Description: Add disable opposites to the security-related flags
Author: Stephen Kitt <skitt@debian.org>
This patch adds "no-"/"disable-" variants that switch off the various security flags:
"no-dynamicbase", "no-nxcompat", "no-high-entropy-va", "disable-reloc-section".
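--- a/ld/emultempl/pe.em
+++ b/ld/emultempl/pe.em
@@ -259,9 +261,11 @@
 (OPTION_ENABLE_LONG_SECTION_NAMES + 1)
 /* DLLCharacteristics flags. */
 #define OPTION_DYNAMIC_BASE (OPTION_DISABLE_LONG_SECTION_NAMES + 1)
-#define OPTION_FORCE_INTEGRITY (OPTION_DYNAMIC_BASE + 1)
+#define OPTION_NO_DYNAMIC_BASE (OPTION_DYNAMIC_BASE + 1)
+#define OPTION_FORCE_INTEGRITY (OPTION_NO_DYNAMIC_BASE + 1)
 #define OPTION_NX_COMPAT (OPTION_FORCE_INTEGRITY + 1)
-#define OPTION_NO_ISOLATION (OPTION_NX_COMPAT + 1)
+#define OPTION_NO_NX_COMPAT (OPTION_NX_COMPAT + 1)
+#define OPTION_NO_ISOLATION (OPTION_NO_NX_COMPAT + 1)
 #define OPTION_NO_SEH (OPTION_NO_ISOLATION + 1)
 #define OPTION_NO_BIND (OPTION_NO_SEH + 1)
 #define OPTION_WDM_DRIVER (OPTION_NO_BIND + 1)
@@ -271,6 +275,7 @@
 #define OPTION_NO_INSERT_TIMESTAMP (OPTION_INSERT_TIMESTAMP + 1)
 #define OPTION_BUILD_ID (OPTION_NO_INSERT_TIMESTAMP + 1)
 #define OPTION_ENABLE_RELOC_SECTION (OPTION_BUILD_ID + 1)
+#define OPTION_DISABLE_RELOC_SECTION (OPTION_ENABLE_RELOC_SECTION + 1)
 
 static void
 gld${EMULATION_NAME}_add_options
@@ -342,8 +347,10 @@
 {"enable-long-section-names", no_argument, NULL, OPTION_ENABLE_LONG_SECTION_NAMES},
 {"disable-long-section-names", no_argument, NULL, OPTION_DISABLE_LONG_SECTION_NAMES},
 {"dynamicbase",no_argument, NULL, OPTION_DYNAMIC_BASE},
+ {"no-dynamicbase", no_argument, NULL, OPTION_NO_DYNAMIC_BASE},
 {"forceinteg", no_argument, NULL, OPTION_FORCE_INTEGRITY},
 {"nxcompat", no_argument, NULL, OPTION_NX_COMPAT},
+ {"no-nxcompat", no_argument, NULL, OPTION_NO_NX_COMPAT},
 {"no-isolation", no_argument, NULL, OPTION_NO_ISOLATION},
 {"no-seh", no_argument, NULL, OPTION_NO_SEH},
 {"no-bind", no_argument, NULL, OPTION_NO_BIND},
@@ -351,6 +358,7 @@
 {"tsaware", no_argument, NULL, OPTION_TERMINAL_SERVER_AWARE},
 {"build-id", optional_argument, NULL, OPTION_BUILD_ID},
 {"enable-reloc-section", no_argument, NULL, OPTION_ENABLE_RELOC_SECTION},
+ {"disable-reloc-section", no_argument, NULL, OPTION_DISABLE_RELOC_SECTION},
 {NULL, no_argument, NULL, 0}
 };
 
@@ -485,9 +494,12 @@
 in object files\n"));
 fprintf (file, _(" --dynamicbase Image base address may be relocated using\n\
 address space layout randomization (ASLR)\n"));
+ fprintf (file, _(" --no-dynamicbase Image base address may not be relocated\n"));
 fprintf (file, _(" --enable-reloc-section Create the base relocation table\n"));
+ fprintf (file, _(" --disable-reloc-section Disable the base relocation table\n"));
 fprintf (file, _(" --forceinteg Code integrity checks are enforced\n"));
 fprintf (file, _(" --nxcompat Image is compatible with data execution prevention\n"));
+ fprintf (file, _(" --no-nxcompat Image is not compatible with data execution prevention\n"));
 fprintf (file, _(" --no-isolation Image understands isolation but do not isolate the image\n"));
 fprintf (file, _(" --no-seh Image does not use SEH. No SE handler may\n\
 be called in this image\n"));
@@ -862,12 +874,21 @@
 case OPTION_ENABLE_RELOC_SECTION:
 pe_dll_enable_reloc_section = 1;
 break;
+ case OPTION_DISABLE_RELOC_SECTION:
+ pe_dll_enable_reloc_section = 0;
+ /* fall through */
+ case OPTION_NO_DYNAMIC_BASE:
+ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE;
+ break;
 case OPTION_FORCE_INTEGRITY:
 pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY;
 break;
 case OPTION_NX_COMPAT:
 pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
 break;
+ case OPTION_NO_NX_COMPAT:
+ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
+ break;
 case OPTION_NO_ISOLATION:
 pe_dll_characteristics |= IMAGE_DLLCHARACTERISTICS_NO_ISOLATION;
 break;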
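Review bot: In the @@ -862 hunk the `/* fall through */` from `case OPTION_DISABLE_RELOC_SECTION` into `case OPTION_NO_DYNAMIC_BASE` means `--disable-reloc-section` also clears IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE, which neither the comment nor the new help line `--disable-reloc-section Disable the base relocation table` tells the user. The intent is presumably that an image with no relocation table cannot be rebased and so must not advertise ASLR support; say so instead of the bare marker, e.g. `/* fall through: without a .reloc section the image cannot be rebased, so DYNAMIC_BASE must be cleared as well.  */`, and extend the help text to `Disable the base relocation table (implies --no-dynamicbase)`. The flags are last-one-wins, so `--disable-reloc-section --dynamicbase` leaves DYNAMIC_BASE set while the relocation table is disabled; if that combination is never meaningful it would be worth a warning once option parsing is complete. The enclosing switch and function extend beyond the hunk, and the same structure appears in the pep.em section.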
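--- a/ld/emultempl/pep.em
+++ b/ld/emultempl/pep.em
@@ -237,9 +240,12 @@
 OPTION_ENABLE_LONG_SECTION_NAMES,
 OPTION_DISABLE_LONG_SECTION_NAMES,
 OPTION_HIGH_ENTROPY_VA,
+ OPTION_NO_HIGH_ENTROPY_VA,
 OPTION_DYNAMIC_BASE,
+ OPTION_NO_DYNAMIC_BASE,
 OPTION_FORCE_INTEGRITY,
 OPTION_NX_COMPAT,
+ OPTION_NO_NX_COMPAT,
 OPTION_NO_ISOLATION,
 OPTION_NO_SEH,
 OPTION_NO_BIND,
@@ -248,7 +254,8 @@
 OPTION_NO_INSERT_TIMESTAMP,
 OPTION_TERMINAL_SERVER_AWARE,
 OPTION_BUILD_ID,
- OPTION_ENABLE_RELOC_SECTION
+ OPTION_ENABLE_RELOC_SECTION,
+ OPTION_DISABLE_RELOC_SECTION
 };
 
 static void
@@ -315,9 +322,12 @@
 {"enable-long-section-names", no_argument, NULL, OPTION_ENABLE_LONG_SECTION_NAMES},
 {"disable-long-section-names", no_argument, NULL, OPTION_DISABLE_LONG_SECTION_NAMES},
 {"high-entropy-va", no_argument, NULL, OPTION_HIGH_ENTROPY_VA},
+ {"no-high-entropy-va", no_argument, NULL, OPTION_NO_HIGH_ENTROPY_VA},
 {"dynamicbase",no_argument, NULL, OPTION_DYNAMIC_BASE},
+ {"no-dynamicbase", no_argument, NULL, OPTION_NO_DYNAMIC_BASE},
 {"forceinteg", no_argument, NULL, OPTION_FORCE_INTEGRITY},
 {"nxcompat", no_argument, NULL, OPTION_NX_COMPAT},
+ {"no-nxcompat", no_argument, NULL, OPTION_NO_NX_COMPAT},
 {"no-isolation", no_argument, NULL, OPTION_NO_ISOLATION},
 {"no-seh", no_argument, NULL, OPTION_NO_SEH},
 {"no-bind", no_argument, NULL, OPTION_NO_BIND},
@@ -327,6 +337,7 @@
 {"no-insert-timestamp", no_argument, NULL, OPTION_NO_INSERT_TIMESTAMP},
 {"build-id", optional_argument, NULL, OPTION_BUILD_ID},
 {"enable-reloc-section", no_argument, NULL, OPTION_ENABLE_RELOC_SECTION},
+ {"disable-reloc-section", no_argument, NULL, OPTION_DISABLE_RELOC_SECTION},
 {NULL, no_argument, NULL, 0}
 };
 
@@ -448,11 +461,15 @@
 in object files\n"));
 fprintf (file, _(" --high-entropy-va Image is compatible with 64-bit address space\n\
 layout randomization (ASLR)\n"));
+ fprintf (file, _(" --no-high-entropy-va Image is not compatible with 64-bit ASLR\n"));
 fprintf (file, _(" --dynamicbase Image base address may be relocated using\n\
 address space layout randomization (ASLR)\n"));
+ fprintf (file, _(" --no-dynamicbase Image base address may not be relocated\n"));
 fprintf (file, _(" --enable-reloc-section Create the base relocation table\n"));
+ fprintf (file, _(" --disable-reloc-section Disable the base relocation table\n"));
 fprintf (file, _(" --forceinteg Code integrity checks are enforced\n"));
 fprintf (file, _(" --nxcompat Image is compatible with data execution prevention\n"));
+ fprintf (file, _(" --no-nxcompat Image is not compatible with data execution prevention\n"));
 fprintf (file, _(" --no-isolation Image understands isolation but do not isolate the image\n"));
 fprintf (file, _(" --no-seh Image does not use SEH; no SE handler may\n\
 be called in this image\n"));
@@ -809,12 +826,24 @@
 case OPTION_ENABLE_RELOC_SECTION:
 pep_dll_enable_reloc_section = 1;
 break;
+ case OPTION_DISABLE_RELOC_SECTION:
+ pep_dll_enable_reloc_section = 0;
+ /* fall through */
+ case OPTION_NO_DYNAMIC_BASE:
+ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE;
+ /* fall through */
+ case OPTION_NO_HIGH_ENTROPY_VA:
+ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA;
+ break;
 case OPTION_FORCE_INTEGRITY:
 pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY;
 break;
 case OPTION_NX_COMPAT:
 pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
 break;
+ case OPTION_NO_NX_COMPAT:
+ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
+ break;
 case OPTION_NO_ISOLATION:
 pe_dll_characteristics |= IMAGE_DLLCHARACTERISTICS_NO_ISOLATION;
 break;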
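Review bot: In the @@ -809 hunk the fall-through chain `OPTION_DISABLE_RELOC_SECTION` → `OPTION_NO_DYNAMIC_BASE` → `OPTION_NO_HIGH_ENTROPY_VA` makes `--no-dynamicbase` silently clear IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA as well, and `--disable-reloc-section` clear both bits, while the new help lines describe each option as affecting only its own flag. Dropping high-entropy VA together with dynamic base looks deliberate (64-bit ASLR presumably cannot apply to an image that is not relocatable), but the second `/* fall through */` should say so, e.g. `/* fall through: high-entropy VA has no effect without DYNAMIC_BASE, so clear it as well.  */`, and the `--no-dynamicbase` help line should read `Image base address may not be relocated (implies --no-high-entropy-va)`. The inverse is not mirrored: if the existing `--high-entropy-va` case (outside this hunk) simply sets its bit, then `--no-dynamicbase --high-entropy-va` yields HIGH_ENTROPY_VA without DYNAMIC_BASE, a combination worth either documenting or warning about after option parsing. The enclosing switch continues outside the hunk.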