From: Jens Axboe <axboe@kernel.dk>
To: Martin Steigerwald <ms@teamix.de>, fio@vger.kernel.org
Subject: Re: hardening fio build with PIE for Address Space Layout Randomization and bindnow linking
Date: Tue, 24 May 2016 08:17:27 -0600
Message-ID: <57446277.2010705@kernel.dk>
In-Reply-To: <6243211.bqPIL7RjHY@merkaba>

On 05/24/2016 04:10 AM, Martin Steigerwald wrote:
> Hello Jens!
>
> In my attempt to harden the fio build as recommended within Debian, I tried to
> build it with PIE by using Debian's own mechanism via dpkg-buildflags. And I
> got:
>
>      CC diskutil.o
>      CC fifo.o
>      CC blktrace.o
>      CC cgroup.o
>      CC trim.o
>      CC engines/sg.o
>      CC engines/binject.o
>      CC oslib/linux-dev-lookup.o
>      CC fio.o
>    LINK fio
> /usr/bin/ld: crc/crc16.o: relocation R_X86_64_32S against `crc16_table' can
> not be used when making a shared object; recompile with -fPIC
> crc/crc16.o: error adding symbols: Bad value
> collect2: error: ld returned 1 exit status
> Makefile:399: recipe for target 'fio' failed
> make[1]: *** [fio] Error 1
> make[1]: Leaving directory '/home/ms/Debian/fio/pkg-fio'
> dh_auto_build: make -j1 returned exit code 2
> debian/rules:17: recipe for target 'build' failed
> make: *** [build] Error 2
> dpkg-buildpackage: error: debian/rules build gave error exit status 2
>
>
> Yet, building fio 2.10 from upstream doesn't produce a shared object
> file.
>
> Any idea?
>
>
>
>
> I: fio: hardening-no-pie usr/bin/fio
> N:
> N:    This package provides an ELF executable that was not compiled as a
> N:    position independent executable (PIE).
> N:
> N:    PIE is required for fully enabling Address Space Layout Randomization
> N:    (ASLR), which makes "Return-oriented" attacks more difficult.
> N:
> N:    Historically, PIE has been associated with noticeable performance
> N:    overhead on i386. However, GCC-5 has implemented an optimization that
> N:    can reduce the overhead significantly.
> N:
> N:    If you use dpkg-buildflags, you may have to add hardening=+pie or
> N:    hardening=+all to DEB_BUILD_MAINT_OPTIONS.
> N:
> N:    The relevant compiler flags must be passed both to the compiler and the
> N:    linker (e.g. for C that would be commonly be CFLAGS and LDFLAGS).
> N:
> N:    CAVEAT: Please keep in mind that the PIE flag (-fPIE) is not suitable
> N:    for all cases:
> N:
> N:     * It is <not> compatible with -fPIC which required for
> N:       compiling shared libraries.
> N:     * It is unlikely to work when compiling static libraries or
> N:       executables (gcc -static).
> N:
> N:    If your upstream build compiles either of the above, you may have to
> N:    patch the build to ensure that only ELF executables are compiled with
> N:    PIE.
> N:
> N:    Refer to https://wiki.debian.org/Hardening,
> N:    https://gcc.gnu.org/gcc-5/changes.html, and
> N:    https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode
> N:    for details.
> N:
> N:    Severity: wishlist, Certainty: certain
> N:
> N:    Check: binaries, Type: binary, udeb
> N:
> I: fio: hardening-no-pie usr/bin/fio-btrace2fio
> I: fio: hardening-no-pie usr/bin/fio-dedupe
> I: fio: hardening-no-pie usr/bin/fio-genzipf
>
>
> Another option to harden fio works fine and that is:
>
> I: fio: hardening-no-bindnow usr/bin/fio
> N:
> N:    This package provides an ELF binary that lacks the "bindnow" linker
> N:    flag.
> N:
> N:    If the ELF binary does not rely on late binding of symbols (e.g. weak
> N:    symbols), then please consider enabling this feature. Otherwise, please
> N:    consider overriding the tag (possibly with a comment about why).
> N:
> N:    If you use dpkg-buildflags, you may have to add hardening=+bindnow or
> N:    hardening=+all to DEB_BUILD_MAINT_OPTIONS.
> N:
> N:    The relevant compiler flags are set in LDFLAGS.
> N:
> N:    Refer to https://wiki.debian.org/Hardening for details.
> N:
> N:    Severity: wishlist, Certainty: certain
> N:
> N:    Check: binaries, Type: binary, udeb
> N:
> I: fio: hardening-no-pie usr/bin/fio-btrace2fio
> I: fio: hardening-no-bindnow usr/bin/fio-btrace2fio
> I: fio: hardening-no-pie usr/bin/fio-dedupe
> I: fio: hardening-no-bindnow usr/bin/fio-dedupe
> I: fio: hardening-no-pie usr/bin/fio-genzipf
> I: fio: hardening-no-bindnow usr/bin/fio-genzipf
>
>
> Maybe it would be nice to have some of these in upstream build? PIE may not
> yet be advisable as for GCC 5 requirement.

What extra compiler/linker flags are being set? I tried with just -fPIE 
here, and it builds and links fine.

axboe@xps13:/home/axboe/git/fio $ gcc --version
gcc (Ubuntu 6.1.1-3ubuntu11~14.04.1) 6.1.1 20160511

I have gcc 5.3 installed as well, works for that too. So I'm guessing 
-fPIE isn't all that's being set?

-- 
Jens Axboe
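
The two lintian tags quoted in this message, hardening-no-pie and hardening-no-bindnow, correspond to two facts recorded in the ELF file: the `e_type` field of the header and the flags in the dynamic section. The following is an added example, not part of the thread and not code from fio or lintian; it reads those fields directly, handles only ELF64 little-endian images, and uses a hypothetical helper `make_sample` to build constructed test images.

```python
import struct

ET_EXEC, ET_DYN, PT_DYNAMIC = 2, 3, 2
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def hardening_report(elf: bytes) -> dict:
    """Return {'pie': bool, 'bindnow': bool} for an ELF64 little-endian image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    bindnow = False
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from("<I", elf, base)
        if p_type != PT_DYNAMIC:
            continue
        p_offset, = struct.unpack_from("<Q", elf, base + 8)
        p_filesz, = struct.unpack_from("<Q", elf, base + 32)
        # Walk the Elf64_Dyn array (d_tag, d_val) until DT_NULL.
        for off in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from("<qQ", elf, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bindnow = True
    # ET_DYN is also the type of shared libraries; for a file installed as
    # an executable it means the program was linked with -pie.
    return {"pie": e_type == ET_DYN, "bindnow": bindnow}

def make_sample(e_type: int, dyn: list) -> bytes:
    """Constructed test image: ELF header plus one PT_DYNAMIC segment only."""
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    ehdr = (b"\x7fELF\x02\x01\x01" + bytes(9)
            + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                          64, 56, 1, 0, 0, 0))
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0,
                       len(dyn_bytes), len(dyn_bytes), 8)
    return ehdr + phdr + dyn_bytes

if __name__ == "__main__":
    # Non-PIE, lazy binding: the state both lintian tags describe.
    print(hardening_report(make_sample(ET_EXEC, [])))
    # What a link with -pie -Wl,-z,now records.
    print(hardening_report(make_sample(ET_DYN, [(DT_FLAGS, DF_BIND_NOW)])))
```

On a real build, pass the file contents, for example `hardening_report(open("fio", "rb").read())`.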


