[hardening-discuss] Linker fails on i386 and amd64 with hardening options
Kees Cook
kees at outflux.net
Mon Apr 28 19:35:51 UTC 2008

Hi Jörg,

On Mon, Apr 28, 2008 at 06:43:36PM +0200, Jörg Sommer wrote:
> gcc -g -O2 -Wall -g -O2 -fPIC -fPIE -fstack-protector -Wformat=2 -Wextra \
> -D_FORTIFY_SOURCE=2 -Wl,-zrelro,-pie conftest.c
>
> but this fails on i386 and amd64.
>
> /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crt1.o: relocation R_X86_64_32S against `__libc_csu_fini' can not be used when making a shared object; recompile with -fPIC
> /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crt1.o: could not read symbols: Bad value
>
> Can someone of you help me? The build also fails on Sparc, but I don't
> have the config.log to tell why. I expect it's the same reason.

hardening-wrapper isn't setting "-Wl,-zrelro,-pie" ... that command-line
is wrong.

First, for relro, it should be "-Wl,-z,relro". "-pie" needs to be
specified on the gcc command-line, not the linker command-line, since gcc
is responsible for choosing the crt, etc. Do you know what the origin
of the -Wl addition is?

This, for example, works:

gcc -g -O2 -Wall -g -O2 -fPIC -fPIE -pie -fstack-protector -Wformat=2 \
-Wextra -D_FORTIFY_SOURCE=2 -Wl,-z,relro -o hello hello.c

Note, AFAIK, -fPIC and -fPIE is redundant: -fPIE is a subset of -fPIC.

-Kees
--
Kees Cook @outflux.net
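
An added example, not part of the original message or of hardening-wrapper: a Python check that the -pie and -Wl,-z,relro options from the working command line in the message took effect in the output binary, by reading the ELF header type and looking for a PT_GNU_RELRO program header. The function names are this example's own, and sample_elf64 builds a constructed input so the check runs without a compiler.

```python
import struct
import sys

ET_DYN = 3                  # e_type of a PIE executable (also of a shared library)
PT_GNU_RELRO = 0x6474E552   # segment the linker emits for -z relro

def elf_hardening(data: bytes) -> dict:
    """Report whether an ELF image is position independent and has a RELRO segment."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                   # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little endian, 2 = big
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    # p_type is the first 32-bit word of every program header in both classes.
    p_types = [struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0]
               for i in range(e_phnum)]
    return {"pie": e_type == ET_DYN, "relro": PT_GNU_RELRO in p_types}

def sample_elf64(e_type: int, p_types: list) -> bytes:
    """Constructed input: ELF64 little-endian header plus bare program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(p_types), 0, 0, 0)
    return header + b"".join(struct.pack("<I", t) + bytes(52) for t in p_types)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check real binaries, e.g. the "hello" produced by the gcc command.
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, elf_hardening(f.read()))
    else:
        print("pie+relro:", elf_hardening(sample_elf64(3, [1, PT_GNU_RELRO])))
        print("neither  :", elf_hardening(sample_elf64(2, [1])))
```

Run it with the path of a built binary as the argument; the same fields are what `readelf -h` and `readelf -l` display as the file type and the GNU_RELRO segment.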