Currently the vdso doesn't include .note.gnu.property or a GNU noexec
stack annotation (the -z noexecstack in the linker script is
ineffective because we specify PHDRs explicitly.)
The motivation is that the dynamic linker currently do not check
these.
However, this is a weak excuse: the vdso*.so are also supposed to be
usable at link libraries, and there is no reason why the dynamic
linker might not want or need to check these in the future, so add
them back in -- it is trivial enough.
Use symbolic constants for the PHDR permission flags.
[ v4: drop unrelated formatting changes ]
Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
---
arch/x86/entry/vdso/common/vdso-layout.lds.S | 38 ++++++++++++--------
1 file changed, 23 insertions(+), 15 deletions(-)
diff --git a/arch/x86/entry/vdso/common/vdso-layout.lds.S b/arch/x86/entry/vdso/common/vdso-layout.lds.S
index ec1ac191a057..a1e30be3e83d 100644
--- a/arch/x86/entry/vdso/common/vdso-layout.lds.S
+++ b/arch/x86/entry/vdso/common/vdso-layout.lds.S
@@ -47,18 +47,18 @@ SECTIONS
*(.gnu.linkonce.b.*)
} :text
- /*
- * Discard .note.gnu.property sections which are unused and have
- * different alignment requirement from vDSO note sections.
- */
- /DISCARD/ : {
+ .note.gnu.property : {
*(.note.gnu.property)
- }
- .note : { *(.note.*) } :text :note
-
- .eh_frame_hdr : { *(.eh_frame_hdr) } :text :eh_frame_hdr
- .eh_frame : { KEEP (*(.eh_frame)) } :text
+ } :text :note :gnu_property
+ .note : {
+ *(.note*)
+ } :text :note
+ .eh_frame_hdr : { *(.eh_frame_hdr) } :text :eh_frame_hdr
+ .eh_frame : {
+ KEEP (*(.eh_frame))
+ *(.eh_frame.*)
+ } :text
/*
* Text is well-separated from actual data: there's plenty of
@@ -87,15 +87,23 @@ SECTIONS
* Very old versions of ld do not recognize this name token; use the constant.
*/
#define PT_GNU_EH_FRAME 0x6474e550
+#define PT_GNU_STACK 0x6474e551
+#define PT_GNU_PROPERTY 0x6474e553
/*
* We must supply the ELF program headers explicitly to get just one
* PT_LOAD segment, and set the flags explicitly to make segments read-only.
- */
+*/
+#define PF_R FLAGS(4)
+#define PF_RW FLAGS(6)
+#define PF_RX FLAGS(5)
+
PHDRS
{
- text PT_LOAD FLAGS(5) FILEHDR PHDRS; /* PF_R|PF_X */
- dynamic PT_DYNAMIC FLAGS(4); /* PF_R */
- note PT_NOTE FLAGS(4); /* PF_R */
- eh_frame_hdr PT_GNU_EH_FRAME;
+ text PT_LOAD PF_RX FILEHDR PHDRS;
+ dynamic PT_DYNAMIC PF_R;
+ note PT_NOTE PF_R;
+ eh_frame_hdr PT_GNU_EH_FRAME PF_R;
+ gnu_stack PT_GNU_STACK PF_RW;
+ gnu_property PT_GNU_PROPERTY PF_R;
}
--
2.52.0On Tue, Dec 16, 2025 at 4:26 PM H. Peter Anvin <hpa@zytor.com> wrote:
>
> Currently the vdso doesn't include .note.gnu.property or a GNU noexec
> stack annotation (the -z noexecstack in the linker script is
> ineffective because we specify PHDRs explicitly.)
>
> The motivation is that the dynamic linker currently do not check
> these.
>
> However, this is a weak excuse: the vdso*.so are also supposed to be
> usable at link libraries, and there is no reason why the dynamic
> linker might not want or need to check these in the future, so add
> them back in -- it is trivial enough.
>
> Use symbolic constants for the PHDR permission flags.
>
> [ v4: drop unrelated formatting changes ]
>
> Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
> ---
> arch/x86/entry/vdso/common/vdso-layout.lds.S | 38 ++++++++++++--------
> 1 file changed, 23 insertions(+), 15 deletions(-)
>
> diff --git a/arch/x86/entry/vdso/common/vdso-layout.lds.S b/arch/x86/entry/vdso/common/vdso-layout.lds.S
> index ec1ac191a057..a1e30be3e83d 100644
> --- a/arch/x86/entry/vdso/common/vdso-layout.lds.S
> +++ b/arch/x86/entry/vdso/common/vdso-layout.lds.S
> @@ -47,18 +47,18 @@ SECTIONS
> *(.gnu.linkonce.b.*)
> } :text
>
> - /*
> - * Discard .note.gnu.property sections which are unused and have
> - * different alignment requirement from vDSO note sections.
> - */
> - /DISCARD/ : {
> + .note.gnu.property : {
> *(.note.gnu.property)
> - }
> - .note : { *(.note.*) } :text :note
> -
> - .eh_frame_hdr : { *(.eh_frame_hdr) } :text :eh_frame_hdr
> - .eh_frame : { KEEP (*(.eh_frame)) } :text
> + } :text :note :gnu_property
> + .note : {
> + *(.note*)
> + } :text :note
>
> + .eh_frame_hdr : { *(.eh_frame_hdr) } :text :eh_frame_hdr
> + .eh_frame : {
> + KEEP (*(.eh_frame))
> + *(.eh_frame.*)
> + } :text
>
> /*
> * Text is well-separated from actual data: there's plenty of
> @@ -87,15 +87,23 @@ SECTIONS
> * Very old versions of ld do not recognize this name token; use the constant.
> */
> #define PT_GNU_EH_FRAME 0x6474e550
> +#define PT_GNU_STACK 0x6474e551
> +#define PT_GNU_PROPERTY 0x6474e553
Do we even still support the old linkers that need these constants?
Brian Gerst
On Wed, Dec 17, 2025 at 9:16 PM Brian Gerst <brgerst@gmail.com> wrote:
>
> On Tue, Dec 16, 2025 at 4:26 PM H. Peter Anvin <hpa@zytor.com> wrote:
> >
> > Currently the vdso doesn't include .note.gnu.property or a GNU noexec
> > stack annotation (the -z noexecstack in the linker script is
> > ineffective because we specify PHDRs explicitly.)
> >
> > The motivation is that the dynamic linker currently do not check
> > these.
> >
> > However, this is a weak excuse: the vdso*.so are also supposed to be
> > usable at link libraries, and there is no reason why the dynamic
> > linker might not want or need to check these in the future, so add
> > them back in -- it is trivial enough.
> >
> > Use symbolic constants for the PHDR permission flags.
> >
> > [ v4: drop unrelated formatting changes ]
> >
> > Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
> > ---
> > arch/x86/entry/vdso/common/vdso-layout.lds.S | 38 ++++++++++++--------
> > 1 file changed, 23 insertions(+), 15 deletions(-)
> >
> > diff --git a/arch/x86/entry/vdso/common/vdso-layout.lds.S b/arch/x86/entry/vdso/common/vdso-layout.lds.S
> > index ec1ac191a057..a1e30be3e83d 100644
> > --- a/arch/x86/entry/vdso/common/vdso-layout.lds.S
> > +++ b/arch/x86/entry/vdso/common/vdso-layout.lds.S
> > @@ -47,18 +47,18 @@ SECTIONS
> > *(.gnu.linkonce.b.*)
> > } :text
> >
> > - /*
> > - * Discard .note.gnu.property sections which are unused and have
> > - * different alignment requirement from vDSO note sections.
> > - */
> > - /DISCARD/ : {
> > + .note.gnu.property : {
> > *(.note.gnu.property)
> > - }
> > - .note : { *(.note.*) } :text :note
> > -
> > - .eh_frame_hdr : { *(.eh_frame_hdr) } :text :eh_frame_hdr
> > - .eh_frame : { KEEP (*(.eh_frame)) } :text
> > + } :text :note :gnu_property
> > + .note : {
> > + *(.note*)
> > + } :text :note
> >
> > + .eh_frame_hdr : { *(.eh_frame_hdr) } :text :eh_frame_hdr
> > + .eh_frame : {
> > + KEEP (*(.eh_frame))
> > + *(.eh_frame.*)
> > + } :text
> >
> > /*
> > * Text is well-separated from actual data: there's plenty of
> > @@ -87,15 +87,23 @@ SECTIONS
> > * Very old versions of ld do not recognize this name token; use the constant.
> > */
> > #define PT_GNU_EH_FRAME 0x6474e550
> > +#define PT_GNU_STACK 0x6474e551
> > +#define PT_GNU_PROPERTY 0x6474e553
>
> Do we even still support the old linkers that need these constants?
Digging into the binutils source, PT_GNU_EH_FRAME and PT_GNU_STACK
were added to the parser around bintils-2.15. PT_GNU_PROPERTY was
added in binutils-2.38, which is newer than the minimum supported
version of binutils-2.30.
Probably better to just leave them then.
Brian Gerst
© 2016 - 2025 Red Hat, Inc.