On Thu, Jan 08, 2015 at 01:45:20PM -0500, Miloslav Trmač wrote:
> Hello,
> > = Proposed System Wide Change: Harden all packages with position-independent
> > code =
> >
> > Harden all packages with position-independent code to limit the damage from
> > certain security vulnerabilities.
>
> So this proposal is for _all_ architectures, including the
> register-starved 32-bit i?86 where the overhead is, IIRC, around 10%.
> I am by now quite convinced that x86_64 should be using PIE by default.
> As for 32-bit, I’m torn between “this is too much overhead” and “32-bit
> isn’t worth the worry, let’s instead make the defaults consistent.”

On i?86 it isn't around 10%, but more like 10%-30%.

That said, even on x86_64 it isn't anything close to no overhead.

Tried last night to rebuild GCC's cc1plus as -fpie -pie, and then
rebuild stage3 of GCC with make -j1 separately with the original
stage3 cc1plus (ET_EXEC binary) and PIE cc1plus (ET_DYN).
The build (which included still time for various other tools being not PIE,
make, ld, as) got 2.1% slower user time.
Also, the number of relocations and memory consumption got up.

Non-PIE cc1plus:
Relocation section '.rela.dyn' at offset 0x187d30 contains 190 entries:
Relocation section '.rela.plt' at offset 0x188f00 contains 284 entries:
  GNU_RELRO      0x1d14730 0x0000000002314730 0x0000000002314730 0x0058d0 0x0058d0 R   0x1

PIE cc1plus:
Relocation section '.rela.dyn' at offset 0x187d90 contains 75803 entries:
Relocation section '.rela.plt' at offset 0x344018 contains 230 entries:
  GNU_RELRO      0x1e18cf0 0x0000000002018cf0 0x0000000002018cf0 0x10e310 0x10e310 R   0x1

That means e.g. on the startup of each cc1plus process, that means 1MB extra
COW wastage (executable has 24KB of pages written and then made
non-writable, while PIE over 1MB).

	Jakub
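The arithmetic behind the 24KB and "over 1MB" figures, as an added example that is not part of the original message or of any Fedora or GCC tooling: it parses the readelf lines quoted above and derives the `.rela.dyn` table size and the pages spanned by the GNU_RELRO segment. The function name `startup_cost`, the 4 KiB page size and the 24-byte `Elf64_Rela` entry size are assumptions for x86_64.

```python
import re

PAGE = 4096        # assumed x86_64 page size
RELA_ENTSIZE = 24  # sizeof(Elf64_Rela): r_offset, r_info, r_addend

# readelf lines exactly as quoted in the message above
NON_PIE = """\
Relocation section '.rela.dyn' at offset 0x187d30 contains 190 entries:
Relocation section '.rela.plt' at offset 0x188f00 contains 284 entries:
  GNU_RELRO 0x1d14730 0x0000000002314730 0x0000000002314730 0x0058d0 0x0058d0 R 0x1
"""
PIE = """\
Relocation section '.rela.dyn' at offset 0x187d90 contains 75803 entries:
Relocation section '.rela.plt' at offset 0x344018 contains 230 entries:
  GNU_RELRO 0x1e18cf0 0x0000000002018cf0 0x0000000002018cf0 0x10e310 0x10e310 R 0x1
"""

RELOC_RE = re.compile(
    r"Relocation section '(\.rela\.\w+)' at offset 0x[0-9a-fA-F]+ contains (\d+) entr")
# Columns: Offset VirtAddr PhysAddr FileSiz MemSiz
RELRO_RE = re.compile(r"GNU_RELRO" + r"\s+(0x[0-9a-fA-F]+)" * 5)


def startup_cost(readelf_text):
    """Summarise relocation counts and the pages the loader writes for RELRO."""
    relocs = {name: int(count) for name, count in RELOC_RE.findall(readelf_text)}
    m = RELRO_RE.search(readelf_text)
    if m is None:
        raise ValueError("no GNU_RELRO program header in input")
    vaddr, memsz = int(m.group(2), 16), int(m.group(5), 16)
    # The segment starts mid-page, so count every page it touches.
    pages = (vaddr + memsz - 1) // PAGE - vaddr // PAGE + 1 if memsz else 0
    dyn = relocs.get(".rela.dyn", 0)
    return {
        "rela_dyn": dyn,
        "rela_plt": relocs.get(".rela.plt", 0),
        "rela_dyn_bytes": dyn * RELA_ENTSIZE,
        "relro_kib": pages * PAGE // 1024,
    }


if __name__ == "__main__":
    for label, text in (("non-PIE", NON_PIE), ("PIE", PIE)):
        print(label, startup_cost(text))
```

The computed `.rela.dyn` sizes equal the gap between the `.rela.dyn` and `.rela.plt` file offsets in both listings, which cross-checks the entry counts.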