Build libgraal with 'Full RELRO' to prevent GOT overwriting exploits

olpaw · olpaw · commit 5979c1b6c0f8 · 2023-07-18T16:39:47.000+02:00
diff --git a/substratevm/mx.substratevm/mx_substratevm.py b/substratevm/mx.substratevm/mx_substratevm.py
@@ -1213,6 +1213,9 @@ def _native_image_launcher_extra_jvm_args():
 
     # URLClassLoader causes considerable increase of the libgraal image size and should be excluded.
     '-H:ReportAnalysisForbiddenType=java.net.URLClassLoader',
+
+    # build libgraal with 'Full RELRO' to prevent GOT overwriting exploits (GR-46838)
+    '-H:NativeLinkerOption=-Wl,-z,relro,-z,now',
 ] + ([
    # Force page size to support libgraal on AArch64 machines with a page size up to 64K.
    '-H:PageSize=64K'
