1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
|
Description: Add disable opposites to the security-related flags
Author: Stephen Kitt <skitt@debian.org>
This patch adds "no-" variants to disable the various security flags:
"no-dynamicbase", "no-nxcompat", "no-high-entropy-va", "disable-reloc-section".
--- a/ld/emultempl/pe.em
+++ b/ld/emultempl/pe.em
@@ -259,9 +261,11 @@
(OPTION_ENABLE_LONG_SECTION_NAMES + 1)
/* DLLCharacteristics flags. */
#define OPTION_DYNAMIC_BASE (OPTION_DISABLE_LONG_SECTION_NAMES + 1)
-#define OPTION_FORCE_INTEGRITY (OPTION_DYNAMIC_BASE + 1)
+#define OPTION_NO_DYNAMIC_BASE (OPTION_DYNAMIC_BASE + 1)
+#define OPTION_FORCE_INTEGRITY (OPTION_NO_DYNAMIC_BASE + 1)
#define OPTION_NX_COMPAT (OPTION_FORCE_INTEGRITY + 1)
-#define OPTION_NO_ISOLATION (OPTION_NX_COMPAT + 1)
+#define OPTION_NO_NX_COMPAT (OPTION_NX_COMPAT + 1)
+#define OPTION_NO_ISOLATION (OPTION_NO_NX_COMPAT + 1)
#define OPTION_NO_SEH (OPTION_NO_ISOLATION + 1)
#define OPTION_NO_BIND (OPTION_NO_SEH + 1)
#define OPTION_WDM_DRIVER (OPTION_NO_BIND + 1)
@@ -271,6 +275,7 @@
#define OPTION_NO_INSERT_TIMESTAMP (OPTION_INSERT_TIMESTAMP + 1)
#define OPTION_BUILD_ID (OPTION_NO_INSERT_TIMESTAMP + 1)
#define OPTION_ENABLE_RELOC_SECTION (OPTION_BUILD_ID + 1)
+#define OPTION_DISABLE_RELOC_SECTION (OPTION_ENABLE_RELOC_SECTION + 1)
static void
gld${EMULATION_NAME}_add_options
@@ -342,8 +347,10 @@
{"enable-long-section-names", no_argument, NULL, OPTION_ENABLE_LONG_SECTION_NAMES},
{"disable-long-section-names", no_argument, NULL, OPTION_DISABLE_LONG_SECTION_NAMES},
{"dynamicbase",no_argument, NULL, OPTION_DYNAMIC_BASE},
+ {"no-dynamicbase", no_argument, NULL, OPTION_NO_DYNAMIC_BASE},
{"forceinteg", no_argument, NULL, OPTION_FORCE_INTEGRITY},
{"nxcompat", no_argument, NULL, OPTION_NX_COMPAT},
+ {"no-nxcompat", no_argument, NULL, OPTION_NO_NX_COMPAT},
{"no-isolation", no_argument, NULL, OPTION_NO_ISOLATION},
{"no-seh", no_argument, NULL, OPTION_NO_SEH},
{"no-bind", no_argument, NULL, OPTION_NO_BIND},
@@ -351,6 +358,7 @@
{"tsaware", no_argument, NULL, OPTION_TERMINAL_SERVER_AWARE},
{"build-id", optional_argument, NULL, OPTION_BUILD_ID},
{"enable-reloc-section", no_argument, NULL, OPTION_ENABLE_RELOC_SECTION},
+ {"disable-reloc-section", no_argument, NULL, OPTION_DISABLE_RELOC_SECTION},
{NULL, no_argument, NULL, 0}
};
@@ -485,9 +494,12 @@
in object files\n"));
fprintf (file, _(" --dynamicbase Image base address may be relocated using\n\
address space layout randomization (ASLR)\n"));
+ fprintf (file, _(" --no-dynamicbase Image base address may not be relocated\n"));
fprintf (file, _(" --enable-reloc-section Create the base relocation table\n"));
+ fprintf (file, _(" --disable-reloc-section Disable the base relocation table\n"));
fprintf (file, _(" --forceinteg Code integrity checks are enforced\n"));
fprintf (file, _(" --nxcompat Image is compatible with data execution prevention\n"));
+ fprintf (file, _(" --no-nxcompat Image is not compatible with data execution prevention\n"));
fprintf (file, _(" --no-isolation Image understands isolation but do not isolate the image\n"));
fprintf (file, _(" --no-seh Image does not use SEH. No SE handler may\n\
be called in this image\n"));
@@ -862,12 +874,21 @@
case OPTION_ENABLE_RELOC_SECTION:
pe_dll_enable_reloc_section = 1;
break;
+ case OPTION_DISABLE_RELOC_SECTION:
+ pe_dll_enable_reloc_section = 0;
+ /* fall through */
+ case OPTION_NO_DYNAMIC_BASE:
+ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE;
+ break;
case OPTION_FORCE_INTEGRITY:
pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY;
break;
case OPTION_NX_COMPAT:
pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
break;
+ case OPTION_NO_NX_COMPAT:
+ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
+ break;
case OPTION_NO_ISOLATION:
pe_dll_characteristics |= IMAGE_DLLCHARACTERISTICS_NO_ISOLATION;
break;
--- a/ld/emultempl/pep.em
+++ b/ld/emultempl/pep.em
@@ -237,9 +240,12 @@
OPTION_ENABLE_LONG_SECTION_NAMES,
OPTION_DISABLE_LONG_SECTION_NAMES,
OPTION_HIGH_ENTROPY_VA,
+ OPTION_NO_HIGH_ENTROPY_VA,
OPTION_DYNAMIC_BASE,
+ OPTION_NO_DYNAMIC_BASE,
OPTION_FORCE_INTEGRITY,
OPTION_NX_COMPAT,
+ OPTION_NO_NX_COMPAT,
OPTION_NO_ISOLATION,
OPTION_NO_SEH,
OPTION_NO_BIND,
@@ -248,7 +254,8 @@
OPTION_NO_INSERT_TIMESTAMP,
OPTION_TERMINAL_SERVER_AWARE,
OPTION_BUILD_ID,
- OPTION_ENABLE_RELOC_SECTION
+ OPTION_ENABLE_RELOC_SECTION,
+ OPTION_DISABLE_RELOC_SECTION
};
static void
@@ -315,9 +322,12 @@
{"enable-long-section-names", no_argument, NULL, OPTION_ENABLE_LONG_SECTION_NAMES},
{"disable-long-section-names", no_argument, NULL, OPTION_DISABLE_LONG_SECTION_NAMES},
{"high-entropy-va", no_argument, NULL, OPTION_HIGH_ENTROPY_VA},
+ {"no-high-entropy-va", no_argument, NULL, OPTION_NO_HIGH_ENTROPY_VA},
{"dynamicbase",no_argument, NULL, OPTION_DYNAMIC_BASE},
+ {"no-dynamicbase", no_argument, NULL, OPTION_NO_DYNAMIC_BASE},
{"forceinteg", no_argument, NULL, OPTION_FORCE_INTEGRITY},
{"nxcompat", no_argument, NULL, OPTION_NX_COMPAT},
+ {"no-nxcompat", no_argument, NULL, OPTION_NO_NX_COMPAT},
{"no-isolation", no_argument, NULL, OPTION_NO_ISOLATION},
{"no-seh", no_argument, NULL, OPTION_NO_SEH},
{"no-bind", no_argument, NULL, OPTION_NO_BIND},
@@ -327,6 +337,7 @@
{"no-insert-timestamp", no_argument, NULL, OPTION_NO_INSERT_TIMESTAMP},
{"build-id", optional_argument, NULL, OPTION_BUILD_ID},
{"enable-reloc-section", no_argument, NULL, OPTION_ENABLE_RELOC_SECTION},
+ {"disable-reloc-section", no_argument, NULL, OPTION_DISABLE_RELOC_SECTION},
{NULL, no_argument, NULL, 0}
};
@@ -448,11 +461,15 @@
in object files\n"));
fprintf (file, _(" --high-entropy-va Image is compatible with 64-bit address space\n\
layout randomization (ASLR)\n"));
+ fprintf (file, _(" --no-high-entropy-va Image is not compatible with 64-bit ASLR\n"));
fprintf (file, _(" --dynamicbase Image base address may be relocated using\n\
address space layout randomization (ASLR)\n"));
+ fprintf (file, _(" --no-dynamicbase Image base address may not be relocated\n"));
fprintf (file, _(" --enable-reloc-section Create the base relocation table\n"));
+ fprintf (file, _(" --disable-reloc-section Disable the base relocation table\n"));
fprintf (file, _(" --forceinteg Code integrity checks are enforced\n"));
fprintf (file, _(" --nxcompat Image is compatible with data execution prevention\n"));
+ fprintf (file, _(" --no-nxcompat Image is not compatible with data execution prevention\n"));
fprintf (file, _(" --no-isolation Image understands isolation but do not isolate the image\n"));
fprintf (file, _(" --no-seh Image does not use SEH; no SE handler may\n\
be called in this image\n"));
@@ -809,12 +826,24 @@
case OPTION_ENABLE_RELOC_SECTION:
pep_dll_enable_reloc_section = 1;
break;
+ case OPTION_DISABLE_RELOC_SECTION:
+ pep_dll_enable_reloc_section = 0;
+ /* fall through */
+ case OPTION_NO_DYNAMIC_BASE:
+ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE;
+ /* fall through */
+ case OPTION_NO_HIGH_ENTROPY_VA:
+ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA;
+ break;
case OPTION_FORCE_INTEGRITY:
pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY;
break;
case OPTION_NX_COMPAT:
pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
break;
+ case OPTION_NO_NX_COMPAT:
+ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
+ break;
case OPTION_NO_ISOLATION:
pe_dll_characteristics |= IMAGE_DLLCHARACTERISTICS_NO_ISOLATION;
break;
|
