Yup. Looks like -pie disappeared for no reason that I can remember. I’ll turn it back on.
D.

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Jin Sheng (jisheng)
Sent: Wednesday, May 30, 2018 12:11 PM
To: vpp-dev@lists.fd.io
Cc: Dave Wallace <dwallac...@gmail.com>
Subject: [vpp-dev] overflow hardening for vpp

Hi,

We noticed that PIE and immediate binding aren’t enabled for vpp:

/usr/bin/vpp:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

In the wiki page https://wiki.fd.io/view/VPP/Build_System_Deep_Dive, I see at least PIE should be enabled:

vpp_TAG_CFLAGS = -g -O2 -DFORTIFY_SOURCE=2 -march=$(MARCH) \
 -fstack-protector -fPIC -pie
vpp_TAG_LDFLAGS = -g -O2 -DFORTIFY_SOURCE=2 -march=$(MARCH) \
 -fstack-protector -fPIC -pie

But in the repository, it’s not even included in the initial commit in 2015. Should we enable those hardening options? If so, is vpp.mk the right place to add them?

Thanks,
Jin