From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4ED498AB.1030705@comstyle.com>
Date: Tue, 29 Nov 2011 03:32:43 -0500
From: Brad Smith
References: <1321380737-23007-1-git-send-email-avi@redhat.com> <4EC8C440.8040801@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v8 1.0] configure: build position independent executables on x86-Linux hosts
To: Blue Swirl
Cc: Paul Moore, Peter Maydell, Avi Kivity, qemu-devel@nongnu.org

On 20/11/11 12:34 PM, Blue Swirl wrote:
> On Sun, Nov 20, 2011 at 09:11, Avi Kivity wrote:
>> On 11/15/2011 08:12 PM, Avi Kivity wrote:
>>> Change the default on x86 Linux hosts to building PIE (position
>>> independent executables); instead of restricting the option to
>>> user-only targets, apply it to all targets.
>>>
>>> In addition, set the relocation sections to read-only (relro) when
>>> available; this reduces the attack surface by disallowing changes to
>>> relocation tables at runtime.
>>>
>>> While PIE reduces performance and relro increases load time, it
>>> greatly improves security, with the potential to reduce a code
>>> execution vulnerability to a self denial of service.
>>>
>>> Non-x86 are not changed, as they require TCG changes; neither are
>>> non-Linux, due to lack of test coverage.
>>>
>>>
>>
>> Ping.
>
> I tested the patch on OpenBSD 5.0/Sparc64 with --enable-pie, but the
> resulting executables crash immediately. Maybe the PIE binaries are
> not supported by the Sparc64 kernel or ld.so, some PIE support was
> added in 4.4.

OpenBSD has had PIE support as of 4.5. sparc64 has PIE support as does
alpha/amd64/i386/powerpc/mips64/mips64el/sh. sparc was updated from gcc2
to 4 recently so maybe it'll get PIE support and arm/hppa suffer due to
binutils bugs that need to be resolved by a binutils update.

We build a handful of projects in our ports tree with PIE support either
because they automatically do so or we've enabled them to do so and build
with PIE support on all of the archs listed.

> It looks like the support for PIE executables was only added to GDB
> 7.1. For example Debian stable:

OpenBSD has some level of PIE support in its GDB 6.3.

CVSROOT:	/cvs
Module name:	src
Changes by:	kurt@cvs.openbsd.org	2008/11/11 15:57:48

Modified files:
	gnu/usr.bin/binutils/gdb: Makefile.in breakpoint.c breakpoint.h
	                          infrun.c objfiles.c solib-svr4.c solib.c
	                          solist.h symfile-mem.c symfile.c varobj.c
	                          varobj.h

Log message:
Enable support for debugging pie programs. Code from Elena Zannoni's
pie branch in gdb cvs, less extraneous parts and with some bug fixes.
Debugging w/core files for pie programs isn't working yet since AUXV
data isn't included in our core files at the moment.

feedback and ok kettenis@

> Perhaps developers or users inclined to debug can be assumed to have a
> recent GDB. Though on OpenBSD, GDB is pretty old 6.3.

There is also newer gdb (7.2) in OpenBSD ports under devel/gdb and gdb
package and installs as egdb, although only available for non x86 archs
with -current due to a silly misfeature in the port Makefile.

> Another issue is that this creates a point for bisection where
> crossing it, all objects must be thrown away.
> We have a few other such
> points already due to generated file name clashes so this has not been
> a blocking issue.
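
Added example, not part of the original message or of the QEMU patch: a small checker that reads an ELF64 image and reports whether it was linked as PIE and whether a relro segment is present, which is how one would confirm that the configure change discussed above took effect on a built binary. It goes slightly beyond the thread by distinguishing partial from full relro (relro plus immediate binding); `check_hardening` and `make_sample` are hypothetical names, the PIE test (ET_DYN with an interpreter) is a heuristic that misses static PIE, and the sample images are constructed.

```python
import struct

ET_DYN = 3                      # e_type used by shared objects and PIE executables
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 24, 30, 0x8

def check_hardening(elf: bytes) -> dict:
    """Report PIE and relro status of a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    seen, bind_now = set(), False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _p_flags, p_offset = struct.unpack_from("<IIQ", elf, off)
        p_filesz, = struct.unpack_from("<Q", elf, off + 32)
        seen.add(p_type)
        if p_type == PT_DYNAMIC:
            # Walk the (d_tag, d_val) pairs until the DT_NULL terminator.
            for d in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, d)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                    bind_now = True
    relro = "none"
    if PT_GNU_RELRO in seen:
        # Without immediate binding the lazily-resolved GOT entries stay writable.
        relro = "full" if bind_now else "partial"
    # Heuristic: ET_DYN plus an interpreter means PIE executable, not a plain .so.
    return {"pie": e_type == ET_DYN and PT_INTERP in seen, "relro": relro}

def make_sample(e_type, phdrs, dyn=()):
    """Constructed minimal ELF64 image: header, program headers, dynamic table."""
    dyn_off = 64 + 56 * len(phdrs)
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9)
    hdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 0, 0, 0)
    body = b""
    for t in phdrs:
        is_dyn = t == PT_DYNAMIC
        body += struct.pack("<IIQQQQQQ", t, 4, dyn_off if is_dyn else 0, 0, 0,
                            len(dyn_bytes) if is_dyn else 0, 0, 8)
    return hdr + body + dyn_bytes

if __name__ == "__main__":
    hardened = make_sample(ET_DYN, [PT_INTERP, PT_DYNAMIC, PT_GNU_RELRO],
                           [(DT_FLAGS, DF_BIND_NOW), (DT_NULL, 0)])
    print(check_hardening(hardened))
```

To check a real build, pass the bytes of the binary read with `open(path, "rb").read()` instead of a constructed sample.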