Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sess: stabilize -Zrelro-level as -Crelro-level #121694

Merged
merged 1 commit into from
Apr 16, 2024
Merged

sess: stabilize -Zrelro-level as -Crelro-level #121694

merged 1 commit into from
Apr 16, 2024

Conversation

davidtwco
Copy link
Member

Stabilise -Zrelro-level as -Crelro-level. There's no tracking issue for this flag to close.

@davidtwco
Copy link
Member Author

Stabilization report

RELRO (Relocation Read-Only) is a binary hardening technique, it makes the Global Offset Table (GOT) read-only (preventing some avenues of exploitation).

Roughly speaking, calls to functions from dynamic libraries are implemented using the Global Offset Table (GOT) and Procedure Linking Table (PLT) in an ELF file. A call to foo from a foreign library is codegen'd to a call into a stub in the PLT, foo@plt, which looks up the GOT for the real address of foo. If this is the first time that foo has been called, then that won't be known, and the fallback stub's address will be in the GOT and that will be jumped to instead. The fallback handler calls into ld.so to resolve the function and then writes its address into the GOT. Subsequent calls to foo@plt will just jump straight to foo.

This scheme necessitates that the GOT is writable, which opens up the possibility for exploitation. Full RELRO resolves all the function addresses when the program is initially loaded and populates the GOT eagerly - this uses more memory and increases process startup time - but it allows the GOT to be made read-only (both .got and .got.plt). Partial RELRO only makes the non-PLT part of the GOT read-only (.got), but .got.plt is still writable. Both partial and full RELRO re-order sections to protect them from being written by buffer overflows.

rustc allows configuration of RELRO levels with -Zrelro-level={off,partial,full} and if this isn't set, then each target can set a default RELRO level. We enable full RELRO on many of our targets by default (e.g. Linux, BSD, etc).

This feature has been implemented since 2017 and has been enabled by default for most platforms on which it is enabled since that initial implementation.

If we don't enable RELRO by default on a target, then users have no way of requesting it on stable toolchains. If RELRO is undesirable, then users have no way of disabling it on stable toolchains.

As per other platform-specific codegen flags, this option is ignored on those targets (e.g. like -Ccontrol-flow-guard on non-Windows targets).

Tests

History

Unresolved questions

  • None!

@rustbot
Copy link
Collaborator

rustbot commented Feb 27, 2024

r? @JohnTitor

rustbot has assigned @JohnTitor.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. labels Feb 27, 2024
@rust-log-analyzer

This comment has been minimized.

Sign in to view
@Mark-Simulacrum
Copy link
Member

Some questions:

  • Is this only relevant for the link step? i.e., would users wanting to disable it need -Zbuild-std?
  • Do we have any targets which support this but don't enable it at full by default at tier 2 ?

@davidtwco
Copy link
Member Author

  • Is this only relevant for the link step? i.e., would users wanting to disable it need -Zbuild-std?

This does just pass flags to the linker. It would be useful with -Zbuild-std but also with no_std.

As far as I can tell, RELRO can be applied to shared objects as well as binaries, so you could have std with RELRO and the rest of your application without, or you could build a shared library to link with a C/C project and have that library use RELRO or not. I'm not completely certain about this, as the documentation about the linker flag is a little sparse, but I can observe that shared objects from libraries have RELRO in their program headers, so I assume it makes sense for libraries to have it.

  • Do we have any targets which support this but don't enable it at full by default at tier 2 ?

From a cursory review of tier 2 targets, it seems like we don't enable Full RELRO by default on Windows, Solaris/Illumos, Apple, Fuchsia, WebAssembly, and *-unknown-none targets. Some of these obviously don't support RELRO, like Windows or WebAssembly, as they don't use ELF. I'm not familiar enough with the others to say, and couldn't work it out with some brief research.

@JohnTitor
Copy link
Member

I don't think I'm a good reviewer here, r? @Mark-Simulacrum

@rustbot rustbot assigned Mark-Simulacrum and unassigned JohnTitor Feb 28, 2024
@Mark-Simulacrum
Copy link
Member

Makes sense.

Some of these obviously don't support RELRO, like Windows or WebAssembly, as they don't use ELF

I'd imagine Windows has some equivalent, but I guess we don't have to expose it all under the same flag, especially if the defaults are mostly on the "secure" side of things rather than not.

@davidtwco do you want to kick off FCP? I don't think I can do that myself.

@Mark-Simulacrum Mark-Simulacrum added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Mar 9, 2024
@davidtwco
Copy link
Member Author

@rfcbot fcp merge

@rfcbot
Copy link

rfcbot commented Mar 11, 2024
edited by jackh726
Loading

Team member @davidtwco has proposed to merge this. The next step is review by the rest of the tagged team members:

No concerns currently listed.

Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for info about what commands tagged team members can give me.

@rfcbot rfcbot added proposed-final-comment-period Proposed to merge/close by relevant subteam, see T-<team> label. Will enter FCP once signed off. disposition-merge This issue / PR is in PFCP or FCP with a disposition to merge it. labels Mar 11, 2024
@rfcbot rfcbot added final-comment-period In the final comment period and will be merged soon unless new substantive objections are raised. and removed proposed-final-comment-period Proposed to merge/close by relevant subteam, see T-<team> label. Will enter FCP once signed off. labels Apr 4, 2024
@rfcbot
Copy link

rfcbot commented Apr 4, 2024

🔔 This is now entering its final comment period, as per the review above. 🔔

@rfcbot rfcbot added finished-final-comment-period The final comment period is finished for this PR / Issue. and removed final-comment-period In the final comment period and will be merged soon unless new substantive objections are raised. labels Apr 14, 2024
@rfcbot
Copy link

rfcbot commented Apr 14, 2024

The final comment period, with a disposition to merge, as per the review above, is now complete.

As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed.

This will be merged soon.

@rfcbot rfcbot added the to-announce Announce this issue on triage meeting label Apr 14, 2024
@davidtwco
Copy link
Member Author

@Mark-Simulacrum this is ready to be reviewed and approved now that the FCP has finished

@Mark-Simulacrum
Copy link
Member

@bors r rollup

@bors
Copy link
Contributor

bors commented Apr 16, 2024

📌 Commit 420c58f has been approved by Mark-Simulacrum

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. labels Apr 16, 2024
@GuillaumeGomez GuillaumeGomez mentioned this pull request Apr 16, 2024
Merged
bors added a commit to rust-lang-ci/rust that referenced this pull request Apr 16, 2024
@bors
Auto merge of rust-lang#124015 - GuillaumeGomez:rollup-s46ksxa, r=Gui…
1dea922 
…llaumeGomez

Rollup of 14 pull requests

Successful merges:

 - rust-lang#120781 (Correct usage note on OpenOptions::append())
 - rust-lang#121694 (sess: stabilize `-Zrelro-level` as `-Crelro-level`)
 - rust-lang#122521 (doc(bootstrap): add top-level doc-comment to utils/tarball.rs)
 - rust-lang#123491 (Fix ICE in `eval_body_using_ecx`)
 - rust-lang#123574 (rustdoc: rename `issue-\d .rs` tests to have meaningful names (part 6))
 - rust-lang#123687 (Update ar_archive_writer to 0.2.0)
 - rust-lang#123721 (Various visionOS fixes)
 - rust-lang#123797 (Better graphviz output for SCCs and NLL constraints)
 - rust-lang#123990 (Make `suggest_deref_closure_return` more idiomatic/easier to understand)
 - rust-lang#123995 (Make `thir_tree` and `thir_flat` into hooks)
 - rust-lang#123998 (Opaque types have no namespace)
 - rust-lang#124001 (Fix docs for unstable_features lint.)
 - rust-lang#124006 (Move size assertions for `mir::syntax` types into the same file)
 - rust-lang#124011 (rustdoc: update the module-level docs of `rustdoc::clean`)

r? `@ghost`
`@rustbot` modify labels: rollup
@bors bors merged commit 26b6a23 into rust-lang:master Apr 16, 2024
11 checks passed
@rustbot rustbot added this to the 1.79.0 milestone Apr 16, 2024
rust-timer added a commit to rust-lang-ci/rust that referenced this pull request Apr 16, 2024
@rust-timer
Unrolled build for rust-lang#121694
0aa0644 
Rollup merge of rust-lang#121694 - davidtwco:stabilize-relro-level, r=Mark-Simulacrum

sess: stabilize `-Zrelro-level` as `-Crelro-level`

Stabilise `-Zrelro-level` as `-Crelro-level`. There's no tracking issue for this flag to close.
@davidtwco davidtwco deleted the stabilize-relro-level branch April 23, 2024 09:52
@apiraino apiraino removed the to-announce Announce this issue on triage meeting label Apr 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@petrochenkov petrochenkov petrochenkov left review comments

@wesleywiser wesleywiser wesleywiser approved these changes

Assignees

@Mark-Simulacrum Mark-Simulacrum

Labels
disposition-merge This issue / PR is in PFCP or FCP with a disposition to merge it. finished-final-comment-period The final comment period is finished for this PR / Issue. S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
1.79.0
Development

Successfully merging this pull request may close these issues.

None yet
10 participants
@davidtwco @rustbot @rust-log-analyzer @Mark-Simulacrum @JohnTitor @rfcbot @bors @wesleywiser @petrochenkov @apiraino