FS#42748 - [ocaml] Build with PIE/PIC (hardening-wrapper).

Attached to Project: Arch Linux
Opened by Earnestly (Earnest) - Tuesday, 11 November 2014, 18:24 GMT
Last edited by Jürgen Hötzel (juergen) - Friday, 14 July 2017, 16:45 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Jürgen Hötzel (juergen)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 10
Private No

Details

I cannot build an OCaml project with Arch's ocaml package because it doesn't support relocation.

ocamlopt -o llpp -g -w +a-4 -I +lablGL link.o -cclib '-Wl,-O1,--sort-common,--as-needed,-z,relro -g -L/usr/lib -lX11 -lpthread -lmupdf -lmujs -ljbig2dec -lcrypto -lz -lopenjp2 -ljpeg -lfreetype' unix.cmxa str.cmxa lablgl.cmxa bo.cmx help.cmx utils.cmx wsi.cmx parser.cmx config.cmx main.cmx
/usr/bin/ld: /usr/lib/ocaml/libasmrun.a(startup.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/lib/ocaml/libasmrun.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
File "caml_startup", line 1:
Error: Error during linking
/home/earnest/build/pkgbuilds/llpp-git/src/Makefile:32: recipe for target 'llpp' failed
make: *** [llpp] Error 2

I have solved this by maintaining my own ocaml package which is built with PIC/RELOC, i.e. the hardening-wrapper.

Closed by Jürgen Hötzel (juergen)
Friday, 14 July 2017, 16:45 GMT
Reason for closing: Fixed
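A way to check before linking whether a static archive such as libasmrun.a carries the absolute relocations behind the linker error in the report (added example, not part of the original task or its comments): it parses the text output of `readelf -rW` and lists the archive members that contain R_X86_64_32 or R_X86_64_32S relocations. The sample input is constructed, and `pic_member.o` and `some_function` are made-up names.

```python
import re
from collections import defaultdict

# Absolute 32-bit relocation types that x86-64 ld rejects in PIE/shared output.
# R_X86_64_32 is the type in the report; R_X86_64_32S is its signed variant.
NON_PIC_TYPES = {"R_X86_64_32", "R_X86_64_32S"}

FILE_RE = re.compile(r"^File:\s+(\S+)\((\S+)\)\s*$")   # archive(member) header
RELOC_RE = re.compile(                                   # offset info type [value name]
    r"^[0-9a-f]+\s+[0-9a-f]+\s+(R_X86_64_\w+)\s*(?:[0-9a-f]+\s+(\S+))?")

def non_pic_members(readelf_text):
    """Return {archive member: sorted [(reloc type, symbol)]} that block PIE linking."""
    hits = defaultdict(set)
    member = None
    for line in readelf_text.splitlines():
        header = FILE_RE.match(line)
        if header:
            member = header.group(2)
            continue
        reloc = RELOC_RE.match(line.strip())
        if reloc and member and reloc.group(1) in NON_PIC_TYPES:
            hits[member].add((reloc.group(1), reloc.group(2) or "?"))
    return {name: sorted(found) for name, found in hits.items()}

# Constructed sample in the layout of `readelf -rW /usr/lib/ocaml/libasmrun.a`;
# pic_member.o and some_function are made-up names.
SAMPLE = """\
File: libasmrun.a(startup.o)

Relocation section '.rela.text' at offset 0x5c0 contains 2 entries:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000000000012  000000050000000a R_X86_64_32            0000000000000000 .rodata.str1.1 + 0
0000000000000021  0000000c00000004 R_X86_64_PLT32         0000000000000000 some_function - 4

File: libasmrun.a(pic_member.o)

Relocation section '.rela.text' at offset 0x2a0 contains 1 entry:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000000000007  0000000300000002 R_X86_64_PC32          0000000000000000 .rodata.str1.1 - 4
"""

if __name__ == "__main__":
    for name, relocs in non_pic_members(SAMPLE).items():
        for rtype, symbol in relocs:
            print(f"{name}: {rtype} against {symbol} (rebuild this object with -fPIC)")
```
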
Comment by Stefan Husmann (stefanhusmann) - Saturday, 10 January 2015, 21:27 GMT
Also true for scilab from AUR, x86_64.
Comment by Daniel Micay (thestinger) - Saturday, 10 January 2015, 21:39 GMT
As long as Arch isn't using PIE by default, static libraries aren't going to be usable for building PIE binaries. PIE could be addressed package by package but that seems unrealistic.
Comment by Luca Fulchir (Luker) - Friday, 09 October 2015, 08:59 GMT
Same problem here.
Solution: got the PKGBUILD, modified the ./configure:

./configure -prefix /usr -x11include /usr/include -cc "gcc -fPIC" -aspp "gcc -fPIC -c"


Now I can compile proverif, cryptoverif from AUR.
Comment by Richard Jones (rwmjones) - Tuesday, 13 October 2015, 07:56 GMT
You might try adding -runtime-variant _pic to the ocamlopt command line. This requires OCaml >= 4.02.2, and you might want to check this bug: http://caml.inria.fr/mantis/view.php?id=6693
Comment by Guillaume Maudoux (Layus) - Monday, 14 December 2015, 13:37 GMT
Also affects ocaml-sqlite3 and transitively why3.
Rebuilding ocaml with `-cc "gcc -fPIC" -aspp "gcc -fPIC -c"` works but feels like using a sledgehammer to kill a fly.
I did not find the place to add `-runtime-variant _pic` in ocaml-sqlite3 but adding it to the failed command and rerunning it manually in src/ works too.

Any final decision on this?
Comment by Guillaume Maudoux (Layus) - Tuesday, 15 December 2015, 07:38 GMT
Now seems like a good time to fix/close this bug as the above related upstream mantis issue [1] is now closed.
There seem to be three options:
1/ Compile ocaml with -fPIC or
2/ Explain how to use `-runtime-variant _pic` in scilab, proverif, cryptoverif, ocaml-sqlite3 or
4/ Make ocaml autodetect the need for shared libraries or
3/ Discover that it works out of the box and I am the only guy with a broken config :-).

@tpowa ?

[1] http://caml.inria.fr/mantis/view.php?id=6693
Comment by Daniel Micay (thestinger) - Wednesday, 16 December 2015, 03:49 GMT
Or just wait until GCC 6 as PIE is going to end up being enabled by default across the board.
Comment by Richard Jones (rwmjones) - Wednesday, 16 December 2015, 10:32 GMT
OCaml uses its own code generator. I doubt any changes in GCC will be relevant.
Comment by Raphael Cazenave-Leveque (StatelessCat) - Saturday, 16 January 2016, 18:57 GMT
Now, opam and opam-git cannot build anymore if 'hardening-wrapper' is installed.
See https://aur.archlinux.org/packages/opam/?comments=all
Comment by Alexander F. Rødseth (xyproto) - Monday, 30 May 2016, 08:49 GMT
Assigned to maintainer and last packager.
Comment by Gustavo Alvarez (sl1pkn07) - Sunday, 09 July 2017, 13:55 GMT
