[hardening-discuss] Bug#478057: Linker fails on i386 and amd64 with hardening options
Jörg Sommer
joerg at alea.gnuu.de
Mon Apr 28 22:32:27 UTC 2008
Hi Kees,
Kees Cook wrote on Mon 28 Apr, 12:35 (-0700):
> On Mon, Apr 28, 2008 at 06:43:36PM +0200, Jörg Sommer wrote:
> > gcc -g -O2 -Wall -g -O2 -fPIC -fPIE -fstack-protector -Wformat=2 -Wextra \
> > -D_FORTIFY_SOURCE=2 -Wl,-zrelro,-pie conftest.c
> >
> > but this fails on i386 and amd64.
> >
> > /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crt1.o: relocation R_X86_64_32S against `__libc_csu_fini' can not be used when making a shared object; recompile with -fPIC
> > /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crt1.o: could not read symbols: Bad value
> >
> > Can one of you help me? The build also fails on Sparc, but I don't
> > have the config.log to tell why. I expect it's the same reason.
>
> hardening-wrapper isn't setting "-Wl,-zrelro,-pie" ... that command-line
> is wrong.
>
> First, for relro, it should be "-Wl,-z,relro".
I took this from the announcement [1]. (The dash was missing there.)
[1] http://lists.debian.org/debian-devel-announce/2008/01/msg00006.html
> "-pie" needs to be specified on the gcc command-line, not the linker
> command-line, since gcc is responsible for choosing the crt, etc. Do
> you know what the origin of the -Wl addition is?
Yes, it's the above-mentioned mail. From there I took the -pie, too:
“PIE is enabled by passing "-fPIE" to all object builds, and passing
"-pie" to the final link.” So, I thought “the final link” is the linker
call and man ld knows the -pie option.
I didn't realise that hardening-wrapper is also for packages. I thought
it's something for userspace. I'll switch to hardening-wrapper.
Thanks for your help, Jörg.
--
The cat is at the center of our work.
Everything we do is for her.
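
A way to confirm that a link done as advised in this thread ("-pie" on the gcc command line, "-Wl,-z,relro" for the linker) took effect, as an added example that is not part of the original message: it reads the ELF header and program headers directly. The function names and the sample images are constructed for illustration.

```python
import struct
import sys

ET_DYN = 3                 # e_type of a PIE executable (shared objects use it too)
PT_LOAD = 1
PT_GNU_RELRO = 0x6474E552  # program header type the linker emits for -z relro


def elf_hardening(data: bytes) -> dict:
    """Report whether an ELF image is position independent and has RELRO."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = {1: False, 2: True}.get(data[4])   # EI_CLASS
    end = {1: "<", 2: ">"}.get(data[5])       # EI_DATA
    if is64 is None or end is None:
        raise ValueError("unknown ELF class or byte order")
    try:
        e_type = struct.unpack_from(end + "H", data, 16)[0]
        if is64:
            phoff = struct.unpack_from(end + "Q", data, 32)[0]
            phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        else:
            phoff = struct.unpack_from(end + "I", data, 28)[0]
            phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        # p_type is the first 32-bit field of a program header in both classes
        p_types = [struct.unpack_from(end + "I", data, phoff + i * phentsize)[0]
                   for i in range(phnum)]
    except struct.error as exc:
        raise ValueError("truncated ELF image") from exc
    return {"pie": e_type == ET_DYN, "relro": PT_GNU_RELRO in p_types}


def sample_elf(e_type: int, p_types: list) -> bytes:
    """Constructed little-endian ELF64 header followed by bare program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                         64, 56, len(p_types), 0, 0, 0)
    return ident + header + b"".join(struct.pack("<I", t) + bytes(52)
                                     for t in p_types)


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # check a real binary
        with open(sys.argv[1], "rb") as fh:
            print(elf_hardening(fh.read()))
    else:                                      # constructed samples
        print(elf_hardening(sample_elf(ET_DYN, [PT_LOAD, PT_GNU_RELRO])))
        print(elf_hardening(sample_elf(2, [PT_LOAD])))
```

Run with a path argument it checks a built binary; without one it runs on the constructed samples.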