From patchwork Fri Apr 29 06:33:25 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Beattie X-Patchwork-Id: 616621 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 3qx3n92Fq4z9t3b; Fri, 29 Apr 2016 16:33:49 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1aw1zb-0000Uq-QB; Fri, 29 Apr 2016 06:33:35 +0000 Received: from 208-151-246-43.dq1sn.easystreet.com ([208.151.246.43] helo=lizaveta.nxnw.org) by huckleberry.canonical.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1aw1zW-0000Uc-LQ for kernel-team@lists.ubuntu.com; Fri, 29 Apr 2016 06:33:31 +0000 Received: from kryten.nxnw.org (kryten.nxnw.org [10.19.96.254]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "kryten.int.wirex.com", Issuer "nxnw.org" (not verified)) by lizaveta.nxnw.org (Postfix) with ESMTPS id 7ED94607B7 for ; Thu, 28 Apr 2016 23:33:26 -0700 (PDT) Received: by kryten.nxnw.org (Postfix, from userid 1000) id E6D813414CA; Thu, 28 Apr 2016 23:33:25 -0700 (PDT) Date: Thu, 28 Apr 2016 23:33:25 -0700 
From: Steve Beattie To: kernel-team@lists.ubuntu.com Subject: [PATCH yakkety] [RFC v1] disable -pie when gcc has it enabled by default Message-ID: <20160429063325.GA22271@nxnw.org> MIME-Version: 1.0 Organization: North by Northwest Consolidated Industries, LLC X-Paranoia: Greetings CIA, FBI, MI5, NSA, ATF, Immigration! X-Message-Flag: Repeal the DMCA! Real security is only possible when subject to open critical review. X-PGP-Key: http://www.NxNW.org/~steve/005E81F4.txt User-Agent: Mutt/1.5.24 (2015-08-30) X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com From: Steve Beattie In Ubuntu 16.10, gcc's defaults have been set to build Position Independent Executables (PIE) on amd64 and ppc64le (gcc was configured this way for s390x in Ubuntu 16.04 LTS). This breaks the kernel build on amd64. The following patch disables pie for x86 builds (though not yet verified to work with gcc configured to build PIE by default i386 -- we're not planning to enable it for that architecture). The intent is for this patch to go upstream after expanding it to additional architectures where needed, but I wanted to ensure that we could build 16.10 kernels first. I've successfully built kernels and booted them with this patch applied using the 16.10 compiler. Patch is against yakkety.git, but also applies with minor movement (no fuzz) against current linus.git. Signed-off-by: Steve Beattie diff --git a/Makefile b/Makefile index e27da43..e4e8331 100644 --- a/Makefile +++ b/Makefile 
@@ -640,6 +640,11 @@ ifneq ($(CONFIG_FRAME_WARN),0) KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN}) endif +# force no-pie for distro compilers that enable pie by default +KBUILD_CFLAGS += $(call cc-option, -fno-pie) +KBUILD_CFLAGS += $(call cc-option, -no-pie) +KBUILD_AFLAGS += $(call cc-option, -fno-pie) + # Handle stack protector mode. # # Since kbuild can potentially perform two passes (first with the old diff --git a/arch/x86/Makefile b/arch/x86/Makefile index 4086abc..84d1cc8 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -27,6 +27,7 @@ REALMODE_CFLAGS := $(M16_CFLAGS) -g -Os -D__KERNEL__ \ -mno-mmx -mno-sse \ $(call cc-option, -ffreestanding) \ $(call cc-option, -fno-stack-protector) \ + $(call cc-option, -fno-pie) \ $(call cc-option, -mpreferred-stack-boundary=2) export REALMODE_CFLAGS @@ -129,7 +130,7 @@ endif # Make sure compiler does not have buggy stack-protector support. ifdef CONFIG_CC_STACKPROTECTOR cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh - ifneq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) $(KBUILD_CPPFLAGS) $(biarch)),y) + ifneq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) -fno-pie $(KBUILD_CPPFLAGS) $(biarch)),y) $(warning stack-protector enabled but compiler support broken) endif endif diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile index 265c0ed..9677975 100644 --- a/arch/x86/entry/vdso/Makefile +++ b/arch/x86/entry/vdso/Makefile @@ -44,6 +44,7 @@ export CPPFLAGS_vdso.lds += -P -C VDSO_LDFLAGS_vdso.lds = -m64 -Wl,-soname=linux-vdso.so.1 \ -Wl,--no-undefined \ -Wl,-z,max-page-size=4096 -Wl,-z,common-page-size=4096 \ + $(call ld-option, -no-pie) \ $(DISABLE_LTO) $(obj)/vdso64.so.dbg: $(src)/vdso.lds $(vobjs) FORCE 
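Review bot: In the top-level Makefile hunk, `KBUILD_CFLAGS += $(call cc-option, -no-pie)` puts a link-time driver option into the compile flags; `-no-pie` only affects how the driver links, so it should have no effect on objects built with `-c`, and the `-fno-pie` line above it already covers code generation. I would drop that line here and keep `-no-pie` only where the compiler driver actually performs a link. The same applies to `KBUILD_CFLAGS_32 += $(call cc-option, -no-pie)` in the last hunk of arch/x86/entry/vdso/Makefile, where the 64-bit `CFL` hunk uses `-fno-pie` instead. This hunk also changes the flags for every architecture while the description speaks only of x86, so the comment could say so, e.g. `# applies to all architectures, not only x86`.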
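Review bot: In the stack-protector probe in arch/x86/Makefile (hunk at -129), `-fno-pie` is passed to `$(CC)` unconditionally, whereas every other use in this patch is wrapped in `cc-option`. If a compiler rejects the flag, the helper script would presumably not print `y`, and the build would report `stack-protector enabled but compiler support broken` for a reason unrelated to stack-protector support. Suggest `$(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) $(call cc-option, -fno-pie) $(KBUILD_CPPFLAGS) $(biarch))` so the probe only receives the flag when the compiler accepts it. A spurious warning about a hardening feature is worth avoiding, since it teaches people to ignore the real one.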
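Review bot: In `VDSO_LDFLAGS_vdso.lds` (arch/x86/entry/vdso/Makefile, hunk at -44), `$(call ld-option, -no-pie)` appears to probe a different tool than the one that consumes the flag. The neighbouring `-m64` and `-Wl,...` entries indicate that this variable is handed to the compiler driver, while `ld-option` (defined outside this patch) presumably tests the option against `$(LD)` directly, so the probe result may not match what the driver accepts. A driver-level probe such as `$(call cc-ldoption, -no-pie)`, if that helper is available in this tree, would test the flag where it is used. It is also worth confirming whether the vDSO link already requests a shared object, in which case `-no-pie` may be redundant here.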
@@ -67,6 +68,7 @@ $(obj)/vdso-image-%.c: $(obj)/vdso%.so.dbg $(obj)/vdso%.so $(obj)/vdso2c FORCE CFL := $(PROFILING) -mcmodel=small -fPIC -O2 -fasynchronous-unwind-tables -m64 \ $(filter -g%,$(KBUILD_CFLAGS)) $(call cc-option, -fno-stack-protector) \ -fno-omit-frame-pointer -foptimize-sibling-calls \ + $(call cc-option, -fno-pie) \ -DDISABLE_BRANCH_PROFILING -DBUILD_VDSO $(vobjs): KBUILD_CFLAGS += $(CFL) @@ -140,6 +142,7 @@ KBUILD_CFLAGS_32 := $(filter-out -mcmodel=kernel,$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 := $(filter-out -fno-pic,$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 := $(filter-out -mfentry,$(KBUILD_CFLAGS_32)) KBUILD_CFLAGS_32 += -m32 -msoft-float -mregparm=0 -fpic +KBUILD_CFLAGS_32 += $(call cc-option, -no-pie) KBUILD_CFLAGS_32 += $(call cc-option, -fno-stack-protector) KBUILD_CFLAGS_32 += $(call cc-option, -foptimize-sibling-calls) KBUILD_CFLAGS_32 += -fno-omit-frame-pointer
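Review bot: In `CFL` (hunk at -67), the added `$(call cc-option, -fno-pie)` comes after `-fPIC` on the same command line, and the vDSO objects must stay position-independent because the vDSO is mapped into each process at a varying address. Whether a later `-fno-pie` leaves the earlier `-fPIC` intact depends on how the compiler resolves the two options, so this should be verified rather than assumed, for example by checking the built `$(vobjs)` for text relocations. Placing `-fno-pie` before `-fPIC` in `CFL` would make the result independent of option ordering.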