Thank you, Dave! From: "Dave Barach (dbarach)" <[email protected]> Date: Wednesday, May 30, 2018 at 3:03 PM To: Jin Sheng <[email protected]>, "[email protected]" <[email protected]> Subject: RE: overflow hardening for vpp
Yup. Looks like -pie disappeared for no reason that I can remember. I’ll turn it back on. D. From: [email protected] <[email protected]> On Behalf Of Jin Sheng (jisheng) Sent: Wednesday, May 30, 2018 12:11 PM To: [email protected] Cc: Dave Wallace <[email protected]> Subject: [vpp-dev] overflow hardening for vpp Hi, We noticed that PIE and immediate binding isn’t enabled for vpp: /usr/bin/vpp: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no, not found! In the wiki page https://wiki.fd.io/view/VPP/Build_System_Deep_Dive, I see at least PIE should be enabled: vpp_TAG_CFLAGS = -g -O2 -DFORTIFY_SOURCE=2 -march=$(MARCH) \ -fstack-protector -fPIC -pie vpp_TAG_LDFLAGS = -g -O2 -DFORTIFY_SOURCE=2 -march=$(MARCH) \ -fstack-protector -fPIC -pie But in the repository, it’s not even included in the initial commit in 2015. Should we enable those hardening options? If so is vpp.mk the right place to add them? Thanks, Jin
