pie-ssp working group

Robert Connolly cendres at videotron.ca
Sat Feb 7 00:52:03 PST 2004


Threw my trial and errors editing the gcc specs file I have found putting -pie 
in cc1 will not work. The next best thing is -fPIE/fpie, but glibc, ncurses, 
shadow, and others, produce textrel with -fpie. I don't want textrel so the 
noelfrelocs pax feature can work properly. So I started editing:
ftp://twocents.mooo.com/pub/hcc/pie/gcc-3.3-pie-2.patch
And realized if I took -fpie out, and left all the rest, it worked just like 
cflags=-pie.

There are bugs in zlib and util-linux (pivot_root bug) that don't use position 
idependent code, which gentoo has patches for (to add -pic), so now they work 
fine. gzip-1.3.5 is still messed up becuase it uses assembly, but v1.3.4 
works fine. gcc is the only application with an unresolved textrel bug, which 
would prevent it from working on a kernel with noelftextrelocs (unless maybe 
chpax can fix this).

I feel it is safe to use -pie hardcoded in gcc. The only package I can think 
of that won't like it is grub, and then its just a matter of making grub 
respect cflags=-no-pie. And 3 binutils testsuite failures from the pt_pax 
patch. Looking at ld/ld.log it looks like the testsuite needs to be fixed. 
The regex match string test is failing because it doesn't expect to have 
PAX_FLAGS from readelf, I don't think there is anything wrong with ld itself, 
upstream should fix this imho. Pappy is working on a similiar patch to 
hardcode -pic and -fstack-protector in gcc, his is more porable than mine.

I still need to test the my new pie patch by building a base with it but I 
expect good results. And it will only work on x86. Porting it to other 
platforms should not be a problem with a bit of testing.

In summary, -pie will work as well as can be expected shorty. I assume no one 
objects to me editing the pie patch to use -pie by default? (This would turn 
into a small patch for gcc-3.4 to make it use -pie by default too). However 
this will cause some problems in bhlfs land. They would have to make sure 
everything is pic/pie friendly. bhlfs can work with other resources, like 
adamantix, gentoo, even fedora, as they would all have common pic/pie issues 
and patches.





More information about the hlfs-dev mailing list