glibc: allow to build position-independent static executable #123989

Merged
merged 3 commits into from May 25, 2021


@Mic92 Mic92 commented May 22, 2021

This enables ASLR on static executables, which makes them harder to
exploit by providing a crt suitable for static PIEs.

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Added a release notes entry if the change is major or breaking
  • Fits CONTRIBUTING.md.

@Mic92 Mic92 requested a review from matthewbauer May 22, 2021 08:14
@Mic92 Mic92 marked this pull request as draft May 22, 2021 08:27

Mic92 commented May 22, 2021

Also @Ericson2314 claims static-pie support, it is not quite true yet: https://news.ycombinator.com/item?id=23657020
Not sure if glibc support is incomplete but I still cannot create a simple static application with it:

#include <stdio.h>

int main() {
    /* %p expects a void pointer, so cast the function address */
    printf("main: %p\n", (void *)main);
    return 0;
}

with import <nixpkgs> {};
stdenv.mkDerivation {
  name = "env";
  nativeBuildInputs = [
    bashInteractive
  ];
  buildInputs = [
    glibc.static
  ];
}

$ gcc -static-pie -o main main.c
$ gdb ./main
Reading symbols from ./main...
(gdb) r
Starting program: /tmp/tmp.kSRlP5T372/solo5/main

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f5115c in __dcigettext ()
(gdb) bt
#0  0x00007ffff7f5115c in __dcigettext ()
#1  0x00007ffff7f502ce in __assert_fail ()
#2  0x00007ffff7f90415 in _dl_relocate_static_pie ()
#3  0x00007ffff7f4f3b8 in __libc_start_main ()
#4  0x00007ffff7f4ee1a in _start () at ../sysdeps/x86_64/start.S:120


Mic92 commented May 22, 2021

My blind guess is, that it somehow breaks TLS:

gef➤  context
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0xffffffffffffffc0
$rbx   : 0x0
$rcx   : 0x0
$rdx   : 0x0
$rsp   : 0x00007fffffff9060  →  0x0000000000000000
$rbp   : 0x00007fffffff9150  →  0x00007ffff7fd1495  →  "get-dynamic-info.h"
$rsi   : 0x00007ffff7fcd350  →  "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n"
$rdi   : 0x00007ffff7fe10c0  →  0x000000006362696c ("libc"?)
$rip   : 0x00007ffff7f5115c  →  <__dcigettext+108> mov eax, DWORD PTR fs:[rax]
$r8    : 0x0
$r9    : 0x5
$r10   : 0x6ffffdff
$r11   : 0x6ffffe32
$r12   : 0x92
$r13   : 0x00007ffff7fe10c0  →  0x000000006362696c ("libc"?)
$r14   : 0x00007ffff7f45000  →  0x03010102464c457f
$r15   : 0x00007ffff7ffc160  →  0x00007ffff7f45000  →  0x03010102464c457f
$eflags: [zero CARRY PARITY ADJUST SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffff9060│+0x0000: 0x0000000000000000   ← $rsp
0x00007fffffff9068│+0x0008: 0x0000000000000000
0x00007fffffff9070│+0x0010: 0x0000000000000000
0x00007fffffff9078│+0x0018: 0x0000000000000000
0x00007fffffff9080│+0x0020: 0x0000000000000000
0x00007fffffff9088│+0x0028: 0x0000000000000000
0x00007fffffff9090│+0x0030: 0x0000000000000000
0x00007fffffff9098│+0x0038: 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x7ffff7f5114b <__dcigettext+91> mov    rax, 0xffffffffffffffc0
   0x7ffff7f51152 <__dcigettext+98> mov    rbx, 0x0
   0x7ffff7f51159 <__dcigettext+105> mov    r13, rdi
 → 0x7ffff7f5115c <__dcigettext+108> mov    eax, DWORD PTR fs:[rax]
   0x7ffff7f5115f <__dcigettext+111> mov    DWORD PTR [rbp-0xc4], eax
   0x7ffff7f51165 <__dcigettext+117> test   rbx, rbx
   0x7ffff7f51168 <__dcigettext+120> je     0x7ffff7f51182 <__dcigettext+146>
   0x7ffff7f5116a <__dcigettext+122> lea    rdi, [rip+0xaccef]        # 0x7ffff7ffde60 <__libc_setlocale_lock>
   0x7ffff7f51171 <__dcigettext+129> call   0x7ffff7f4e090
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "main", stopped 0x7ffff7f5115c in __dcigettext (), reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff7f5115c → __dcigettext()
[#1] 0x7ffff7f502ce → __assert_fail()
[#2] 0x7ffff7f90415 → _dl_relocate_static_pie()
[#3] 0x7ffff7f4f3b8 → __libc_start_main()
[#4] 0x7ffff7f4ee1a → _start()
───────────────────────────────────


Mic92 commented May 22, 2021

This works in an archlinux container. So it is something that breaks in our setup.


Mic92 commented May 22, 2021

This is what archlinux produces:

[root@213013bf7066 ~]# gcc -v -static-pie -o main main.c
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /build/gcc/src/gcc/configure --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/ --enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++,d --with-isl --with-linker-hash-style=gnu --with-system-zlib --enable-__cxa_atexit --enable-cet=auto --enable-checking=release --enable-clocale=gnu --enable-default-pie --enable-default-ssp --enable-gnu-indirect-function --enable-gnu-unique-object --enable-install-libiberty --enable-linker-build-id --enable-lto --enable-multilib --enable-plugin --enable-shared --enable-threads=posix --disable-libssp --disable-libstdcxx-pch --disable-libunwind-exceptions --disable-werror gdc_include_dir=/usr/include/dlang/gdc
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 11.1.0 (GCC)
COLLECT_GCC_OPTIONS='-v' '-static-pie' '-o' 'main' '-mtune=generic' '-march=x86-64'
 /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/cc1 -quiet -v main.c -quiet -dumpbase main.c -dumpbase-ext .c -mtune=generic -march=x86-64 -version -o /tmp/cc30fNCE.s
GNU C17 (GCC) version 11.1.0 (x86_64-pc-linux-gnu)
        compiled by GNU C version 11.1.0, GMP version 6.2.1, MPFR version 4.1.0, MPC version 1.2.1, isl version isl-0.24-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
ignoring nonexistent directory "/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../x86_64-pc-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/include
 /usr/local/include
 /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/include-fixed
 /usr/include
End of search list.
GNU C17 (GCC) version 11.1.0 (x86_64-pc-linux-gnu)
        compiled by GNU C version 11.1.0, GMP version 6.2.1, MPFR version 4.1.0, MPC version 1.2.1, isl version isl-0.24-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: 3d0ac5c030c008e73f10e8b66957dbfa
COLLECT_GCC_OPTIONS='-v' '-static-pie' '-o' 'main' '-mtune=generic' '-march=x86-64'
 as -v --64 -o /tmp/ccnTcBWQ.o /tmp/cc30fNCE.s
GNU assembler version 2.36.1 (x86_64-pc-linux-gnu) using BFD version (GNU Binutils) 2.36.1
COMPILER_PATH=/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/:/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/:/usr/lib/gcc/x86_64-pc-linux-gnu/:/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/:/usr/lib/gcc/x86_64-pc-linux-gnu/
LIBRARY_PATH=/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/:/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../lib/:/lib/../lib/:/usr/lib/../lib/:/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../:/lib/:/usr/lib/
COLLECT_GCC_OPTIONS='-v' '-static-pie' '-o' 'main' '-mtune=generic' '-march=x86-64' '-dumpdir' 'main.'
 /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/collect2 -plugin /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/liblto_plugin.so -plugin-opt=/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/lto-wrapper -plugin-opt=-fresolution=/tmp/ccZ96sde.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lc --build-id --eh-frame-hdr --hash-style=gnu -m elf_x86_64 -static -pie --no-dynamic-linker -z text -pie -o main /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../lib/rcrt1.o /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../lib/crti.o /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/crtbeginS.o -L/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0 -L/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../lib -L/lib/../lib -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../.. /tmp/ccnTcBWQ.o --start-group -lgcc -lgcc_eh -lc --end-group /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/crtendS.o /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../lib/crtn.o
COLLECT_GCC_OPTIONS='-v' '-static-pie' '-o' 'main' '-mtune=generic' '-march=x86-64' '-dumpdir' 'main.'

This is Nixpkgs:

╰─ % gcc -v -static-pie -o ./main main.c
Using built-in specs.
COLLECT_GCC=/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/bin/gcc
COLLECT_LTO_WRAPPER=/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/10.2.0/lto-wrapper
Target: x86_64-unknown-linux-gnu
Configured with:
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 10.2.0 (GCC)
COLLECT_GCC_OPTIONS='-O2' '-D' '_FORTIFY_SOURCE=2' '-fstack-protector-strong' '--param=ssp-buffer-size=4' '-fno-strict-overflow' '-Wformat=1' '-Wformat-security' '-Werror=format-security' '-fPIC' '-v' '-static-pie' '-o' './main' '-B' '/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-B' '/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/' '-idirafter' '/nix/store/9kj4zgykka9ypm1wzvhngs7lcx951lm7-glibc-2.32-40-dev/include' '-idirafter' '/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include-fixed' '-B' '/nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin/' '-frandom-seed=hq9nk61nxq' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib' '-L/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-mtune=generic' '-march=x86-64' '-fcommon'
 /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/10.2.0/cc1 -quiet -v -D _FORTIFY_SOURCE=2 -idirafter /nix/store/9kj4zgykka9ypm1wzvhngs7lcx951lm7-glibc-2.32-40-dev/include -idirafter /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include-fixed -isystem /nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include -isystem /nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include -isystem /nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include -isystem /nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include main.c -quiet -dumpbase main.c -mtune=generic -march=x86-64 -auxbase main -O2 -Wformat=1 -Wformat-security -Werror=format-security -version -fstack-protector-strong -fno-strict-overflow -fPIC -frandom-seed=hq9nk61nxq -fcommon --param=ssp-buffer-size=4 -o /run/user/1000/cc6Ggpn2.s
GNU C17 (GCC) version 10.2.0 (x86_64-unknown-linux-gnu)
        compiled by GNU C version 10.2.0, GMP version 6.2.1, MPFR version 4.1.0, MPC version 1.2.1, isl version isl-0.20-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
ignoring duplicate directory "/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include"
ignoring duplicate directory "/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include"
ignoring nonexistent directory "/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/../../../../x86_64-unknown-linux-gnu/include"
ignoring duplicate directory "/nix/store/9kj4zgykka9ypm1wzvhngs7lcx951lm7-glibc-2.32-40-dev/include"
ignoring duplicate directory "/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include-fixed"
#include "..." search starts here:
#include <...> search starts here:
 /nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include
 /nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include
 /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include
 /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/include
 /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include-fixed
 /nix/store/9kj4zgykka9ypm1wzvhngs7lcx951lm7-glibc-2.32-40-dev/include
End of search list.
GNU C17 (GCC) version 10.2.0 (x86_64-unknown-linux-gnu)
        compiled by GNU C version 10.2.0, GMP version 6.2.1, MPFR version 4.1.0, MPC version 1.2.1, isl version isl-0.20-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: 51e193d705b8aa8fb3d71b10edfdea16
COLLECT_GCC_OPTIONS='-O2' '-D' '_FORTIFY_SOURCE=2' '-fstack-protector-strong' '--param=ssp-buffer-size=4' '-fno-strict-overflow' '-Wformat=1' '-Wformat-security' '-Werror=format-security' '-fPIC' '-v' '-static-pie' '-o' './main' '-B' '/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-B' '/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/' '-idirafter' '/nix/store/9kj4zgykka9ypm1wzvhngs7lcx951lm7-glibc-2.32-40-dev/include' '-idirafter' '/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include-fixed' '-B' '/nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin/' '-frandom-seed=hq9nk61nxq' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib' '-L/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-mtune=generic' '-march=x86-64' '-fcommon'
 /nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin/as -v --64 -o /run/user/1000/ccRh84Q2.o /run/user/1000/cc6Ggpn2.s
GNU assembler version 2.35.1 (x86_64-unknown-linux-gnu) using BFD version (GNU Binutils) 2.35.1
COMPILER_PATH=/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib/:/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/:/nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/10.2.0/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/10.2.0/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/
LIBRARY_PATH=/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib/:/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/:/nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/../../../../lib64/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/../../../
COLLECT_GCC_OPTIONS='-O2' '-D' '_FORTIFY_SOURCE=2' '-fstack-protector-strong' '--param=ssp-buffer-size=4' '-fno-strict-overflow' '-Wformat=1' '-Wformat-security' '-Werror=format-security' '-fPIC' '-v' '-static-pie' '-o' './main' '-B' '/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-B' '/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/' '-idirafter' '/nix/store/9kj4zgykka9ypm1wzvhngs7lcx951lm7-glibc-2.32-40-dev/include' '-idirafter' '/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include-fixed' '-B' '/nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin/' '-frandom-seed=hq9nk61nxq' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib' '-L/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-mtune=generic' '-march=x86-64' '-fcommon'
 /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/10.2.0/collect2 -plugin /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/10.2.0/liblto_plugin.so -plugin-opt=/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/10.2.0/lto-wrapper -plugin-opt=-fresolution=/run/user/1000/cc9Zbok4.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lc --eh-frame-hdr -m elf_x86_64 -static -pie --no-dynamic-linker -z text -o ./main /nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/rcrt1.o /nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/crti.o /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/crtbeginS.o -L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib -L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib -L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib -L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib -L/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib -L/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib -L/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib -L/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib -L/nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin -L/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0 -L/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/../../../../lib64 -L/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/../../.. 
/run/user/1000/ccRh84Q2.o -rpath /nix/store/hq9nk61nxqym59dknykxqqnsmynwziln-env/lib64 -rpath /nix/store/hq9nk61nxqym59dknykxqqnsmynwziln-env/lib --start-group -lgcc -lgcc_eh -lc --end-group /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/crtendS.o /nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/crtn.o
COLLECT_GCC_OPTIONS='-O2' '-D' '_FORTIFY_SOURCE=2' '-fstack-protector-strong' '--param=ssp-buffer-size=4' '-fno-strict-overflow' '-Wformat=1' '-Wformat-security' '-Werror=format-security' '-fPIC' '-v' '-static-pie' '-o' './main' '-B' '/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-B' '/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/' '-idirafter' '/nix/store/9kj4zgykka9ypm1wzvhngs7lcx951lm7-glibc-2.32-40-dev/include' '-idirafter' '/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include-fixed' '-B' '/nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin/' '-frandom-seed=hq9nk61nxq' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib' '-L/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-mtune=generic' '-march=x86-64' '-fcommon'


Mic92 commented May 22, 2021

Interestingly enough, even without the change glibc already builds rcrt1.o which is doing the relocation in static binaries.

This enables ASLR on static executables, which makes them harder to
exploit by providing a crt suitable for static PIEs.

Does this break existing binaries? Likely not. Static-pie is only
used if explicitly enabled.

Mic92 commented May 22, 2021

Ha! It works now. After compiling glibc from source I could pin-point the assertion that broke the execution.
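
To confirm that a link like the `gcc -static-pie` runs in this thread produced what was intended, the following added example (not code from this PR, nixpkgs or glibc) classifies a little-endian ELF64 file from its `e_type` and program headers: `ET_DYN` without `PT_INTERP`, matching the `-static -pie --no-dynamic-linker` linker line above, is the static-PIE shape. The names `classify_elf`, `classify_sample` and the `X_` constants are made up for this example, and the sample headers are constructed in memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF constants, prefixed so they cannot clash with <elf.h>. */
enum { X_ET_EXEC = 2, X_ET_DYN = 3, X_PT_LOAD = 1, X_PT_DYNAMIC = 2, X_PT_INTERP = 3 };
enum { EHDR_SIZE = 64, PHDR_SIZE = 56 };            /* ELF64 header sizes */

enum link_kind { NOT_ELF64_LE, STATIC_FIXED, DYNAMIC_FIXED, DYNAMIC_PIE, STATIC_PIE, UNKNOWN_KIND };
static const char *const KIND_NAME[] = { "not a little-endian ELF64 file",
    "static, fixed load address (ET_EXEC)", "dynamic, fixed load address (ET_EXEC)",
    "dynamic PIE (ET_DYN + PT_INTERP)", "static PIE (ET_DYN, no PT_INTERP)", "unknown" };

static uint64_t rd(const uint8_t *p, int n)         /* little-endian read of n bytes */
{
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

static void wr(uint8_t *p, uint64_t v, int n)       /* little-endian write of n bytes */
{
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Classify by e_type and program-header types only. A shared library has the
 * same shape as a static PIE here, so feed this executables, not .so files. */
enum link_kind classify_elf(const uint8_t *buf, size_t len)
{
    if (len < EHDR_SIZE || memcmp(buf, "\177ELF", 4) != 0) return NOT_ELF64_LE;
    if (buf[4] != 2 || buf[5] != 1) return NOT_ELF64_LE;   /* ELFCLASS64, ELFDATA2LSB */
    uint64_t e_type = rd(buf + 16, 2), phoff = rd(buf + 32, 8);
    uint64_t phentsize = rd(buf + 54, 2), phnum = rd(buf + 56, 2);
    /* Reject a program header table that does not fit in the bytes we hold. */
    if (phentsize < PHDR_SIZE || phoff > len || phnum * phentsize > len - phoff)
        return NOT_ELF64_LE;
    int interp = 0, dynamic = 0;
    for (uint64_t i = 0; i < phnum; i++) {
        uint64_t p_type = rd(buf + phoff + i * phentsize, 4);
        interp |= (p_type == X_PT_INTERP);
        dynamic |= (p_type == X_PT_DYNAMIC);
    }
    if (e_type == X_ET_EXEC) return interp ? DYNAMIC_FIXED : STATIC_FIXED;
    if (e_type == X_ET_DYN && interp) return DYNAMIC_PIE;
    if (e_type == X_ET_DYN && dynamic) return STATIC_PIE;
    return UNKNOWN_KIND;
}

/* Constructed sample: ELF64 header plus three program headers of the given
 * types (0 = PT_NULL, an ignored slot), classified in place. */
enum link_kind classify_sample(unsigned e_type, uint32_t t0, uint32_t t1, uint32_t t2)
{
    uint8_t buf[EHDR_SIZE + 3 * PHDR_SIZE] = { 0x7f, 'E', 'L', 'F', 2, 1, 1 };
    const uint32_t pt[3] = { t0, t1, t2 };
    wr(buf + 16, e_type, 2);
    wr(buf + 32, EHDR_SIZE, 8);                     /* e_phoff */
    wr(buf + 54, PHDR_SIZE, 2);                     /* e_phentsize */
    wr(buf + 56, 3, 2);                             /* e_phnum */
    for (int i = 0; i < 3; i++) wr(buf + EHDR_SIZE + i * PHDR_SIZE, pt[i], 4);
    return classify_elf(buf, sizeof buf);
}

int main(int argc, char **argv)
{
    static uint8_t buf[1 << 16];    /* the headers sit at the start of the file */
    enum link_kind kind = classify_sample(X_ET_DYN, X_PT_LOAD, X_PT_DYNAMIC, 0);
    if (argc > 1) {                 /* classify a real file instead of the sample */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 2; }
        kind = classify_elf(buf, fread(buf, 1, sizeof buf, f));
        fclose(f);
    }
    printf("%s\n", KIND_NAME[kind]);
    return 0;
}
```

Run with a path argument to classify a real binary; an `ET_EXEC` result for a file that was meant to be a static PIE means it will load at a fixed address.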

@Mic92 Mic92 force-pushed the static-pie branch 2 times, most recently from 2676fc1 to 8a4dcb6 Compare May 23, 2021 13:23
@Mic92 Mic92 force-pushed the static-pie branch 2 times, most recently from 1a3860b to 166948d Compare May 23, 2021 18:57
@Mic92 Mic92 marked this pull request as ready for review May 23, 2021 18:58
@Mic92 Mic92 requested a review from Ericson2314 as a code owner May 23, 2021 18:58

@Ericson2314 Ericson2314 left a comment

I think something like my comment would make it easier to understand, but that aside LGTM.

Co-authored-by: John Ericson <git@JohnEricson.me>

Mic92 commented May 25, 2021

Someone also tested macOS/clang for me. Good to go.

@Mic92 Mic92 merged commit 5551a78 into NixOS:staging May 25, 2021
@Mic92 Mic92 deleted the static-pie branch May 25, 2021 14:32

misuzu commented Jul 1, 2021

I think this change broke glibc on armv7l:

/build/build/elf/sln /build/build/elf/symlink.list
make[1]: *** [Makefile:115: install-symbolic-link] Segmentation fault (core dumped)
make[1]: Leaving directory '/build/glibc-2.32'
make: *** [Makefile:12: install] Error 2
builder for '/nix/store/hrrfkbfywf8awmj84gkasj3zck5p4s3l-glibc-2.32-48.drv' failed with exit code 2

According to https://sourceware.org/glibc/wiki/PortStatus --enable-static-pie is not supported on armv7l:

This feature is currently supported on i386, x86_64 and x32 with binutils 2.29 or later, and on aarch64 with binutils 2.30 or later.

On Debian and Gentoo --enable-static-pie is enabled only on supported platforms.

Reverting 61c74e1 (on top of 59ef808) allowed me to successfully build glibc on armv7l.

@@ -153,6 +153,8 @@ stdenv.mkDerivation ({
"--enable-add-ons"
"--sysconfdir=/etc"
"--enable-stackguard-randomization"
"--enable-static-pie"
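
Review bot: `"--enable-static-pie"` on the last line of this hunk is added to the configure flags unconditionally, so it is also passed on targets where glibc does not support static PIE; the PortStatus text quoted above lists only i386, x86_64, x32 and aarch64, and the armv7l build reported here segfaults in `sln` during install. Make the flag conditional on the host platform so it is enabled only for those architectures, and put a comment next to it pointing at the PortStatus page so the list is easy to revisit.
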
Member Author

Well, I guess this line should be disabled on arm-legacy again then.
