FS#49791 - [gcc] Compile with --enable-default-pie
Attached to Project:
Arch Linux
Opened by AnAkkk (AnAkkk) - Tuesday, 21 June 2016, 10:05 GMT
Last edited by Eli Schwartz (eschwartz) - Friday, 14 July 2017, 20:24 GMT
Details
GCC 6 added the --enable-default-pie flag, which would
provide better security as it enables the usage of ASLR.
This is already enabled in Fedora since Fedora 23, along with other compiler flags to help against security exploits: https://fedoraproject.org/wiki/Changes/Harden_All_Packages
There is also some information on the Arch wiki about it: https://wiki.archlinux.org/index.php/DeveloperWiki:Security
Closed by Eli Schwartz (eschwartz)
Friday, 14 July 2017, 20:24 GMT
Reason for closing: Fixed
Additional comments about closing: gcc 7.1.1-4
Submit your results. Then we know the performance penalty for enabling many security flags and can make this decision.
There seems to be no performance difference with ffmpeg from my results (and other people's results too). My CPU was hotter in the last tests so that could very much explain why there is a 0.5s difference, although that's negligible.
How many results do we need to make a decision? Is it still going to be posted as a news item to gather more data?
https://sourceware.org/bugzilla/show_bug.cgi?id=21090
5 1/2 years later, C++ exceptions are still completely broken with gold incremental linking: https://sourceware.org/bugzilla/show_bug.cgi?id=13442
It also doesn't support -z relro and likely never will: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=943c8b4393ca97b6c4805c724069028be6955b89
Incremental linking has never been implemented for i386 targets: https://stackoverflow.com/questions/21877644/gold-linker-with-incremental-flag-does-not-work-for-target-i386 (I can't find the exact post on the binutils mailing list referred to from there, but looking at the current branch of master, there's still no implementation of init_got_plt_for_update for the i386 target).
The testsuite failures are due to trying to do an incremental link with gold with any type of position-independent code. They're exposed by gcc configured with --enable-default-pie because it makes gcc pass -fPIE and -pie by default. Running the test case with gcc configured *without* --enable-default-pie but passing either -fpic or -fPIE or -pie all cause the same internal error.
You can cause similar internal errors with very trivial testcases with the current gcc and binutils packages in the core repo:
/* File: main.c */
extern int x;
int main() { return x; }
/* File: other.c */
int x = 1;
Then run:
$ gcc -c -o main.o main.c
$ gcc -c -o other.o other.c
$ gcc -fuse-ld=gold -fno-use-linker-plugin -o test -Wl,-z,norelro,--incremental-full,--incremental-patch=100 main.o other.o
$ touch main.o
$ gcc -fuse-ld=gold -fno-use-linker-plugin -o test -Wl,-z,norelro,--incremental-update main.o other.o
And you get:
/usr/bin/ld.gold: internal error in set_section_addresses, at ../../binutils-gdb/gold/output.cc:4430
collect2: error: ld returned 1 exit status
(ignore the first attachment, I simplified the testcase even more in the second)
gold-error.tgz (0.4 KiB)
Since this bug is only about -pie, I hope the other flags Allan promised won't be forgotten.
-z,now to LDFLAGS and -fno-plt and -fstack-check to CFLAGS
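Added example, not part of the tracker thread or of Arch's packaging: a small checker that reads ELF64 headers to confirm whether a built binary actually carries the properties discussed in this task (PIE from --enable-default-pie, RELRO, and -z now). The `sample` helper builds a constructed test image, and treating "ET_DYN plus PT_INTERP or DF_1_PIE" as PIE is an assumption of this sketch.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 3, 2, 3, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"

def hardening(elf: bytes) -> dict:
    """Report PIE and RELRO status of a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, elf)
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    interp = relro = bind_now = pie_flag = False
    for i in range(phnum):
        p_type, _, off, _, _, filesz, _, _ = struct.unpack_from(PHDR, elf, phoff + i * phentsize)
        if p_type == PT_INTERP:
            interp = True
        elif p_type == PT_GNU_RELRO:      # emitted by -z relro, absent with -z norelro
            relro = True
        elif p_type == PT_DYNAMIC:        # -z now shows up as a dynamic-section flag
            for tag, val in struct.iter_unpack(DYN, elf[off:off + filesz]):
                bind_now |= tag == DT_BIND_NOW or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
                bind_now |= tag == DT_FLAGS_1 and bool(val & DF_1_NOW)
                pie_flag |= tag == DT_FLAGS_1 and bool(val & DF_1_PIE)
    # Assumption: ET_DYN with an interpreter or DF_1_PIE is a PIE, not a shared library.
    return {"pie": e_type == ET_DYN and (interp or pie_flag),
            "relro": "full" if relro and bind_now else "partial" if relro else "none"}

def sample(e_type: int, relro: bool, flags_1: int) -> bytes:
    """Constructed test image: ELF header, 3 program headers, 2 dynamic entries."""
    dyn = struct.pack(DYN, DT_FLAGS_1, flags_1) + struct.pack(DYN, 0, 0)
    phdrs = [(PT_INTERP, 0, 0), (PT_DYNAMIC, 64 + 3 * 56, len(dyn)),
             (PT_GNU_RELRO if relro else 0, 0, 0)]
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + bytes(9), e_type, 62, 1,
                       0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR, t, 4, o, 0, 0, n, n, 8) for t, o, n in phdrs) + dyn

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:             # e.g. the ./test binary from the steps above
        with open(path, "rb") as fh:
            print(path, hardening(fh.read()))
```

Run against a real binary by passing its path as an argument; an executable linked with -z,norelro as in the reproduction above should report "relro": "none".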