[v3,1/2] drivers: fix symbol exports when map is omitted
Checks
Commit Message
ld exports any global symbol by default if no version script is passed.
As a consequence, the incriminated change let any public symbol leak
out of the driver shared libraries.
Hide again those symbols by providing a default map file which
unexports any global symbol using a local: * catch-all statement.
The checks are skipped for this default map file as it is intentionnally
an empty map (see commit b67bdda86cd4 ("devtools: catch empty symbol
maps")) and there is nothing else to check in this map.
Fixes: 7dde9c844a37 ("drivers: omit symbol map when unneeded")
Cc: stable@dpdk.org
Reported-by: Luca Boccassi <luca.boccassi@microsoft.com>
Signed-off-by: David Marchand <david.marchand@redhat.com>
Tested-by: Ferruh Yigit <ferruh.yigit@amd.com>
---
Changes since v2:
- separated the Windows cleanup in next patch,
Changes since v1:
- excluded drivers/version.map from maps checked by default in
check-symbol-maps.sh,
---
devtools/check-symbol-maps.sh | 2 +-
drivers/meson.build | 68 +++++++++++++++++++----------------
drivers/version.map | 3 ++
3 files changed, 41 insertions(+), 32 deletions(-)
create mode 100644 drivers/version.map
Comments
On Thu, Dec 01, 2022 at 11:08:46AM +0100, David Marchand wrote:
> ld exports any global symbol by default if no version script is passed.
> As a consequence, the incriminated change let any public symbol leak
> out of the driver shared libraries.
>
> Hide again those symbols by providing a default map file which
> unexports any global symbol using a local: * catch-all statement.
>
> The checks are skipped for this default map file as it is intentionnally
> an empty map (see commit b67bdda86cd4 ("devtools: catch empty symbol
> maps")) and there is nothing else to check in this map.
>
> Fixes: 7dde9c844a37 ("drivers: omit symbol map when unneeded")
> Cc: stable@dpdk.org
>
> Reported-by: Luca Boccassi <luca.boccassi@microsoft.com>
> Signed-off-by: David Marchand <david.marchand@redhat.com>
> Tested-by: Ferruh Yigit <ferruh.yigit@amd.com>
> ---
> Changes since v2:
> - separated the Windows cleanup in next patch,
>
> Changes since v1:
> - excluded drivers/version.map from maps checked by default in
> check-symbol-maps.sh,
>
> ---
> devtools/check-symbol-maps.sh | 2 +-
> drivers/meson.build | 68 +++++++++++++++++++----------------
> drivers/version.map | 3 ++
> 3 files changed, 41 insertions(+), 32 deletions(-)
> create mode 100644 drivers/version.map
>
> diff --git a/devtools/check-symbol-maps.sh b/devtools/check-symbol-maps.sh
> index 0a6062de26..8c116bfa9c 100755
> --- a/devtools/check-symbol-maps.sh
> +++ b/devtools/check-symbol-maps.sh
> @@ -8,7 +8,7 @@ cd $(dirname $0)/..
> export LC_ALL=C
>
> if [ $# = 0 ] ; then
> - set -- $(find lib drivers -name '*.map')
> + set -- $(find lib drivers -name '*.map' -a ! -path drivers/version.map)
> fi
>
> ret=0
> diff --git a/drivers/meson.build b/drivers/meson.build
> index c4ff3ff1ba..5188302057 100644
> --- a/drivers/meson.build
> +++ b/drivers/meson.build
> @@ -210,40 +210,46 @@ foreach subpath:subdirs
>
> lk_deps = []
> lk_args = []
> - if fs.is_file(version_map)
> - def_file = custom_target(lib_name + '_def',
> - command: [map_to_win_cmd, '@INPUT@', '@OUTPUT@'],
> - input: version_map,
> - output: '@0@_exports.def'.format(lib_name))
> -
> - mingw_map = custom_target(lib_name + '_mingw',
> - command: [map_to_win_cmd, '@INPUT@', '@OUTPUT@'],
> - input: version_map,
> - output: '@0@_mingw.map'.format(lib_name))
> -
> - lk_deps = [version_map, def_file, mingw_map]
> - if is_windows
> - if is_ms_linker
> - lk_args = ['-Wl,/def:' + def_file.full_path()]
> - if meson.version().version_compare('<0.54.0')
> - lk_args += ['-Wl,/implib:drivers\\' + implib]
> - endif
> - else
> - lk_args = ['-Wl,--version-script=' + mingw_map.full_path()]
> + if not fs.is_file(version_map)
> + version_map = '@0@/version.map'.format(meson.current_source_dir())
> + lk_deps += [version_map]
Technically, for this patch the lk_deps assignment does not need to be
split into two, but it does make the second patch smaller, so I'm ok to
keep this as you have in this version.
> + else
> + lk_deps += [version_map]
> + if not is_windows and developer_mode
> + # on unix systems check the output of the
> + # check-symbols.sh script, using it as a
> + # dependency of the .so build
> + lk_deps += custom_target(lib_name + '.sym_chk',
> + command: [check_symbols, version_map, '@INPUT@'],
> + capture: true,
> + input: static_lib,
> + output: lib_name + '.sym_chk')
> + endif
> + endif
> +
> + def_file = custom_target(lib_name + '_def',
> + command: [map_to_win_cmd, '@INPUT@', '@OUTPUT@'],
> + input: version_map,
> + output: '@0@_exports.def'.format(lib_name))
> +
> + mingw_map = custom_target(lib_name + '_mingw',
> + command: [map_to_win_cmd, '@INPUT@', '@OUTPUT@'],
> + input: version_map,
> + output: '@0@_mingw.map'.format(lib_name))
> +
> + lk_deps += [def_file, mingw_map]
> +
> + if is_windows
> + if is_ms_linker
> + lk_args = ['-Wl,/def:' + def_file.full_path()]
> + if meson.version().version_compare('<0.54.0')
> + lk_args += ['-Wl,/implib:drivers\\' + implib]
> endif
> else
> - lk_args = ['-Wl,--version-script=' + version_map]
> - if developer_mode
> - # on unix systems check the output of the
> - # check-symbols.sh script, using it as a
> - # dependency of the .so build
> - lk_deps += custom_target(lib_name + '.sym_chk',
> - command: [check_symbols, version_map, '@INPUT@'],
> - capture: true,
> - input: static_lib,
> - output: lib_name + '.sym_chk')
> - endif
> + lk_args = ['-Wl,--version-script=' + mingw_map.full_path()]
> endif
> + else
> + lk_args = ['-Wl,--version-script=' + version_map]
> endif
>
> shared_lib = shared_library(lib_name, sources,
> diff --git a/drivers/version.map b/drivers/version.map
> new file mode 100644
> index 0000000000..78c3585d7c
> --- /dev/null
> +++ b/drivers/version.map
> @@ -0,0 +1,3 @@
> +DPDK_23 {
> + local: *;
> +};
> --
Reviewed-by: Bruce Richardson <bruce.richardson@intel.com>
On Thu, Dec 1, 2022 at 11:55 AM Bruce Richardson
<bruce.richardson@intel.com> wrote:
>
> On Thu, Dec 01, 2022 at 11:08:46AM +0100, David Marchand wrote:
> > ld exports any global symbol by default if no version script is passed.
> > As a consequence, the incriminated change let any public symbol leak
> > out of the driver shared libraries.
> >
> > Hide again those symbols by providing a default map file which
> > unexports any global symbol using a local: * catch-all statement.
> >
> > The checks are skipped for this default map file as it is intentionnally
> > an empty map (see commit b67bdda86cd4 ("devtools: catch empty symbol
> > maps")) and there is nothing else to check in this map.
> >
> > Fixes: 7dde9c844a37 ("drivers: omit symbol map when unneeded")
> > Cc: stable@dpdk.org
> >
> > Reported-by: Luca Boccassi <luca.boccassi@microsoft.com>
> > Signed-off-by: David Marchand <david.marchand@redhat.com>
> > Tested-by: Ferruh Yigit <ferruh.yigit@amd.com>
> > ---
> > Changes since v2:
> > - separated the Windows cleanup in next patch,
> >
> > Changes since v1:
> > - excluded drivers/version.map from maps checked by default in
> > check-symbol-maps.sh,
> >
> > ---
> > devtools/check-symbol-maps.sh | 2 +-
> > drivers/meson.build | 68 +++++++++++++++++++----------------
> > drivers/version.map | 3 ++
> > 3 files changed, 41 insertions(+), 32 deletions(-)
> > create mode 100644 drivers/version.map
> >
> > diff --git a/devtools/check-symbol-maps.sh b/devtools/check-symbol-maps.sh
> > index 0a6062de26..8c116bfa9c 100755
> > --- a/devtools/check-symbol-maps.sh
> > +++ b/devtools/check-symbol-maps.sh
> > @@ -8,7 +8,7 @@ cd $(dirname $0)/..
> > export LC_ALL=C
> >
> > if [ $# = 0 ] ; then
> > - set -- $(find lib drivers -name '*.map')
> > + set -- $(find lib drivers -name '*.map' -a ! -path drivers/version.map)
> > fi
> >
> > ret=0
> > diff --git a/drivers/meson.build b/drivers/meson.build
> > index c4ff3ff1ba..5188302057 100644
> > --- a/drivers/meson.build
> > +++ b/drivers/meson.build
> > @@ -210,40 +210,46 @@ foreach subpath:subdirs
> >
> > lk_deps = []
> > lk_args = []
> > - if fs.is_file(version_map)
> > - def_file = custom_target(lib_name + '_def',
> > - command: [map_to_win_cmd, '@INPUT@', '@OUTPUT@'],
> > - input: version_map,
> > - output: '@0@_exports.def'.format(lib_name))
> > -
> > - mingw_map = custom_target(lib_name + '_mingw',
> > - command: [map_to_win_cmd, '@INPUT@', '@OUTPUT@'],
> > - input: version_map,
> > - output: '@0@_mingw.map'.format(lib_name))
> > -
> > - lk_deps = [version_map, def_file, mingw_map]
> > - if is_windows
> > - if is_ms_linker
> > - lk_args = ['-Wl,/def:' + def_file.full_path()]
> > - if meson.version().version_compare('<0.54.0')
> > - lk_args += ['-Wl,/implib:drivers\\' + implib]
> > - endif
> > - else
> > - lk_args = ['-Wl,--version-script=' + mingw_map.full_path()]
> > + if not fs.is_file(version_map)
> > + version_map = '@0@/version.map'.format(meson.current_source_dir())
> > + lk_deps += [version_map]
>
> Technically, for this patch the lk_deps assignment does not need to be
> split into two, but it does make the second patch smaller, so I'm ok to
> keep this as you have in this version.
Yes, otherwise, I would have kept it untouched.
Thanks for the review!
@@ -8,7 +8,7 @@ cd $(dirname $0)/..
export LC_ALL=C
if [ $# = 0 ] ; then
- set -- $(find lib drivers -name '*.map')
+ set -- $(find lib drivers -name '*.map' -a ! -path drivers/version.map)
fi
ret=0
@@ -210,40 +210,46 @@ foreach subpath:subdirs
lk_deps = []
lk_args = []
- if fs.is_file(version_map)
- def_file = custom_target(lib_name + '_def',
- command: [map_to_win_cmd, '@INPUT@', '@OUTPUT@'],
- input: version_map,
- output: '@0@_exports.def'.format(lib_name))
-
- mingw_map = custom_target(lib_name + '_mingw',
- command: [map_to_win_cmd, '@INPUT@', '@OUTPUT@'],
- input: version_map,
- output: '@0@_mingw.map'.format(lib_name))
-
- lk_deps = [version_map, def_file, mingw_map]
- if is_windows
- if is_ms_linker
- lk_args = ['-Wl,/def:' + def_file.full_path()]
- if meson.version().version_compare('<0.54.0')
- lk_args += ['-Wl,/implib:drivers\\' + implib]
- endif
- else
- lk_args = ['-Wl,--version-script=' + mingw_map.full_path()]
+ if not fs.is_file(version_map)
+ version_map = '@0@/version.map'.format(meson.current_source_dir())
+ lk_deps += [version_map]
+ else
+ lk_deps += [version_map]
+ if not is_windows and developer_mode
+ # on unix systems check the output of the
+ # check-symbols.sh script, using it as a
+ # dependency of the .so build
+ lk_deps += custom_target(lib_name + '.sym_chk',
+ command: [check_symbols, version_map, '@INPUT@'],
+ capture: true,
+ input: static_lib,
+ output: lib_name + '.sym_chk')
+ endif
+ endif
+
+ def_file = custom_target(lib_name + '_def',
+ command: [map_to_win_cmd, '@INPUT@', '@OUTPUT@'],
+ input: version_map,
+ output: '@0@_exports.def'.format(lib_name))
+
+ mingw_map = custom_target(lib_name + '_mingw',
+ command: [map_to_win_cmd, '@INPUT@', '@OUTPUT@'],
+ input: version_map,
+ output: '@0@_mingw.map'.format(lib_name))
+
+ lk_deps += [def_file, mingw_map]
+
+ if is_windows
+ if is_ms_linker
+ lk_args = ['-Wl,/def:' + def_file.full_path()]
+ if meson.version().version_compare('<0.54.0')
+ lk_args += ['-Wl,/implib:drivers\\' + implib]
endif
else
- lk_args = ['-Wl,--version-script=' + version_map]
- if developer_mode
- # on unix systems check the output of the
- # check-symbols.sh script, using it as a
- # dependency of the .so build
- lk_deps += custom_target(lib_name + '.sym_chk',
- command: [check_symbols, version_map, '@INPUT@'],
- capture: true,
- input: static_lib,
- output: lib_name + '.sym_chk')
- endif
+ lk_args = ['-Wl,--version-script=' + mingw_map.full_path()]
endif
+ else
+ lk_args = ['-Wl,--version-script=' + version_map]
endif
shared_lib = shared_library(lib_name, sources,
new file mode 100644
@@ -0,0 +1,3 @@
+DPDK_23 {
+ local: *;
+};