Re: [Qemu-devel] [PATCH v8 1.0] configure: build position independent executables on x86-Linux hosts

[Brad Smith <brad@comstyle.com>]

On 20/11/11 12:34 PM, Blue Swirl wrote:
> On Sun, Nov 20, 2011 at 09:11, Avi Kivity<avi@redhat.com>  wrote:
>> On 11/15/2011 08:12 PM, Avi Kivity wrote:
>>> Change the default on x86 Linux hosts to building PIE (position
>>> independent executables); instead of restricting the option to
>>> user-only targets, apply it to all targets.
>>>
>>> In addition, set the relocation sections to read-only (relro) when
>>> available; this reduces the attack surface by disallowing changes to
>>> relocation tables at runtime.
>>>
>>> While PIE reduces performance and relro increases load time, it
>>> greatly improves security, with the potential to reduce a code
>>> execution vulnerability to a self denial of service.
>>>
>>> Non-x86 are not changed, as they require TCG changes; neither are
>>> non-Linux, due to lack of test coverage.
>>>
>>>
>>
>> Ping.
>
> I tested the patch on OpenBSD 5.0/Sparc64 with --enable-pie, but the
> resulting executables crash immediately. Maybe the PIE binaries are
> not supported by the Sparc64 kernel or ld.so, some PIE support was
> added in 4.4.

OpenBSD has had PIE support as of 4.5.

sparc64 has PIE support as does alpha/amd64/i386/powerpc/mips64/mips64el/sh.
sparc was updated from gcc2 to 4 recently so maybe it'll get PIE support
and arm/hppa suffer due to binutils bugs that need to be resolved
by a binutils update.

We build a handful of projects in our ports tree with PIE support either
because they automatically do so or we've enabled them to do so and build
with PIE support on all of the archs listed.

> It looks like the support for PIE executables was only added to GDB
> 7.1. For example Debian stable:

OpenBSD has some level of PIE support in its GDB 6.3.

CVSROOT:	/cvs
Module name:	src
Changes by:	kurt@cvs.openbsd.org	2008/11/11 15:57:48

Modified files:
	gnu/usr.bin/binutils/gdb: Makefile.in breakpoint.c breakpoint.h
	                          infrun.c objfiles.c solib-svr4.c
	                          solib.c solist.h symfile-mem.c
	                          symfile.c varobj.c varobj.h

Log message:
Enable support for debugging pie programs. Code from Elena Zannoni's
<ezannoni at redhat dot com> pie branch in gdb cvs, less extraneous
parts and with some bug fixes. Debugging w/core files for pie programs
isn't working yet since AUXV data isn't included in our core files at
the moment.

feedback and ok kettenis@

> Perhaps developers or users inclined to debug can be assumed to have a
> recent GDB. Though on OpenBSD, GDB is pretty old 6.3.

There is also newer gdb (7.2) in OpenBSD ports under devel/gdb and gdb
package and installs as egdb, although only available for non x86 archs
with -current due to a silly misfeature in the port Makefile.

> Another issue is that this creates a point for bisection where
> crossing it, all objects must be thrown away. We have a few other such
> points already due to generated file name clashes so this has not been
> a blocking issue.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.