glibc: allow to build position-independent static executable #123989
Also @Ericson2314 claims static-pie support, it is not quite true yet: https://news.ycombinator.com/item?id=23657020

```c
#include <stdio.h>

int main() {
    printf("main: %p\n", main);
    return 0;
}
```

```nix
with import <nixpkgs> {};
stdenv.mkDerivation {
  name = "env";
  nativeBuildInputs = [
    bashInteractive
  ];
  buildInputs = [
    glibc.static
  ];
}
```

```console
$ gcc -static-pie -o main main.c
$ gdb ./main
Reading symbols from ./main...
(gdb) r
Starting program: /tmp/tmp.kSRlP5T372/solo5/main
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f5115c in __dcigettext ()
(gdb) bt
#0 0x00007ffff7f5115c in __dcigettext ()
#1 0x00007ffff7f502ce in __assert_fail ()
#2 0x00007ffff7f90415 in _dl_relocate_static_pie ()
#3 0x00007ffff7f4f3b8 in __libc_start_main ()
#4 0x00007ffff7f4ee1a in _start () at ../sysdeps/x86_64/start.S:120
```
My blind guess is that it somehow breaks TLS:

This works in an archlinux container. So it is something that breaks in our setup.
This is what archlinux produces:
This is Nixpkgs:
Interestingly enough, even without the change glibc already builds
This enables ASLR on static executables, which makes them harder to exploit by providing a crt suitable for static PIEs. Does this break existing binaries? Likely not. Static-pie is only used if explicitly enabled.
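One way to check what the description above is about, as an added example that is not code from this PR, Nixpkgs or glibc: a static non-PIE binary is `ET_EXEC` with fixed load addresses, while a static-pie binary is `ET_DYN` with no `PT_INTERP`, so the kernel can place it at a randomized base. The function names and the constructed sample headers are assumptions of this example, and only ELF64 little-endian files are handled.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3

def classify(image: bytes) -> str:
    """Classify an ELF64 little-endian executable by link mode and PIE-ness."""
    if len(image) < EHDR.size or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if image[4] != 2 or image[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    hdr = EHDR.unpack_from(image)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    if e_phentsize != PHDR.size or e_phoff + e_phnum * PHDR.size > len(image):
        raise ValueError("truncated or malformed program header table")
    ptypes = {PHDR.unpack_from(image, e_phoff + i * PHDR.size)[0]
              for i in range(e_phnum)}
    dynamic = PT_INTERP in ptypes           # a requested loader means dynamic linking
    if e_type == ET_EXEC:                   # fixed addresses, no load-base ASLR
        return "dynamic non-PIE" if dynamic else "static non-PIE"
    if e_type == ET_DYN:
        # Heuristic: a shared library is also ET_DYN without PT_INTERP, so only
        # feed this function files known to be executables.
        return "dynamic PIE" if dynamic else "static-pie"
    raise ValueError(f"unexpected e_type {e_type}")

def make_elf(e_type: int, ptypes: list[int]) -> bytes:
    """Constructed sample input: an ELF header plus empty program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                    EHDR.size, PHDR.size, len(ptypes), 0, 0, 0)
    return hdr + b"".join(PHDR.pack(t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:               # e.g. the ./main built with -static-pie
        with open(path, "rb") as f:
            print(path, "->", classify(f.read()))
```

Run against a real binary, the result can be cross-checked with `readelf -h -l`, which shows the same `Type:` field and program header list.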
Ha! It works now. After compiling glibc from source I could pinpoint the assertion that broke the execution.
I think something like my comment would make it easier to understand, but that aside LGTM.
Co-authored-by: John Ericson <git@JohnEricson.me>
Someone tested also macOS/clang for me. Good to go.
I think this change broke glibc on armv7l:
According to https://sourceware.org/glibc/wiki/PortStatus
On Debian and Gentoo Reverting 61c74e1 (on top of 59ef808) allowed me to successfully build glibc on armv7l.
@@ -153,6 +153,8 @@ stdenv.mkDerivation ({ | |||
"--enable-add-ons" | |||
"--sysconfdir=/etc" | |||
"--enable-stackguard-randomization" | |||
"--enable-static-pie" |
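Review bot: the new "--enable-static-pie" entry sits in the flag list with no condition around it, so as far as this hunk shows it is passed to configure on every platform that builds this derivation. Consider guarding it with a platform check so it is only set where the glibc port supports static PIE, and add a one-line comment above it stating why it is there (a crt suitable for static PIEs), since a bare flag gives the next reader no hint of the motivation.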
Well I guess this line should be disabled on arm-legacy again then.