Date: Sun, 16 Feb 2014 21:23:14 +0000 From: Stuart Henderson <stu@...cehopper.org> To: oss-security@...ts.openwall.com Subject: Re: Vendor adoption of PIE INFO#934476 oss-security On 2014/02/16 11:01, Christos Zoulas wrote: > On Feb 16, 2:28pm, stu@...cehopper.org (Stuart Henderson) wrote: > -- Subject: Re: [oss-security] Vendor adoption of PIE INFO#934476 oss-securit > > | By the way, OpenBSD has switched compilers to generating PIE code by > | default on the majority of architectures, various arch's over the last > | couple of releases, but as of a couple of months ago we've also done > | this for i386 (x86) too, so I can give some specific examples of > | where you can expect to run into problems. > | > | On amd64 (x86_64) fallout has been mostly limited to compilers and a > | couple of other programs, e.g. emacs, qemu, clisp, erlang, ghc, sbcl, > | which we are building with PIE disabled. > | > | Additionally for i386 there have been problems with register pressure > | on programs with their own asm code (mostly games), in particular > | code doing cpuid checks often doesn't save/restore %ebx, but there > | have been some others. In one case there was code for x86 OSX which > | avoids scribbling on %ebx which we've been able to borrow, and I think > | there were one or two where we've switched from asm to a generic C > | implementation. Of course, shared libraries already have to take > | this into account so not too much trouble there. > | > | Everything else, base system and ports, is built with PIE. > | On the whole, experiences have been pretty good. Obviously there is > | some performance impact but we haven't yet had any reports of this > | causing major problems (though we will probably know more about this > | after 5.5 is released when the average user will first see i386 > | packages built with PIE by default). > > Are you doing any RELRO work? > > christos AIUI this was added in binutils 2.16, so I don't believe we have support for it in our toolchain yet (we're currently using 2.15 on most architectures, the last attempt at updating had to be backed out due to a number of problems experienced in ports).
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ