[Pkg-uml-pkgs] Bug#837579: user-mode-linux: FTBFS with bindnow and PIE enabled

Tue Sep 13 22:56:47 UTC 2016

Control: tags -1 patch

Hi Ritesh,

On 09/12/2016 08:18 PM, Ritesh Raj Sarraf wrote:
> Control: tag -1 +help
> 
> 
> Hello Balint,
> 
> 
> On Mon, 2016-09-12 at 16:42 +0200, Balint Reczey wrote:
>> During a rebuild of all packages in sid, your package failed to build on
>> amd64 with patched GCC and dpkg.
> 
>> The rebuild tested if packages are ready for a transition
>> enabling PIE and bindnow for amd64.
> 
> 
> I have tried enabling hardening flags before but that never helped. And I did
> not look very deep into it.
> 
> hardening=+all also modifies LDFLAGS which breaks the UML kernel build.
> 
> So today, I tried with just the below, but lintian still complains.
> 
> rrs at chutzpah:~/Community/Packaging/user-mode-linux (master)$ git diff
> diff --git a/debian/rules b/debian/rules
> index e29da82..802eb1e 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -15,6 +15,10 @@ tmpmodules:=$(debian)/uml-modules
>  DEB_HOST_ARCH?=$(shell dpkg-architecture -qDEB_HOST_ARCH)
>  #SUBARCH?=$(shell uname -m)
>  
> +export DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow
> +#DPKG_EXPORT_BUILDFLAGS = 1
> +#include /usr/share/dpkg/buildflags.mk
> +
>  ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
>  KBUILDVARS := CFLAGS_KERNEL=-O1
>  endif
> 
> 
> If you have any suggestions on working around it, please do share on this bug
> report.
> 
> 
>> For more information about the changes to sid's dpkg and GCC please
>> visit:
>>  https://wiki.debian.org/Hardening/PIEByDefaultTransition
> 
>> Relevant part (hopefully):
>> ...
>>   LD      init/built-in.o
>> /usr/bin/ld: arch/um/drivers/built-in.o: relocation R_X86_64_32 against
>> `.rodata.str1.1' can not be used when making a shared object; recompile
>> with -fPIC
>> /usr/bin/ld: final link failed: Nonrepresentable section on output
>> ...
> 
> I've tagged this bug report as "help".

The following patch fixes the build for me with the changed GCC and also
builds fine with the original GCC 6:

@@ -16,9 +16,11 @@
 #SUBARCH?=$(shell uname -m)

 ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
-KBUILDVARS := CFLAGS_KERNEL=-O1
+CFLAGS_KERNEL += -O1
 endif

+KBUILDVARS := CFLAGS_KERNEL="$(CFLAGS_KERNEL)" CC="$(CC) -no-pie"
LD="$(LD) -no-pie"
+
 # development only targets
 #
 copy-config:


> 
> BTW, do you know if the regular linux images of Debian are Hardening enabled ?

If you mean PIE, no, but there are some hardening options enabled AFAIK
thus I can't answer that question briefly.

Cheers,
Balint



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-uml-pkgs/attachments/20160914/fc694a90/attachment.sig>
