[dpkg] 174/187: Dpkg::Vendor::Debian: Handle PIE enabled by default in gcc

Reiner Herrmann reiner at reiner-h.de
Sun Nov 6 12:46:41 UTC 2016 

This is an automated email from the git hooks/post-receive script.

deki-guest pushed a commit to branch master
in repository dpkg.

commit 1852648603b1cc26ee4ce95a5173032445af4eb1
Author: Guillem Jover <guillem at debian.org>
Date:   Fri Oct 21 00:18:55 2016 +0200

    Dpkg::Vendor::Debian: Handle PIE enabled by default in gcc
    
    Add support for compiler built-in features, so that we do not set
    them when enabled and set negated flags when disabled.
    
    We use gcc spec files to set these flags so that we avoid any conflict
    with other incompatible flags that would make the build fail.
    
    Closes: #835149
    Based-on-patch-by: Bálint Réczey <balint at balintreczey.hu>
---
 Makefile.am                   |  2 ++
 data/no-pie-compile.specs     |  2 ++
 data/no-pie-link.specs        |  2 ++
 debian/changelog              |  5 +++++
 debian/libdpkg-perl.install   |  1 +
 man/dpkg-buildflags.man       | 19 ++++++++++++++-----
 scripts/Dpkg/Vendor/Debian.pm | 23 +++++++++++++++++++++--
 7 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 5af7751..27e7eae 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -20,6 +20,8 @@ ACLOCAL_AMFLAGS = -I m4
 
 
 dist_pkgdata_DATA = \
+	data/no-pie-compile.specs \
+	data/no-pie-link.specs \
 	data/cputable \
 	data/ostable \
 	data/abitable \
diff --git a/data/no-pie-compile.specs b/data/no-pie-compile.specs
new file mode 100644
index 0000000..f85b394
--- /dev/null
+++ b/data/no-pie-compile.specs
@@ -0,0 +1,2 @@
+*cc1_options:
++ %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fno-PIE}}}}}}
diff --git a/data/no-pie-link.specs b/data/no-pie-link.specs
new file mode 100644
index 0000000..07df312
--- /dev/null
+++ b/data/no-pie-link.specs
@@ -0,0 +1,2 @@
+*self_spec:
++ %{!shared:%{!r:-no-pie}}
diff --git a/debian/changelog b/debian/changelog
index 1ecf178..92ba2aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -69,6 +69,11 @@ dpkg (1.18.11) UNRELEASED; urgency=medium
   * Enable dpkg-buildpackage -Jauto by default. Closes: #842845
   * Fix dpkg to not fail when removing non-existent backup files on read-only
     filesystems. Closes: #838877
+  * Handle PIE enabled by default in gcc. On achitectures where gcc enables
+    them by default, stop setting -fPIE and -pie, and set -fno-PIE and
+    -no-pie when disabling «pie» via gcc specs files, so that we do not
+    emit them on situations where it would be inappropriate. Closes: #835149
+    Based on a patch by Bálint Réczey <balint at balintreczey.hu>.
   * Architecture support:
     - Add support for AIX operating system.
     - Add a version pseudo-field to the arch tables.
diff --git a/debian/libdpkg-perl.install b/debian/libdpkg-perl.install
index 6705aad..869506a 100644
--- a/debian/libdpkg-perl.install
+++ b/debian/libdpkg-perl.install
@@ -1,3 +1,4 @@
+usr/share/dpkg/*.specs
 usr/share/locale/*/LC_MESSAGES/dpkg-dev.mo
 usr/share/man/man3/Dpkg*.3
 usr/share/perl5/Dpkg*
diff --git a/man/dpkg-buildflags.man b/man/dpkg-buildflags.man
index 225f414..a070cef 100644
--- a/man/dpkg-buildflags.man
+++ b/man/dpkg-buildflags.man
@@ -147,7 +147,7 @@ For example:
 .IP
 .nf
   Feature: pie
-  Enabled: no
+  Enabled: yes
 
   Feature: stackprotector
   Enabled: yes
@@ -347,10 +347,19 @@ above). The option cannot become enabled if \fBrelro\fP is not enabled.
 .
 .TP
 .B pie
-This setting (disabled by default) adds \fB\-fPIE\fP to \fBCFLAGS\fP,
-\fBCXXFLAGS\fP, \fBOBJCFLAGS\fP, \fBOBJCXXFLAGS\fP, \fBGCJFLAGS\fP,
-\fBFFLAGS\fP and \fBFCFLAGS\fP,
-and \fB\-fPIE \-pie\fP to \fBLDFLAGS\fP. Position Independent
+This setting (enabled and injected by default by gcc on the amd64,
+arm64, armel, armhf, i386, mips, mipsel, mips64el, ppc64el and s390x
+architectures, since dpkg 1.18.11) adds the required options if needed
+to enable or disable PIE. When enabled and injected by gcc,
+adds nothing. When enabled and not injected by gcc, adds \fB\-fPIE\fP
+to \fBCFLAGS\fP, \fBCXXFLAGS\fP, \fBOBJCFLAGS\fP, \fBOBJCXXFLAGS\fP,
+\fBGCJFLAGS\fP, \fBFFLAGS\fP and \fBFCFLAGS\fP, and \fB\-fPIE \-pie\fP
+to \fBLDFLAGS\fP. When disabled and injected by gcc, adds \fB\-fno\-PIE\fP
+to \fBCFLAGS\fP, \fBCXXFLAGS\fP, \fBOBJCFLAGS\fP, \fBOBJCXXFLAGS\fP,
+\fBGCJFLAGS\fP, \fBFFLAGS\fP and \fBFCFLAGS\fP, and
+\fB\-no\-pie\fP to \fBLDFLAGS\fP.
+
+Position Independent
 Executable are needed to take advantage of Address Space Layout
 Randomization, supported by some kernel versions. While ASLR can already
 be enforced for data areas in the stack and heap (brk and mmap), the code
diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index bbba00d..043b31b 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -25,6 +25,7 @@ use warnings;
 
 our $VERSION = '0.01';
 
+use Dpkg;
 use Dpkg::Gettext;
 use Dpkg::ErrorHandling;
 use Dpkg::Control::Types;
@@ -280,7 +281,7 @@ sub _add_hardening_flags {
 
     # Default feature states.
     my %use_feature = (
-	pie => 0,
+	pie => 1,
 	stackprotector => 1,
 	stackprotectorstrong => 1,
 	fortify => 1,
@@ -288,10 +289,18 @@ sub _add_hardening_flags {
 	relro => 1,
 	bindnow => 0,
     );
+    my %builtin_feature = (
+        pie => 1,
+    );
 
     # Adjust features based on user or maintainer's desires.
     $self->_parse_feature_area('hardening', \%use_feature);
 
+    # Mask features that are not enabled by default in the compiler.
+    if ($arch !~ /^(?:amd64|arm64|armel|armhf|i386|mips|mipsel|mips64el|ppc64el|s390x)$/) {
+        $builtin_feature{pie} = 0;
+    }
+
     # Mask features that are not available on certain architectures.
     if ($os !~ /^(?:linux|kfreebsd|knetbsd|hurd)$/ or
 	$cpu =~ /^(?:hppa|avr32)$/) {
@@ -330,7 +339,7 @@ sub _add_hardening_flags {
     }
 
     # PIE
-    if ($use_feature{pie}) {
+    if ($use_feature{pie} and not $builtin_feature{pie}) {
 	my $flag = '-fPIE';
 	$flags->append('CFLAGS', $flag);
 	$flags->append('OBJCFLAGS',  $flag);
@@ -340,6 +349,16 @@ sub _add_hardening_flags {
 	$flags->append('CXXFLAGS', $flag);
 	$flags->append('GCJFLAGS', $flag);
 	$flags->append('LDFLAGS', '-fPIE -pie');
+    } elsif (not $use_feature{pie} and $builtin_feature{pie}) {
+	my $flag = "-specs=$Dpkg::DATADIR/no-pie-compile.specs";
+	$flags->append('CFLAGS', $flag);
+	$flags->append('OBJCFLAGS',  $flag);
+	$flags->append('OBJCXXFLAGS', $flag);
+	$flags->append('FFLAGS', $flag);
+	$flags->append('FCFLAGS', $flag);
+	$flags->append('CXXFLAGS', $flag);
+	$flags->append('GCJFLAGS', $flag);
+	$flags->append('LDFLAGS', "-specs=$Dpkg::DATADIR/no-pie-link.specs");
     }
 
     # Stack protector

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git

More information about the Reproducible-commits mailing list