FS#49791 - [gcc] Compile with --enable-default-pie

Attached to Project: Arch Linux
Opened by AnAkkk (AnAkkk) - Tuesday, 21 June 2016, 10:05 GMT
Last edited by Eli Schwartz (eschwartz) - Friday, 14 July 2017, 20:24 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Bartłomiej Piotrowski (Barthalion)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 10
Private No

Details

GCC 6 added the --enable-default-pie flag, which would provide better security as it enables the usage of ASLR.

This is already enabled in Fedora since Fedora 23, along with other compiler flags to help against security exploits:
https://fedoraproject.org/wiki/Changes/Harden_All_Packages

There is also some information on the Arch wiki about it:
https://wiki.archlinux.org/index.php/DeveloperWiki:Security

Closed by Eli Schwartz (eschwartz)
Friday, 14 July 2017, 20:24 GMT
Reason for closing: Fixed
Additional comments about closing: gcc 7.1.1-4
Comment by Allan McRae (Allan) - Tuesday, 21 June 2016, 11:17 GMT
go here: https://lists.archlinux.org/pipermail/arch-dev-public/2016-May/028030.html

Submit your results. Then we know the performance penalty for enabling many security flags and can make this decision.
Comment by AnAkkk (AnAkkk) - Thursday, 23 June 2016, 02:33 GMT
I have added my ffmpeg results. I don't currently have time to run the other tests.
There seems to be no performance difference with ffmpeg from my results (and other people's results too). My CPU was hotter in the last tests so that could very much explain why there is a 0.5s difference, although that's negligible.

How many results do we need to make a decision? Is it still going to be posted as a news item to gather more data?
Comment by AnAkkk (AnAkkk) - Sunday, 30 April 2017, 14:31 GMT
  • Field changed: Percent Complete (100% → 0%)
Can we please reopen this as this is not implemented yet and was blocked by binutils (which is no longer the case apparently).
Comment by Allan McRae (Allan) - Sunday, 30 April 2017, 22:16 GMT
There is still a problem with incremental linking in gold. If mov-to-lea conversion is done during the initial link, an incremental update will not be able to apply the correct relocation.
https://sourceware.org/bugzilla/show_bug.cgi?id=21090
Comment by AnAkkk (AnAkkk) - Monday, 01 May 2017, 17:34 GMT
Wouldn't it be possible to do whatever Debian/Fedora/Alpine Linux do to work around the issue, in the meantime?
Comment by oneup40 (oneup40) - Sunday, 28 May 2017, 03:55 GMT
Incremental linking with gold is pretty broken in general. If we're waiting for it to be fixed, then we'll never enable default-pie.

5 1/2 years later, C++ exceptions are still completely broken with gold incremental linking: https://sourceware.org/bugzilla/show_bug.cgi?id=13442

It also doesn't support -z relro and likely never will: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=943c8b4393ca97b6c4805c724069028be6955b89

Incremental linking has never been implemented for i386 targets: https://stackoverflow.com/questions/21877644/gold-linker-with-incremental-flag-does-not-work-for-target-i386 (I can't find the exact post on the binutils mailing list referred to from there, but looking at the current branch of master, there's still no implementation of init_got_plt_for_update for the i386 target).

The testsuite failures are due to trying to do an incremental link with gold with any type of position-independent code. They're exposed by gcc configured with --enable-default-pie because it makes gcc pass -fPIE and -pie by default. Running the test case with gcc configured *without* --enable-default-pie but passing either -fpic or -fPIE or -pie all cause the same internal error.

You can cause similar internal errors with very trivial testcases with the current gcc and binutils packages in the core repo:

/* File: main.c */
extern int x;
int main() { return x; }

/* File: other.c */
int x = 1;

Then run:
$ gcc -c -o main.o main.c
$ gcc -c -o other.o other.c
$ gcc -fuse-ld=gold -fno-use-linker-plugin -o test -Wl,-z,norelro,--incremental-full,--incremental-patch=100 main.o other.o
$ touch main.o
$ gcc -fuse-ld=gold -fno-use-linker-plugin -o test -Wl,-z,norelro,--incremental-update main.o other.o

And you get:

/usr/bin/ld.gold: internal error in set_section_addresses, at ../../binutils-gdb/gold/output.cc:4430
collect2: error: ld returned 1 exit status

(ignore the first attachment, I simplified the testcase even more in the second)
Comment by Bartłomiej Piotrowski (Barthalion) - Sunday, 28 May 2017, 11:39 GMT
I am not going to pay much attention to gold. I will work on enabling PIE after I move new gcc to [core].
Comment by trendkiller (trendkiller) - Tuesday, 30 May 2017, 16:36 GMT
Glad to hear it's being worked on.
Since this bug is only about -pie, I hope the other flags Allan promised won't be forgotten.
-z,now to LDFLAGS and -fno-plt and -fstack-check to CFLAGS
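As an added example (not part of this bug report, the Arch packaging, or the linked Fedora/wiki pages), here is a small Python checker for the two binary properties this thread is about: whether an ELF64 file is a PIE (what a gcc built with --enable-default-pie produces, and what ASLR needs) and whether it carries a PT_GNU_RELRO segment (what -z relro / -z now rely on). It reads the ELF header and program headers directly with struct; the sample images it tests against are constructed inline, and the real-file path argument is an assumption for running it from the shell.

```python
import struct
import sys
from dataclasses import dataclass

ET_EXEC, ET_DYN = 2, 3                      # e_type values
PT_INTERP, PT_GNU_RELRO = 3, 0x6474E552     # p_type values


@dataclass
class ElfHardening:
    e_type: int
    has_interp: bool
    has_relro: bool

    @property
    def is_pie(self) -> bool:
        # A PIE is an ET_DYN object that also has a program interpreter;
        # a plain shared library is ET_DYN but has no PT_INTERP.
        return self.e_type == ET_DYN and self.has_interp


def inspect_elf64(data: bytes) -> ElfHardening:
    """Parse the ELF64 header and walk the program headers."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not a 64-bit ELF image")
    end = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    has_interp = has_relro = False
    for i in range(e_phnum):
        p_type = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0]
        has_interp |= p_type == PT_INTERP
        has_relro |= p_type == PT_GNU_RELRO
    return ElfHardening(e_type, has_interp, has_relro)


def build_sample(e_type: int, p_types: list) -> bytes:
    """Constructed minimal little-endian ELF64 image: header plus program headers only."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(p_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 0) for t in p_types)
    return ehdr + phdrs


if __name__ == "__main__":
    for path in sys.argv[1:]:                     # assumption: paths to ELF64 binaries
        with open(path, "rb") as fh:
            info = inspect_elf64(fh.read())
        print(f"{path}: PIE={info.is_pie} RELRO={info.has_relro}")
```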