* BUGFIX: Fix command line parameter in documents: -Wl,z,relro with -Wl,-z,relro, and -Wl,z,now with -Wl,-z,now.
#736
Conversation
shaopeng-gh
requested review from
michaelcfanning and
marmegh
as code owners
| @@ -156,7 +156,7 @@ The non-executable stack is not enabled for this binary, so '{0}' can have a vul | |||
|
|
|||
| ### Description | |||
|
|
|||
| This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,z,relro' to enable this. | |||
| This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,-z,relro' to enable this. | |||
There was a problem hiding this comment.
There was a problem hiding this comment.
approved --- Thanks!
I think -Wl convention is for both:
https://gcc.gnu.org/onlinedocs/gcc-12.2.0/gcc/Link-Options.html#Link-Options
-Wl,option
Pass option as an option to the linker. If option contains commas, it is split into multiple options at the commas. You can use this syntax to pass an argument to the option. For example, -Wl,-Map,output.map passes -Map output.map to the linker. When using the GNU linker, you can also get the same effect with -Wl,-Map=output.map.
https://clang.llvm.org/docs/ClangCommandLineReference.html#cmdoption-clang-wl-arg-arg2
-Wl,
<arg>,<arg2>...
Pass the comma separated arguments in to the linker
I looked noexecstack rule, it currently use -z noexecstack, it will work, but -Wl,-z,noexecstack is said to the standard way and should be used instead. I think to create a PR to change it, let me know if sounds good @michaelcfanning
Also, the this noexecstack not only can be enabled by linker but also assembler -Wa,--noexecstack, let me know if you like me to test it out and include in the doc, "fix by ... or ..."
More info:
https://wiki.debian.org/Hardening
via gcc with -Wl,-z,nowvia gcc with -Wl,-z,relroThis change is the only change in this pr.