Switch to position independent executable compilation #5372
Comments
So, maybe, it is not so important now? ExperimentSetupI tried to build *.deb packages for Debian Bullseye without and with the following patch: diff --git a/debian/rules b/debian/rules
index 904eaa719..9031920e7 100755
--- a/debian/rules
+++ b/debian/rules
@@ -28,7 +28,7 @@ DEB_DH_SYSTEMD_START_ARGS_tarantool-common := --no-restart-on-upgrade tarantool
# Needed for proper backtraces in fiber.info()
DEB_DH_STRIP_ARGS := -X/usr/bin/tarantool
-export DEB_BUILD_MAINT_OPTIONS = hardening=-stackprotector,-pie
+export DEB_BUILD_MAINT_OPTIONS = hardening=-stackprotector
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mkResultsWithout patch (baseline, no-PIE)Backtraces looks correct. fiber.info()$ tarantool
Tarantool 2.10.0-beta1-1-gfb7fe96b5
type 'help' for interactive help
tarantool> require('fiber').info()
---
- 101:
csw: 1
backtrace:
- C: '#0 0x579b90 in fiber_backtrace_cb+640'
- L: stall in =[C] at line -1
- L: (unnamed) in @builtin/fiber.lua at line 59
- C: '#1 0x5c134b in lj_BC_FUNCC+52'
- C: '#2 (nil) in +63'
memory:
total: 516480
used: 0
time: 0
name: lua
fid: 101
103:
csw: 5
backtrace:
- C: '#0 0x57ac5e in lbox_fiber_statof_bt+62'
- C: '#1 0x59b6cc in fiber_stat+76'
- C: '#2 0x57b045 in lbox_fiber_info+53'
- L: pcall in =[C] at line -1
- L: eval in @builtin/box/console.lua at line 402
- L: repl in @builtin/box/console.lua at line 708
- L: (unnamed) in @builtin/box/console.lua at line 757
- C: '#3 0x5c134b in lj_BC_FUNCC+52'
- C: '#4 0x5c7c24 in lua_pcall+116'
- C: '#5 0x57e4a4 in luaT_call+20'
- C: '#6 0x578749 in lua_main+89'
- C: '#7 0x5789e9 in run_script_f+633'
- C: '#8 0x41fa9d in fiber_cxx_invoke(int (*)(__va_list_tag*), __va_list_tag*)+13'
- C: '#9 0x5990b0 in fiber_loop+48'
- C: '#10 0x7d0d50 in coro_init+64'
memory:
total: 516480
used: 0
time: 0
name: interactive
fid: 103
102:
csw: 0
backtrace:
- C: '#0 (nil) in +63'
- C: '#1 (nil) in +63'
memory:
total: 516480
used: 0
time: 0
name: on_shutdown
fid: 102
...With patch (PIE)Backtraces looks correct. fiber.info()$ tarantool
Tarantool 2.10.0-beta1-1-gfb7fe96b5
type 'help' for interactive help
tarantool> require('fiber').info()
---
- 101:
csw: 1
backtrace:
- C: '#0 0x55ab76bc6db0 in fiber_backtrace_cb+656'
- L: stall in =[C] at line -1
- L: (unnamed) in @builtin/fiber.lua at line 59
- C: '#1 0x55ab76c1011b in lj_BC_FUNCC+52'
- C: '#2 (nil) in +63'
memory:
total: 516480
used: 0
time: 0
name: lua
fid: 101
103:
csw: 29
backtrace:
- C: '#0 0x55ab76bc7ede in lbox_fiber_statof_bt+62'
- C: '#1 0x55ab76be983c in fiber_stat+76'
- C: '#2 0x55ab76bc82d7 in lbox_fiber_info+55'
- L: pcall in =[C] at line -1
- L: eval in @builtin/box/console.lua at line 402
- L: repl in @builtin/box/console.lua at line 708
- L: (unnamed) in @builtin/box/console.lua at line 757
- C: '#3 0x55ab76c1011b in lj_BC_FUNCC+52'
- C: '#4 0x55ab76c16a04 in lua_pcall+116'
- C: '#5 0x55ab76bcb904 in luaT_call+20'
- C: '#6 0x55ab76bc58d9 in lua_main+89'
- C: '#7 0x55ab76bc5b7f in run_script_f+639'
- C: '#8 0x55ab76a67e9d in fiber_cxx_invoke(int (*)(__va_list_tag*), __va_list_tag*)+13'
- C: '#9 0x55ab76be70a0 in fiber_loop+48'
- C: '#10 0x55ab76e25750 in coro_init+64'
memory:
total: 516480
used: 0
time: 0
name: interactive
fid: 103
102:
csw: 0
backtrace:
- C: '#0 (nil) in +63'
- C: '#1 (nil) in +63'
memory:
total: 516480
used: 0
time: 0
name: on_shutdown
fid: 102
... |
|
I propose to write a good test for backtraces and make attempt to eliminate PIE disabling for all distributions. |
This was referenced Aug 4, 2022
Gumix
added a commit
that referenced
this issue
Aug 18, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for regular and static builds. It passess the following compiler options that harden Tarantool (including bundled libraries) against memory corruption attacks: -fpie - generate position-independent code. This is required to take advantage of ASLR (Address Space Layout Randomization). -fstack-protector - emit extra code to check for buffer overflows. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build NO_CHANGELOG=build
Gumix
added a commit
that referenced
this issue
Aug 19, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for regular and static builds. It passess compiler flags that harden Tarantool (including bundled libraries) against memory corruption attacks. For now the following flag is passed: -fstack-protector - emit extra code to check for buffer overflows. ENABLE_HARDENING also enables CMAKE_POSITION_INDEPENDENT_CODE for all targets. This option forces compiler to generate PIC (Position-Independent Code by passing -fPIC to Dynamic Shared Object (DSO) targets and -fPIE to executable targets. It's not possible to pass -fPIE flag to all targets, because it will override the -fPIC flag, which is required for DSO targets. PIC allows to take advantage of ASLR (Address Space Layout Randomization). Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build NO_CHANGELOG=build
Gumix
added a commit
that referenced
this issue
Aug 19, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for regular and static builds. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. For now only -fstack-protector is passed, which emits extra code, which checks for buffer overflows. ENABLE_HARDENING also enables CMAKE_POSITION_INDEPENDENT_CODE for all targets. This option forces compiler to generate PIC (Position-Independent Code) by passing -fPIC to Dynamic Shared Object (DSO) targets and -fPIE to executable targets. PIC/PIE allow to take advantage of ASLR (Address Space Layout Randomization). For libunwind we have to pass -fPIE explicitly, because libunwind uses configure instead of cmake. It is not possible to pass `-fPIE` flag to all targets, because it will override the default -fPIC flag, which is required for DSO targets. Also it is not desirable to pass `-fPIC` flag to all targets, because it will produce less optimal code than -fPIE for executable targets. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build NO_CHANGELOG=build
Gumix
added a commit
that referenced
this issue
Aug 25, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for regular and static builds. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -D_FORTIFY_SOURCE=2 - Replace some common functions with fortified wrappers that check whether the size of the destination buffer in those functions is large enough to handle the input data. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC - Generate position-independent code (PIC). It allows to take advantage of Address Space Layout Randomization (ASLR). * -Wl,-z,relro,-z,now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build
Gumix
added a commit
that referenced
this issue
Aug 25, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for regular and static builds. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -D_FORTIFY_SOURCE=2 - Replace some common functions with fortified wrappers that check whether the size of the destination buffer in those functions is large enough to handle the input data. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC - Generate position-independent code (PIC). It allows to take advantage of Address Space Layout Randomization (ASLR). * -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build
Gumix
added a commit
that referenced
this issue
Aug 25, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for regular and static builds. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -D_FORTIFY_SOURCE=2 - Replace some common functions with fortified wrappers that check whether the size of the destination buffer in those functions is large enough to handle the input data. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC - Generate position-independent code (PIC). It allows to take advantage of Address Space Layout Randomization (ASLR). * -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build
Gumix
added a commit
that referenced
this issue
Aug 26, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for regular and static builds. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -D_FORTIFY_SOURCE=2 - Replace some common functions with fortified wrappers that check whether the size of the destination buffer in those functions is large enough to handle the input data. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC - Generate position-independent code (PIC). It allows to take advantage of Address Space Layout Randomization (ASLR). * -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build
Gumix
added a commit
that referenced
this issue
Aug 31, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for regular and static builds. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -D_FORTIFY_SOURCE=2 - Replace some common functions with fortified wrappers that check whether the size of the destination buffer in those functions is large enough to handle the input data. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC - Generate position-independent code (PIC). It allows to take advantage of Address Space Layout Randomization (ASLR). * -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build
Gumix
added a commit
that referenced
this issue
Aug 31, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for non-debug regular and static builds. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -D_FORTIFY_SOURCE=2 - Replace some common functions with fortified wrappers that check whether the size of the destination buffer in those functions is large enough to handle the input data. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC -pie - Generate position-independent code (PIC). It allows to take advantage of the Address Space Layout Randomization (ASLR). * -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build
Gumix
added a commit
that referenced
this issue
Aug 31, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for non-debug regular and static builds. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -D_FORTIFY_SOURCE=2 - Replace some common functions with fortified wrappers that check whether the size of the destination buffer in those functions is large enough to handle the input data. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC -pie - Generate position-independent code (PIC). It allows to take advantage of the Address Space Layout Randomization (ASLR). * -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build
Gumix
added a commit
that referenced
this issue
Sep 1, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for non-debug regular and static builds. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -D_FORTIFY_SOURCE=2 - Replace some common functions with fortified wrappers that check whether the size of the destination buffer in those functions is large enough to handle the input data. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC -pie - Generate position-independent code (PIC). It allows to take advantage of the Address Space Layout Randomization (ASLR). * -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build
Gumix
added a commit
that referenced
this issue
Sep 9, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for non-debug regular and static builds. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -D_FORTIFY_SOURCE=2 - Replace some common functions with fortified wrappers that check whether the size of the destination buffer in those functions is large enough to handle the input data. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC -pie - Generate position-independent code (PIC). It allows to take advantage of the Address Space Layout Randomization (ASLR). * -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build
Gumix
added a commit
to Gumix/tarantool
that referenced
this issue
Sep 13, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for non-debug regular and static builds. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC -pie - Generate position-independent code (PIC). It allows to take advantage of the Address Space Layout Randomization (ASLR). * -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes tarantool#5372 Closes tarantool#7536 NO_DOC=build NO_TEST=build
Gumix
added a commit
that referenced
this issue
Sep 15, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for non-debug regular and static builds, excluding AArch64 and FreeBSD. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC -pie - Generate position-independent code (PIC). It allows to take advantage of the Address Space Layout Randomization (ASLR). * -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build
Gumix
added a commit
that referenced
this issue
Sep 15, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for non-debug regular and static builds, excluding AArch64 and FreeBSD. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC -pie - Generate position-independent code (PIC). It allows to take advantage of the Address Space Layout Randomization (ASLR). * -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build
Gumix
added a commit
that referenced
this issue
Sep 15, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for non-debug regular and static builds, excluding AArch64 and FreeBSD. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC -pie - Generate position-independent code (PIC). It allows to take advantage of the Address Space Layout Randomization (ASLR). * -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build
locker
pushed a commit
that referenced
this issue
Sep 15, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for non-debug regular and static builds, excluding AArch64 and FreeBSD. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC -pie - Generate position-independent code (PIC). It allows to take advantage of the Address Space Layout Randomization (ASLR). * -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build
locker
pushed a commit
that referenced
this issue
Sep 15, 2022
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for non-debug regular and static builds, excluding AArch64 and FreeBSD. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC -pie - Generate position-independent code (PIC). It allows to take advantage of the Address Space Layout Randomization (ASLR). * -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build (cherry picked from commit e6abe1c)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is stated as a
mustfor #5261 by MRG security teamThe text was updated successfully, but these errors were encountered: