On Dienstag, 24. Mai 2016 08:17:27 CEST Jens Axboe wrote: > On 05/24/2016 04:10 AM, Martin Steigerwald wrote: > > Hello Jens! > > > > In my attempt to harden the fio build as recommended within Debian, I > > tried to build it with PIE by using Debian´s own mechanism via > > dpkg-buildflags. And I> > > got: > > CC diskutil.o > > CC fifo.o > > CC blktrace.o > > CC cgroup.o > > CC trim.o > > CC engines/sg.o > > CC engines/binject.o > > CC oslib/linux-dev-lookup.o > > CC fio.o > > > > LINK fio > > > > /usr/bin/ld: crc/crc16.o: relocation R_X86_64_32S against `crc16_table' > > can > > not be used when making a shared object; recompile with -fPIC > > crc/crc16.o: error adding symbols: Bad value > > collect2: error: ld returned 1 exit status > > Makefile:399: recipe for target 'fio' failed > > make[1]: *** [fio] Error 1 > > make[1]: Leaving directory '/home/ms/Debian/fio/pkg-fio' > > dh_auto_build: make -j1 returned exit code 2 > > debian/rules:17: recipe for target 'build' failed > > make: *** [build] Error 2 > > dpkg-buildpackage: error: debian/rules build gave error exit status 2 > > > > > > Yet, building fio 2.10 from upstream does doesn´t produce a shared object > > file. > > > > Any idea? > > > > > > > > > > I: fio: hardening-no-pie usr/bin/fio > > N: > > N: This package provides an ELF executable that was not compiled as a > > N: position independent executable (PIE). > > N: > > N: PIE is required for fully enabling Address Space Layout > > Randomization > > N: (ASLR), which makes "Return-oriented" attacks more difficult. > > N: > > N: Historically, PIE has been associated with noticeable performance > > N: overhead on i386. However, GCC-5 has implemented an optimization > > that > > N: can reduce the overhead significantly. > > N: > > N: If you use dpkg-buildflags, you may have to add hardening=+pie or > > N: hardening=+all to DEB_BUILD_MAINT_OPTIONS. > > N: > > N: The relevant compiler flags must be passed both to the compiler and > > the N: linker (e.g. for C that would be commonly be CFLAGS and > > LDFLAGS). N: > > N: CAVEAT: Please keep in mind that the PIE flag (-fPIE) is not > > suitable > > N: for all cases: > > N: > > N: * It is <not> compatible with -fPIC which required for > > N: compiling shared libraries. > > N: * It is unlikely to work when compiling static libraries or > > N: executables (gcc -static). > > N: > > N: If your upstream build compiles either of the above, you may have to > > N: patch the build to ensure that only ELF executables are compiled > > with > > N: PIE. > > N: > > N: Refer to https://wiki.debian.org/Hardening, > > N: https://gcc.gnu.org/gcc-5/changes.html, and > > N: > > https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x > > 86-in-upcoming-gcc-50-32bit-pic-mode N: for details. > > N: > > N: Severity: wishlist, Certainty: certain > > N: > > N: Check: binaries, Type: binary, udeb > > N: > > I: fio: hardening-no-pie usr/bin/fio-btrace2fio > > I: fio: hardening-no-pie usr/bin/fio-dedupe > > I: fio: hardening-no-pie usr/bin/fio-genzipf > > > > > > Another option to harden fio works find and that is: > > > > I: fio: hardening-no-bindnow usr/bin/fio > > N: > > N: This package provides an ELF binary that lacks the "bindnow" linker > > N: flag. > > N: > > N: If the ELF binary does not rely on late binding of symbols (e.g. > > weak > > N: symbols), then please consider enabling this feature. Otherwise, > > please N: consider overriding the tag (possibly with a comment about > > why). N: > > N: If you use dpkg-buildflags, you may have to add hardening=+bindnow > > or > > N: hardening=+all to DEB_BUILD_MAINT_OPTIONS. > > N: > > N: The relevant compiler flags are set in LDFLAGS. > > N: > > N: Refer to https://wiki.debian.org/Hardening for details. > > N: > > N: Severity: wishlist, Certainty: certain > > N: > > N: Check: binaries, Type: binary, udeb > > N: > > I: fio: hardening-no-pie usr/bin/fio-btrace2fio > > I: fio: hardening-no-bindnow usr/bin/fio-btrace2fio > > I: fio: hardening-no-pie usr/bin/fio-dedupe > > I: fio: hardening-no-bindnow usr/bin/fio-dedupe > > I: fio: hardening-no-pie usr/bin/fio-genzipf > > I: fio: hardening-no-bindnow usr/bin/fio-genzipf > > > > > > Maybe it would be nice to have some of these in upstream build? PIE may > > not > > yet be advisable as for GCC 5 requirement. > > What extra compiler/linker flags are being set? I tried with just -fPIE > here, and it builds and links fine. > > axboe@xps13:/home/axboe/git/fio $ gcc --version > gcc (Ubuntu 6.1.1-3ubuntu11~14.04.1) 6.1.1 20160511 > > I have gcc 5.3 installed as well, works for that too. So I'm guessing > -fPIE isn't all that's being set? Hmmm, according to DEB_BUILD_HARDENING_PIE (gcc/g++ -fPIE -pie) https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2Fg.2B-.2B-_-fPIE_-pie.29 Its not all. It also does "-pie". Yes, if I try this as in: diff --git a/Makefile b/Makefile index 108e6ee..a559971 100644 --- a/Makefile +++ b/Makefile @@ -23,7 +23,7 @@ endif DEBUGFLAGS = -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -DFIO_INC_DEBUG CPPFLAGS= -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DFIO_INTERNAL $(DEBUGFLAGS) OPTFLAGS= -g -ffast-math -CFLAGS = -std=gnu99 -Wwrite-strings -Wall -Wdeclaration-after-statement $(OPTFLAGS) $(EXTFLAGS) $(BUILD_CFLAGS) -I. -I$(SRCDIR) +CFLAGS = -std=gnu99 -Wwrite-strings -Wall -Wdeclaration-after-statement -fPIE -pie $(OPTFLAGS) $(EXTFLAGS) $(BUILD_CFLAGS) -I. -I$(SRCD IR) LIBS += -lm $(EXTLIBS) PROGS = fio SCRIPTS = $(addprefix $(SRCDIR)/,tools/fio_generate_plots tools/plot/fio2gnuplot tools/genfio tools/fiologparser.py) I get a working build: # hardening-check fio fio: Position Independent Executable: yes Stack protected: no, not found! Fortify Source functions: yes (some protected functions found) Read-only relocations: no, not found! Immediate binding: no, not found! Well, I wonder about: You set CFLAGS hard without +=, maybe thats the issue, unless dpkg stuffes the build flags into BUILD_CFLAGS or so. Yes, that is it: A patch as simple as … pkg-fio> cat debian/patches/makefile-hardening --- a/Makefile +++ b/Makefile @@ -23,7 +23,7 @@ DEBUGFLAGS = -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -DFIO_INC_DEBUG CPPFLAGS= -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DFIO_INTERNAL $(DEBUGFLAGS) OPTFLAGS= -g -ffast-math -CFLAGS = -std=gnu99 -Wwrite-strings -Wall -Wdeclaration-after-statement $(OPTFLAGS) $(EXTFLAGS) $(BUILD_CFLAGS) -I. -I$(SRCDIR) +CFLAGS += -std=gnu99 -Wwrite-strings -Wall -Wdeclaration-after-statement $(OPTFLAGS) $(EXTFLAGS) $(BUILD_CFLAGS) -I. -I$(SRCDIR) LIBS += -lm $(EXTLIBS) PROGS = fio SCRIPTS = $(addprefix $(SRCDIR)/,tools/fio_generate_plots tools/plot/fio2gnuplot tools/genfio tools/fiologparser.py) Does the trick. Seems that Debian set some linker flag and the compiler flag was not set, leading to: > > /usr/bin/ld: crc/crc16.o: relocation R_X86_64_32S against `crc16_table' > > can > > not be used when making a shared object; recompile with -fPIC Will create a patch to merge for you. Thanks, -- Martin Steigerwald | Trainer teamix GmbH Südwestpark 43 90449 Nürnberg Tel.: +49 911 30999 55 | Fax: +49 911 30999 99 mail: martin.steigerwald@xxxxxxxxx | web: http://www.teamix.de | blog: http://blog.teamix.de Amtsgericht Nürnberg, HRB 18320 | Geschäftsführer: Oliver Kügow, Richard Müller teamix Support Hotline: +49 911 30999-112 Flexibilität im Haus – Sicherheit im Kopf, testen Sie jetzt 30 Tage kostenfrei unsere Cloud Backup Lösung FlexVault: www.teamix.de/cloud-backup -- To unsubscribe from this list: send the line "unsubscribe fio" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
