Bug#661393: FTBFS: Enabling hardening on amd64 causes relocation errors

2012-03-22 Thread Simon Ruderich
Using -fPIE won't work when linking the library, -fPIC must be
used for the library (at least on amd64). -fPIE is only for
binaries.

The attached patch fixes the missing hardening flags (CFLAGS,
CPPFLAGS) and fixes the build by stripping -fPIE/-pie when
compiling/linking the library.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

$ hardening-check /lib/x86_64-linux-gnu/libkeyutils.so.1.4 /bin/keyctl /sbin/request-key /sbin/key.dns_resolver
/lib/x86_64-linux-gnu/libkeyutils.so.1.4:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes
/bin/keyctl:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/sbin/request-key:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
/sbin/key.dns_resolver:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: yes

Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
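
The check described in the message above, as an added example that is not part of the original message or of the hardening-includes package: a shell function that reduces `hardening-check` output to the file/check pairs that came back "no", skipping results the tool itself marks as ignored. The function names `hardening_failures` and `sample_report` are assumptions of this example; the sample report is two of the four entries from the output above.

```shell
#!/bin/sh
# Added example: summarise a hardening-check report as "file<TAB>failed check".
# Assumption: the report layout is the one shown in the message above
# (a "path:" header line, then indented "Check name: verdict" lines).

hardening_failures() {
    # Reads a hardening-check report on stdin.
    awk '
        # Header line: a path ending in ":" with no leading space.
        /^[^ ].*:$/ { file = substr($0, 1, length($0) - 1); next }
        # Result line: indented "name: verdict".
        /^ / {
            line = $0
            sub(/^ +/, "", line)
            sep = index(line, ": ")
            if (sep == 0) next
            name = substr(line, 1, sep - 1)
            verdict = substr(line, sep + 2)
            # "no, regular shared library (ignored)" is not a failure:
            # the PIE check does not apply to shared libraries.
            if (verdict ~ /^no/ && verdict !~ /\(ignored\)/)
                printf "%s\t%s\n", file, name
        }
    '
}

# Report text taken from the message above (two of the four files).
sample_report() {
    cat <<'EOF'
/lib/x86_64-linux-gnu/libkeyutils.so.1.4:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes
/sbin/request-key:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
EOF
}

sample_report | hardening_failures
```

On a build tree the same function can take the output of the `find ... -exec hardening-check {} +` command directly on stdin; each pair it prints is a result to compare against the flags in the build log.
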
Description: Use build flags from environment (dpkg-buildflags).
 Necessary for hardening flags.
 .
 Also strip -pie/-fPIE from CFLAGS/LDFLAGS when used to link libraries. It
 conflicts with -fPIC.
Author: Simon Ruderich si...@ruderich.org
Last-Update: 2012-03-22

Index: keyutils-1.5.5/Makefile
===
--- keyutils-1.5.5.orig/Makefile	2012-03-22 22:21:03.354236747 +0100
+++ keyutils-1.5.5/Makefile	2012-03-22 22:27:28.118251392 +0100
@@ -1,5 +1,9 @@
-CPPFLAGS	:= -I.
-CFLAGS		:= -g -Wall -Werror
+CPPFLAGS	+= -I.
+CFLAGS		+= -g -Wall -Werror
+# Libraries can't be compiled with -pie/-fPIE. Strip it from CFLAGS/LDFLAGS if
+# used.
+CFLAGS_LIB	:= $(filter-out -fPIE,$(CFLAGS))
+LDFLAGS_LIB	:= $(filter-out -fPIE,$(filter-out -pie,$(LDFLAGS)))
 INSTALL		:= install
 DESTDIR		:=
 SPECFILE	:= keyutils.spec
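Review bot: `CFLAGS_LIB` and `LDFLAGS_LIB` are assigned with `:=` and filter only the exact words `-fPIE` and `-pie`, so they are a snapshot taken at this line: anything appended to `CFLAGS` or `LDFLAGS` further down the Makefile reaches the programs but not the library, and a differently spelled flag such as `-fpie` passes through unfiltered. Defining them with `=` would let them follow later changes, and the nested call can be written as one, `$(filter-out -fPIE -pie,$(LDFLAGS))`. Also note that `+=` on `CPPFLAGS` and `CFLAGS` keeps values coming from the environment but has no effect when the caller sets them on the make command line, in which case `-I.` is lost unless the assignment uses `override`.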
@@ -116,10 +120,10 @@
 LIBVERS := -shared -Wl,-soname,$(SONAME) -Wl,--version-script,version.lds
 
 $(LIBNAME): keyutils.os version.lds Makefile
-	$(CC) $(CFLAGS) -fPIC $(LDFLAGS) $(LIBVERS) -o $@ keyutils.os $(LIBLIBS)
+	$(CC) $(CFLAGS_LIB) -fPIC $(LDFLAGS_LIB) $(LIBVERS) -o $@ keyutils.os $(LIBLIBS)
 
 keyutils.os: keyutils.c keyutils.h Makefile
-	$(CC) $(CPPFLAGS) $(VCPPFLAGS) $(CFLAGS) -fPIC -o $@ -c $
+	$(CC) $(CPPFLAGS) $(VCPPFLAGS) $(CFLAGS_LIB) -fPIC -o $@ -c $
 
 ###
 #
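Review bot: the `$(LIBNAME)` and `keyutils.os` recipes carry no comment saying why they use `$(CFLAGS_LIB)` and `$(LDFLAGS_LIB)` instead of the plain variables, and the explanation sits more than a hundred lines away at the top of the Makefile; a one-line comment at these rules would keep a later edit from switching them back to `$(CFLAGS)`/`$(LDFLAGS)` and reintroducing the `-fPIE`/`-pie` conflict. As rendered here the `keyutils.os` compile line ends in a bare `$` on both the removed and the added side, so the reference to the source file did not survive the archive; apply the patch from the bug's attachment rather than from this page.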




Bug#661393: FTBFS: Enabling hardening on amd64 causes relocation errors

2012-03-22 Thread Jakub Wilk

* Simon Ruderich si...@ruderich.org, 2012-03-22, 22:38:
Using -fPIE won't work when linking the library, -fPIC must be used for 
the library (at least on amd64). -fPIE is only for binaries.


Correct. Thanks for clarification.

--
Jakub Wilk



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#661393: FTBFS: Enabling hardening on amd64 causes relocation errors

2012-03-10 Thread Jakub Wilk

severity 661393 serious
thanks

* Miguel Colon debian.mic...@gmail.com, 2012-02-26, 17:15:

The last release enabled hardening but caused the following errors in amd64:
/usr/bin/ld: keyctl.o: relocation R_X86_64_32S against `commands' can 
not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: request-key.o: relocation R_X86_64_32 against `.rodata' 
can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: key.dns_resolver.o: relocation R_X86_64_32 against 
`.rodata' can not be used when making a shared object; recompile with 
-fPIC

[...]

--- keyutils-1.5.5.orig/Makefile
+++ keyutils-1.5.5/Makefile
@@ -127,7 +127,7 @@ keyutils.os: keyutils.c keyutils.h Makef
#
###
%.o: %.c keyutils.h Makefile
-   $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ -c $
+   $(CC) $(CPPFLAGS) $(CFLAGS) -fPIC -o $@ -c $

keyctl: keyctl.o $(DEVELLIB)
$(CC) -L. $(CFLAGS) $(LDFLAGS) $(RPATH) -o $@ $ -lkeyutils
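Review bot: the `keyctl` link line in the trailing context still takes its link mode only from `$(LDFLAGS)`, while the `%.o: %.c` rule above it now forces `-fPIC` itself, so the compile and link steps no longer get position independence from the same place. Either keep both under the control of the flags passed in, or make the matching change to the link rules in the same patch.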


The correct fix would be to make the makefile respect CFLAGS set from 
environment, which already include -fPIE (not -fPIC).


--
Jakub Wilk






Bug#661393: FTBFS: Enabling hardening on amd64 causes relocation errors

2012-02-26 Thread Miguel Colon
Source: keyutils
Version: 1.5.5-1
Severity: important
Tags: patch

Hello:

The last release enabled hardening but caused the following errors in amd64:
 /usr/bin/ld: keyctl.o: relocation R_X86_64_32S against `commands' can
not be used when making a shared object; recompile with -fPIC
 /usr/bin/ld: request-key.o: relocation R_X86_64_32 against `.rodata'
can not be used when making a shared object; recompile with -fPIC
 /usr/bin/ld: key.dns_resolver.o: relocation R_X86_64_32 against
`.rodata' can not be used when making a shared object; recompile with
-fPIC

If hardening is disabled the errors go away but I doubt that is
desired. As an attachment I included a patch for a possible way to fix
the FTBFS.

The log of the errors can be found:
https://buildd.debian.org/status/fetch.php?pkg=keyutils&arch=amd64&ver=1.5.5-1&stamp=1327720867

The 2nd and 3rd -fPIC error messages appear when you add -fPIC flag to
the object file of the previous line.

Hope this helps,
Miguel
Description: Use -fPIC for the generated *.o.
 Errors caused by enabling hardening in amd64:
 /usr/bin/ld: keyctl.o: relocation R_X86_64_32S against `commands' can not be used when making a shared object; recompile with -fPIC
 /usr/bin/ld: request-key.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
 /usr/bin/ld: key.dns_resolver.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
Forwarded: no
Author: Miguel Colon debian.mic...@gmail.com
Last-Update: 2012-02-26

--- keyutils-1.5.5.orig/Makefile
+++ keyutils-1.5.5/Makefile
@@ -127,7 +127,7 @@ keyutils.os: keyutils.c keyutils.h Makef
 #
 ###
 %.o: %.c keyutils.h Makefile
-	$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ -c $
+	$(CC) $(CPPFLAGS) $(CFLAGS) -fPIC -o $@ -c $
 
 keyctl: keyctl.o $(DEVELLIB)
 	$(CC) -L. $(CFLAGS) $(LDFLAGS) $(RPATH) -o $@ $ -lkeyutils
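Review bot: the `-fPIC` added to the `%.o: %.c` rule is hard-coded, so it applies to every build of the program objects, hardened or not and on every architecture, although the objects built here go into executables (the `keyctl: keyctl.o` rule right below). For objects that end up in executables the usual flag is `-fPIE`, and it belongs with whoever sets `CFLAGS` for the build; the patch description should say why `-fPIC` was chosen over that, or the rule should leave the choice to `$(CFLAGS)`.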