[hardening-discuss] cmake vs DEB_BUILD_HARDENING vs 64-bit

Kees Cook kees at outflux.net
Mon Apr 14 16:25:08 UTC 2008 

Hi Pierre,

This is better discussed on the hardening-discuss mailing list (Cc'd).

On Mon, Apr 14, 2008 at 09:48:11AM +0200, Pierre Chifflier wrote:
> It seems that with current versions from unstable, programs using cmake
> can't be build with hardening options on.
> Even the simplest cmake project fails:
> 
> $ cat CMakeLists.txt
> PROJECT(coin C)
> 
> $ DEB_BUILD_HARDENING=1 cmake .
> -- Check for working C compiler: /usr/bin/gcc
> -- Check for working C compiler: /usr/bin/gcc -- broken
> CMake Error: The C compiler "/usr/bin/gcc" is not able to compile a
> simple test program.

If you're using the hardening options and something goes wrong, a good
first-step is to add DEB_BUILD_HARDENING_DEBUG=1 (as shown in the man page)
to see specifically what commands are being run:

$ DEB_BUILD_HARDENING=1 DEB_BUILD_HARDENING_DEBUG=1 cmake .
-- Check for working C compiler: /usr/bin/gcc
-- Check for working C compiler: /usr/bin/gcc -- broken
CMake Error: The C compiler "/usr/bin/gcc" is not able to compile a simple test program.
It fails with the following output:
 /usr/bin/make -f CMakeFiles/cmTryCompileExec.dir/build.make CMakeFiles/cmTryCompileExec.dir/build
make[1]: Entering directory `/tmp/ow/CMakeFiles/CMakeTmp'
/usr/bin/cmake -E cmake_progress_report /tmp/ow/CMakeFiles/CMakeTmp/CMakeFiles 1
Building C object CMakeFiles/cmTryCompileExec.dir/testCCompiler.o
/usr/bin/gcc   -o CMakeFiles/cmTryCompileExec.dir/testCCompiler.o   -c /tmp/ow/CMakeFiles/CMakeTmp/testCCompiler.c
gcc-4.2 -fstack-protector -fPIE -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -o CMakeFiles/cmTryCompileExec.dir/testCCompiler.o -c /tmp/ow/CMakeFiles/CMakeTmp/testCCompiler.c
/usr/bin/gcc-4.2.real -fstack-protector -fPIE -Wformat -Wformat-security -fstack-protector -fPIE -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -o CMakeFiles/cmTryCompileExec.dir/testCCompiler.o -c /tmp/ow/CMakeFiles/CMakeTmp/testCCompiler.c

compilation was okay, however...

Linking C executable cmTryCompileExec
/usr/bin/cmake -P CMakeFiles/cmTryCompileExec.dir/cmake_clean_target.cmake
/usr/bin/gcc        -fPIC "CMakeFiles/cmTryCompileExec.dir/testCCompiler.o"   -o cmTryCompileExec -rdynamic 
gcc-4.2 -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -fPIC CMakeFiles/cmTryCompileExec.dir/testCCompiler.o -o cmTryCompileExec -rdynamic
/usr/bin/gcc-4.2.real -fstack-protector -Wformat -Wformat-security -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -fPIC CMakeFiles/cmTryCompileExec.dir/testCCompiler.o -o cmTryCompileExec -rdynamic
/usr/bin/ld.real -z relro -pie --eh-frame-hdr -m elf_x86_64 --hash-style=both -export-dynamic -dynamic-linker /lib64/ld-linux-x86-64.so.2 -o cmTryCompileExec /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crt1.o /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crti.o /usr/lib/gcc/x86_64-linux-gnu/4.2.3/crtbegin.o -L/usr/lib/gcc/x86_64-linux-gnu/4.2.3 -L/usr/lib/gcc/x86_64-linux-gnu/4.2.3 -L/usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../.. CMakeFiles/cmTryCompileExec.dir/testCCompiler.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/x86_64-linux-gnu/4.2.3/crtend.o /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crtn.o
/usr/bin/ld.real: /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crt1.o: relocation R_X86_64_32S against `__libc_csu_fini' can not be used when making a shared object; recompile with -fPIC
/usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crt1.o: could not read symbols: Bad value
collect2: ld returned 1 exit status

linking failed.  Seeing the "relocation R_X86_64_32S against
`__libc_csu_fini' can not be used when making a shared object; recompile
with -fPIC" error is a hint to me that this is related to attempting
a PIE build and failing.  To try the wrapper without PIE hardening,
use DEB_BUILD_HARDENING_PIE=0:

$ DEB_BUILD_HARDENING=1 DEB_BUILD_HARDENING_PIE=0 DEB_BUILD_HARDENING_DEBUG=1 cmake .
-- Check for working C compiler: /usr/bin/gcc
-- Check for working C compiler: /usr/bin/gcc -- works
-- Check size of void*
-- Check size of void* - done
-- Configuring done
-- Generating done

> Is there a known solution or workaround ? (I'll ask on the cmake list at
> the same time).

This seems to be a bug in the hardening-wrapper.  Cmake is doing
builds in a way that wasn't expected (i.e. passing -fPIC during
an executable build, which disables PIE at the compiler level,
but the linker will still attempt to do it).  While I think cmake
is being weird, it is still a valid command line (/usr/bin/gcc -fPIC
"CMakeFiles/cmTryCompileExec.dir/testCCompiler.o" -o cmTryCompileExec
-rdynamic).

-Kees

-- 
Kees Cook                                            @outflux.net

More information about the hardening-discuss mailing list