On 04.10.2016 12:24, Carl Eugen Hoyos wrote:
> Sorry if I miss something but with this patch, the hardening_check
> script succeeds here both for x86_32 and x86_64 (static and shared).

This script uses a very simplistic approach for testing position independent executables. I think it just does the equivalent of 'readelf -h $PROGRAM | grep Type'. If the Type is EXEC, it's a normal executable, and if it is DYN, it assumes it's compiled as PIE. However, that doesn't guarantee that the executable is actually position independent, i.e. does not contain text relocations.

> --- a/configure
> +++ b/configure
> @@ -3577,6 +3577,8 @@ case "$toolchain" in
> add_cppflags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
> add_cflags -fno-strict-overflow -fstack-protector-all
> add_ldflags -Wl,-z,relro -Wl,-z,now
> + add_cflags -fPIE

I think this should be -fPIC, at least when building shared libraries. That's how I understand the gcc manual [1]:

    -fpie
    -fPIE
        These options are similar to -fpic and -fPIC, but generated
        position independent code can be only linked into executables.

> + add_ldexeflags -fPIE -pie
> ;;
> ?*)
> die "Unknown toolchain $toolchain"
> -- 
> 1.7.10.4

In general, enabling PIE for toolchain=hardened is a good idea. But according to [2] PIE doesn't work on hppa and m68k, so it shouldn't get enabled for these architectures.

On 05.10.2016 15:14, Carl Eugen Hoyos wrote:
> I would have expected that this (pie) patch does not work on x86_32
> but the binary runs fine here: Am I missing something or should I
> apply to get this tested?

The problem on x86_32 is that libavcodec, libavutil, etc. use text relocations in hand-written assembler code, so these libraries won't be position independent, unless using --disable-asm.

Now, when producing shared libraries, the ffmpeg binary is actually position independent, just not libavcodec, libavutil...

However, when linking statically, the ffmpeg binary contains the text relocations from the hand-written assembler code and is thus not really position independent.

This can be tested e.g. with scanelf from pax-utils [3].

* shared PIE build on x86_32 (no text relocations):

$ scanelf -t ./ffmpeg
 TYPE   TEXTREL FILE
ET_DYN  -       ./ffmpeg

* static PIE build on x86_32 (with text relocations):

$ scanelf -t ./ffmpeg
 TYPE   TEXTREL FILE
ET_DYN  TEXTREL ./ffmpeg

The '-T' option shows where exactly the text relocations are.
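Review bot: `add_cflags -fPIE` in this hunk is applied to every object in the build, including the ones that end up in the shared libraries, while only the executable link gets `-pie` through `add_ldexeflags`; by the gcc wording quoted in the reply, -fPIE output can only be linked into executables, so a --enable-shared build needs -fPIC on the library objects (or -fPIE limited to the executable's own objects). The flags are also added unconditionally for toolchain=hardened, with no exclusion for hppa/m68k where PIE is reported not to work, and no acknowledgement that a static x86_32 build will still carry TEXTREL from the hand-written assembler unless --disable-asm is used; suggest gating the addition on the target arch and stating the --disable-asm limitation in the commit message or configure help text.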
Best regards,
Andreas

1: https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html
2: https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2Fg.2B-.2B-_-fPIE_-pie.29
3: https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
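As an added example (not code from this thread or from FFmpeg), the check Andreas describes done with a stdlib-only Python ELF parser: it reads the ELF type the way hardening_check's readelf approach does and additionally looks for the TEXTREL marker that `scanelf -t` reports, so ET_DYN with text relocations is not mistaken for a real PIE. It assumes ELF64 little-endian input; build_sample_elf constructs a synthetic image for testing and is not a loadable binary.

```python
"""Classify an ELF file the way hardening_check and `scanelf -t` do:
ET_EXEC vs ET_DYN from the header, plus whether the dynamic section carries
DT_TEXTREL or DF_TEXTREL in DT_FLAGS (text relocations). ELF64 LE only."""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4


def elf_pie_status(data: bytes) -> dict:
    """Return the ELF type, the TEXTREL verdict and a combined PIE verdict."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian files are handled")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    textrel = False
    for i in range(e_phnum):  # walk program headers, look for PT_DYNAMIC
        off = e_phoff + i * e_phentsize
        if struct.unpack_from("<I", data, off)[0] != PT_DYNAMIC:
            continue
        p_offset, _va, _pa, p_filesz = struct.unpack_from("<QQQQ", data, off + 8)
        for j in range(p_filesz // 16):  # Elf64_Dyn is 16 bytes: d_tag, d_val
            tag, val = struct.unpack_from("<qQ", data, p_offset + j * 16)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                textrel = True  # what scanelf -t prints as TEXTREL
    names = {ET_EXEC: "ET_EXEC", ET_DYN: "ET_DYN"}
    return {"type": names.get(e_type, hex(e_type)), "textrel": textrel,
            "pie_without_textrel": e_type == ET_DYN and not textrel}


def build_sample_elf(e_type: int, dyn_entries: list) -> bytes:
    """Constructed test input: header + one PT_DYNAMIC phdr + dynamic entries.
    Not a loadable binary, just enough structure for elf_pie_status."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 64 + 56, 0, 0,
                       len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:  # e.g. ./ffmpeg from a PIE build
        print(elf_pie_status(f.read()))
```

Run it against the ffmpeg binary of a shared and of a static x86_32 PIE build to reproduce the two scanelf results above without pax-utils installed.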