Read-only data in ELF libraries may be remapped writable at runtime (upcoming NDSS'17 paper)

Florian Weimer fweimer@redhat.com
Fri Dec 23 19:02:00 GMT 2016
On 12/23/2016 07:32 PM, Mathias Payer wrote:
>
>
> On December 23, 2016 7:18:29 PM GMT+01:00, Florian Weimer <fweimer@redhat.com> wrote:
>> On 12/23/2016 07:04 PM, Mathias Payer wrote:
>>
>>> At the linker level you likely don't know if the referenced symbol is
>>> RO or not (as it could come from any object) -- only the runtime loader
>>> has this knowledge and at that time it is too late as PIE uses relative
>>> addressing inside the object.
>>
>> The static linker necessarily sees a definition, otherwise it cannot
>> produce a copy relocation because copy relocations must refer to
>> objects of known size.
>
> Agreed. The static linker knows about the symbol and size but not the permission. That information is discarded after compilation.

That's not quite true.  At least in the vtable case, the vtable is 
emitted in the .data.rel.ro section, and this information is definitely 
available to the static linker.

For your class A, the compiler emits the following vtable:

         .weak   _ZTV1A
         .section        .data.rel.ro._ZTV1A,"awG",@progbits,_ZTV1A,comdat
         .align 8
         .type   _ZTV1A, @object
         .size   _ZTV1A, 24
_ZTV1A:
         .quad   0
         .quad   _ZTI1A
         .quad   _ZN1A2a1Ev

And the static linker, when producing a DSO, puts that into the 
.data.rel.ro section.  (Otherwise, using -fPIC wouldn't serve as a 
workaround.)

Thanks,
Florian
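Added example, not part of Florian's mail or of binutils: a small pure-stdlib audit that lists the R_X86_64_COPY entries of an executable, i.e. the DSO-owned objects (such as the _ZTV1A vtable above) that a non-PIC executable duplicates into its own writable .bss, which is the situation the -fPIC workaround avoids. It assumes the x86-64 ELF64 little-endian layout, and the sample .dynsym/.dynstr/.rela.dyn tables at the bottom are constructed by hand, not taken from a real binary.

```python
import struct

R_X86_64_COPY = 5  # relocation type: copy the DSO's object into the executable's .bss

def parse_rela(rela):
    # Elf64_Rela: r_offset (Q), r_info (Q), r_addend (q); 24 bytes per entry
    for r_offset, r_info, _addend in struct.iter_unpack("<QQq", rela):
        yield r_offset, r_info >> 32, r_info & 0xFFFFFFFF  # (offset, symbol index, type)

def parse_dynsym(dynsym):
    # Elf64_Sym: st_name (I), st_info (B), st_other (B), st_shndx (H), st_value (Q), st_size (Q)
    return list(struct.iter_unpack("<IBBHQQ", dynsym))

def sym_name(strtab, off):
    return strtab[off:strtab.index(b"\0", off)].decode()

def copy_relocations(rela, dynsym, dynstr):
    """Return (symbol, address, size) for every R_X86_64_COPY in the dynamic relocations.
    Each such object now lives in the executable's writable .bss, so whatever read-only
    protection (.data.rel.ro / RELRO) the defining DSO gave it no longer applies."""
    syms = parse_dynsym(dynsym)
    found = []
    for r_offset, sym_idx, r_type in parse_rela(rela):
        if r_type == R_X86_64_COPY:
            st_name, _, _, _, _, st_size = syms[sym_idx]
            found.append((sym_name(dynstr, st_name), r_offset, st_size))
    return found

def copy_relocations_in_file(path):
    """Locate .rela.dyn, .dynsym and .dynstr via the section headers of an ELF64 LE file."""
    with open(path, "rb") as f:
        data = f.read()
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]  # fields 4 and 5 are sh_offset and sh_size
    shstr = data[shdrs[e_shstrndx][4]:shdrs[e_shstrndx][4] + shdrs[e_shstrndx][5]]
    sect = {sym_name(shstr, sh[0]): data[sh[4]:sh[4] + sh[5]] for sh in shdrs}
    return copy_relocations(sect.get(".rela.dyn", b""), sect.get(".dynsym", b""),
                            sect.get(".dynstr", b"\0"))

# Constructed sample tables mirroring the mail's class A: the null symbol, _ZTV1A (24 bytes,
# as in the listing) with a COPY relocation, and _ZTI1A with a GLOB_DAT (type 6) that must
# not be reported.
DYNSTR = b"\0_ZTV1A\0_ZTI1A\0"
DYNSYM = (struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0)
          + struct.pack("<IBBHQQ", 1, 0x11, 0, 0, 0x404040, 24)
          + struct.pack("<IBBHQQ", 8, 0x11, 0, 0, 0, 16))
RELA = (struct.pack("<QQq", 0x404040, (1 << 32) | R_X86_64_COPY, 0)
        + struct.pack("<QQq", 0x403FF8, (2 << 32) | 6, 0))

if __name__ == "__main__":
    for name, addr, size in copy_relocations(RELA, DYNSYM, DYNSTR):
        print(f"{name}: {size} bytes copied into writable memory at {addr:#x}")
```

Running copy_relocations_in_file on a real non-PIE executable that links a C++ DSO shows which of the DSO's vtables ended up writable in the main program.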
