Date: Tue, 30 Apr 2013 21:36:58 +0400
From: Vasily Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: PIE on x86_64

Hi,

On Fri, Apr 26, 2013 at 21:48 -0400, Rich Felker wrote:
> On Sat, Apr 27, 2013 at 02:14:05AM +0800, Pavel Labushev wrote:
> > On Fri, 12 Apr 2013 22:26:58 +0400
> > Solar Designer <solar@...nwall.com> wrote:
> >
> > > > What are your reasons not to link executables as ET_DYN, even though
> > > > the target CPU architecture is PC-relative?
> > >
> > > I think we should start doing that, and benchmark to make sure there's
> > > no unexpected performance drop. Vasily?
> >
> > And silence was the answer... Is it too much work? You could make -fpie
> > and the other hardening flags compiler's built-in defaults, like it is
> > done in Hardened Gentoo. It may be simpler and more robust than
> > tweaking specs of every package and would set more secure defaults for
> > anything that users might compile.
>
> Unfortunately changing the compiler defaults can break things in
> subtle ways. The most common breakage I'm aware of from making pie the
> default occurs in packages with assembler source files that are
> written in non-pic-compatible ways. These will turn into TEXTRELs in
> the pie binary, which depending on the arch, may just result in heavy
> runtime bloat (e.g. on 32-bit x86) or produce an error at link time
> (e.g. on x86_64). I seem to recall a user running into this issue in
> OpenSSL...

I've tried to enable PIE by default and disable it on -static, etc.
The patch is based on this one:

http://ftp.osuosl.org/pub/lfs/hlfs-packages/unstable/gcc-4.1.2-fpie-2.patch

There were several failures: vim, owl-startup. They need pic-enabled .a
files. World rebuild fixes these errors.

The only one package which fails to build as-is on x86_64 -- kernel. The
-D__KERNEL__ check is present, though. Will try to figure it out (likely,
tomorrow).

I caught no failures on syslinux or lilo.

Some binary files in $PATH still miss DYN Type, will fix this too.

Thanks,

--
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments

View attachment "gcc-4.6.2-owl-defaults-Wl2.diff" of type "text/x-diff" (5251 bytes)
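Added example, not part of the original message or its attached patch: a Python check for the two properties discussed above, whether a file's ELF type is DYN (which covers PIE executables and shared objects alike) and whether its dynamic section flags text relocations (TEXTRELs). The names `inspect_elf` and `make_sample` are chosen here; `make_sample` builds constructed ELF64 images used only as sample input.

```python
import struct

ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4

def inspect_elf(data):
    """Return (e_type name, has_textrel), or None if data is not an ELF image.
    A truncated program header table raises struct.error."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return None
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    dyn_fmt = end + ("qQ" if is64 else "iI")   # (d_tag, d_val) pairs
    dyn_size = struct.calcsize(dyn_fmt)
    textrel = False
    for i in range(phnum):
        ph = e_phoff + i * phentsize
        if is64:   # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, _, off, _, _, size = struct.unpack_from(end + "IIQQQQ", data, ph)
        else:      # p_type, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, off, _, _, size = struct.unpack_from(end + "IIIII", data, ph)
        if p_type != PT_DYNAMIC:
            continue
        seg = data[off:off + size]
        for tag, val in struct.iter_unpack(dyn_fmt, seg[:len(seg) // dyn_size * dyn_size]):
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                textrel = True
    return ET_NAMES.get(e_type, hex(e_type)), textrel

def make_sample(e_type, dyn):
    """Constructed little-endian ELF64 image: header, one PT_DYNAMIC, dyn entries."""
    body = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(body), len(body), 8)
    return ehdr + phdr + body

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:              # e.g. every file in a $PATH directory
        with open(path, "rb") as f:
            print(path, inspect_elf(f.read()))
```

A result of `("EXEC", ...)` marks a binary that was not linked as PIE; `(..., True)` marks one carrying text relocations.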