[PATCH 1/2] security_flags.inc: elfutils on ARM fails with PIE flags

[PATCH 1/2] security_flags.inc: elfutils on ARM fails with PIE flags

[Denys Dmytriyenko]

From: Denys Dmytriyenko <denys@ti.com>

The error messages look like this:
R_ARM_TLS_LE32 relocation not permitted in shared object

Signed-off-by: Denys Dmytriyenko <denys@ti.com>
---
 meta/conf/distro/include/security_flags.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index f3f0082..21e1a53 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -13,6 +13,7 @@ SECURITY_CFLAGS_pn-webkit-gtk_powerpc = ""
 
 # arm specific security flag issues
 SECURITY_CFLAGS_pn-lttng-tools_arm = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-elfutils_arm = "${SECURITY_NO_PIE_CFLAGS}"
 
 SECURITY_CFLAGS_pn-aspell = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-beecrypt = "${SECURITY_NO_PIE_CFLAGS}"
-- 
2.2.0

[PATCH 2/2] security_flags.inc: disable PIE for bash due to issues in mkbuiltins

[Denys Dmytriyenko]

From: Denys Dmytriyenko <denys@ti.com>

As bash builds a native tool called mkbuiltins, it fails with PIE flags:

ld: mkbuiltins.o: relocation R_X86_64_32 against `.rodata.str1.8' can not be used when making a shared object; recompile with -fPIC

Affects at least version 3.2 of bash.

Signed-off-by: Denys Dmytriyenko <denys@ti.com>
---
 meta/conf/distro/include/security_flags.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index 21e1a53..3401c4b 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -16,6 +16,7 @@ SECURITY_CFLAGS_pn-lttng-tools_arm = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-elfutils_arm = "${SECURITY_NO_PIE_CFLAGS}"
 
 SECURITY_CFLAGS_pn-aspell = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-bash = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-beecrypt = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-blktrace = "${SECURITY_NO_PIE_CFLAGS}"
 # Curl seems to check for FORTIFY_SOURCE in CFLAGS, but even assigned
-- 
2.2.0

Re: [PATCH 2/2] security_flags.inc: disable PIE for bash due to issues in mkbuiltins

[Richard Purdie]

On Tue, 2015-04-07 at 16:53 -0400, Denys Dmytriyenko wrote:
> From: Denys Dmytriyenko <denys@ti.com>
> 
> As bash builds a native tool called mkbuiltins, it fails with PIE flags:
> 
> ld: mkbuiltins.o: relocation R_X86_64_32 against `.rodata.str1.8' can not be used when making a shared object; recompile with -fPIC
> 
> Affects at least version 3.2 of bash.

I am a little worried about this one. Which architecture were you
building for and is this just 3.x of bash or 4.x as well? I'd like to
understand why we haven't seen this before...

Cheers,

Richard

> Signed-off-by: Denys Dmytriyenko <denys@ti.com>
> ---
>  meta/conf/distro/include/security_flags.inc | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
> index 21e1a53..3401c4b 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -16,6 +16,7 @@ SECURITY_CFLAGS_pn-lttng-tools_arm = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-elfutils_arm = "${SECURITY_NO_PIE_CFLAGS}"
>  
>  SECURITY_CFLAGS_pn-aspell = "${SECURITY_NO_PIE_CFLAGS}"
> +SECURITY_CFLAGS_pn-bash = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-beecrypt = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-blktrace = "${SECURITY_NO_PIE_CFLAGS}"
>  # Curl seems to check for FORTIFY_SOURCE in CFLAGS, but even assigned
> -- 
> 2.2.0
> 

Re: [PATCH 2/2] security_flags.inc: disable PIE for bash due to issues in mkbuiltins

[Khem Raj]

> On Apr 8, 2015, at 2:59 AM, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> 
> On Tue, 2015-04-07 at 16:53 -0400, Denys Dmytriyenko wrote:
>> From: Denys Dmytriyenko <denys@ti.com>
>> 
>> As bash builds a native tool called mkbuiltins, it fails with PIE flags:
>> 
>> ld: mkbuiltins.o: relocation R_X86_64_32 against `.rodata.str1.8' can not be used when making a shared object; recompile with -fPIC
>> 
>> Affects at least version 3.2 of bash.
> 
> I am a little worried about this one. Which architecture were you
> building for and is this just 3.x of bash or 4.x as well? I'd like to
> understand why we haven't seen this before…

If its a tool used during building bash, then you need to adjust CFLAGS_FOR_BUILD
and make sure that bash’s build system is not mixing things up. I am not sure
if we need to disable PIE completely, there should be a better fix for this.

> 
> Cheers,
> 
> Richard
> 
>> Signed-off-by: Denys Dmytriyenko <denys@ti.com>
>> ---
>> meta/conf/distro/include/security_flags.inc | 1 +
>> 1 file changed, 1 insertion(+)
>> 
>> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
>> index 21e1a53..3401c4b 100644
>> --- a/meta/conf/distro/include/security_flags.inc
>> +++ b/meta/conf/distro/include/security_flags.inc
>> @@ -16,6 +16,7 @@ SECURITY_CFLAGS_pn-lttng-tools_arm = "${SECURITY_NO_PIE_CFLAGS}"
>> SECURITY_CFLAGS_pn-elfutils_arm = "${SECURITY_NO_PIE_CFLAGS}"
>> 
>> SECURITY_CFLAGS_pn-aspell = "${SECURITY_NO_PIE_CFLAGS}"
>> +SECURITY_CFLAGS_pn-bash = "${SECURITY_NO_PIE_CFLAGS}"
>> SECURITY_CFLAGS_pn-beecrypt = "${SECURITY_NO_PIE_CFLAGS}"
>> SECURITY_CFLAGS_pn-blktrace = "${SECURITY_NO_PIE_CFLAGS}"
>> # Curl seems to check for FORTIFY_SOURCE in CFLAGS, but even assigned
>> -- 
>> 2.2.0
>> 
> 
> 
> -- 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core