mirror of
https://github.com/golang/go
synced 2024-11-26 12:58:06 -07:00
cmd/link,debug/elf: mark Go binaries with no branch target CFI on openbsd
OpenBSD enables Indirect Branch Tracking (IBT) on amd64 and Branch Target Identification (BTI) on arm64, where hardware permits. Since Go generated binaries do not currently support IBT or BTI, temporarily mark them with PT_OPENBSD_NOBTCFI which prevents branch target CFI from being enforced on execution. This should be removed as soon asn IBT and BTI support are available. Fixes #66040 Updates #66054 Change-Id: I91ac05736e6942c54502bef4b8815eb8740d2d5e Reviewed-on: https://go-review.googlesource.com/c/go/+/568435 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Josh Rickmar <jrick@zettaport.com> Reviewed-by: Keith Randall <khr@golang.org> Run-TryBot: Joel Sing <joel@sing.id.au> Reviewed-by: Keith Randall <khr@google.com> Reviewed-by: Than McIntosh <thanm@google.com>
This commit is contained in:
parent
47d4295f92
commit
1e433915ce
2
api/next/66054.txt
Normal file
2
api/next/66054.txt
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
pkg debug/elf, const PT_OPENBSD_NOBTCFI = 1705237480 #66054
|
||||||
|
pkg debug/elf, const PT_OPENBSD_NOBTCFI ProgType #66054
|
3
doc/next/6-stdlib/99-minor/debug/elf/66054.md
Normal file
3
doc/next/6-stdlib/99-minor/debug/elf/66054.md
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
The debug/elf package now defines PT_OPENBSD_NOBTCFI. This elf.ProgType is
|
||||||
|
used to disable Branch Tracking Control Flow Integrity (BTCFI) enforcement
|
||||||
|
on OpenBSD binaries.
|
@ -2185,6 +2185,10 @@ func asmbElf(ctxt *Link) {
|
|||||||
ph.Type = elf.PT_GNU_STACK
|
ph.Type = elf.PT_GNU_STACK
|
||||||
ph.Flags = elf.PF_W + elf.PF_R
|
ph.Flags = elf.PF_W + elf.PF_R
|
||||||
ph.Align = uint64(ctxt.Arch.RegSize)
|
ph.Align = uint64(ctxt.Arch.RegSize)
|
||||||
|
} else if ctxt.HeadType == objabi.Hopenbsd {
|
||||||
|
ph := newElfPhdr()
|
||||||
|
ph.Type = elf.PT_OPENBSD_NOBTCFI
|
||||||
|
ph.Flags = elf.PF_X
|
||||||
} else if ctxt.HeadType == objabi.Hsolaris {
|
} else if ctxt.HeadType == objabi.Hsolaris {
|
||||||
ph := newElfPhdr()
|
ph := newElfPhdr()
|
||||||
ph.Type = elf.PT_SUNWSTACK
|
ph.Type = elf.PT_SUNWSTACK
|
||||||
|
@ -1437,6 +1437,11 @@ func (ctxt *Link) hostlink() {
|
|||||||
}
|
}
|
||||||
case objabi.Hopenbsd:
|
case objabi.Hopenbsd:
|
||||||
argv = append(argv, "-Wl,-nopie")
|
argv = append(argv, "-Wl,-nopie")
|
||||||
|
if linkerFlagSupported(ctxt.Arch, argv[0], "", "-Wl,-z,nobtcfi") {
|
||||||
|
// -Wl,-z,nobtcfi is only supported on OpenBSD 7.4+, remove guard
|
||||||
|
// when OpenBSD 7.5 is released and 7.3 is no longer supported.
|
||||||
|
argv = append(argv, "-Wl,-z,nobtcfi")
|
||||||
|
}
|
||||||
argv = append(argv, "-pthread")
|
argv = append(argv, "-pthread")
|
||||||
if ctxt.Arch.InFamily(sys.ARM64) {
|
if ctxt.Arch.InFamily(sys.ARM64) {
|
||||||
// Disable execute-only on openbsd/arm64 - the Go arm64 assembler
|
// Disable execute-only on openbsd/arm64 - the Go arm64 assembler
|
||||||
|
@ -773,6 +773,7 @@ const (
|
|||||||
|
|
||||||
PT_OPENBSD_RANDOMIZE ProgType = 0x65a3dbe6 /* Random data */
|
PT_OPENBSD_RANDOMIZE ProgType = 0x65a3dbe6 /* Random data */
|
||||||
PT_OPENBSD_WXNEEDED ProgType = 0x65a3dbe7 /* W^X violations */
|
PT_OPENBSD_WXNEEDED ProgType = 0x65a3dbe7 /* W^X violations */
|
||||||
|
PT_OPENBSD_NOBTCFI ProgType = 0x65a3dbe8 /* No branch target CFI */
|
||||||
PT_OPENBSD_BOOTDATA ProgType = 0x65a41be6 /* Boot arguments */
|
PT_OPENBSD_BOOTDATA ProgType = 0x65a41be6 /* Boot arguments */
|
||||||
|
|
||||||
PT_SUNW_EH_FRAME ProgType = 0x6474e550 /* Frame unwind information */
|
PT_SUNW_EH_FRAME ProgType = 0x6474e550 /* Frame unwind information */
|
||||||
|
Loading…
Reference in New Issue
Block a user