mirror of
https://sourceware.org/git/glibc.git
synced 2024-11-27 03:33:33 +08:00
manual: Do not mention STATIC_TLS in dynamic linker hardening recommendations
The current toolchain does not consistently generate it, and glibc does not use it. Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
This commit is contained in:
parent
765325951a
commit
90842d3980
@ -993,21 +993,21 @@ The dynamic segment should also mention @code{BIND_NOW} on the
|
|||||||
enough).
|
enough).
|
||||||
|
|
||||||
@item
|
@item
|
||||||
For shared objects (not main programs), if the program header has a
|
Ensure that only static TLS relocations (thread-pointer relative offset
|
||||||
@code{PT_TLS} segment, the dynamic segment (as shown by @samp{readelf
|
locations) are used, for example @code{R_AARCH64_TLS_TPREL} and
|
||||||
-dW}) should contain the @code{STATIC_TLS} flag on the @code{FLAGS}
|
@code{X86_64_TPOFF64}. As the second-best option, and only if
|
||||||
line.
|
compatibility with non-hardened applications using @code{dlopen} is
|
||||||
|
needed, GNU2 TLS descriptor relocations can be used (for example,
|
||||||
If @code{STATIC_TLS} is missing in shared objects, ensure that the
|
|
||||||
appropriate relocations for GNU2 TLS descriptors are used (for example,
|
|
||||||
@code{R_AARCH64_TLSDESC} or @code{R_X86_64_TLSDESC}).
|
@code{R_AARCH64_TLSDESC} or @code{R_X86_64_TLSDESC}).
|
||||||
|
|
||||||
@item
|
@item
|
||||||
There should not be a reference to the symbols @code{__tls_get_addr},
|
There should not be references to the traditional TLS function symbols
|
||||||
@code{__tls_get_offset}, @code{__tls_get_addr_opt} in the dynamic symbol
|
@code{__tls_get_addr}, @code{__tls_get_offset},
|
||||||
table (in the @samp{readelf -sDW} output). Thread-local storage must be
|
@code{__tls_get_addr_opt} in the dynamic symbol table (in the
|
||||||
accessed using the initial-exec (static) model, or using GNU2 TLS
|
@samp{readelf -sDW} output). Supporting global dynamic TLS relocations
|
||||||
descriptors.
|
(such as @code{R_AARCH64_TLS_DTPMOD}, @code{R_AARCH64_TLS_DTPREL},
|
||||||
|
@code{R_X86_64_DTPMOD64}, @code{R_X86_64_DTPOFF64}) should not be used,
|
||||||
|
either.
|
||||||
|
|
||||||
@item
|
@item
|
||||||
Likewise, the functions @code{dlopen}, @code{dlmopen}, @code{dlclose}
|
Likewise, the functions @code{dlopen}, @code{dlmopen}, @code{dlclose}
|
||||||
|
Loading…
Reference in New Issue
Block a user