On 04.10.2016 12:24, Carl Eugen Hoyos wrote:
> Sorry if I miss something but with this patch, the hardening_check
> script succeeds here both for x86_32 and x86_64 (static and shared).
This script uses a very simplistic approach for testing position
independent executables.
I think it just does the equivalent of 'readelf -h $PROGRAM | grep Type'.
If the Type is EXEC, it's a normal executable, and if it is DYN, it
assumes it's compiled as PIE.
However, that doesn't guarantee that the executable is actually position
independent, i.e. does not contain text relocations.
> --- a/configure
> +++ b/configure
> @@ -3577,6 +3577,8 @@ case "$toolchain" in
> add_cppflags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
> add_cflags -fno-strict-overflow -fstack-protector-all
> add_ldflags -Wl,-z,relro -Wl,-z,now
> + add_cflags -fPIE
I think this should be -fPIC, at least when building shared libraries.
That's how I understand the gcc manual [1]:
-fpie
-fPIE
These options are similar to -fpic and -fPIC, but generated position
independent code can be only linked into executables.
> + add_ldexeflags -fPIE -pie
> ;;
> ?*)
> die "Unknown toolchain $toolchain"
> -- 1.7.10.4
In general, enabling PIE for toolchain=hardened is a good idea.
But According to [2] PIE doesn't work on hppa and m68k, so it shouldn't get
enabled for these architectures.
On 05.10.2016 15:14, Carl Eugen Hoyos wrote:
> I would have expected that this (pie) patch does not work on x86_32
> but the binary runs fine here: Am I missing something or should I
> apply to get this tested?
The problem on x86_32 is that libavcodec, libavutil, etc. use
text relocations in hand-written assembler code, so these libraries
won't be position independent, unless using --disable-asm.
Now, when producing shared libraries, the ffmpeg binary is actually
position independent, just not libavcodec, libavutil...
However, when linking statically, the ffmpeg binary contains the
text relocations from the hand-written assembler code and is thus
not really position independent.
This can be tested e.g. with scanelf from pax-utils [3].
* shared PIE build on x86_32 (no text relocations):
$ scanelf -t ./ffmpeg
TYPE TEXTREL FILE
ET_DYN - ./ffmpeg
* static PIE build on x86_32 (with text relocations):
$ scanelf -t ./ffmpeg
TYPE TEXTREL FILE
ET_DYN TEXTREL ./ffmpeg
The '-T' options shows were exactly the text relocations are.
Best regards,
Andreas
1: https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html
2:
https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2Fg.2B-.2B-_-fPIE_-pie.29
3: https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
