[Buildroot] [PATCH 1/1] Config.in: -fstack-protector-all needs PIE

[Buildroot] [PATCH 1/1] Config.in: -fstack-protector-all needs PIE

[Fabrice Fontaine]

jpeg-turbo fails to build with BR2_SSP_ALL on:

/data/buildroot/buildroot-test/instance-0/output/host/opt/ext-toolchain/bin/../lib/gcc/aarch64_be-linux-gnu/7.3.1/../../../../aarch64_be-linux-gnu/bin/ld: ../CMakeFiles/simd.dir/jsimd_none.c.o: relocation R_AARCH64_ADR_PREL_PG_HI21 against external symbol `__stack_chk_guard@@GLIBC_2.17' can not be used when making a shared object; recompile with -fPIC

Fix this issue by selecting BR2_PIC_PIE (if possible) with BR2_SSP_ALL

Fixes:
 - http://autobuild.buildroot.net/results/51459f3f26aa2e2a038ee717548266aaec05bafc

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 Config.in | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Config.in b/Config.in
index 010b0774e3..3efa171405 100644
--- a/Config.in
+++ b/Config.in
@@ -751,11 +751,18 @@ config BR2_SSP_STRONG
 
 config BR2_SSP_ALL
 	bool "-fstack-protector-all"
+	depends on BR2_SHARED_LIBS
+	depends on BR2_TOOLCHAIN_SUPPORTS_PIE
+	select BR2_PIC_PIE
 	help
 	  Like -fstack-protector except that all functions are
 	  protected. This option might have a significant performance
 	  impact on the compiled binaries.
 
+comment "-fstack-protector-all needs a toolchain w/ PIE"
+	depends on BR2_SHARED_LIBS
+	depends on !BR2_TOOLCHAIN_SUPPORTS_PIE
+
 endchoice
 
 config BR2_SSP_OPTION
-- 
2.23.0

[Buildroot] [PATCH 1/1] Config.in: -fstack-protector-all needs PIE

[Matthew Weber]

Fabrice,

On Tue, Oct 29, 2019 at 4:57 AM Fabrice Fontaine
<fontaine.fabrice@gmail.com> wrote:
>
> jpeg-turbo fails to build with BR2_SSP_ALL on:
>
> /data/buildroot/buildroot-test/instance-0/output/host/opt/ext-toolchain/bin/../lib/gcc/aarch64_be-linux-gnu/7.3.1/../../../../aarch64_be-linux-gnu/bin/ld: ../CMakeFiles/simd.dir/jsimd_none.c.o: relocation R_AARCH64_ADR_PREL_PG_HI21 against external symbol `__stack_chk_guard@@GLIBC_2.17' can not be used when making a shared object; recompile with -fPIC
>
> Fix this issue by selecting BR2_PIC_PIE (if possible) with BR2_SSP_ALL

Interesting, I hadn't run into this on other non-aarch64 arch when I
was testing SSP strong (maybe its just a SSP all bug?).  Here's a
pretty good thread with details that support a similar case of QEMU on
Redhat needing fPIC.
https://bugzilla.redhat.com/show_bug.cgi?id=1232499

Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>

>
> Fixes:
>  - http://autobuild.buildroot.net/results/51459f3f26aa2e2a038ee717548266aaec05bafc
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  Config.in | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/Config.in b/Config.in
> index 010b0774e3..3efa171405 100644
> --- a/Config.in
> +++ b/Config.in
> @@ -751,11 +751,18 @@ config BR2_SSP_STRONG
>
>  config BR2_SSP_ALL
>         bool "-fstack-protector-all"
> +       depends on BR2_SHARED_LIBS
> +       depends on BR2_TOOLCHAIN_SUPPORTS_PIE
> +       select BR2_PIC_PIE
>         help
>           Like -fstack-protector except that all functions are
>           protected. This option might have a significant performance
>           impact on the compiled binaries.
>
> +comment "-fstack-protector-all needs a toolchain w/ PIE"
> +       depends on BR2_SHARED_LIBS
> +       depends on !BR2_TOOLCHAIN_SUPPORTS_PIE
> +
>  endchoice
>
>  config BR2_SSP_OPTION
> --
> 2.23.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot



-- 

Matthew Weber | Associate Director Software Engineer | Commercial Avionics

COLLINS AEROSPACE

400 Collins Road NE, Cedar Rapids, Iowa 52498, USA

Tel: +1 319 295 7349 | FAX: +1 319 263 6099

matthew.weber at collins.com | collinsaerospace.com



CONFIDENTIALITY WARNING: This message may contain proprietary and/or
privileged information of Collins Aerospace and its affiliated
companies. If you are not the intended recipient, please 1) Do not
disclose, copy, distribute or use this message or its contents. 2)
Advise the sender by return email. 3) Delete all copies (including all
attachments) from your computer. Your cooperation is greatly
appreciated.


Any export restricted material should be shared using my
matthew.weber at corp.rockwellcollins.com address.

[Buildroot] [PATCH 1/1] Config.in: -fstack-protector-all needs PIE

[Fabrice Fontaine]

Dear Matthew,

Le mar. 29 oct. 2019 ? 11:45, Matthew Weber
<matthew.weber@collins.com> a ?crit :
>
> Fabrice,
>
> On Tue, Oct 29, 2019 at 4:57 AM Fabrice Fontaine
> <fontaine.fabrice@gmail.com> wrote:
> >
> > jpeg-turbo fails to build with BR2_SSP_ALL on:
> >
> > /data/buildroot/buildroot-test/instance-0/output/host/opt/ext-toolchain/bin/../lib/gcc/aarch64_be-linux-gnu/7.3.1/../../../../aarch64_be-linux-gnu/bin/ld: ../CMakeFiles/simd.dir/jsimd_none.c.o: relocation R_AARCH64_ADR_PREL_PG_HI21 against external symbol `__stack_chk_guard@@GLIBC_2.17' can not be used when making a shared object; recompile with -fPIC
> >
> > Fix this issue by selecting BR2_PIC_PIE (if possible) with BR2_SSP_ALL
>
> Interesting, I hadn't run into this on other non-aarch64 arch when I
> was testing SSP strong (maybe its just a SSP all bug?).  Here's a
> pretty good thread with details that support a similar case of QEMU on
> Redhat needing fPIC.
> https://bugzilla.redhat.com/show_bug.cgi?id=1232499
This build failure happens only with BR2_SSP_ALL. I build-tested
jpeg-turbo with BR2_SSP_STRONG and without BR2_PIC_PIE, it builds
fine.
>
> Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
>
> >
> > Fixes:
> >  - http://autobuild.buildroot.net/results/51459f3f26aa2e2a038ee717548266aaec05bafc
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > ---
> >  Config.in | 7 +++++++
> >  1 file changed, 7 insertions(+)
> >
> > diff --git a/Config.in b/Config.in
> > index 010b0774e3..3efa171405 100644
> > --- a/Config.in
> > +++ b/Config.in
> > @@ -751,11 +751,18 @@ config BR2_SSP_STRONG
> >
> >  config BR2_SSP_ALL
> >         bool "-fstack-protector-all"
> > +       depends on BR2_SHARED_LIBS
> > +       depends on BR2_TOOLCHAIN_SUPPORTS_PIE
> > +       select BR2_PIC_PIE
> >         help
> >           Like -fstack-protector except that all functions are
> >           protected. This option might have a significant performance
> >           impact on the compiled binaries.
> >
> > +comment "-fstack-protector-all needs a toolchain w/ PIE"
> > +       depends on BR2_SHARED_LIBS
> > +       depends on !BR2_TOOLCHAIN_SUPPORTS_PIE
> > +
> >  endchoice
> >
> >  config BR2_SSP_OPTION
> > --
> > 2.23.0
> >
> > _______________________________________________
> > buildroot mailing list
> > buildroot at busybox.net
> > http://lists.busybox.net/mailman/listinfo/buildroot
>
>
>
> --
>
> Matthew Weber | Associate Director Software Engineer | Commercial Avionics
>
> COLLINS AEROSPACE
>
> 400 Collins Road NE, Cedar Rapids, Iowa 52498, USA
>
> Tel: +1 319 295 7349 | FAX: +1 319 263 6099
>
> matthew.weber at collins.com | collinsaerospace.com
>
>
>
> CONFIDENTIALITY WARNING: This message may contain proprietary and/or
> privileged information of Collins Aerospace and its affiliated
> companies. If you are not the intended recipient, please 1) Do not
> disclose, copy, distribute or use this message or its contents. 2)
> Advise the sender by return email. 3) Delete all copies (including all
> attachments) from your computer. Your cooperation is greatly
> appreciated.
>
>
> Any export restricted material should be shared using my
> matthew.weber at corp.rockwellcollins.com address.
Best Regards,

Fabrice

[Buildroot] [PATCH 1/1] Config.in: -fstack-protector-all needs PIE

[Yann E. MORIN]

Fabrice, All,

Sorry for coming back so late on that patch...

It is true that the patch was tested-by Matt, but I was not entirely
convinced (call it gut-feeling or whatever), and was always a bit uneasy
with this patch, because there are so many other packages thanjpeg-turbo
that build correctly with SSP-all and without PIC/PIE. SO I always
skipped it when looking at the patch backlog...

Recent events made me look more in details.

On 2019-10-29 10:57 +0100, Fabrice Fontaine spake thusly:
> jpeg-turbo fails to build with BR2_SSP_ALL on:
> 
> /data/buildroot/buildroot-test/instance-0/output/host/opt/ext-toolchain/bin/../lib/gcc/aarch64_be-linux-gnu/7.3.1/../../../../aarch64_be-linux-gnu/bin/ld: ../CMakeFiles/simd.dir/jsimd_none.c.o: relocation R_AARCH64_ADR_PREL_PG_HI21 against external symbol `__stack_chk_guard@@GLIBC_2.17' can not be used when making a shared object; recompile with -fPIC
> 
> Fix this issue by selecting BR2_PIC_PIE (if possible) with BR2_SSP_ALL

So, since commit 37f3d09d46a7 (package/jpeg-turbo: force PIC for shared
libraries), the issue no longer happens...

Indeed, jpeg-turbo is slightly broken in this respect: it has some code
to deal with CMAKE_POSITION_INDEPENDENT_CODE, but only if it is already
set; it never tries to set it when building shared libs, whether SSP is
enabled or not.

So it's jpeg-turbo's build system that is at fault here, SSP-all does
not require that *everything* be build with PIC/PIE.

Indeed, BR2_PIC_PIE is the option that decides whether *everything* is
build with PIC/PIE, and most notably that executables be build with PIE.
This is orthogonal to whether SSP is enabled or not (although they both
are security features, and are often enabler together).

Of course, I'm no expert in the field, so anyone is welcome to correct
me if the above is wrong.

So now I've marked that patch as rejected.

Sorry it took so long, I should realy have overcome my angst with that
patch way earlier, and spend those two-hours-or-so doing the diging of
that information, and doing various tests...

Regards,
Yann E. MORIN.

> Fixes:
>  - http://autobuild.buildroot.net/results/51459f3f26aa2e2a038ee717548266aaec05bafc
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  Config.in | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/Config.in b/Config.in
> index 010b0774e3..3efa171405 100644
> --- a/Config.in
> +++ b/Config.in
> @@ -751,11 +751,18 @@ config BR2_SSP_STRONG
>  
>  config BR2_SSP_ALL
>  	bool "-fstack-protector-all"
> +	depends on BR2_SHARED_LIBS
> +	depends on BR2_TOOLCHAIN_SUPPORTS_PIE
> +	select BR2_PIC_PIE
>  	help
>  	  Like -fstack-protector except that all functions are
>  	  protected. This option might have a significant performance
>  	  impact on the compiled binaries.
>  
> +comment "-fstack-protector-all needs a toolchain w/ PIE"
> +	depends on BR2_SHARED_LIBS
> +	depends on !BR2_TOOLCHAIN_SUPPORTS_PIE
> +
>  endchoice
>  
>  config BR2_SSP_OPTION
> -- 
> 2.23.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'