FS#12465 - lapack 3.1.1-4: /usr/lib/liblapack.so.3 contains TEXT relocations on x86

Attached to Project: Arch Linux
Opened by Markus Dittrich (markusle) - Monday, 15 December 2008, 18:59 GMT
Last edited by Ronald van Haren (pressh) - Tuesday, 30 December 2008, 12:49 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Ronald van Haren (pressh)
Architecture i686
Severity Low
Priority Normal
Reported Version None
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

The liblapack.so.3 shared object for x86 contains text relocations.
Text relocations in shared objects should be avoided since they
require the kernel to do more work during loading and also constitute
a potential security risk.

Solution:

Since arch only ships shared libs and no static ones, the x86 objects
linked into the so should be compiled with -fPIC. The current PKGBUILD
does this already for x86_64. Is there any reason why this is not also
done for x86?

Thanks much for considering this request.

Best,
Markus
This task depends upon

Closed by  Ronald van Haren (pressh)
Tuesday, 30 December 2008, 12:49 GMT
Reason for closing:  Implemented
Comment by Ronald van Haren (pressh) - Tuesday, 16 December 2008, 00:14 GMT
lapack is compiled on x86_64 with -fPIC because it can't be compiled without.

As for -fPIC in general and in particular on x86, quite often it slows things down instead of speeding things up (I have not looked into this particular package yet). Do you have any benchmarks and statements to backup your claim for this package?
Comment by Markus Dittrich (markusle) - Tuesday, 16 December 2008, 02:56 GMT
Hi Ronald,

Thank you very much for your response and I am by no means an expert in this.
To get really good performance for, e.g., scientific libraries one should probably
link against static libraries anyways.

For shared objects, it is not know at compile time at what particular virtual address
the *.so will be loaded at run/load-time. A PIC compiled shared object is set up to deal
with this and can be accessed by all applications requiring the library independently
of where the *.so was loaded in virtual memory via the global offset table (GOT).
This incurs some cost during compilation (the -fPIC part) and results in a slightly larger
library size.
If a shared object is compiled with non-PIC code the dynamic linker at run-time has to
replace all direct memory references in the *.so and relocate these addresses.
For large libraries with lots of relocations this can lead to
a significant performance degradation. There's more info regarding this issue
at [1], [2], and [3]. That said, I have no hard numbers how much this cost turns out to
be for blas/lapack and these numbers might be fairly hard to come by. However,
I think the general consensus as far as I understand it is that shared objects should be
PIC. Last but not least (at least for me as a PAX user), these non-PIC shared objects
don't run on systems with a kernel that prevents run-time text relocations for security
reasons (PAX, SELinux) just like x86_64's NX bit, since this is a possible attack vector

Best,
Markus

[1] http://sources.redhat.com/autobook/autobook/autobook_71.html#SEC71
[2] http://www.gentoo.org/proj/en/hardened/pic-guide.xml
[3] http://people.redhat.com/drepper/dsohowto.pdf
Comment by Ronald van Haren (pressh) - Friday, 19 December 2008, 09:03 GMT
thanks for your efforts on this Markus. I just want you to know that I will only have time after christmas to look into this. Please poke me if I have not done anything before the start of next year ;)
Comment by Markus Dittrich (markusle) - Friday, 19 December 2008, 13:37 GMT
Hi Ronald,

That sounds great and I wish you relaxing holidays.

cheers,
Markus

Loading...