From bd6dc5ccec752b0667883b3e5c3d16f65e9b6707 Mon Sep 17 00:00:00 2001
From: Daniel Bertalan
Date: Wed, 18 Aug 2021 17:39:04 +0200
Subject: [PATCH] Meta+LibC: Don't allow text relocations in SerenityOS libraries The `-z,text` linker flag causes the linker to reject shared libraries and PIE executables that have textrels. Our code mostly did not use these except in one place in LibC, which is changed in this commit. This makes GNU ld match LLD's behavior, which has this option enabled by default. TEXTRELs pose a security risk, as performing these relocations require executable pages to be written to by the dynamic linker. This can significantly weaken W^X hardening mitigations. Note that after this change, TEXTRELs can still be used in ports, as the dynamic loader code is not changed. There are also uses of it in the kernel, removing which are outside the scope of this PR. To allow those, `-z,notext` is added.
---
 CMakeLists.txt | 2 ++
 Kernel/CMakeLists.txt | 3 ++-
 Userland/Libraries/LibC/arch/i386/setjmp.S | 2 +-
 Userland/Libraries/LibC/arch/x86_64/setjmp.S | 2 +-
 4 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c6b18bf0e83..642c2516ec6 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -299,6 +299,8 @@ else()
 add_compile_options(-Wdouble-promotion)
 endif()
 
+add_link_options(LINKER:-z,text)
+
 if("${SERENITY_ARCH}" STREQUAL "i686")
 add_compile_options(-march=i686)
 else()
diff --git a/Kernel/CMakeLists.txt b/Kernel/CMakeLists.txt
index 55374465a3a..b7d73ec9818 100644
--- a/Kernel/CMakeLists.txt
+++ b/Kernel/CMakeLists.txt
@@ -437,8 +437,9 @@ add_compile_definitions(KERNEL)
 # It's needed because CLion doesn't understand the way we switch compilers mid-build.
 add_compile_definitions(__serenity__)
 
+add_link_options(LINKER:-z,notext)
+
 if (USE_CLANG_TOOLCHAIN)
- add_link_options(LINKER:-z,notext)
 add_link_options(LINKER:--build-id=none)
 endif()
 
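Review bot: The new `add_link_options(LINKER:-z,text)` carries none of the rationale the commit message gives, and a bare hardening flag like this is exactly what a later contributor drops when a link fails; a comment above it would anchor it: `# Refuse text relocations: applying a TEXTREL makes the dynamic loader write to executable pages, which undermines W^X.` It would also be worth stating there that the kernel directory deliberately appends `-z,notext`, since the effective setting appears to rely on the later `-z` option winning on the link line. The `else()` branch the hunk sits in starts outside the hunk.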
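Review bot: Making `add_link_options(LINKER:-z,notext)` unconditional re-permits text relocations for the whole kernel link, and nothing in the file records why; a comment would help: `# The kernel still contains text relocations, so it opts out of the top-level -z,text; remove once they are gone.` Since this only takes effect because the kernel's option is appended after the top-level one, that ordering dependency is worth stating in the same comment so the two lines are not reordered independently. The `if (USE_CLANG_TOOLCHAIN)` block it touches is fully visible in the hunk.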
diff --git a/Userland/Libraries/LibC/arch/i386/setjmp.S b/Userland/Libraries/LibC/arch/i386/setjmp.S
index 9178690772e..9fc704a8840 100644
--- a/Userland/Libraries/LibC/arch/i386/setjmp.S
+++ b/Userland/Libraries/LibC/arch/i386/setjmp.S
@@ -31,7 +31,7 @@ sigsetjmp:
 push %eax
 push $0 // Set argument set
 push $0 // Set argument how
- call sigprocmask
+ call sigprocmask@plt
 add $12, %esp
 
 .Lsaveregs:
diff --git a/Userland/Libraries/LibC/arch/x86_64/setjmp.S b/Userland/Libraries/LibC/arch/x86_64/setjmp.S
index e00c1ebd469..42a2f977647 100644
--- a/Userland/Libraries/LibC/arch/x86_64/setjmp.S
+++ b/Userland/Libraries/LibC/arch/x86_64/setjmp.S
@@ -25,7 +25,7 @@ sigsetjmp:
 mov $0, %rdi // Set argument how
 mov $0, %rsi // Set argument set
 lea 64(%rdi), %rdx // Set argument oldset
- call sigprocmask
+ call sigprocmask@plt
 mov %r12, %rdi // Restore sigjmp_buf argument
 
 .Lsaveregs:
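Review bot: `call sigprocmask@plt` removes the TEXTREL, but on i386 a PIC PLT stub conventionally reaches the GOT through %ebx, and nothing in this hunk loads `_GLOBAL_OFFSET_TABLE_` into %ebx before the call; if the prologue of sigsetjmp (outside the hunk) does not set it up, the stub would indirect through whatever value the caller happened to leave in that register. Please confirm either that the toolchain emits a PLT entry that does not depend on %ebx or that the register is initialized earlier in the function. A short comment on the call would also spare the next reader from re-deriving the reason for the suffix, e.g. `// Go through the PLT: a direct call would need a text relocation in the shared LibC`.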
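Review bot: `lea 64(%rdi), %rdx // Set argument oldset` executes after `mov $0, %rdi` has already zeroed %rdi, so %rdx receives the constant 64 rather than a pointer into the sigjmp_buf; the `mov %r12, %rdi // Restore sigjmp_buf argument` line after the call suggests the buffer is held in %r12, so `lea 64(%r12), %rdx` looks like the intended operand. This predates the commit, but it is worth fixing alongside the PLT change, since a bogus oldset pointer means the saved mask is never written and a later siglongjmp would restore an uninitialized mask (assuming sigprocmask rejects the address rather than writing to it). The start of sigsetjmp, including where %r12 is loaded, is outside the hunk.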