Message ID | 20200220095626.24906-1-ynezz@true.cz |
---|---|
State | Accepted |
Delegated to: | Petr Štetiar |
Series | [OpenWrt-Devel] ppp: activate PIE ASLR by default |
On Thu, 20 Feb 2020 10:56:26 +0100 Petr Štetiar <ynezz@true.cz> wrote:

> This activates PIE ASLR support by default when the regular option is
> selected.
>
> Size increase on imx6:
>
> 112681 ppp_2.4.8-2_arm_cortex-a9_neon.ipk
> 121879 ppp_2.4.8-2_arm_cortex-a9_neon.ipk
> = 9198 diff

Acked-by: Alexander Couzens <lynxis@fe80.eu>

On 20/02/2020 11:56, Petr Štetiar wrote:
> This activates PIE ASLR support by default when the regular option is
> selected.
>

Unfortunately this seems to break build on x86/64:

x86_64-openwrt-linux-musl-gcc -O2 -pipe -fno-caller-saves -fno-plt
-fhonour-copts -Wno-error=unused-but-set-variable
-Wno-error=unused-result
-ffile-prefix-map=/home/stijn/Development/LEDE/source/build_dir/target-x86_64_musl/linux-x86_64/ppp-default/ppp-2.4.8=ppp-2.4.8
-Wformat -Werror=format-security -fpic -fstack-protector-strong
-D_FORTIFY_SOURCE=2 -Wl,-z,now -Wl,-z,relro -ffunction-sections
-fdata-sections -flto -DHAVE_PATHS_H -DHAVE_MMAP -I../include
'-DDESTDIR="/usr"' -DCHAPMS=1 -DMPPE=1 -DHAS_SHADOW -DHAVE_CRYPT_H=1
-DUSE_CRYPT=1 -DPLUGIN -DPPP_FILTER -DPPP_PRECOMPILED_FILTER
-I/home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/include
-DINET6=1 -DMAXOCTETS
-L/home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/lib
-L/home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/lib
-L/home/stijn/Development/LEDE/source/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/usr/lib
-L/home/stijn/Development/LEDE/source/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/lib
-fpic
-specs=/home/stijn/Development/LEDE/source/include/hardened-ld-pie.specs
-znow -zrelro -Wl,--gc-sections -flto -fuse-linker-plugin -Wl,-E -o
pppd main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o md5.o ccp.o
ecp.o auth.o options.o demand.o utils.o sys-linux.o ipxcp.o tty.o eap.o
chap-md5.o session.o md4.o chap_ms.o sha1.o pppcrypt.o pcap_pcc.o
ipv6cp.o eui64.o -lcrypt -ldl
/home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/lib/libpcap.a
/home/build/openwrt/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/bin/../lib/gcc/x86_64-openwrt-linux-musl/8.3.0/../../../../x86_64-openwrt-linux-musl/bin/ld:
/home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/lib/libpcap.a(bpf_filter.c.o):
relocation R_X86_64_32S against `.rodata' can not be used when making a
PIE object; recompile with -fPIC
/home/build/openwrt/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/bin/../lib/gcc/x86_64-openwrt-linux-musl/8.3.0/../../../../x86_64-openwrt-linux-musl/bin/ld:
final link failed: nonrepresentable section on output
collect2: error: ld returned 1 exit status

So NACK from me until this is fixed.

Stijn

On 2020-02-22 09:54, Stijn Tintel wrote:
> On 20/02/2020 11:56, Petr Štetiar wrote:
>> This activates PIE ASLR support by default when the regular option is
>> selected.
>>
> Unfortunately this seems to break build on x86/64:
>
> x86_64-openwrt-linux-musl-gcc -O2 -pipe -fno-caller-saves -fno-plt
> -fhonour-copts -Wno-error=unused-but-set-variable
> -Wno-error=unused-result
> -ffile-prefix-map=/home/stijn/Development/LEDE/source/build_dir/target-x86_64_musl/linux-x86_64/ppp-default/ppp-2.4.8=ppp-2.4.8
> -Wformat -Werror=format-security -fpic -fstack-protector-strong
> -D_FORTIFY_SOURCE=2 -Wl,-z,now -Wl,-z,relro -ffunction-sections
> -fdata-sections -flto -DHAVE_PATHS_H -DHAVE_MMAP -I../include
> '-DDESTDIR="/usr"' -DCHAPMS=1 -DMPPE=1 -DHAS_SHADOW -DHAVE_CRYPT_H=1
> -DUSE_CRYPT=1 -DPLUGIN -DPPP_FILTER -DPPP_PRECOMPILED_FILTER
> -I/home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/include
> -DINET6=1 -DMAXOCTETS
> -L/home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/lib
> -L/home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/lib
> -L/home/stijn/Development/LEDE/source/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/usr/lib
> -L/home/stijn/Development/LEDE/source/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/lib
> -fpic
> -specs=/home/stijn/Development/LEDE/source/include/hardened-ld-pie.specs
> -znow -zrelro -Wl,--gc-sections -flto -fuse-linker-plugin -Wl,-E -o
> pppd main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o md5.o ccp.o
> ecp.o auth.o options.o demand.o utils.o sys-linux.o ipxcp.o tty.o eap.o
> chap-md5.o session.o md4.o chap_ms.o sha1.o pppcrypt.o pcap_pcc.o
> ipv6cp.o eui64.o -lcrypt -ldl
> /home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/lib/libpcap.a
> /home/build/openwrt/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/bin/../lib/gcc/x86_64-openwrt-linux-musl/8.3.0/../../../../x86_64-openwrt-linux-musl/bin/ld:
> /home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/lib/libpcap.a(bpf_filter.c.o):
> relocation R_X86_64_32S against `.rodata' can not be used when making a
> PIE object; recompile with -fPIC
> /home/build/openwrt/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/bin/../lib/gcc/x86_64-openwrt-linux-musl/8.3.0/../../../../x86_64-openwrt-linux-musl/bin/ld:
> final link failed: nonrepresentable section on output
> collect2: error: ld returned 1 exit status
>
> So NACK from me until this is fixed.

This one can most likely be fixed by setting PKG_ASLR_PIE_REGULAR:=1 in
libpcap as well. That way -fPIC gets passed for the static library build.

- Felix

On 22/02/2020 11:10, Felix Fietkau wrote:
> On 2020-02-22 09:54, Stijn Tintel wrote:
>> On 20/02/2020 11:56, Petr Štetiar wrote:
>>> This activates PIE ASLR support by default when the regular option is
>>> selected.
>>>
>> Unfortunately this seems to break build on x86/64:
>>
>> x86_64-openwrt-linux-musl-gcc -O2 -pipe -fno-caller-saves -fno-plt
>> -fhonour-copts -Wno-error=unused-but-set-variable
>> -Wno-error=unused-result
>> -ffile-prefix-map=/home/stijn/Development/LEDE/source/build_dir/target-x86_64_musl/linux-x86_64/ppp-default/ppp-2.4.8=ppp-2.4.8
>> -Wformat -Werror=format-security -fpic -fstack-protector-strong
>> -D_FORTIFY_SOURCE=2 -Wl,-z,now -Wl,-z,relro -ffunction-sections
>> -fdata-sections -flto -DHAVE_PATHS_H -DHAVE_MMAP -I../include
>> '-DDESTDIR="/usr"' -DCHAPMS=1 -DMPPE=1 -DHAS_SHADOW -DHAVE_CRYPT_H=1
>> -DUSE_CRYPT=1 -DPLUGIN -DPPP_FILTER -DPPP_PRECOMPILED_FILTER
>> -I/home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/include
>> -DINET6=1 -DMAXOCTETS
>> -L/home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/lib
>> -L/home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/lib
>> -L/home/stijn/Development/LEDE/source/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/usr/lib
>> -L/home/stijn/Development/LEDE/source/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/lib
>> -fpic
>> -specs=/home/stijn/Development/LEDE/source/include/hardened-ld-pie.specs
>> -znow -zrelro -Wl,--gc-sections -flto -fuse-linker-plugin -Wl,-E -o
>> pppd main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o md5.o ccp.o
>> ecp.o auth.o options.o demand.o utils.o sys-linux.o ipxcp.o tty.o eap.o
>> chap-md5.o session.o md4.o chap_ms.o sha1.o pppcrypt.o pcap_pcc.o
>> ipv6cp.o eui64.o -lcrypt -ldl
>> /home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/lib/libpcap.a
>> /home/build/openwrt/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/bin/../lib/gcc/x86_64-openwrt-linux-musl/8.3.0/../../../../x86_64-openwrt-linux-musl/bin/ld:
>> /home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/lib/libpcap.a(bpf_filter.c.o):
>> relocation R_X86_64_32S against `.rodata' can not be used when making a
>> PIE object; recompile with -fPIC
>> /home/build/openwrt/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/bin/../lib/gcc/x86_64-openwrt-linux-musl/8.3.0/../../../../x86_64-openwrt-linux-musl/bin/ld:
>> final link failed: nonrepresentable section on output
>> collect2: error: ld returned 1 exit status
>>
>> So NACK from me until this is fixed.
> This one can most likely be fixed by setting PKG_ASLR_PIE_REGULAR:=1 in
> libpcap as well. That way -fPIC gets passed for the static library build.
>

Interesting. I've added this in the libpcap Makefile and that seems to
fix it. But I am actually building with CONFIG_PKG_ASLR_PIE_ALL=y, so
would assume it would enable PIE even if PKG_ASLR_PIE_REGULAR is not set
in the Makefile. Anyway, I'll send a patch for libpcap, thanks for the
suggestion.

Stijn

On 2020-02-22 10:22, Stijn Tintel wrote:
> On 22/02/2020 11:10, Felix Fietkau wrote:
>> On 2020-02-22 09:54, Stijn Tintel wrote:
>>> On 20/02/2020 11:56, Petr Štetiar wrote:
>>>> This activates PIE ASLR support by default when the regular option is
>>>> selected.
>>>>
>>> Unfortunately this seems to break build on x86/64:
>>>
>>> x86_64-openwrt-linux-musl-gcc -O2 -pipe -fno-caller-saves -fno-plt
>>> -fhonour-copts -Wno-error=unused-but-set-variable
>>> -Wno-error=unused-result
>>> -ffile-prefix-map=/home/stijn/Development/LEDE/source/build_dir/target-x86_64_musl/linux-x86_64/ppp-default/ppp-2.4.8=ppp-2.4.8
>>> -Wformat -Werror=format-security -fpic -fstack-protector-strong
>>> -D_FORTIFY_SOURCE=2 -Wl,-z,now -Wl,-z,relro -ffunction-sections
>>> -fdata-sections -flto -DHAVE_PATHS_H -DHAVE_MMAP -I../include
>>> '-DDESTDIR="/usr"' -DCHAPMS=1 -DMPPE=1 -DHAS_SHADOW -DHAVE_CRYPT_H=1
>>> -DUSE_CRYPT=1 -DPLUGIN -DPPP_FILTER -DPPP_PRECOMPILED_FILTER
>>> -I/home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/include
>>> -DINET6=1 -DMAXOCTETS
>>> -L/home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/lib
>>> -L/home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/lib
>>> -L/home/stijn/Development/LEDE/source/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/usr/lib
>>> -L/home/stijn/Development/LEDE/source/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/lib
>>> -fpic
>>> -specs=/home/stijn/Development/LEDE/source/include/hardened-ld-pie.specs
>>> -znow -zrelro -Wl,--gc-sections -flto -fuse-linker-plugin -Wl,-E -o
>>> pppd main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o md5.o ccp.o
>>> ecp.o auth.o options.o demand.o utils.o sys-linux.o ipxcp.o tty.o eap.o
>>> chap-md5.o session.o md4.o chap_ms.o sha1.o pppcrypt.o pcap_pcc.o
>>> ipv6cp.o eui64.o -lcrypt -ldl
>>> /home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/lib/libpcap.a
>>> /home/build/openwrt/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/bin/../lib/gcc/x86_64-openwrt-linux-musl/8.3.0/../../../../x86_64-openwrt-linux-musl/bin/ld:
>>> /home/stijn/Development/LEDE/source/staging_dir/target-x86_64_musl/usr/lib/libpcap.a(bpf_filter.c.o):
>>> relocation R_X86_64_32S against `.rodata' can not be used when making a
>>> PIE object; recompile with -fPIC
>>> /home/build/openwrt/staging_dir/toolchain-x86_64_gcc-8.3.0_musl/bin/../lib/gcc/x86_64-openwrt-linux-musl/8.3.0/../../../../x86_64-openwrt-linux-musl/bin/ld:
>>> final link failed: nonrepresentable section on output
>>> collect2: error: ld returned 1 exit status
>>>
>>> So NACK from me until this is fixed.
>> This one can most likely be fixed by setting PKG_ASLR_PIE_REGULAR:=1 in
>> libpcap as well. That way -fPIC gets passed for the static library build.
>>
> Interesting. I've added this in the libpcap Makefile and that seems to
> fix it. But I am actually building with CONFIG_PKG_ASLR_PIE_ALL=y, so
> would assume it would enable PIE even if PKG_ASLR_PIE_REGULAR is not set
> in the Makefile. Anyway, I'll send a patch for libpcap, thanks for the
> suggestion.

Maybe it was built before you made that config change? It seems to me
that the ASLR_PIE stuff is missing some PKG_CONFIG_DEPENDS handling.

- Felix

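A pre-link check for the failure discussed in this thread, as an added example (not code from OpenWrt or from any of the posters): it reads an x86-64 ELF64 relocatable object, such as a member extracted from a staged libpcap.a, and lists the absolute 32-bit relocations that the linker rejects for PIE output, which also exposes a stale archive built before the config change. The function names and the sample object bytes are constructed for illustration.

```python
import struct

# x86-64 relocation type numbers from the psABI. The absolute 32-bit types
# are the ones ld refuses for PIE output, as in the log above.
R_X86_64 = {2: "R_X86_64_PC32", 4: "R_X86_64_PLT32",
            10: "R_X86_64_32", 11: "R_X86_64_32S"}
PIE_UNSAFE = {10, 11}
ET_REL, EM_X86_64, SHT_RELA = 1, 62, 4
EHDR, SHDR, RELA = "<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ", "<QQq"

def pie_unsafe_relocs(obj: bytes):
    """Return [(offset, type_name)] for relocations that block a PIE link."""
    if len(obj) < 64 or obj[:4] != b"\x7fELF" or obj[4] != 2 or obj[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, obj)
    e_type, e_machine, e_shoff, e_shentsize, e_shnum = hdr[1], hdr[2], hdr[6], hdr[11], hdr[12]
    if e_type != ET_REL or e_machine != EM_X86_64:
        raise ValueError("expected an x86-64 relocatable object (.o)")
    hits = []
    for i in range(e_shnum):
        sh = struct.unpack_from(SHDR, obj, e_shoff + i * e_shentsize)
        sh_type, sh_offset, sh_size = sh[1], sh[4], sh[5]
        if sh_type != SHT_RELA:
            continue
        for off in range(sh_offset, sh_offset + sh_size, 24):
            r_offset, r_info, _addend = struct.unpack_from(RELA, obj, off)
            r_type = r_info & 0xFFFFFFFF  # low 32 bits: type, high 32: symbol
            if r_type in PIE_UNSAFE:
                hits.append((r_offset, R_X86_64[r_type]))
    return hits

def sample_object(r_type: int) -> bytes:
    """Constructed test input: ELF64 .o with one RELA entry of the given type."""
    rela = struct.pack(RELA, 0x12, (1 << 32) | r_type, 0)
    shoff = 64 + len(rela)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + bytes(9), ET_REL, EM_X86_64,
                       1, 0, 0, shoff, 0, 64, 0, 0, 64, 2, 0)
    null_sh = bytes(64)
    rela_sh = struct.pack(SHDR, 0, SHT_RELA, 0, 0, 64, len(rela), 0, 0, 8, 24)
    return ehdr + rela + null_sh + rela_sh

if __name__ == "__main__":
    print(pie_unsafe_relocs(sample_object(11)))  # object built without -fPIC
    print(pie_unsafe_relocs(sample_object(2)))   # object built with -fPIC
```
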
diff --git a/package/network/services/ppp/Makefile b/package/network/services/ppp/Makefile index b43a40bdceec..9e42cb743745 100644 --- a/package/network/services/ppp/Makefile +++ b/package/network/services/ppp/Makefile @@ -24,6 +24,7 @@ PKG_VERSION:=$(PKG_RELEASE_VERSION) PKG_BUILD_DEPENDS:=libpcap +PKG_ASLR_PIE_REGULAR:=1 PKG_BUILD_PARALLEL:=1 PKG_INSTALL:=1
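Review bot: PKG_ASLR_PIE_REGULAR:=1 is added directly below PKG_BUILD_DEPENDS:=libpcap, but nothing in this change ensures that libpcap itself is built position-independent. pppd links libpcap.a statically, and the x86/64 report in this thread shows the PIE link failing on libpcap.a(bpf_filter.c.o) with R_X86_64_32S. Suggest landing the same PKG_ASLR_PIE_REGULAR:=1 in the libpcap Makefile first, or in the same series, and stating that dependency in the commit message, which currently records only the imx6 size increase.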
This activates PIE ASLR support by default when the regular option is
selected.

Size increase on imx6:

112681 ppp_2.4.8-2_arm_cortex-a9_neon.ipk
121879 ppp_2.4.8-2_arm_cortex-a9_neon.ipk
= 9198 diff

Signed-off-by: Petr Štetiar <ynezz@true.cz>
---
 package/network/services/ppp/Makefile | 1 +
 1 file changed, 1 insertion(+)