.plt section in modules with IBT

[nathanchance]

Peter Zijlstra reported that attempting to run objtool on the .o part of modules before linking the .o and .mod.o into .ko shows a warning about a .plt section:

warning: objtool: .plt+0x6: indirect jump found in RETPOLINE build

As it turns out, this can be reproduced with an "empty" .o file:

$ echo | clang -fcf-protection=branch -O2 -x c -c -o foo.o -

$ ld.lld -m elf_x86_64 -r -o foo-mod.o foo.o

$ objtool orc generate --module --lto --ibt --ibt-fix-direct --ibt-seal --no-fp --retpoline --uaccess foo-mod.o
foo-mod.o: warning: objtool: .plt+0x6: indirect jump found in RETPOLINE build

$ llvm-objdump -d --section=.plt foo-mod.o

foo-mod.o:      file format elf64-x86-64

Disassembly of section .plt:

0000000000000000 <.plt>:
       0: ff 35 02 00 00 00             pushq   2(%rip)                 # 0x8 <.plt+0x8>
       6: ff 25 04 00 00 00             jmpq    *4(%rip)                # 0x10 <.plt+0x10>
       c: 0f 1f 40 00                   nopl    (%rax)

ld.bfd does not exhibit this same behavior:

$ ld -m elf_x86_64 -r -o foo-mod.o foo.o

$ objtool orc generate --module --lto --ibt --ibt-fix-direct --ibt-seal --no-fp --retpoline --uaccess foo-mod.o

$ llvm-objdump -d --section=.plt foo-mod.o

foo-mod.o:      file format elf64-x86-64
llvm-objdump: warning: section '.plt' mentioned in a -j/--section option, but not found in any input file

It is not reproducible without -fcf-protection=branch:

$ echo | clang -O2 -x c -c -o foo.o -

$ ld.lld -m elf_x86_64 -r -o foo-mod.o foo.o

$ objtool orc generate --module --lto --ibt --ibt-fix-direct --ibt-seal --no-fp --retpoline --uaccess foo-mod.o

$ llvm-objdump -d --section=.plt foo-mod.o

foo-mod.o:      file format elf64-x86-64
llvm-objdump: warning: section '.plt' mentioned in a -j/--section option, but not found in any input file

It does not appear to depend on compiler, I could reproduce this with GCC + ld.lld as well:

$ echo | gcc -fcf-protection=branch -O2 -x c -c -o foo.o -

$ ld.lld -m elf_x86_64 -r -o foo-mod.o foo.o

$ objtool orc generate --module --lto --ibt --ibt-fix-direct --ibt-seal --no-fp --retpoline --uaccess foo-mod.o
foo-mod.o: warning: objtool: .plt+0x6: indirect jump found in RETPOLINE build

$ llvm-objdump -d --section=.plt foo-mod.o

foo-mod.o:      file format elf64-x86-64

Disassembly of section .plt:

0000000000000000 <.plt>:
       0: ff 35 02 00 00 00             pushq   2(%rip)                 # 0x8 <.plt+0x8>
       6: ff 25 04 00 00 00             jmpq    *4(%rip)                # 0x10 <.plt+0x10>
       c: 0f 1f 40 00                   nopl    (%rax)

I have uploaded objtool here, based on Peter's x86/wip.ibt branch.

[kees]

Ooooh, the "empty" part is starting to ring a bell. I think I saw this under GCC when doing arm64 cf-protection stuff... Let me see if I can find it.

[kees]

Ah, no, it was unwanted .note.gnu.property sections, but perhaps it's slightly related. See:

https://lore.kernel.org/linux-arm-kernel/20200821194310.3089815-8-keescook@chromium.org/
https://bugs.llvm.org/show_bug.cgi?id=46480
https://reviews.llvm.org/D80791

@DanielKristofKiss @MaskRay

[lvwr]

Hi. I looked into the bug. If I did not mess up things, here is a candidate fix: https://reviews.llvm.org/D120600 (thanks a lot for the repro, btw)

[MaskRay]

Thanks for the fix! This was exactly the form I would create.

Fixed in main and cherry picked into https://github.com/llvm/llvm-project/tree/release/14.x as well.

[nathanchance]

Thanks! I think kernel IBT is going to depend on LLVM 14 because of a crash in LLVM 13, so I think this is all sorted.

[lvwr]

This is the fix for the crash in LLVM 13, https://reviews.llvm.org/D111108 in case you can cherry-pick too.