As you can see, the RELRO in the executable ends at 0x21000, not at 0x30000.

$ readelf --segments hello

Elf file type is DYN (Position-Independent Executable file)
Entry point 0x10780
There are 11 program headers, starting at offset 64

Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  PHDR           0x000040 0x0000000000000040 0x0000000000000040 0x000268 0x000268 R   0x8
  INTERP         0x0002a8 0x00000000000002a8 0x00000000000002a8 0x00001b 0x00001b R   0x1
      [Requesting program interpreter: /lib/ld-linux-aarch64.so.1]
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000750 0x000750 R   0x10000
  LOAD           0x000780 0x0000000000010780 0x0000000000010780 0x0001d0 0x0001d0 R E 0x10000
  LOAD           0x000950 0x0000000000020950 0x0000000000020950 0x0001f0 0x0001f0 RW  0x10000
  LOAD           0x000b40 0x0000000000030b40 0x0000000000030b40 0x000048 0x000049 RW  0x10000
  DYNAMIC        0x000960 0x0000000000020960 0x0000000000020960 0x0001b0 0x0001b0 RW  0x8
  GNU_RELRO      0x000950 0x0000000000020950 0x0000000000020950 0x0001f0 0x0006b0 R   0x1
  GNU_EH_FRAME   0x000644 0x0000000000000644 0x0000000000000644 0x00003c 0x00003c R   0x4
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0
  NOTE           0x0002c4 0x00000000000002c4 0x00000000000002c4 0x000038 0x000038 R   0x4

[llvmbot]

@llvm/issue-subscribers-lld-elf

[MaskRay]

(Nit: -fuse-ld=/abs/path is deprecated. Use --ld-path= instead)

This was intentional in GNU ld as common-page-size controlled the alignment padding of the PT_GNU_RELRO segment.
When running a system with a larger page size, the last page may not be protected.
https://sourceware.org/binutils/docs/ld/Builtin-Functions.html

Note however that ‘-z relro’ protection will not be effective if the system page size is larger than commonpagesize.

https://sourceware.org/bugzilla/show_bug.cgi?id=28824 GNU ld 2.39 has switch to max-page-size.
(I requested a doc update in January 2023, but the doc seems unchanged.)

In May 2022, I actually tried switching to max-page-size (https://reviews.llvm.org/D125410) but realized that it did not work as I did not align the associated PT_LOAD.

I know mold's .relro_padding (https://maskray.me/blog/2020-11-15-explain-gnu-linker-options#z-relro):

The layout used by mold is similar to that of lld.
In mold's case, the end of PT_GNU_RELRO is padded to max-page-size by appending a SHT_NOBITS .relro_padding section.
This approach ensures that the last page of PT_GNU_RELRO is protected, regardless of the system page size.
However, when the system page size is less than max-page-size, the map from the first RW PT_LOAD is larger than needed.

Personally I feel nervous introducing a new section and having some special code for it.

In my opinion, losing protection for the last page when the system page size is larger than common-page-size is not at all an issue.
Protecting .got.plt is the main purpose of -z now. Protecting a small portion of .data.rel.ro doesn't really make the program more secure, given that .data and .bss are so huge and full of attach targets.
If users are really anxious, they can set common-page-size to match their system page size.

I am unsure whether lld's hidden assumption about common-page-size <= system page-size is an issue.

[rui314]

But it's not guaranteed that .data.rel.ro is large enough to cover the last page? At least in my example, .got is in the last page which may contain function pointers, especially for ifunc functions.