Message ID | 20171228214333.8340-1-stefan.froberg@petroprogram.com |
---|---|
State | Changes Requested |
Headers | show |
Series | [1/1,v2] gcc: Add support for --enable-default-pie configure option. | expand |
Hello, On Thu, 28 Dec 2017 23:43:33 +0200, Stefan Fröberg wrote: > By default, buildroot produces insecure binaries. > > GCC 6.x added build time configuration option "--enable-default-pie". > With that enabled, GCC will produce PIE > (Position-independent executables) binaries. > > PIE is a requirement for ASLR (Address space layout randomization) > that will make exploits like return-to-libc attack impossible. > > If you want to have a modern, secure system then enable this option. > > To override this default behaviour, you can use -no-pie > with your CFLAGS/CXXFLAGS. > > https://gcc.gnu.org/onlinedocs/gcc-6.2.0/gcc/Link-Options.html As I said in my previous review, I think we want a solution that also applies to external toolchains, by passing -pie in the compiler wrapper. Please see "[PATCH 2/2] security hardening: add RELFO, FORTIFY options" in the mailing list archives, https://patchwork.ozlabs.org/patch/830085/, it was also adding -pie support, but in a more generic way. Could you use this instead ? Thanks! Thomas
Stefan, On Dec 28, 2017 4:08 PM, "Thomas Petazzoni" < thomas.petazzoni@free-electrons.com> wrote: Hello, On Thu, 28 Dec 2017 23:43:33 +0200, Stefan Fröberg wrote: > By default, buildroot produces insecure binaries. > > GCC 6.x added build time configuration option "--enable-default-pie". > With that enabled, GCC will produce PIE > (Position-independent executables) binaries. > > PIE is a requirement for ASLR (Address space layout randomization) > that will make exploits like return-to-libc attack impossible. > > If you want to have a modern, secure system then enable this option. > > To override this default behaviour, you can use -no-pie > with your CFLAGS/CXXFLAGS. > > https://gcc.gnu.org/onlinedocs/gcc-6.2.0/gcc/Link-Options.html As I said in my previous review, I think we want a solution that also applies to external toolchains, by passing -pie in the compiler wrapper. Please see "[PATCH 2/2] security hardening: add RELFO, FORTIFY options" in the mailing list archives, https://patchwork.ozlabs.org/patch/830085/, it was also adding -pie support, but in a more generic way. Could you use this instead ? I've got a v3 in the works for that one, I can incorporate this into it if you'd like and send out the set this weekend (currently no computer) Matt <div dir="auto"><div>Stefan,<br><div class="gmail_extra"><br><div class="gmail_quote">On Dec 28, 2017 4:08 PM, "Thomas Petazzoni" <<a href="mailto:thomas.petazzoni@free-electrons.com">thomas.petazzoni@free-electrons.com</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br> <div class="quoted-text"><br> On Thu, 28 Dec 2017 23:43:33 +0200, Stefan Fröberg wrote:<br> > By default, buildroot produces insecure binaries.<br> ><br> > GCC 6.x added build time configuration option "--enable-default-pie".<br> > With that enabled, GCC will produce PIE<br> > (Position-independent executables) binaries.<br> ><br> > PIE is a requirement for ASLR (Address space layout randomization)<br> > that will make exploits like return-to-libc attack impossible.<br> ><br> > If you want to have a modern, secure system then enable this option.<br> ><br> > To override this default behaviour, you can use -no-pie<br> > with your CFLAGS/CXXFLAGS.<br> ><br> > <a href="https://gcc.gnu.org/onlinedocs/gcc-6.2.0/gcc/Link-Options.html" rel="noreferrer" target="_blank">https://gcc.gnu.org/<wbr>onlinedocs/gcc-6.2.0/gcc/Link-<wbr>Options.html</a><br> <br> </div>As I said in my previous review, I think we want a solution that also<br> applies to external toolchains, by passing -pie in the compiler wrapper.<br> <br> Please see "[PATCH 2/2] security hardening: add RELFO, FORTIFY<br> options" in the mailing list archives,<br> <a href="https://patchwork.ozlabs.org/patch/830085/" rel="noreferrer" target="_blank">https://patchwork.ozlabs.org/<wbr>patch/830085/</a>, it was also adding -pie<br> support, but in a more generic way. Could you use this instead ?<br> <br><div class="elided-text"></div></blockquote></div></div></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="elided-text"></div></blockquote></div></div></div><div dir="auto"><br></div><div dir="auto">I've got a v3 in the works for that one, I can incorporate this into it if you'd like and send out the set this weekend (currently no computer)</div><div dir="auto"><br></div><div dir="auto">Matt</div><div dir="auto"><br></div></div>
Hi Thomas Yes, of course PIE (and other hardening flags) could be passed with CFLAGS/CXXFLAGS/LDFLAGS. But what if some package does not care about CFLAGS/CXXFLAGS/LDFLAGS? (Like for example, zlib by default does not do, but I see that buildroot maually passes them to configure script) Then you would need to patch all those packages while with default PIE there would be no need to patch. Compiler would automatically do the right thing And in the case of PIE, there seems to be tricky rules what to put and where: https://fedoraproject.org/wiki/Changes/Harden_All_Packages From the above link: "The key change is that for PIE builds, compilation for static linking (such as object files which go into the main program, not a library) needs the flag -fPIE. But this flag /must not be included when compiling for dynamic linking/ because the resulting object code is not compatible with that. To repeat, /*you should not specify both -fpic and -fpie on the same command line/* because this rarely has the intended effect. " So with default pie built into compiler, the compiler would automatically do the right thing. Other than letting compiler to handle the PIE and changing "fstack-protector-all" to "fstack-protector-strong" (introduced in GCC 4.9, pretty much the same result that "all" but with less performance penalty) that generic hardening patch looks okay to me. So I suggest that let the compiler handle PIE. Either builtin (need GCC 6.x + ), with specs file (very ugly and messy but also very effective) or maybe compiler wrapper (call it "hardened-gcc/g++" or whatever) that I remember Arnout Vandecappelle suggesting. Best Regards -S- Thomas Petazzoni kirjoitti 29.12.2017 klo 00:07: > Hello, > > On Thu, 28 Dec 2017 23:43:33 +0200, Stefan Fröberg wrote: >> By default, buildroot produces insecure binaries. >> >> GCC 6.x added build time configuration option "--enable-default-pie". >> With that enabled, GCC will produce PIE >> (Position-independent executables) binaries. >> >> PIE is a requirement for ASLR (Address space layout randomization) >> that will make exploits like return-to-libc attack impossible. >> >> If you want to have a modern, secure system then enable this option. >> >> To override this default behaviour, you can use -no-pie >> with your CFLAGS/CXXFLAGS. >> >> https://gcc.gnu.org/onlinedocs/gcc-6.2.0/gcc/Link-Options.html > As I said in my previous review, I think we want a solution that also > applies to external toolchains, by passing -pie in the compiler wrapper. > > Please see "[PATCH 2/2] security hardening: add RELFO, FORTIFY > options" in the mailing list archives, > https://patchwork.ozlabs.org/patch/830085/, it was also adding -pie > support, but in a more generic way. Could you use this instead ? > > Thanks! > > Thomas <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> </head> <body text="#000000" bgcolor="#FFFFFF"> Hi Thomas<br> <br> Yes, of course PIE (and other hardening flags) could be passed with<br> CFLAGS/CXXFLAGS/LDFLAGS.<br> <br> But what if some package does not care about CFLAGS/CXXFLAGS/LDFLAGS?<br> (Like for example, zlib by default does not do, but I see that buildroot maually passes them<br> to configure script)<br> <br> Then you would need to patch all those packages while with default PIE there would<br> be no need to patch. Compiler would automatically do the right thing<br> <br> And in the case of PIE, there seems to be tricky rules what to put and<br> where:<br> <a class="moz-txt-link-freetext" href="https://fedoraproject.org/wiki/Changes/Harden_All_Packages">https://fedoraproject.org/wiki/Changes/Harden_All_Packages</a><br> <br> From the above link:<br> <br> "The key change is that for PIE builds, compilation for static linking <br> (such as object files which go into the main program, not a library) needs the flag <tt>-fPIE</tt>. <br> <br> But this flag <i>must not be included when compiling for dynamic linking</i> because the <br> resulting object code is not compatible with that. <br> <br> To repeat, <i>*you should not specify both <tt>-fpic</tt> and <tt>-fpie</tt> on the same command line</i>* <br> because this rarely has the intended effect. "<br> <br> So with default pie built into compiler, the compiler would automatically do the right thing.<br> <br> Other than letting compiler to handle the PIE and changing "fstack-protector-all" to <br> "fstack-protector-strong" (introduced in GCC 4.9, pretty much the same result that "all" but with less performance penalty)<br> that generic hardening patch looks okay to me.<br> <br> So I suggest that let the compiler handle PIE.<br> <br> Either builtin (need GCC 6.x + ), with specs file (very ugly and messy but also very effective) or maybe<br> compiler wrapper (call it "hardened-gcc/g++" or whatever) that I remember Arnout Vandecappelle suggesting.<br> <br> Best Regards<br> -S-<br> <br> <br> <br> <div class="moz-cite-prefix">Thomas Petazzoni kirjoitti 29.12.2017 klo 00:07:<br> </div> <blockquote type="cite" cite="mid:20171228230743.1e6c59ab@windsurf"> <pre wrap="">Hello, On Thu, 28 Dec 2017 23:43:33 +0200, Stefan Fröberg wrote: </pre> <blockquote type="cite"> <pre wrap="">By default, buildroot produces insecure binaries. GCC 6.x added build time configuration option "--enable-default-pie". With that enabled, GCC will produce PIE (Position-independent executables) binaries. PIE is a requirement for ASLR (Address space layout randomization) that will make exploits like return-to-libc attack impossible. If you want to have a modern, secure system then enable this option. To override this default behaviour, you can use -no-pie with your CFLAGS/CXXFLAGS. <a class="moz-txt-link-freetext" href="https://gcc.gnu.org/onlinedocs/gcc-6.2.0/gcc/Link-Options.html">https://gcc.gnu.org/onlinedocs/gcc-6.2.0/gcc/Link-Options.html</a> </pre> </blockquote> <pre wrap=""> As I said in my previous review, I think we want a solution that also applies to external toolchains, by passing -pie in the compiler wrapper. Please see "[PATCH 2/2] security hardening: add RELFO, FORTIFY options" in the mailing list archives, <a class="moz-txt-link-freetext" href="https://patchwork.ozlabs.org/patch/830085/">https://patchwork.ozlabs.org/patch/830085/</a>, it was also adding -pie support, but in a more generic way. Could you use this instead ? Thanks! Thomas </pre> </blockquote> <br> </body> </html>
Actually, now that I think of it...there is also --enable-default-ssp flag too to let compiler handle stack-protection automatically too https://gcc.gnu.org/install/configure.html |"--enable-default-ssp| Turn on -fstack-protector-strong by default. " -S- Stefan Fröberg kirjoitti 29.12.2017 klo 15:25: > Hi Thomas > > Yes, of course PIE (and other hardening flags) could be passed with > CFLAGS/CXXFLAGS/LDFLAGS. > > But what if some package does not care about CFLAGS/CXXFLAGS/LDFLAGS? > (Like for example, zlib by default does not do, but I see that > buildroot maually passes them > to configure script) > > Then you would need to patch all those packages while with default PIE > there would > be no need to patch. Compiler would automatically do the right thing > > And in the case of PIE, there seems to be tricky rules what to put and > where: > https://fedoraproject.org/wiki/Changes/Harden_All_Packages > > From the above link: > > "The key change is that for PIE builds, compilation for static linking > (such as object files which go into the main program, not a library) > needs the flag -fPIE. > > But this flag /must not be included when compiling for dynamic > linking/ because the > resulting object code is not compatible with that. > > To repeat, /*you should not specify both -fpic and -fpie on the same > command line/* > because this rarely has the intended effect. " > > So with default pie built into compiler, the compiler would > automatically do the right thing. > > Other than letting compiler to handle the PIE and changing > "fstack-protector-all" to > "fstack-protector-strong" (introduced in GCC 4.9, pretty much the > same result that "all" but with less performance penalty) > that generic hardening patch looks okay to me. > > So I suggest that let the compiler handle PIE. > > Either builtin (need GCC 6.x + ), with specs file (very ugly and messy > but also very effective) or maybe > compiler wrapper (call it "hardened-gcc/g++" or whatever) that I > remember Arnout Vandecappelle suggesting. > > Best Regards > -S- > > > > Thomas Petazzoni kirjoitti 29.12.2017 klo 00:07: >> Hello, >> >> On Thu, 28 Dec 2017 23:43:33 +0200, Stefan Fröberg wrote: >>> By default, buildroot produces insecure binaries. >>> >>> GCC 6.x added build time configuration option "--enable-default-pie". >>> With that enabled, GCC will produce PIE >>> (Position-independent executables) binaries. >>> >>> PIE is a requirement for ASLR (Address space layout randomization) >>> that will make exploits like return-to-libc attack impossible. >>> >>> If you want to have a modern, secure system then enable this option. >>> >>> To override this default behaviour, you can use -no-pie >>> with your CFLAGS/CXXFLAGS. >>> >>> https://gcc.gnu.org/onlinedocs/gcc-6.2.0/gcc/Link-Options.html >> As I said in my previous review, I think we want a solution that also >> applies to external toolchains, by passing -pie in the compiler wrapper. >> >> Please see "[PATCH 2/2] security hardening: add RELFO, FORTIFY >> options" in the mailing list archives, >> https://patchwork.ozlabs.org/patch/830085/, it was also adding -pie >> support, but in a more generic way. Could you use this instead ? >> >> Thanks! >> >> Thomas > > > > _______________________________________________ > buildroot mailing list > buildroot@busybox.net > http://lists.busybox.net/mailman/listinfo/buildroot <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> </head> <body text="#000000" bgcolor="#FFFFFF"> Actually, now that I think of it...there is also --enable-default-ssp flag too to <br> let compiler handle stack-protection automatically too<br> <br> <a class="moz-txt-link-freetext" href="https://gcc.gnu.org/install/configure.html">https://gcc.gnu.org/install/configure.html</a><br> <dl compact="compact"> <dt><code>"--enable-default-ssp</code></dt> <dd>Turn on <samp>-fstack-protector-strong</samp> by default. "<br> </dd> </dl> <p><br> </p> <p>-S-<br> </p> <br> <div class="moz-cite-prefix">Stefan Fröberg kirjoitti 29.12.2017 klo 15:25:<br> </div> <blockquote type="cite" cite="mid:5a5a8ab0-25f3-a3a2-bf5a-b9c7fe851c66@petroprogram.com"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> Hi Thomas<br> <br> Yes, of course PIE (and other hardening flags) could be passed with<br> CFLAGS/CXXFLAGS/LDFLAGS.<br> <br> But what if some package does not care about CFLAGS/CXXFLAGS/LDFLAGS?<br> (Like for example, zlib by default does not do, but I see that buildroot maually passes them<br> to configure script)<br> <br> Then you would need to patch all those packages while with default PIE there would<br> be no need to patch. Compiler would automatically do the right thing<br> <br> And in the case of PIE, there seems to be tricky rules what to put and<br> where:<br> <a class="moz-txt-link-freetext" href="https://fedoraproject.org/wiki/Changes/Harden_All_Packages" moz-do-not-send="true">https://fedoraproject.org/wiki/Changes/Harden_All_Packages</a><br> <br> From the above link:<br> <br> "The key change is that for PIE builds, compilation for static linking <br> (such as object files which go into the main program, not a library) needs the flag <tt>-fPIE</tt>. <br> <br> But this flag <i>must not be included when compiling for dynamic linking</i> because the <br> resulting object code is not compatible with that. <br> <br> To repeat, <i>*you should not specify both <tt>-fpic</tt> and <tt>-fpie</tt> on the same command line</i>* <br> because this rarely has the intended effect. "<br> <br> So with default pie built into compiler, the compiler would automatically do the right thing.<br> <br> Other than letting compiler to handle the PIE and changing "fstack-protector-all" to <br> "fstack-protector-strong" (introduced in GCC 4.9, pretty much the same result that "all" but with less performance penalty)<br> that generic hardening patch looks okay to me.<br> <br> So I suggest that let the compiler handle PIE.<br> <br> Either builtin (need GCC 6.x + ), with specs file (very ugly and messy but also very effective) or maybe<br> compiler wrapper (call it "hardened-gcc/g++" or whatever) that I remember Arnout Vandecappelle suggesting.<br> <br> Best Regards<br> -S-<br> <br> <br> <br> <div class="moz-cite-prefix">Thomas Petazzoni kirjoitti 29.12.2017 klo 00:07:<br> </div> <blockquote type="cite" cite="mid:20171228230743.1e6c59ab@windsurf"> <pre wrap="">Hello, On Thu, 28 Dec 2017 23:43:33 +0200, Stefan Fröberg wrote: </pre> <blockquote type="cite"> <pre wrap="">By default, buildroot produces insecure binaries. GCC 6.x added build time configuration option "--enable-default-pie". With that enabled, GCC will produce PIE (Position-independent executables) binaries. PIE is a requirement for ASLR (Address space layout randomization) that will make exploits like return-to-libc attack impossible. If you want to have a modern, secure system then enable this option. To override this default behaviour, you can use -no-pie with your CFLAGS/CXXFLAGS. <a class="moz-txt-link-freetext" href="https://gcc.gnu.org/onlinedocs/gcc-6.2.0/gcc/Link-Options.html" moz-do-not-send="true">https://gcc.gnu.org/onlinedocs/gcc-6.2.0/gcc/Link-Options.html</a> </pre> </blockquote> <pre wrap="">As I said in my previous review, I think we want a solution that also applies to external toolchains, by passing -pie in the compiler wrapper. Please see "[PATCH 2/2] security hardening: add RELFO, FORTIFY options" in the mailing list archives, <a class="moz-txt-link-freetext" href="https://patchwork.ozlabs.org/patch/830085/" moz-do-not-send="true">https://patchwork.ozlabs.org/patch/830085/</a>, it was also adding -pie support, but in a more generic way. Could you use this instead ? Thanks! Thomas </pre> </blockquote> <br> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ buildroot mailing list <a class="moz-txt-link-abbreviated" href="mailto:buildroot@busybox.net">buildroot@busybox.net</a> <a class="moz-txt-link-freetext" href="http://lists.busybox.net/mailman/listinfo/buildroot">http://lists.busybox.net/mailman/listinfo/buildroot</a> </pre> </blockquote> <br> </body> </html>
Hello, On Fri, 29 Dec 2017 15:25:21 +0200, Stefan Fröberg wrote: > Yes, of course PIE (and other hardening flags) could be passed with > CFLAGS/CXXFLAGS/LDFLAGS. > > But what if some package does not care about CFLAGS/CXXFLAGS/LDFLAGS? > (Like for example, zlib by default does not do, but I see that buildroot > maually passes them > to configure script) > > Then you would need to patch all those packages while with default PIE > there would > be no need to patch. Compiler would automatically do the right thing > > And in the case of PIE, there seems to be tricky rules what to put and > where: > https://fedoraproject.org/wiki/Changes/Harden_All_Packages > > From the above link: > > "The key change is that for PIE builds, compilation for static linking > (such as object files which go into the main program, not a library) > needs the flag -fPIE. > > But this flag /must not be included when compiling for dynamic linking/ > because the > resulting object code is not compatible with that. > > To repeat, /*you should not specify both -fpic and -fpie on the same > command line/* > because this rarely has the intended effect. " > > So with default pie built into compiler, the compiler would > automatically do the right thing. > > Other than letting compiler to handle the PIE and changing > "fstack-protector-all" to > "fstack-protector-strong" (introduced in GCC 4.9, pretty much the same > result that "all" but with less performance penalty) > that generic hardening patch looks okay to me. > > So I suggest that let the compiler handle PIE. And what do you propose for external toolchains ? That's the big limitation in your proposal: it works fine for the internal toolchain, but doesn't work at all for the external toolchain. Hence the discussion on using CFLAGS, or the compiler wrapper. Thomas
Yeah, there is no other way for external toolchains than generic flags passing (and possibly patching) or compiler wrapper (well, there is specs file but it's ...soooo messy...). Personally, Im only interested of internal toolchain (and I think this is not the first case that internal/external toolchains have different rules?) -S- Thomas Petazzoni kirjoitti 29.12.2017 klo 15:42: > Hello, > > On Fri, 29 Dec 2017 15:25:21 +0200, Stefan Fröberg wrote: > >> Yes, of course PIE (and other hardening flags) could be passed with >> CFLAGS/CXXFLAGS/LDFLAGS. >> >> But what if some package does not care about CFLAGS/CXXFLAGS/LDFLAGS? >> (Like for example, zlib by default does not do, but I see that buildroot >> maually passes them >> to configure script) >> >> Then you would need to patch all those packages while with default PIE >> there would >> be no need to patch. Compiler would automatically do the right thing >> >> And in the case of PIE, there seems to be tricky rules what to put and >> where: >> https://fedoraproject.org/wiki/Changes/Harden_All_Packages >> >> From the above link: >> >> "The key change is that for PIE builds, compilation for static linking >> (such as object files which go into the main program, not a library) >> needs the flag -fPIE. >> >> But this flag /must not be included when compiling for dynamic linking/ >> because the >> resulting object code is not compatible with that. >> >> To repeat, /*you should not specify both -fpic and -fpie on the same >> command line/* >> because this rarely has the intended effect. " >> >> So with default pie built into compiler, the compiler would >> automatically do the right thing. >> >> Other than letting compiler to handle the PIE and changing >> "fstack-protector-all" to >> "fstack-protector-strong" (introduced in GCC 4.9, pretty much the same >> result that "all" but with less performance penalty) >> that generic hardening patch looks okay to me. >> >> So I suggest that let the compiler handle PIE. > And what do you propose for external toolchains ? > > That's the big limitation in your proposal: it works fine for the > internal toolchain, but doesn't work at all for the external toolchain. > Hence the discussion on using CFLAGS, or the compiler wrapper. > > Thomas
Hello, On Fri, 29 Dec 2017 15:48:48 +0200, Stefan Fröberg wrote: > Yeah, there is no other way for external toolchains than generic flags > passing (and possibly patching) > or compiler wrapper (well, there is specs file but it's ...soooo messy...). And since the different method needed for external toolchains would also work for internal toolchains, there is no point in doing a solution that only works for internal toolchains. See my point ? > Personally, Im only interested of internal toolchain > (and I think this is not the first case that internal/external > toolchains have different rules?) We generally try to have internal and external toolchains supported in the same way. You may only be interested in internal toolchains, but Buildroot as a project needs to keep the feature parity between internal and external toolchains, so we would like to have a solution that solves both situations. Thomas
Hello Thomas Petazzoni kirjoitti 29.12.2017 klo 16:04: > Hello, > > On Fri, 29 Dec 2017 15:48:48 +0200, Stefan Fröberg wrote: > >> Yeah, there is no other way for external toolchains than generic flags >> passing (and possibly patching) >> or compiler wrapper (well, there is specs file but it's ...soooo messy...). > And since the different method needed for external toolchains would > also work for internal toolchains, there is no point in doing a > solution that only works for internal toolchains. See my point ? Except can you be absolute sure that -fpic and -fpie will never happen in the same commandline when using just flags? >> Personally, Im only interested of internal toolchain >> (and I think this is not the first case that internal/external >> toolchains have different rules?) > We generally try to have internal and external toolchains supported in > the same way. You may only be interested in internal toolchains, but > Buildroot as a project needs to keep the feature parity between > internal and external toolchains, so we would like to have a solution > that solves both situations. > > Thomas Actually, not true. You already have options like "Enable compiler link-time-optimization support", "Enable compiler OpenMP support" and "Enable graphite support". (with pretty spartan description I might add) All those are optimization related, activated by built-time configuration switches. Mine is security related and also activated by built-time configuration switch. And when selecting External toolchain then ...*poof* ... they all vanish into the air. So if buildroot would really treat both external and internal toolchain equally then those options should also be added when using external toolchain. -S-
diff --git a/package/gcc/Config.in.host b/package/gcc/Config.in.host index 70cce0a5c5..bf646fa07b 100644 --- a/package/gcc/Config.in.host +++ b/package/gcc/Config.in.host @@ -152,3 +152,13 @@ config BR2_GCC_ENABLE_GRAPHITE comment "graphite support needs gcc >= 5.x" depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_5 + +config BR2_GCC_ENABLE_DEFAULT_PIE + bool "Enable default PIE support" + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_6 + help + This option enables the GCC to make PIE + binaries by default. + +comment "default PIE support needs gcc >= 6.x" + depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_6 diff --git a/package/gcc/gcc.mk b/package/gcc/gcc.mk index 27fc1e987c..0910fb3932 100644 --- a/package/gcc/gcc.mk +++ b/package/gcc/gcc.mk @@ -183,6 +183,10 @@ else HOST_GCC_COMMON_CONF_OPTS += --without-isl --without-cloog endif +ifeq ($(BR2_GCC_ENABLE_DEFAULT_PIE),y) +HOST_GCC_COMMON_CONF_OPTS += --enable-default-pie +endif + ifeq ($(BR2_arc)$(BR2_or1k),y) HOST_GCC_COMMON_DEPENDENCIES += host-flex host-bison endif
By default, buildroot produces insecure binaries. GCC 6.x added build time configuration option "--enable-default-pie". With that enabled, GCC will produce PIE (Position-independent executables) binaries. PIE is a requirement for ASLR (Address space layout randomization) that will make exploits like return-to-libc attack impossible. If you want to have a modern, secure system then enable this option. To override this default behaviour, you can use -no-pie with your CFLAGS/CXXFLAGS. https://gcc.gnu.org/onlinedocs/gcc-6.2.0/gcc/Link-Options.html Signed-off-by: Stefan Fröberg <stefan.froberg@petroprogram.com> --- package/gcc/Config.in.host | 10 ++++++++++ package/gcc/gcc.mk | 4 ++++ 2 files changed, 14 insertions(+)